OneTrust GDPR Deep Dive Series
Chapter 4: Controller and Processor

Chapter 4 of the GDPR not only contains the first mention of data protection by design and by default (Article 25), but also houses Article 30, which outlines record keeping requirements for both data controllers and processors; Article 32, which requires the implementation of appropriate technical and organisational security measures; and Article 35, which sets out the requirements for conducting Data Protection Impact Assessments (DPIAs).

Under Article 32, data controllers and processors will be responsible for considering the nature, scope, context, purposes, and risks associated with processing personal data, and will be required to implement technical and organisational measures to ensure protection.

The most effective way for controllers to comply with this is through implementation of data protection by design and by default, a critical aspect of any privacy program. Data controllers must also ensure that, by default, only personal data which are necessary for a specific purpose are processed—this applies to the amount of data collected, the accessibility of the data, storage length, and the extent of data processing.

Article 30 explains that both controllers and processors need to maintain records of processing activities — a new requirement for data processors. It is also expected that these records will be critical to organisations in successfully meeting other requirements of the GDPR, such as identifying and understanding the flow of international data and ensuring that adequate safeguards are in place.

Article 35 addresses the necessity to evaluate the impact that a specific data processing activity might have on the rights and freedoms of individuals. Data Privacy Impact Assessments (DPIAs) are a crucial element of privacy by design and are vital to identifying potential risks and certifying the accountability of a controller’s efforts to safeguard personal data.

Privacy professionals seeking reinforcement for their efforts to comply with the new policies outlined in Chapter 4 can leverage OneTrust’s free offerings here:


Chapter 4 Sections, Articles & Descriptions

Section 1 –– General Obligations

Article 24: Responsibility of the controller
Article 25: Data protection by design and by default
Article 26: Joint controllers
Article 27: Representatives of controllers not established in the Union
Article 28: Processor
Article 29: Processing under the authority of the controller or processor
Article 30: Records of processing activities
Article 31: Cooperation with the supervisory authority

Section 2 –– Security of personal data

Article 32: Security of processing
Article 33: Notification of a personal data breach to the supervisory authority
Article 34: Communication of a personal data breach to the data subject

Section 3 –– Data protection impact assessment and prior consultation

Article 35: Data protection impact assessment
Article 36: Prior Consultation

Section 4 –– Data protection officer

Article 37: Designation of the data protection officer
Article 38: Position of the data protection officer
Article 39: Tasks of the data protection officer

Section 5 –– Codes of conduct and certification

Article 40: Codes of Conduct
Article 41: Monitoring of approved codes of conduct
Article 42: Certification
Article 43: Certification Bodies


GDPR will come into effect on May 25, 2018, and OneTrust believes that every global organization should start considering how to best implement efficient and effective data-handling practices that are replicable and consistent. The GDPR Deep Dive Series delves into each chapter of the GDPR to summarize key takeaways of the new governance in an easy-to-digest format. It is intended to help privacy executives with implementation and operationalization of GDPR regulations, and will be published bi-weekly on our blog.