
Who is responsible?

1. Who is responsible?

Hello! In this video, we'll learn all about the key GDPR roles and responsibilities.

2. Key GDPR roles

The four key GDPR roles are Data controller, Data processor, Data Protection Officer or DPO, and Supervisory Authority, also known as the Data Protection Authority.

3. Data controller

Data controller means anyone, whether a person, a company or a public body, who decides the purposes and means of processing personal data. If two entities make these decisions together, they become joint controllers. Data controllers are ultimately responsible and accountable for data protection and GDPR compliance. Imagine you own a boutique pastry shop. You are growing steadily but don't need a full-time employee to handle payroll. So you outsource this task to a payroll services company. You share your employee data, salaries, etc., with that company to fulfill your payroll needs. So here, your company is the data controller, and the payroll company is... yes, as you may have guessed, a data processor.

4. Data processor

Data processors are often third parties or sub-contractors who process personal data on behalf of the controller, like the payroll company in the previous example. Data processors don't hold direct responsibility for data protection. Controllers must carefully choose their data processors and ensure they comply with GDPR by means of data processing agreements.

5. Data protection officer or DPO

Data Protection Officers, or DPOs, are responsible for monitoring and advising on a company's data processing activities for GDPR compliance. They are your company's contact point for the Supervisory Authority. Companies, whether they are controllers or processors, need to appoint a Data Protection Officer or DPO if their data processing involves many data subjects, sensitive data, or systematic monitoring of individuals. GDPR makes DPOs mandatory for public bodies and for companies processing high-risk or large-scale personal data. The need for a DPO is based on the proportional risk of the personal data processing rather than on the company's size.

6. Supervisory authority or data protection authority

GDPR requires all EU member countries to appoint an independent public authority, known as the Supervisory Authority (SA) or Data Protection Authority (DPA). They are responsible for monitoring and enforcing GDPR. These authorities decide on imposing GDPR fines for non-compliance. Every member country has an SA; for example, the Italian one is known as the "Garante per la Protezione dei Dati Personali" and the Dutch one is the "Autoriteit Persoonsgegevens". Now let's see all the key GDPR roles in action when there is trouble. Among all the troubles related to non-compliance, the most common one is a data breach.

7. Data breaches: what to do?

A data breach is any incident that causes the loss of, or unauthorized access to or disclosure of, personal data, compromising its confidentiality, integrity, or availability. If a data breach occurs, controllers should notify the supervisory authority as soon as possible, and within 72 hours of becoming aware of the breach. If the breach poses a high risk to the rights of data subjects, then the data subjects should be notified as well. An example data breach is a cyber-attack on your online marketplace in which the attacker publishes your clients' user names, passwords, and purchase history online. In that case you need to immediately inform your country's supervisory authority and all your clients. You should also keep a record of data breaches and have an updated action plan for your management team, employees, and data processors. Your DPO will play an important role in all these communications and processes. What happens when multiple supervisory authorities of different countries are involved? And who coordinates their roles?

8. Coordination across countries

The European Data Protection Board, or EDPB, is an independent body that ensures the consistent application of data protection rules and enables cooperation among the supervisory authorities. The supervisory authorities of all EU27 countries are members of the EDPB. The European Data Protection Supervisor, another EU supervisory and advisory body, is also a member. Iceland, Norway, and Liechtenstein are members without voting rights. Now that we know the basics of GDPR compliance and monitoring structures, we'll learn more about the principles and steps required for compliance.

9. Let's practice!

Let's test your fresh knowledge on GDPR roles.