Privacy and Data Protection based on the GDPR. Leo Besemer
GDPR sets out six basic principles for the application of our data protection rights. A failure to adhere to the obligation under Article 5(1)(f) for securing personal data from “accidental loss” is not, per se, an infringement of privacy. However, a data protection failure resulting in accidental loss, e.g., of a hospital patient’s medical records, could have potentially fatal consequences – there can be nothing more serious.
This highlights a key theme of the GDPR – taking appropriate account of the risks to data subjects resulting from failures to protect their personal data. Part IV – “Risks assessment and mitigation” – covers this very well. The word “risk” appears eight times in the English language text of data protection Directive 95/46/EC, compared to 75 times in the GDPR. However, this risk-based approach is very frequently ignored by organizations. This was plainly shown to me by a survey I did in 2019 of data protection officer (DPO) recruitment advertisements throughout Europe. DPOs are required under Article 39(2) to take a risk-oriented approach to the performance of their tasks. The implication is that risk assessment and management is an essential component of the DPO’s expertise. But in my survey this risk expertise was neither required by, nor desirable for, 76% of employers.
It is also important to emphasize that although the six basic GDPR principles are legal obligations, they also provide a first-rate framework for the data management and governance described in Chapter 6. So, even if not required to, it would still be in every organization’s interests to apply them. An obvious illustration is the Article 5(1)(d) requirement to keep personal data accurate and up-to-date. Quite apart from the legal obligation, to the extent that our organizational decisions are based on data which is inaccurate or out of date, they will be flawed and less effective. Therefore, we clearly should be doing this anyway.
In order for organizations to reach a good compliance standard with the data protection principles, those principles must be absorbed into organizational culture from top to bottom. Under GDPR Article 38(3), DPOs must “directly report to the highest management level”. This implies, firstly, that the highest management must have a reasonable understanding of what is being reported to them and, secondly, that data protection compliance must be treated as a strategic issue. Leo’s book can provide very effective support to you and your colleagues in reaching this understanding and applying it in practice.
Fintan Swanton,
LLM MSc CEng FICS MBCS.
Senior Data Protection Consultant & Managing Director,
Cygnus Consulting Ltd.
Fintan Swanton is the Irish representative in the Confederation of European Data Protection Organizations (CEDPO).
Contents
PART I | Privacy and data protection history and scope
1.1 The history of privacy and data protection
1.1.2 Milestones in Data Protection history
1.2 Context within European and national law
1.2.1 European legal acts
1.2.2 European legal acts complementing the GDPR
1.2.3 GDPR implementation laws
1.2.5 The concepts of subsidiarity and proportionality
1.3.1 The concept of personal data
1.3.2 Material scope of the GDPR
1.3.3 Geographical scope of the GDPR
PART II | Principles and practice of processing
2 Stakeholder roles, rights and obligations
2.1.2 Implementing data protection by design and by default
2.1.3 Required types of administrations
2.1.4 GDPR security requirements
2.1.5 Outsourcing of processing actions
2.2.1 Obligations of the processor
2.4 Data protection officer (DPO)
2.4.2 Tasks of a data protection officer
2.4.3 Position of the DPO in the organization