Record of Data Processing Activities
In order to be able to demonstrate compliance with the GDPR (see above about the principle of accountability), both the controller and the processor shall keep a record of processing activities carried out under their responsibility. The information that needs to be included in such a record is listed in art. 30 of the GDPR, and includes (for data controllers):
• name and contact details of the data controller
• the purposes of the processing
• the description of categories of data subjects and the categories of personal data
• the categories of recipients to which the data have been or will be disclosed
• the transfers of personal data outside the European Economic Area
• the envisaged retention periods (if possible)
• a general description of the technical and organisational security measures applied to the processing.
The obligation to maintain a record of data processing activities replaced the obligation to declare the processing to a Supervisory Authority; it is supposed to be primarily a self-assessment tool. The record should be made available to the Supervisory Authority on request. In the context of scientific research, keeping such a record may be interesting from the point of view of Open Methodology and reproducibility of research.
Data Processing Impact Assessment
Art. 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA), which can be described as a "process for building and demonstrating compliance [with the GDPR]". However, carrying out a DPIA is not always mandatory; rather, it is required only when the processing is "likely to result in high risk to the rights and freedoms of natural persons" (art. 35(1) of the GDPR). National Supervisory Authorities (inspired by European Guidelines) have published "black lists" of types of processing operations that always should be regarded as "likely to result in high risk"; in some countries, "white lists" of operations that never require a DPIA have been adopted as well.
It seems that processing carried out in language research would rarely result in a high risk for the subjects, unless the project involves processing of large amounts of sensitive data (such as health data in disordered speech research) or collecting data from vulnerable individuals (like children, the elderly or asylum seekers). However, the WP29 recommends to carry out a DPIA even when it is not required by law.
For more information on DPIA, see these Guidelines.
Data Protection by Design and by Default
The controller is obliged to implement data protection by design and by default.
"Data protection by design" signifies that already at the stage of planning (designing) the processing, the controller shall implement "appropriate technical and organisational measures" to ensure data protection, especially by minimising the use of personal data to what is strictly necessary. It is an important point to take into account in designing language technologies such as machine translation or voice recognition systems.
"Data protection by default" signifies in particular that in a data processing systems all the settings that may impact data protection (such as recording or sharing of personal data) shall be deactivated by default. This also means that no "pre-checked" boxes should be used in online forms that may have an impact on data protection (such pre-checked boxes, by the way, cannot be interpreted as valid consent for the processing).
Notifications of Data Breaches
The GDPR puts particular emphasis on security. Both the controller and the processor are therefore obliged to implement organisational and technical measures to ensure appropriate level of security. It shall be noted that the standard for appropriate level of security will evolve over time, and therefore the technical and organisational measures implemented shall be periodically reviewed.
If a personal data breach occurs (i.e. a loss of confidentiality/accessibility/integrity), the controller shall notify it without undue delay to the data protection authority, and the breach should be duly investigated and documented. In principle, it should be notified to a supervisory authority (many of them provide online forms for this exact purpose), unless the investigation shows that the breach is unlikely to result in a risk for the rights and freedoms of individuals. If, on the other hand, the analysis shows that the breach is likely to result in a high risk for individuals (such as risk of fraud or reputational damage), the breach should be not only notified to the supervisory authority, but also communicated to the affected data subjects.
For more information about handling data breaches, see these Guidelines.