The EPA invites tenders from suitably qualified providers for the provision of a range of professional services in relation to preparing for and implementing the new General Data Protection Regulation. The European General Data Protection Regulation (GDPR) replaces the existing Data Protection Directive and comes into force with immediate effect in May 2018.
The accountability principle is central to the GDPR. It refers to the various obligations the EPA will have to meet in order to demonstrate data protection compliance. Article 22 requires that organisations implement ‘appropriate technical and organisational measures’ to be able to ‘demonstrate’ their compliance with the Regulation, which shall also include ‘the implementation of appropriate data protection policies’. Therefore the EPA will have to implement not only internal and publicly-facing policies, records and notices, but also technical measures, and personnel and strategic changes to its processing operations.
A key shift in the Regulation is towards a risk-based model surrounding the fundamental principles (rather than a prescriptive model), in which organisations that process personal data need to actively and constantly assess the level of risk their processing poses to the fundamental rights and privacy of the individual. Consent, legitimate interest and data protection by design and default are of fundamental importance to the EPA.
This Regulation applies to data controllers or data processors that keep or process any information about living people, referred to as data subjects. The General Data Protection Regulation (GDPR) significantly increases the obligations and responsibilities for the EPA in how we collect, use and protect personal data.