
Ensuring GDPR Compliance: Understanding Your Responsibilities Under Article 24

GDPR Article 24 is the first section of GDPR that addresses the general obligations of the data controller, which are described in greater detail in subsequent articles.

The change in tone from passive compliance to the use of obligatory language is a hallmark of GDPR legislation, and sets the tone for how controllers are expected to behave later on in the legislation.

GDPR Article 24 Legal Text

EU GDPR Version

Responsibility of the controller

  1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
  2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
  3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

UK GDPR Version

Responsibility of the controller

  1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
  2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
  3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Technical Commentary

‘Measures’

GDPR doesn’t actually define what a technical measure is, which has led to some confusion among organisations that struggle to understand what their obligations are. As such, most legal authorities define a ‘measure’ as any action an organisation can take that makes it compliant.

Adopting a Risk-Based Approach

Given the broad scope of the term ‘measure’, organisations seeking to ascertain how to achieve compliance should undergo a thorough risk assessment that takes into account the nature, scope, context and purposes of their processing activities.

In addition, organisations need to be continually mindful of the rights and freedoms of individuals, alongside any operational risks.

Demonstrating Compliance

As a general rule, the riskier the processing operation, the more evidence is required. Organisations should focus on collecting physical and digital evidence that proves they are a compliant, law-abiding organisation.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

ISO 27701 Clause 5.2.1 (Understanding the Organisation and Its Context) and EU GDPR Article 24 (3)

Before attempting to address privacy protection and implement PII protection measures, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.

This includes:

  • reviewing any prevailing privacy laws, regulations or ‘judicial decisions’;
  • taking into account the organisation’s unique set of requirements relating to the kinds of products and services it sells, and company-specific governance documents, policies and procedures;
  • administrative factors;
  • third party agreements or service contracts.

ISO 27701 Clause 6.15.1.3 (Protection of Records) and EU GDPR Article 24 (2)

Records management encompasses four key areas:

  1. Authenticity;
  2. Reliability;
  3. Integrity;
  4. Usability.

Organisations should:

  • publish guidelines that deal with:
    • storage;
    • handling (chain of custody);
    • disposal;
    • preventing manipulation.
  • outline how long each record type should be retained;
  • observe any laws that deal with record keeping;
  • meet customer expectations about how their records are handled;
  • destroy records once they’re no longer required;
  • classify records based on their security risk, e.g.:
    • accounting;
    • business transactions;
    • personnel records;
    • legal.
  • ensure that they are able to retrieve records within an acceptable period of time, if asked to do so by a third party or law enforcement agency;
  • always adhere to manufacturer guidelines when storing or handling records on electronic media.

ISO 27701 Clause 6.2.1.1 (Policies for Information Security) and EU GDPR Article 24 (2)

ISO advocates for a dual-fronted approach to organisational privacy protection that includes:

  • a general privacy protection policy;
  • topic-specific privacy protection policies.

Both types of policy can either be combined into one document, or separated out as the organisation sees fit.

Policies should be disseminated to all relevant staff members (and external personnel, if need be), to ensure ongoing adherence to internal and external privacy protection requirements.

Anyone who receives a policy should be asked to confirm, preferably in writing, that they both understand what is being asked of them, and are willing to comply.

Policies should be reviewed when changes are made to:

  • business strategy;
  • operational practices/technical environments;
  • any laws (including GDPR), regulatory stipulations or general PII-related guidelines that the organisation has a responsibility to adhere to;
  • privacy protection risk levels and the prevailing/projected threat landscape.

General Policies

Senior management should establish a top-level privacy protection policy (along with other topic-specific policies) that clearly outlines the processes and practical steps that will be taken in order to safeguard PII.

Organisational privacy protection policies should contain information from, and remain relevant to:

  1. the overall business strategy;
  2. any prevailing regulatory, legal or contractual requirements;
  3. any clear and present privacy protection risks.

Privacy protection policies should define the organisation’s:

  • operational definition of privacy protection;
  • stated privacy protection goals;
  • broader set of governing principles relating to the protection of PII;
  • commitment towards meeting their PII-related objectives, and improving them on an ongoing basis;
  • approach to delegating responsibility for all or part of the privacy protection policy to the relevant role types;
  • approach to dealing with exceptions to the policy;
  • plans for Senior Management to review and approve changes.



ISO 27701 Clause 7.2.8 (Records Relating to the Processing of PII) and EU GDPR Article 24 (1)

Records (otherwise known as ‘inventory lists’) should have a delegated owner, and may include:

  1. operational – the specific type of PII processing that’s being undertaken;
  2. justifications – why the PII is being processed;
  3. categorical – lists of PII recipients, including international organisations;
  4. security – an overview of how PII is being protected;
  5. privacy – i.e. a privacy impact assessment report.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article           | ISO 27701 Clause    | ISO 27701 Supporting Clauses
-----------------------|---------------------|-----------------------------
EU GDPR Article 24 (3) | ISO 27701 5.2.1     | None
EU GDPR Article 24 (2) | ISO 27701 6.15.1.3  | None
EU GDPR Article 24 (2) | ISO 27701 6.2.1.1   | None
EU GDPR Article 24 (1) | ISO 27701 7.2.8     | None

How ISMS.online Helps

ISMS.online offers you a complete GDPR solution.

We provide an environment that’s been pre-built for you to describe and demonstrate your approach to protecting your European and UK customer data that fits seamlessly into your management system.

The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to demonstrate your approach to GDPR is substantially reduced.

Got 30 minutes? Find out more by booking a demo.


David Holloway

Chief Marketing Officer

David Holloway is the Chief Marketing Officer at ISMS.online, with over four years of experience in compliance and information security. As part of the leadership team, David focuses on empowering organisations to navigate complex regulatory landscapes with confidence, driving strategies that align business goals with impactful solutions. He is also the co-host of the Phishing For Trouble podcast, where he delves into high-profile cybersecurity incidents and shares valuable lessons to help businesses strengthen their security and compliance practices.
