Vol.15 Issue 1 (2019)

Accountability and Enforcement Aspects of the EU General Data Protection Regulation - Methodology for the Creation of an Effective Compliance Framework and a Review of Recent Case Law

Paolo Balboni, Martim Taborda Barata, Anastasia Botsi & Kate Francis

The General Data Protection Regulation (GDPR), which has been applicable within the EU/EEA since 18 May 2018, has brought about reinforced rules on personal data protection which have dramatically shifted the paradigm for all organisations bound by them. This includes not just those which actively handle personal data as a core part of their business model, but also those which are required to handle personal data (on employees, customers or suppliers, for example) as part of their day-to-day activities – in other words, all organisations falling under the GDPR’s scope. By holding organisations responsible for their own compliance, and requiring those organisations to carefully assess the risks to the rights, freedoms, and legitimate interests of individuals when implementing measures to address these rules, the GDPR demands a higher level of accountability from all organisations concerned – the ability not only to comply with the rules, but also to demonstrate that compliance has been achieved. To help organisations understand how they can address the practical implications brought about by the GDPR, this article seeks to break down a proposed Data Protection Compliance Framework – six overarching steps which, if correctly and comprehensively implemented by those organisations, will allow them to make the necessary adjustments to their internal practices to align with the GDPR’s requirements. To highlight the importance of implementing such a Framework, the article also explores the different types of powers granted to supervisory authorities in order to enforce the Regulation, and includes a selection of relevant supervisory authority decisions to allow insight into common types of GDPR breaches and common enforcement responses (including fines) taken by those authorities.

Author

Prof. Dr Paolo Balboni is a top-tier European ICT, Data Protection & Cybersecurity lawyer and serves as Data Protection Officer (DPO) for multinational companies. Founding Partner of the international law firm ICT Legal Consulting. Professor of Privacy, Cybersecurity, and IT Contract Law at the European Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law. Lead Auditor BS ISO/IEC 27001:2013 (IRCA Certified), he also obtained the EU General Data Protection Regulation DPO Professional University Certificate (ECPC-B DPO). (paolo.balboni@ictlegalconsulting.com and paolo.balboni@maastrichtuniversity.nl) accessed 23 January 2020.

** Martim Taborda Barata, LL.M., is a Partner at ICT Legal Consulting International, and an Intellectual Property, Privacy & Data Protection lawyer registered at the Portuguese Bar Association. He also obtained the EU General Data Protection Regulation DPO Professional University Certificate (ECPC-B DPO). (martim.tabordabarata@ictlegalconsulting.com) accessed 23 January 2020.

† Anastasia Botsi, LL.B., is an Associate at ICT Legal Consulting International. She also obtained the EU General Data Protection Regulation DPO Professional University Certificate (ECPC-B DPO). (anastasia.botsi@ictlegalconsulting.com) accessed 23 January 2020.

‡ Kate Francis, M.Sc., is a Privacy and Ethics Researcher, Development and Communication Specialist at ICT Legal Consulting. Ph.D. candidate at the European Centre on Privacy and Cybersecurity (ECPC) within the Maastricht University Faculty of Law. She also obtained the EU General Data Protection Regulation DPO Professional University Certificate (ECPC-B DPO). (kate.francis@ictlegalconsulting.com) accessed 23 January 2020.