National data protection authority
Each participating country (also known as a member state) has a national data protection authority (DPA). DPAs are responsible for determining compliance and enforcing relevant laws at a national level, but are required to be very independent, even of their nation’s own government control. Tricky stuff.
Member states may have one or more national DPAs from which complying entities can choose. Each entity can choose one DPA, which regulates GDPR compliance for the entire entity, regardless of how many member states the company operates in or derives its data from (something known as the “one-stop-shop”). The “lead supervisory authority” has the ability to control data processing and protection happening in other member states. Some critics correctly note that companies operating in multiple member states may shop for the most flexible DPA with which to operate, much like they already do for lower taxation and organizational independence today.
Some experts aren’t sure how much benefit would be gleaned by “DPA shopping”. Van Hoof says, “You’re going to see a lot of coordination and communication among DPAs from the different countries. Although there are going to be some differences among DPAs in each country because of their local laws and regulations, 95 percent of what they do will be general and the same no matter what country.”
DPAs were established under a previous EU data protection law, but were significantly strengthened under the GDPR. The DPAs are essentially the official regulators and police in the GDPR scheme. The DPA helps decide on matters of law, and it can investigate companies for potential violations, hold controllers or processors legally responsible for GDPR violations, and assess penalties. It also decides whether an entity can transfer data outside of the EU, and if so, what protections must be applied. For a particular organization, its DPO is likely to be the primary contact to the DPA and vice versa. Because of the inherent responsibilities, both the DPO and especially the DPA are likely to be composed of teams of people and not a single person.
If a data subject feels a violation has occurred, they can contact either the DPO or the DPA, which was selected by the involved company and communicated to the subject. This can be awkward in practice, as a controller’s or processor’s DPO or DPA may not be in the same country, or speak the same language, as the subject.
Data breaches must be reported quickly
Personal data breaches (including theft, data loss, destruction, or adulteration) must be reported immediately, or at least within 72 hours, to the lead supervisory authority (i.e., the DPA). The impacted individuals must be notified if an adverse impact is expected. However, if the data is appropriately encrypted or anonymized, and that ultimate protection has not itself been breached, then the individuals do not have to be notified.