Here is a little thread you need to know about the #GDPR and accountability ππ
#eudatap #privacy
#eudatap #privacy
Chapters 2, 5 and 9 #GDPR contain the rules for processing personal data. However, 100% compliance with these rules is impossible in practice. #eudatap #privacy
So, during the #GDPR negotiations, the EU Council of Ministers pushed hard on the accountability principle enshired in Chapter 4. They called it "the risk-based approach". #eudatap #privacy
The risk-based approach means controllers (and to some extent also processors) must do their homework to limit risk and be compliant. #eudatap #privacy
'Homework' means a.o. carrying out a DPIA if risks are high (art.35 #GDPR), taking appropriate security measures taking into account costs and state of art (art.32) and appointing a DPO (art.37). #eudatap #privacy
However, there are limits to how much homework is required. DPIA's are only required when the risk is likely high. Most organization are not required to have a DPO, etc. #eudatap #privacy #GDPR
The only non risk-based article in Chapter 4 #GDPR is art. 30 (data registry), although a not very useful exception for SME's is included in there. #eudatap #privacy
So, #GDPR accountability means: doing your homework where appropriate and the best you can. But there is no obligation to stive to eleminate all risk and be 100% compliant with the material rules. #eudatap #privacy
Or as a high civil servant of the European Commission once put it: "the measures don't need to be perfect, only good enough".
#eudatap #privacy #GDPR
#eudatap #privacy #GDPR
A good example of homework not required is a recent case in a Dutch court. A process server inquiring for information acts as a civil servant and is subject to disciplinary rules. The employer probably afraid of a data breach refused to disclose the personal data. #GDPR #privacy
The Court said that given the legal status of the process server, there was no #GDPR duty for the employer to verify the existence of the court order and he was required to disclose the data under procedural law. #eudatap #privacy
So basically the Court rightfully implied that any #GDPR liability aring from an unauthorized disclosure would in such case be the problem of the process server, not the disclosing employer. Same for fines. #eudatap #privacy
In contrast, another Dutch court recently prohibited an employer from implementing biometrics. The Court concluded that the employer had failed to do his #GDPR homework (necessity assessment, DPIA), so given art.9, the biometrics were disproportionate. #eudatap #privacy
The risk-based approach in Chapter 4 #GDPR means that a controller/processor cannot be fined nor held liable if he has done his homework and the extent if such homework was appropriate given the circumstamces. #eudatap #privacy
Not doing the #GDPR homework or doing it only half-baked given the circumstances may result in fines, liability and sometimes being barred from processing personal data. #eudatap #privacy
All you need to do is to find the level of appropriateness of the measures you implement or carry out to comply with the #GDPR in light of the risks involved, the costs and the state of art, best practices and the law (non-GDPR). There is no need to eliminate all risk. #privacy
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
