Business-Side Compliance: Controller Obligations Under Data Privacy Law
Data privacy laws typically contain many complex rules and requirements, which makes the task of navigating them to understand and comply difficult.
To tackle that problem, we’ve recommended breaking down data privacy rules into “component parts”—the logical categories of types of rights, requirements, and standards involved.
Last week’s feature of the Echo address consumer rights—powers given to individuals and users to shape how their information is collected and used. These rights frequently include abilities such as to opt-out of collection, access, modify, or delete collected data, or take data with them from one provider to the next (known as “portability”).
This week, we’ll be covering another common aspect of law: controller obligations. We’ll discuss what they are and what they mean for you.
Let’s get started.
Defining Controller Obligations
Under privacy law, “data controllers” are the entities that determine the purpose and means of processing personal data. In plain language, “controllers” are the businesses or organisations that collect data (through their website, upon check-in, etc.). “Controllers” stand in contrast to “data subjects,” the individuals whose data is collected (such as guests).
Thus, “controller obligations” are the comprehensive suite of legal duties that are placed upon those that collect data. Practically, this means that they are the part of privacy laws that are most relevant to hoteliers because they set the standards for what actions compliant businesses must take and what activities are (and are not) lawful.
The purposes of controller obligations are to ensure that data controllers not only act legally, but also in a manner that respects the privacy and autonomy of the consumers and individuals they serve.
Common Obligations
Now that they’ve been defined, what are the typical controller obligations found in privacy law?
There are several types:
1. Privacy Notices
Privacy notices are formal communications that inform individuals about how their personal data is being collected, processed, and managed by an entity.
They serve to provide transparency regarding data processing activities and articulate the privacy practices of the data controller in clear terms. They ensure individuals are aware of the processing of their personal data and understand their rights in relation to that data.
Notices may cover several different types of activity. The list below details their usual forms and whether they are commonly found in modern privacy regulations.
Data Breach Notification – sent to individuals and authorities in the event of a data breach that poses a risk to data subjects.
Inferential Notice – notices about data that has been inferred or derived from the analysis of collected data.
Initial Notice – provided at the time personal data is collected, detailing how and why data will be processed.
Internal Notice – communications within an organisation about general data handling practices not specifically directed at data subjects.
Updated Policy Notice – issued when there are significant changes to data processing activities or policies.
Third-Party Marketing Notice – specific disclosures to individuals regarding the use of their data for third-party marketing when the data has not been shared with the marketer.
2. Consumer Consent
Consent is defined as a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data.
This means that individuals must be provided with a clear choice regarding whether their data is used and for what purposes, without being subjected to any form of coercion, undue pressure, or deception.
For consent to be valid, it must be given through an affirmative action that signifies agreement, such as checking a box on a website, choosing technical settings, or another statement that clearly indicates acceptance of the proposed processing of personal data. Silence, pre-ticked boxes, or inactivity generally do not constitute valid consent under stringent data protection regimes like the GDPR.
3. Purpose Limitations
In addition to precise requirements, many privacy laws include principles that serve as overarching guidance for ethical and legal behavior. One such example is the “purpose limitation” principle, first established by the GDPR (Article 5 (1) (b)).
Put simply, this principle states that:
“Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
This principle ensures that organisations are transparent about their reasons for processing data and restricts them from using the data for new, unrelated, or unlawful purposes without obtaining consent or establishing another legitimate basis.
4. DPIA
A Data Protection Impact Assessment (DPIA) is a systematic and comprehensive analysis of how a particular project or system will affect the privacy of the individuals involved.
DPIAs are often required by data privacy law to help identify and minimize the data protection risks of a project.
For example, laws may make DPIAs mandatory when certain triggers occur, such as processing that involves systematic and extensive evaluation of personal aspects based on automated decision-making, large-scale processing of sensitive data, widespread surveillance of public areas, or other high-risk events.
***
Feeling overwhelmed? Don’t be. VENZA is here to help. Cybersecurity is complex, but in partnership with us, your company can get started in as little as one month. Get a live demonstration today by contacting our Customer Success Team.
Ready to elevate your game? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.
***
Take VENZA’s free Phishing Test to assess gaps in your human firewall today!
Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.
***
Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.