Data Controller Responsibilities

GDPR Data Controller responsibilities, and imposing the corresponding obligations on the Supplier / Data Processor.


The Data Controller remains responsible for compliance, even where the processing itself is outsourced to a Data Processor.


The DC must:

  1. Be accountable and be able to demonstrate compliance (Articles 5(2) and 24).

  2. Adopt privacy by design and by default (Article 25): build data protection into every new project from the outset (screening each one for a DPIA), and design known non-compliances out of legacy systems.

  3. Appoint a representative in the EU if the controller is not established in a member state (Article 27).

  4. Carry out due diligence when using a third-party Data Processor, and bind the processor by contract (Article 28). Please download the spreadsheet to see an IL7 questionnaire for third-party suppliers (developed for HMG framework agreements).

  5. Keep records of all processing activities (Article 30).

  6. Implement appropriate technical and organisational security measures for the risk (Article 32).

  7. Report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals (Article 33).

  8. Inform the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).

  9. Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, and consult the supervisory authority beforehand where the residual risk stays high (Articles 35 and 36).

  10. Appoint a Data Protection Officer (DPO) where required, and give them the independence and resources to do the job (Articles 37, 38 and 39).
