Who is responsible for GDPR compliance?

The General Data Protection Regulation (GDPR) has been in effect in the European Union (EU) since 2018, so companies doing business in the EU have had time to learn their privacy compliance responsibilities. We will look at who is responsible for data privacy compliance and how to implement best practices. We will also outline GDPR enforcement from a government level down to day to day corporate operations.

The General Data Protection Regulation (GDPR) is a set of regulations introduced by the European Union (EU) to protect the privacy of EU residents’ personal data. The focus is on individuals. GDPR compliance is mandatory for any organization that processes the personal data of EU residents, regardless of where the organization is located or whether or not the processing is for commercial purposes.

The GDPR has been highly influential on subsequent data privacy legislation around the world, like Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD). After Brexit, GDPR UK compliance requirements didn’t really change, as the EU’s GDPR was maintained almost in its entirety.

To ensure GDPR compliance, it’s essential to understand the roles of data controllers and data processors. They are the ones collecting and processing users’ personal data, and thus responsible at the day to day level for data security and privacy.

A data controller under the GDPR is a “person”, but in reality likely an organization, that collects personal data and determines the purposes and means of its processing. Data processing can mean anything from creating customer profiles to aggregating demographic information for sale.

A data processor is a person — again, likely an organization — who processes personal data on behalf of a data controller. Advertising partners are a good example of this. GDPR requirements apply to both data controllers and data processors, but the specific responsibilities differ. Ultimately, data security and privacy compliance is usually the controller’s responsibility.

Data controllers are primarily responsible for ensuring GDPR compliance. They must obtain valid consent from individuals for data processing. (See Art. 7 GDPR for conditions for valid consent.) Their additional responsibilities include:

• maintaining secure records of consent preferences
• keeping data accurate and up to date
• correcting or deleting data when requested, under certain circumstances
• implementing appropriate technical and organizational measures to protect data

Data controllers must also ensure that any third-party data processors they work with are GDPR-compliant, with contractual agreements in place.

Data processors must process personal data only according to the instructions and contractual agreement with the data controller. Their additional responsibilities include:

• implementing appropriate technical and organizational measures to protect data
• notifying the data controller of any data breaches
• keeping records of their processing activities
• compliance with data deletion requirements after processing

Data Protection Authorities (DPAs) are independent public authorities that oversee GDPR compliance and enforcement within each EU member state. Typically, each EU member country has its own DPA, which enforces the GDPR and other local or regional privacy laws. DPAs have the power to investigate GDPR violations, issue fines, and order organizations to take corrective actions.

Who has a duty to monitor compliance with the GDPR? DPAs, certainly, but organizations need to monitor data processing and security themselves every day. This includes which third-party vendors like data processors and other partners are handling user data.

Additionally, the technology and legal landscapes are always changing, so organizations need to keep up with those changes. A consent management solution can help to automate and comply with the GDPR’s consent requirements for use of cookies and trackers, but this is a primary responsibility of legal counsel and/or a privacy expert.

Ensuring GDPR compliance can be challenging, especially for small and medium-sized organizations. In many cases, GDPR compliance requires appointment of a Data Protection Officer (DPO). In smaller organizations, this could be someone who already has another job within the company.

Common compliance challenges include:

• understanding the organization’s specific compliance responsibilities
• obtaining valid user consent
• setting up and maintaining a consent management solution
• implementing appropriate data security measures
• complying with data subject rights requests in a timely manner, particularly when a smaller organization has limited resources available
• reporting data breaches to DPAs within 72 hours

To enable and maintain GDPR compliance, organizations should implement data protection and privacy best practices. Some of these actions are regulatory requirements in some countries, but just recommendations for security and compliance elsewhere. It is important to check on GDPR and other local regulations for requirements applicable to your business:

• conducting data audits to fully understand data processing activities
• conducting data protection impact assessments
• implementing data protection policies and procedures
• training employees on GDPR compliance
• appointing a qualified and well-informed DPO (from outside the company in some cases to access sufficient expertise)
• working with trusted third-party vendors and service providers that are GDPR-compliant
• using a comprehensive consent management solution online to collect and store valid user consent

GDPR enforcement is the process of ensuring that organizations comply with GDPR regulations, like obtaining consent before data processing. It can include activities like investigations of violation reports or audits of a company’s handling of user data, including consent information. Organizations that fail to comply with GDPR requirements, whether failing to obtain valid consent, experiencing a data breach, or other issue, can face significant fines and other penalties.

GDPR fines can range up to € 20 million, or 4% of a company’s annual global revenue, whichever is higher, for severe or repeated offenses, or € 10 million, or 2% of a company’s annual global revenue, whichever is higher, for milder or first offenses. DPAs can also order a halt to data processing activities temporarily or permanently, or even deletion of data.

The largest GDPR fine levied to date was against US-based company Meta, formerly Facebook, for US $1.3 billion over handling of user information. EU privacy regulators gave the company five months to stop transferring EU-based users’ data to the United States. The EU and US have been without the EU-US Privacy Shield framework covering international data transfers since July 2020 when it was invalidated by the “Schrems II” judgment.

Penalties represent a failure of data controllers and processors to adequately comply with the GDPR via understanding and securing their data processing, failing to demonstrate legitimate use of their chosen legal basis, and other issues. Data controllers and processors are also responsible to “cure” GDPR violations to ensure issues do not continue to happen, or happen again in the future.

However, unlike under some other data privacy laws, like those in the United States, under the GDPR there is no “cure period” when organizations accused of or found in violation of the law can fix or remediate data privacy issues without facing penalties.

Data controllers and data processors have specific responsibilities under the GDPR, and organizations should implement best practices to protect data and limit data processing to only what’s necessary. If organizations fail to comply with GDPR requirements, they can face significant fines and other penalties, as well as loss of brand reputation and user trust, which will also impact revenue long-term.

To ensure GDPR compliance, organizations should appoint a DPO if required, implement appropriate data security measures, including limiting data processing and having strong contractual agreements, and work with trusted third-party vendors and service providers.

Organizations should also use comprehensive tools like a Consent Management Platform to inform users and securely collect and store user consent data. Ideally you also want a consent solution to integrate with your tech stack and marketing tools to help integrate consent and data privacy compliance across your operations, user engagement touchpoints, and marketing activities.

Do you have concerns about how to achieve GDPR compliance, or whether you are doing it correctly? We want to help you ensure that your organization meets its responsibilities to users and customers. Check out Cookiebot CMP now for the most reliable, user-friendly consent management solution.

The Cookiebot™ WordPress plugin may be the perfect solution for your WordPress site. It’s fast and easy to install, and enables fully automated GDPR compliance and consent management.

Usercentrics AS (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.