4 Technical and Organizational Requirements under GDPR

To create something exceptional, your mindset must be relentlessly focused on the smallest detail.

— Giorgio Armani

GDPR secures a system of accountability for the protection of personal data by creating rules, bodies, and responsibilities entrusted to specific actors in the market. Accountability requires compliance in implementing technical and organizational measures within a business. The Controller and Processor were defined briefly in the previous chapter; we now examine the responsibilities of these bodies and the technical and organizational measures that form part of a coherent framework under GDPR.

4.1 Accountability

In the early years of the internet, it was difficult to hold businesses accountable for misconduct in their data collection and protection practices. This was partly because the law was not sufficiently developed to hold Data Collectors responsible for duties that did not exist at the time. Gradually, legal trends changed, with courts recognizing the value of data and its connection to privacy. However, Data Controllers and Processors managed to evade, or at least dilute, responsibility by hiding behind the complications created by technology.

For example, a business could shift blame for its decisions onto AI or onto a Subprocessor it claimed to be unaware of. Controllers could justify not reporting a breach by placing blame on the Processor's inaction. GDPR creates a chain of accountability ...
