Supervision and Enforcement of GDPR
Many have interpreted the clauses of General Data Protection Regulation, uttering on the guiding principles, its territoriality, heavy fines in cases of non-compliance or the new terms and requirements it is bringing. Yet, there seems nothing concretely and thoroughly explained about the procedures, enforcement and supervision. How does an organization actually comply with GDPR?
Supervision is actually implemented through various methods. It should be highlighted that under GDPR, the bulk of the responsibility falls to the shoulders of data controllers. Data processors are viewed as subordinates to controller and it is the controllers that primarily and effectively determine the purposes personal data will be allocated, stored, changed or used.
The agents to fulfill the supervision and enforcement processes are courts, markets, self-regulatory schemes and citizens.
The one to whom one can be most familiar with could be the administrative authorities of national jurisdiction. The regarding and frequently cited Data Protection Authorities vary from country to country. For UK, it is Information Commissioner’s Office (ICO), for France Commission Nationale de l’Informatique et des Libertes (CNIL) and for Spain Agencia Espanola de Proteccion de Datos (AEPD). These are what we in reality call Data Protection Authorities and they are the only bodies yielded with supervisory and enforcement powers. A significant indication in GDPR’s articles of 51 and 52 that emphasis is on the independence of such authorities. They shall also be equipped and recognized with sufficient skills and resources.
The Article 36 of GDPR makes in important and smart change in the course of law making. It embeds Data Protection Authorities into the processes of law making through consultation. The law assigns the DPAs task to advice the law makers in the processes, to help them embed data protection into the skeleton and initial structure of the law. These bodies are also responsible for dealing with complaints. Article 35 requires the Data Protection Authorities to publish lists of situations where Data Protection Impact Assessments should be conducted. According to the results of assessment, an organization is obliged and advised to consult with the regarding DPA.
Self-regulation is another important tool for data protection collectively. As GDPR’s subjects are mainly organizations that process and control data of data subjects on their behalf, GDPR is aimed to regulate those organizations. In order to avoid heavy fines that may result up to the loss of 4 per cent of yearly revenues, organizations try to regulate themselves permanently. This self-regulation tool in form of compliance is the most effective tool to be witnessed. The same principle also requires the employment of Data Protection Officers, although majority of organization already have one. Distinctive part about DPOs is that DPO’s job stands on the side of the data subject, providing the service for the usage of only sufficient and accurate information to carry out operations.
Another tool is the most appreciated one: Regulation by the citizen. An example is the litigation filed by an Austrian citizen against the Safe Harbor Decision, also in 2014, a Spanish citizen carried the landmark litigation about the right to be forgotten under the Data Protection Directive (1995).
GDPR makes use of some principles and rights that are designated for the sake of data subjects, like integrity and confidentiality principles of Article 5. Individuals, according to the Regulation, have clear paths for pursuing remedies against data controllers. They are entitled to be informed in case of data breaches and in similar and alike cases, data controllers are obliged to inform them; so whenever they are dissatisfied with the processing and usage of their data by processors and controllers, they can file for remedies and complaints, either to controllers directly or to Data Protection Authorities. However, in majority of the cases, Regulation fails to address the capability for the subject to directly address the controller if he or she is satisfied with the usage of the data; instead, the procedure allows the subject to file for complaints directly to Data Protection Authorities, which may extend the time for the recourse and solution of the problem raised.