2 | P a g e A Practical Guide to GDPR Compliance Copyright © Nymity Inc. 2018
Copyright © Nymity Inc. 2018. This manual is based on research conducted by Nymity and the content is provided for educational purposes only. It is not intended to and does not constitute legal advice. Furthermore, reliance on one of the approaches to privacy management presented in this manual is not a guarantee of compliance.
If you require legal advice, you should consult with an attorney. Nymity reserves all rights in this manual, including copyright and intellectual property rights. You may use this manual for your own purposes. This manual may be freely redistributed in its entirety, provided that Nymity trademarks, logos, and this copyright notice are not removed. This manual may not be sold for profit or used in commercial documents without the written permission of Nymity.
Introduction and Overview
The concept of accountability is a common principle for organisations across many disciplines. It embodies the notion that organisations live up to expectations, for example, in their behavior towards data subjects or in the delivery of their products and services. The General Data Protection Regulation (GDPR) integrates accountability as a principle in Article 5(2) which requires organisations to demonstrate compliance with the principles of the GDPR. Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and organisational measures to ensure that organisations can demonstrate that the processing of personal data is performed in accordance with the GDPR. What “appropriate” means is largely dependent on the specifics of the individual company.
Expectations from regulators have shown the obligation to demonstrate compliance is more than a one-off inventory or snapshot of your operations at a certain moment in time. It is not a tick-box exercise or a one-time gap analysis. Demonstrating compliance is a journey and requires ongoing awareness and understanding of your personal data processing operations and embedding privacy management throughout your organisation. There is no more effective way to demonstrate compliance than to show a privacy program and the capacity to comply on an ongoing basis. There is no silver bullet. What works for one company does not necessarily work for another, but a structured approach to GDPR compliance works for all organisations. Those assigned responsibility for GDPR compliance may be asking: “How do I prioritise my efforts to meet GDPR accountability obligations?” It may seem there is no simple answer, as many challenges and questions arise such as:
• I have limited resources
• I don’t understand what the GDPR requires
• I’m new to privacy and privacy management
• I can’t find a checklist that meets my needs
• There is limited documentation on past privacy management
• I have limited budget
• How do I determine what is in place?
• How do I justify more resources?
• How do I maintain records?
• How do I establish and work with a privacy team that does not work for me?
• How do I report status and progress?
• How do I hold others accountable?
• How am I going to demonstrate success?
Since 2002, Nymity has been conducting research on accountability in organisations and has directed dozens of workshops to over 500 privacy professionals around the world. This practical guide leverages this wealth of experience and supports a structured approach to privacy management ensuring that you:
Do not have to be a privacy expert
Quickly gain or augment your GDPR compliance expertise
Can identify and leverage your organisation’s existing privacy management program or, in the absence of a program, existing privacy management activities throughout the organisation
Communicate and report effectively on the status of ongoing GDPR compliance
Scale your privacy management program based on resources available
Focus on the highest risk areas
Prioritising your Accountability Obligations in Two Steps
The answer to the question, “How do I prioritise?” is broken into two steps:
Step 1: Baseline your GDPR compliance. Identify, understand, and document the status of GDPR compliance throughout the organisation including resources such as people, processes, technology, and tools. See which of your existing technical and organisational measures and accountability mechanisms may be repurposed for GDPR compliance.
Step 2: Plan. Define a privacy management plan for implementing the “In Progress” and “Desired” technical and organisational measures to develop an ongoing capacity to comply with the GDPR.
This Guide is supported by four appendices:
Appendix A: Key Concepts
This manual relies on seven key concepts. Links to the relevant key concepts are provided throughout this guide.
Appendix B: Fundamentals of Structured Privacy Management
This section provides a deeper understanding of the structured approach to privacy management used in this manual.
Appendix C: Getting Started with a GDPR Compliance Strategy
In this appendix the GDPR is mapped to the Nymity Privacy Management Accountability Framework™, identifying 55 technical and organisational measures that, if put in place, may help demonstrate compliance with the GDPR.
Appendix D: Common Approaches to Prioritising GDPR Compliance Planning
This appendix outlines four common approaches to prioritising the implementation of “Desired” technical and organisational measures for GDPR Compliance.
The Structured Approach:
Works for any organisation, regardless of size, sector or industry;
Embeds privacy management accountability throughout the organisation;
Works with available resources;
Enables the demonstration of GDPR compliance; and
Documents the justification for resources to enhance GDPR compliance efforts.
When prioritising GDPR compliance, a wide variety of approaches are typically promoted such as beginning with a data inventory, a governance structure or conducting Data Protection Impact Assessments. The challenge with these traditional approaches is that not all organisations have the resources or the business case to begin their privacy management with these steps. The approach to prioritising detailed in this Guide is based on the concept of structured privacy management. Structured privacy management is a proven method for implementing an effective privacy management program that allows organisations to demonstrate an ongoing capacity to comply. It is founded on three elements: responsibility, ownership, and evidence.
Responsibility, Ownership and Evidence
Structured privacy management is embedded throughout an organisation when there are three components present: responsibility, ownership, and evidence [1].
1. Responsibility
The organisation maintains effective privacy management consisting of ongoing privacy management activities (technical and organisational measures).
Nymity’s extensive research on privacy management programs has identified over 130 technical or organisational measures that need to take place in organisations. Technical and organisational measures are not high-level principles but constitute any activities conducted, anywhere throughout the organisation to:
Protect personal data
Respect the rights of data subjects
Comply with obligations
Putting in place appropriate technical and organisational measures means implementing and maintaining ‘accountability mechanisms’.
[1] For further discussion on the components of accountability, please refer to Appendix B: Fundamentals of Structured Privacy Management.
Nymity Privacy Management Accountability Framework™
What is a Structured Approach to Privacy Management?
Structured Privacy Management is embedding ongoing technical and organisational measures throughout the organisation, resulting in the ability to demonstrate evidence-based accountability and compliance.
Accountability mechanisms include policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards, and other mechanisms that mitigate internal and external privacy risk.
Based on this research, Nymity developed the Nymity Privacy Management Accountability Framework™ (“Framework”). This comprehensive Framework lists the technical and organisational measures in an industry and jurisdiction-neutral fashion and groups them into 13 privacy management categories. The Framework forms the foundation for the “responsibility” element in a structured approach to privacy management.
Rather than a checklist to be completed, the Framework represents a menu of options for GDPR compliance and privacy management that can be adapted for any organisation. No two organisations’ privacy management is the same, and thus, this Framework provides the flexibility necessary for planning, scaling, and communicating privacy management for organisations of any size, across industries. The appropriate technical and organisational measures are determined based on GDPR compliance requirements, risk to data subjects, organisational risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for collection, use and disclosure, etc.). Since the Framework is jurisdiction-neutral, privacy management activities implemented for GDPR will subsequently also support the demonstration of compliance in other jurisdictions.
2. Ownership
An individual is accountable for the management and monitoring of privacy management activities (technical and organisational measures).
Ownership is the second element of accountability and builds upon the element of responsibility. Even if the Privacy Office is accountable for GDPR compliance, the Privacy Office itself usually processes very little, if any, personal data. As such, the effectiveness of GDPR Compliance and privacy management in general relies on the appropriate technical and organisational measures being performed at all points of the personal data life cycle, from the point of collection to the point of destruction. Ownership of many accountability mechanisms will reside within an organisation’s operational and/or business units (human resources, marketing, product development, IT, customer service, etc.) where the data is being collected and processed.
3. Evidence
Documentation that is a by-product of accountability mechanisms is made available by the owner.
When accountability mechanisms are being maintained, documentation is produced. That documentation can be used as evidence of accountability, ownership and GDPR compliance. Evidence can be formal (e.g. policies, procedures) or informal (e.g. communications, workflows). When using a structured approach to GDPR Compliance, evidence is always a by-product of an accountability mechanism, i.e. evidence is not produced for the sake of documentation but because of an activity.
As noted above, there are a wide variety of approaches traditionally promoted to prioritise your GDPR compliance initiatives, such as beginning with a data inventory, an enterprise-wide risk assessment or conducting data protection impact assessments. However, not all organisations have the resources or the business case to support the ability to begin their privacy management with these activities. Based on our research, Nymity has developed a two-step process for getting started with GDPR compliance that works for all organisations. This two-step approach is independent of the amount of resources available or the level of initial expertise of the Privacy Office/DPO.
In a structured approach to privacy management, responsibility means the appropriate technical and organisational measures have been implemented and are maintained on an ongoing basis, resulting in the creation of appropriate accountability mechanisms.
By the time you have completed Step 1 (Baseline), your knowledge of GDPR compliance obligations and accountability will have increased significantly.
Two Steps to Prioritising
Step 1 – Baseline: Baseline existing GDPR compliance obligations and resources available in the organisation.
Step 2 – Plan: Create a plan to implement your “In Progress” and “Desired” technical and organisational measures.
Step 1 – Baseline your Existing Privacy Program for GDPR Compliance
The first step to prioritising GDPR compliance is to baseline the status of existing technical and organisational measures that address GDPR compliance obligations. You may have more measures in place than you are aware of.
Using the Nymity Privacy Management Framework™ for Identifying GDPR Compliance Measures
The Privacy Office does not need to start with a blank page when baselining GDPR compliance in the organisation. Instead, the Privacy Office can simply use the Framework adapted for GDPR.
Nymity Research has identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance. These have been mapped to the Framework resulting in the identification of 55 “primary” technical or organisational measures. If implemented, these measures may produce documentation that will help demonstrate ongoing compliance with your GDPR compliance obligations (some measures may not apply to your organisation [2]). In this step, you identify the status for each of these 55 activities.
[2] See Appendix C for this mapping.
Print Full Scope
Each technical and organisational measure is supported by a scope and it is recommended to have the scope document available. The scopes can be found at www.nymity.com/pmaf.
1. Assign Status
To baseline existing GDPR privacy management, you must first identify which technical or organisational measures are already “Implemented” or “In Progress”.
Implemented: Technical or organisational measures that are already in place and have sufficient resources to be maintained are categorised as “Implemented”. Note: If the measure is not being maintained, supported by appropriate accountability mechanisms, or if there are insufficient resources to maintain it, then the measure is categorised as “In Progress”.
In Progress: If the technical or organisational measure is resourced and is in progress of being implemented, or is scheduled to be implemented, it is categorised as “In Progress”. For larger organisations that are implementing a technical or organisational measure in multiple countries or multiple divisions, the status of the activity remains “In Progress” until the activity is implemented in every country, or function, for which the Privacy Office/DPO has decided it is required. Note: If the technical or organisational measure is neither “Implemented” nor “In Progress”, it will be categorised as “Desired”.
Desired: Technical or organisational measures which are determined to be applicable or relevant for GDPR compliance but are not currently Implemented or resourced for implementation (In Progress) are categorised as “Desired”.
Not Applicable (N/A): Some of the 55 technical or organisational measures identified for GDPR compliance may not be applicable to the organisation. These are categorised as “N/A”.
“In Progress” and “Desired” technical or organisational measures are addressed in detail in Step 2: Plan. This section addresses the selection, prioritisation, and resourcing of these desired measures which is the foundation of planning.
Initial Status of Identified Technical or Organisational Measures
As stated above, responsible organisations will already have privacy management embedded throughout the organisation prior to a formal GDPR implementation plan. It is recommended that the technical and organisational measures that have been identified as existing in the organisation be categorised with a status of “In Progress” until they have been reviewed by the Privacy Officer for compliance with GDPR.
2. Ownership: An owner is an individual who is answerable for the management and monitoring of the technical and organisational measures. In some cases, the owner will be the Privacy Officer who is completing the baseline exercise. However, in many instances the technical and organisational measures will reside within the operational or business units, including human resources, marketing, product development, IT or customer service (where the data is being collected and processed). For example:
Technical or organisational measures that may be maintained by the Privacy Office are:
Maintain a data privacy policy
Conduct privacy training
Maintain a data privacy notice that details the organisation’s personal data handling practices
Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.
Technical or organisational measures maintained by the operational unit are:
Integrate data privacy into direct marketing practices
Integrate data privacy into hiring practices
Next, identify the owners for the technical and organisational measures and record them.
3. Resources to Maintain: It takes resources to implement and maintain effective privacy management. Resources include people, processes, technology, and tools. One challenge with traditional approaches (such as “start with a data inventory”) is they generally assume resources are available, or that management will provide the resources, once requested, to maintain the inventory. This is often not the case. Without an early focus on understanding what resources are available for GDPR compliance and ongoing privacy management, prioritising can quickly turn into a frustrating experience for the Privacy Officer.
Completing your baseline exercise will likely require working with the operational units and business units such as HR, IT, Customer Service, Security, Procurement, Legal, Marketing, Product Development and all departments that process personal data or impact the processing of personal data.
Resources Examples
If you are looking for a deeper understanding of resources and more examples, please review Appendix A: Key Concepts: Resources.
In the next part of this step you will identify the resources to maintain the “Implemented” and “In Progress” technical or organisational measures and understand available resources. If you discover there are no resources allocated to maintaining a privacy management activity you have identified as “Implemented”, then the Status should be changed to “In Progress” until sufficient resources are allocated and the measure is maintained. In this step, it is likely resources will be identified that can help enhance privacy management. For example, you may discover the marketing manager is willing to support enhancement of privacy management in the marketing department. It is best to identify all resources available to best prepare for Step 2: Plan.
4. Evidence
The next phase of the Baseline step is to record evidence of technical or organisational measures. For all “Implemented” measures, identify the existing documentation that resulted from putting in place technical or organisational measures and record it.
Create a documentation list that can be used as evidence. This could include formal documentation such as policies, procedures, and protocols, or it could be informal documentation, such as emails, meeting minutes, presentations, hyperlinks to internal documents and screenshots. For each document, it is helpful to not only note the name and location of the document, but also when it was last updated. It is important to review all existing documentation with your Privacy Office to determine its compliance with GDPR obligations. If it does not, then the status may shift back to “In Progress”.
To help identify what you might have in place, the Nymity GDPR Accountability Handbook™ provides hundreds of examples of accountability mechanisms related to technical and organisational measures specific to GDPR obligations and lists example evidence for each. See example below:
Evidence Examples
If you are looking for a deeper understanding of evidence, and more examples, please review Nymity’s GDPR Accountability Handbook™.
Step 2 – Plan
The next step in prioritising your GDPR accountability obligations is to create a plan for addressing all “In Progress” and “Desired” technical and organisational measures in order to attain the ongoing capacity for compliance.
Prioritise “In Progress” and “Desired” Technical and Organisational Measures
To begin this step it is necessary to identify the required technical and organisational measures “In Progress” and “Desired” to achieve GDPR compliance.
Appendix D: Common Approaches for Prioritising GDPR Compliance Planning
To prioritise your “In Progress” and “Desired” technical and organisational measures, it is important to note there are no silver bullets. What works for one organisation may not work for another. However, Nymity’s extensive research and experience working with companies implementing GDPR compliance has identified many approaches to implementing “Desired” technical and organisational measures, including the below common approaches:
• Inventory (Record of Processing Activities Register) approach
• Resource approach
• Regulator approach
• Risk approach
• Project Management approach
Use this Appendix for ideas on GDPR Compliance prioritisation approaches that may best align with your business.
Update “In Progress” and “Desired” status
A review of the “Desired” privacy management activities is only required to ensure the technical and organisational measures identified in your approach are accurately reflected in your documentation.
Priorities
The priority for your approach may be defined by the resources available.
It is now time to complete this step.
1. Resources to Implement
For “In Progress” and “Desired” technical and organisational measures it is important to document the required resources to ensure a successful implementation. This will help assess the viability of the organisation implementing the technical or organisational measures and changing the status.
2. Implement when it can be maintained
Demonstrating compliance with the GDPR is an ongoing effort – not a point-in-time status. It is recommended you first consider the resources available. In many cases, the initial effort to implement an activity will be higher than the effort to keep an activity up-to-date (“maintain” it). However, it is important for maintenance to be considered right from the start. For example, with the technical and organisational measure ‘Maintain a data privacy policy’, the initial effort required to draft a policy may require a medium level of resources. Also, the policy must be socialised with key stakeholders to achieve buy-in and improve the chances of adoption and, ultimately, it should be approved by executive leadership. Publishing or issuing the policy is just the first step. It must then be reviewed on a periodic basis to ensure it is still aligned with legislative requirements and the business environment, and should be updated as needed to reflect changes. A failure to keep the policy up-to-date will result in increased privacy risk. Although the effort to carry out these periodic reviews and updates requires lower resources, it should be factored into the planning and prioritisation. If not enough resources are available to maintain the measure, it is important to note this, as this becomes a justification to make the case for appropriate resources.
Resources Examples
If you are looking for a deeper understanding of the resources and more examples, please review Appendix A: Key Concepts: Resources.
3. Resources to Maintain
As described when completing the Baseline step, the resources required to maintain activities need to be identified. It is important to secure the resources to maintain a technical or organisational measure prior to the implementation. Without adequate maintenance, it could have limited effectiveness.
What’s Next?
The Baseline and Plan steps described above provide a structured privacy management approach to getting started with GDPR compliance. After those steps are implemented, privacy management becomes an ongoing process. Once a technical and organisational measure is implemented it then needs to be maintained. If there are sufficient resources available after a measure is implemented, the resources can be re-directed to other “In Progress” or “Desired” measures.
In practice, “Implemented” technical and organisational measures status may change back to “In Progress” for a variety of reasons, including new legislation, regulations, DPA enforcement activity and guidelines or court decisions. At all stages of privacy management, it is important to report on your progress. In the beginning of your compliance efforts, it is important to build the business case to justify the resources required for GDPR compliance. As privacy management matures, ongoing reporting is important to ensure there are resources to maintain the implemented technical and organisational measures. Maintaining this workbook becomes a technical or organisational measure that enables your privacy management and reporting purposes for years to come.
NOTE: Nymity has several resources to assist organisations in this structured approach to GDPR Compliance.
Free Resources:
Nymity Privacy Management Accountability Framework™
Framework for Demonstrable GDPR Compliance
GDPR Accountability Handbook™
https://www.nymity.com/data-privacy-resources.aspx
Nymity’s Privacy Office Support Software:
Quickly build or enhance privacy management throughout your organisation with over 700 downloadable expert resources associated with 130+ privacy management activities. https://www.nymity.com/products/privacy-management-templates.aspx
Take control of privacy management with Nymity Planner™, the ideal solution for the privacy office looking to build, enhance, and structure privacy management throughout the organisation. https://www.nymity.com/products/privacy-management-planner.aspx
Understand and compare privacy management and GDPR Compliance across your organisation to other organisations with Nymity Benchmarks™. https://www.nymity.com/products/privacy-program-metrics.aspx
Appendix A: Key Concepts
To fully maximise the approach in this Guide, it is best to understand underlying key concepts leveraged in this Guide.
1. Privacy Officer
2. Resources
3. Context
4. Stand-Ready to Demonstrate On-Demand
1. Privacy Office
The Privacy Office is all the individuals responsible for privacy management. One of the key roles in privacy management is the individual within the organisation responsible for privacy management, which in this manual is called the Privacy Officer. The role can go by many titles including Privacy Counsel, Privacy Officer, Chief Privacy Officer, Data Protection Officer, or could even be an individual that does not have privacy in their title such as a CISO. These individuals can reside in many departments, for example, legal, compliance, and risk.
2. Resources
Resources are what is available to the privacy office to implement and maintain the technical and organisational measure. Nymity’s research has identified four categories of resources and the following table provides several examples:
Table 1 provides examples of Privacy Management Program Resources.
Table 1: Examples of Privacy Management Program Resources
People:
Employees – full or partial headcount
Buy-in or support from Executives/Senior Management
Other departments or groups such as Internal Audit, Compliance, ERM
Shared Services (Info Sec, IT, Legal, Procurement)
External Consultants/Advisors/Auditors/Service Providers
Data Protection Authority
Processes:
Workflows for approval/sign-off
Monitoring/Reviewing controls or mechanisms
Communications/Meetings
Training/knowledge sharing
Escalation paths
Technology:
File/document sharing platforms
Collaboration tools
Information Security/Data Protection controls
ERP Systems
Ticketing Systems
E-Learning System
Tools:
Compliance research subscriptions
Subscription newsletters to stay informed
Templates and samples
Privacy management systems
Privacy/Risk/Compliance Reporting Software
PIA solutions
Rationalised rules table generators
Benchmarking solutions
3. Context
Privacy is contextual, and thus, privacy management must be contextual. Therefore, there are no standard checklists to which a Privacy Officer can point and say, “We are responsible”. To articulate how the organisation’s data processing activities are carried out in compliance with the Rules (i.e. to demonstrate compliance), one must understand the activities themselves, the motivations behind them, how the Rules apply, along with many other factors. Privacy officers are uniquely positioned to demonstrate compliance and accountability. They have the expertise to interpret requirements, the knowledge to understand how they apply to each type of processing, and can communicate the context of compliance. Privacy context includes:
1. Rules [3]
Organisations in most jurisdictions are required to comply with privacy laws and regulations – over 770 privacy laws exist around the world. In addition, they must often comply with policies or other commitments such as privacy notices or codes of conduct. These requirements are collectively referred to as Rules. The Privacy Officer understands the Rules and therefore can provide context for how they apply to each type of data processing.
2. Data Processing Practices
The Privacy Officer understands the organisation’s practices that involve the processing of personal data, including business operations and back office functions, such as human resources, marketing, and finance. Working with stakeholders throughout the organisation, the Privacy Officer can understand and provide context for how the Rules apply to organisational practices.
3. Privacy Management
The Privacy Officer understands the privacy management activities that have been implemented throughout the organisation and how they are maintained. Many decisions related to privacy management are influenced by the Rules and how they apply to data processing. Explaining these decisions is a key element of providing context.
[3] Rules: Requirements of a law, regulation, policy, or other commitment such as a privacy notice or code of conduct.
4. Privacy Risk
The Privacy Officer understands the risk of harm to individuals and to the organisation [4]. The Privacy Officer can explain how privacy risk can influence decisions related to which privacy management activities to implement and why. Related to privacy risk, another element of context is the decision to prioritise one risk mitigation activity over another, when resources are limited.
For some technical and organisational measures, it is obvious how the evidence can be used to demonstrate compliance. For example, if a Rule requires that a privacy notice contains certain elements [5], it is easy to determine the elements are present when the privacy notice is provided. This would not require the Privacy Officer to contextualise the evidence. In other cases, it is not obvious. For example, Rules often require that data is not processed for purposes beyond those for which it was collected. In this scenario, Evidence may include policies and guidance instructing employees of the requirement and explaining how to assess if processing is carried out within the boundaries of the original data collection purpose. These are simple to map to the Rule, which is a good start, but doesn’t go far enough. Just issuing the guidance does not yet ensure that data is not processed beyond what is allowed. To demonstrate privacy is effectively embedded, the privacy office might show Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) are required for all new collection and use of personal data [6]; part of the (D)PIA includes identifying the original purpose for collection and determining if this use is consistent. This Evidence likely requires contextualisation.
The following example provides a more in-depth explanation of how Evidence can be contextualised to answer the question: How does the organisation comply with the Rules? The Privacy Officer may want to demonstrate how the outbound telemarketing team within a call centre complies with a requirement to obtain consent to collect and use data for selling a product. The Privacy Officer can use existing privacy management documentation (e.g. Evidence) and provide context to demonstrate compliance as follows:
[4] “Conduct an Enterprise Privacy Risk Assessment” found in Maintain Governance Structure in the Nymity Privacy Management Accountability Framework™.
[5] “Maintain a data privacy notice that details the organisation’s personal data handling practices” found in 8. Maintain Notices in the Nymity Privacy Management Accountability Framework™.
[6] “Maintain PIA/DPIA guidelines and templates” found in 10. Monitor for New Operational Practices in the Nymity Privacy Management Accountability Framework™.
[7] “Maintain a data privacy policy” found in 3. Maintain a Data Privacy Policy in the Nymity Privacy Management Accountability Framework™.
[8] “Maintain a data privacy policy” found in 3. Maintain Data Privacy Policy in the Nymity Privacy Management Accountability Framework™.
[9] “Conduct privacy training” found in 5. Maintain Training and Awareness Program in the Nymity Privacy Management Accountability Framework™.
[10] “Conduct privacy training reflecting job specific content” found in 5. Maintain Training and Awareness Program in the Nymity Privacy Management Accountability Framework™.
Privacy Management Activity: Maintain a Data Privacy Policy [7]
Evidence: Privacy Policy
The data privacy policy [8] contains a provision which states the organisation must obtain consent for all types of data processing that cannot be carried out under one of the five other legal bases enshrined in the GDPR.
Context: Rules, Data Processing, Privacy Management
Having identified the call centre as a point of data collection and use [Data Processing] for marketing purposes, the privacy office determines consent is required. The data privacy policy is a privacy management activity which sets the expectation for obtaining consent [Rules, Privacy Management].
Evidence: Data Privacy Training Materials
The general data privacy training curriculum for all employees with access to personal data [9] contains general guidance for obtaining consent. The role specific privacy training for call centre employees [10] contains more specific guidance for when and how to obtain and record consent when collecting data.
[11] “Integrate data privacy into telemarketing practices” found in 4. Embed Data Privacy into Operational Practices Program in the Nymity Privacy Management Accountability Framework™.
[12] “Conduct internal Audits of the privacy program (e.g., operational audit of the Privacy Office)” found in 12. Monitor Data Handling Practices in the Nymity Privacy Management Accountability Framework™.
Context: Privacy Management
The Privacy Office can show, using general and role specific privacy training, that the expectation to obtain consent is reinforced and communicated proactively [Privacy Management].
Evidence: Call Centre Scripts
The call centre utilises scripts for outbound telemarketing which guide the employees on how to obtain unambiguous consent for processing [11].
Context: Rules, Privacy Management
The Privacy Office can demonstrate employees are provided with tools to help them comply with the policy [Rules], as the scripts include a statement explaining the privacy notice and obtaining unambiguous consent. The scripts also include language on how to react in case the customer does not want to provide consent [Privacy Management].
Evidence: CRM Screen Shots
The Customer Relationship Management (CRM) system contains a field where consent and opt-out requests are recorded. Validation mechanisms prevent the user from extracting a record for a purpose for which consent has not been obtained.
Context: Data Processing
Because the Privacy Officer understands how data is collected and flows throughout the organisation [Data Processing], he or she can use the CRM to demonstrate consent is being collected and managed.
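The validation mechanism this CRM evidence refers to can be illustrated in code. The following is an added example, not the guide's or Nymity's code: a purpose-bound consent gate over a constructed CRM extract, with the opt-out case, the "consent for a different purpose" case and an audit trail of every decision, plus the counts a privacy office could report as a metric. Names such as `extract_for_purpose` and the sample customers are assumptions for illustration.

```python
"""Purpose-bound consent gate over CRM records (constructed example, not Nymity's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class ConsentStatus(Enum):
    GRANTED = "granted"
    WITHDRAWN = "withdrawn"  # customer opted out after consenting


@dataclass
class ConsentRecord:
    purpose: str              # consent is purpose-specific, e.g. "telemarketing"
    status: ConsentStatus
    recorded_at: datetime     # when the agent's script step captured the decision
    source: str               # which script or channel captured it (the evidence trail)


@dataclass
class Customer:
    customer_id: str
    consents: list[ConsentRecord] = field(default_factory=list)


@dataclass
class AuditEntry:
    requested_by: str
    purpose: str
    customer_id: str
    decision: str             # "allowed" or "denied"
    reason: str
    when: datetime


def has_valid_consent(customer: Customer, purpose: str) -> tuple[bool, str]:
    """Decide on the most recent record for this purpose only; consent for another purpose never carries over."""
    matching = [c for c in customer.consents if c.purpose == purpose]
    if not matching:
        return False, "no consent recorded for purpose"
    latest = max(matching, key=lambda c: c.recorded_at)
    if latest.status is ConsentStatus.WITHDRAWN:
        return False, "consent withdrawn"
    return True, "consent granted"


def extract_for_purpose(customers, purpose, requested_by, audit_log):
    """Return only customers whose consent covers the purpose; every decision is appended to audit_log."""
    allowed = []
    now = datetime.now(timezone.utc)
    for cust in customers:
        ok, reason = has_valid_consent(cust, purpose)
        audit_log.append(AuditEntry(requested_by, purpose, cust.customer_id,
                                    "allowed" if ok else "denied", reason, now))
        if ok:
            allowed.append(cust)
    return allowed


def consent_metrics(customers, purpose) -> dict[str, int]:
    """Counts the privacy office could report as a privacy management metric."""
    counts = {"granted": 0, "withdrawn": 0, "not_recorded": 0}
    for cust in customers:
        ok, reason = has_valid_consent(cust, purpose)
        if ok:
            counts["granted"] += 1
        elif reason == "consent withdrawn":
            counts["withdrawn"] += 1
        else:
            counts["not_recorded"] += 1
    return counts


def build_sample_crm() -> list[Customer]:
    """Constructed CRM extract covering the cases the gate must handle (hypothetical data)."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2018, 6, 1, 14, 30, tzinfo=timezone.utc)
    tm = "telemarketing"
    return [
        Customer("C001", [ConsentRecord(tm, ConsentStatus.GRANTED, t0, "outbound-script-v3")]),
        Customer("C002", [ConsentRecord(tm, ConsentStatus.GRANTED, t0, "outbound-script-v3"),
                          ConsentRecord(tm, ConsentStatus.WITHDRAWN, t1, "opt-out-request")]),
        Customer("C003", [ConsentRecord("service_notifications", ConsentStatus.GRANTED, t0, "web-form")]),
        Customer("C004", []),
    ]


if __name__ == "__main__":
    log: list[AuditEntry] = []
    for c in extract_for_purpose(build_sample_crm(), "telemarketing", "agent-17", log):
        print("callable:", c.customer_id)
    for e in log:
        print(e.customer_id, e.decision, e.reason)
    print(consent_metrics(build_sample_crm(), "telemarketing"))
```

The audit log is the kind of by-product an internal audit or the privacy office can later use as evidence that the consent rule is enforced at the point of use, not only stated in policy.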
Evidence: Privacy Office Consultation
The Call Centre Director reached out to the privacy office via email to inquire about how the organisation’s policy around obtaining unambiguous consent should be applied in a jurisdiction where law permits implied consent. These emails and follow-up discussions show how the Privacy Officer assisted the call centre to address consent requirements.
Context: Rules, Privacy Risk
The privacy office can explain that even though the law does not require unambiguous consent in all cases [Rules], they have made the decision to obtain unambiguous consent. By simplifying the process and defaulting to the most restrictive requirement, the organisation is less likely to be non-compliant [Privacy Risk].
Evidence: Audit Results
An internal audit of call centre operations included listening to a selection of recorded calls to determine if the process for obtaining consent was followed [12]. No exceptions were reported.
Context: Privacy Management, Privacy Risk
Although the Privacy Office did not conduct the internal audit, it becomes documentation that can be used as evidence of privacy accountability and compliance. The report shows the selected calls followed the requirements in the data privacy policy [Rules]. As the policy exceeds the requirements of the law [Rules], the privacy office can explain why they determined there is a minimal risk of non-compliance with legal requirements for consent [Rules].
The privacy office could answer the question: how does the organisation comply with the rules around consent? Note that in the above example, the Privacy Office could demonstrate compliance using existing privacy management documentation; no additional documentation was produced. Also note the documentation alone would not be sufficient to demonstrate compliance to someone who did not understand the Rules applied to the organisation, the way data is processed, how privacy management is embedded in the organisation, or the privacy risk profile. The demonstration of compliance required the context provided by the Privacy Officer.
4. Stand-Ready to Demonstrate On-Demand
Organisations that keep the Workbook up to date with documentation serving as evidence have the capacity to stand ready to demonstrate responsible privacy management (that is, accountability and/or compliance) on demand. Some organisations will take more of an assessment-based approach and update the Workbook on an annual basis. Being able to stand ready to demonstrate compliance on demand allows the privacy office to contextualise responsible privacy management (accountability) at any time. Also, the Privacy Officer can contextualise compliance to a Regulator at any time (for example, if there was an investigation or they were to proactively reach out to a Privacy or Data Protection Regulator).
Since 2002, Nymity has been conducting global research and on-the-ground workshops with privacy and Data Protection Regulators to examine what it takes for organisations to “demonstrate” accountability through effective privacy management. One outcome is the understanding that structured privacy management has three key elements: 1. responsibility, 2. ownership, and 3. evidence.
1. Responsibility
Responsible organisations maintain the right set of privacy management activities.
Nymity’s research has resulted in the Nymity Privacy Management Accountability Framework™ (“Framework”). It is this Framework that forms the foundation for the “responsibility” element in a structured approach to privacy management.
The Framework is not a checklist of activities that must be completed; it is a menu of privacy management activities that can be adapted to any organisation. No two organisations’ privacy management is the same, and thus this Framework provides the flexibility necessary for planning, scaling, and communicating privacy management. The Framework is not based on principles or controls, but on privacy management activities that can be monitored and tracked. It is a comprehensive, jurisdiction- and industry-neutral listing of 130+ privacy management activities within 13 Privacy Management Categories.
In a structured approach to privacy management, responsibility means appropriate technical and organisational measures have been implemented and are maintained on an ongoing basis. The appropriate measures are determined based on the organisation’s compliance requirements, risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for collection, use and disclosure, etc.).
Privacy Management Categories
1. Maintain Governance Structure
2. Maintain Personal Data Inventory
3. Maintain Data Privacy Policy
4. Embed Data Privacy into Operations
5. Maintain Training and Awareness Program
6. Manage Information Security Risk
7. Manage Third-Party Risk
8. Maintain Notices
9. Maintain Procedures for Inquiries and Complaints
10. Monitor for New Operational Practices
11. Maintain Data Privacy Breach Management Program
12. Monitor Data Handling Practices
13. Track External Criteria
2. Ownership
An individual is answerable for the management and monitoring of each of the privacy management activities.
Ownership is the second element of structured privacy management and builds upon the element of responsibility. Even if the Privacy Officer is accountable for data privacy or compliance, the privacy office itself usually processes very little, if any, personal data. As such, effectiveness relies on the appropriate technical and organisational measures being performed at all points of the personal data life cycle, from the point of collection to the point of destruction. Ownership of some privacy management activities will reside within the operational and business units where data is being collected and processed, for example, human resources, marketing, product development, IT, customer service, etc.
Privacy management activities may be:
Maintained by the Privacy Officer. For example:
- Maintain a data privacy policy
- Conduct privacy training
- Maintain a data privacy notice detailing the organisation’s personal data handling practices
- Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.
Influenced or observed by the Privacy Officer. For example:
- Integrate data privacy into direct marketing practices
- Integrate data privacy into an information security policy
- Conduct due diligence around the data privacy and security posture of potential vendors/processors
Table 0.2 provides examples of technical and organisational measures within each of the 13 Privacy Management Categories performed by various stakeholders within the organisation.
Privacy Management Categories | Activities Owned by the Privacy Office (Examples) | Activities Owned by Operational Units (Examples, with Owner)
1. Maintain Governance Structure | Maintain a Privacy Strategy | Human Resources: Require employees to acknowledge and agree to adhere to data privacy policies
2. Maintain Personal Data Inventory | Maintain an inventory of key personal data and/or processing activities | Corporate Records Management: Classify personal data holdings by type (e.g. sensitive, confidential, public)
3. Maintain Data Privacy Policy | Maintain a data privacy policy | Human Resources: Maintain an employee data privacy policy
4. Embed Data Privacy into Operations | Maintain policies/procedures for collection and use of children and minors’ personal data | Marketing: Integrate data privacy into direct marketing practices
5. Maintain Training and Awareness Program | Conduct privacy training | Customer Service: Incorporate data privacy into operational training, such as HR, security, call centre
6. Manage Information Security Risk | Maintain an acceptable use of information resources policy | Information Security: Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
7. Manage Third-Party Risk | Maintain data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates) | Legal: Maintain procedures to execute contracts or agreements with all processors
8. Maintain Notices | Maintain a data privacy notice | Facilities/Corporate Security: Provide notice by means of on-location signage, posters
9. Maintain Procedures for Inquiries and Complaints | Investigate root causes of data protection complaints | Call Centre: Maintain procedures to address complaints
10. Monitor for New Operational Practices | Maintain PIA/DPIA guidelines and templates | Information Technology: Conduct PIAs/DPIAs for new programs, systems, processes
11. Maintain Data Privacy Breach Management Program | Maintain a data privacy incident/breach response plan | Legal: Engage a forensic investigation team
12. Monitor Data Handling Practices | Monitor and report privacy management metrics | Internal Audit: Conduct internal audits of the privacy program (e.g., operational audit of the Privacy Office)
13. Track External Criteria | Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc. | Compliance: Document decisions around new requirements, including their implementation or any rationale behind decisions not to implement changes
Table 0.2 – Examples of Activities Owned by the Privacy Office and Operational Units
3. Evidence
Documentation that is a by-product of privacy management activities is made available by the owner.
The third element of structured privacy management is evidence. In responsible organisations, the Owner of a privacy management activity provides supporting evidence that the activity is being maintained.
When privacy management activities are performed on an ongoing basis, evidence is produced as a by-product. Evidence is documentation which may be formal (e.g., policies, procedures, reports) or informal (e.g., communication, agendas, system logs) and can be used with context by the privacy office to show a privacy management activity is being performed. For example, the technical and organisational measure “Maintain PIA/DPIA guidelines and templates” produces several forms of evidence, including: policies requiring (D)PIAs, procedures and workflows documenting the approval process, (D)PIA guidelines and templates, training documents on how to conduct (D)PIAs, logs of (D)PIAs, etc. This documentation serves as evidence of accountability.
Refer to Table 0.3 for the characteristics of formal and informal documentation and corresponding examples:
Documentation | Characteristics | Examples
Formal | Typically published, maintained, and communicated to designated groups | Policies, Procedures, Reports
Informal | May show an example of an activity having occurred, such as an e-mail conversation between two key individuals or a record of participation in a webinar | Email communication, meeting agendas, system logs
Table 0.3 – Characteristics of Formal and Informal Documentation
Table 0.4 describes the role the privacy office plays depending on the source of the documentation, as well as corresponding examples of the document types:
Source | Description | Privacy Office Role | Example Documents
Produced | Generated by the privacy office with input from other key stakeholders | The privacy office performs the activity | Data Privacy Policy; Privacy Notice; Data Privacy Training Curriculum; Privacy Impact Assessment Guidelines; Policy/procedure for secondary uses of personal data
Influenced | Influenced by the privacy office but created by other stakeholders | The privacy office provides input or opinions | Direct Marketing Procedures; Privacy Impact Assessments; Employment Policies; Records retention schedules
Collected | Provided to the privacy office by other stakeholders | The privacy office is kept up-to-date on progress, often only upon completion | Internal Audit Results; IT Security Assessment Results; Business Continuity Plans
Table 0.4 – The Privacy Office’s Role in Production of Documentation
Table 0.5 outlines how formal and informal documentation can be produced, influenced, or collected by the privacy office as evidence of the Technical and Organisational Measures.
Technical or Organisational Measure | Evidence/Documentation | Source/Role | Formal/Informal
Maintain a data privacy policy | Data Privacy Policy | Produced by privacy office | Formal
Integrate data privacy into delegate access to employees' company e-mail accounts (e.g. vacation, LOA, termination) | E-mail monitoring policy and procedure | Influenced by privacy office; produced by information technology | Formal
Measure participation in data privacy training activities (e.g. numbers of participants, scoring) | System generated report of data privacy exam scores | Collected by privacy office; produced by human resources | Informal
Provide notice in marketing communications (e.g. emails, flyers, offers) | Examples of e-mail marketing communications | Influenced by privacy office; produced by marketing | Informal
Table 0.5 - Formal and Informal Documentation
4. Frequency: Technical and Organisational Measures are Ongoing
In the past, in many organisations privacy management may have started as a project. However, under the GDPR, the law requires organisations to keep their “appropriate technical and organisational measures” up to date and review them on a regular basis. Responsible organisations already did so, but now all organisations will need to comply with this requirement. This includes a need to allocate sufficient resources to privacy management and continually re-evaluate the organisation’s privacy management needs to ensure activities are aligned.
“A privacy management program should never be considered a finished product; it requires ongoing assessment and revision to be effective and relevant. The building blocks must be monitored and assessed on a regular basis and be updated accordingly.” – Getting Accountability Right [13]
Privacy management is a set of ongoing technical or organisational measures performed either periodically or continuously.
Periodic: Activities are performed on a set frequency, e.g. quarterly or annually. These activities are treated as discrete projects or tasks with a defined start and end.
Continuous: Activities are embedded into day-to-day operations. These activities often take a repetitive approach, where adjustments are made continuously toward the desired outcome.
Table 0.6 reviews privacy management activities to show how the two frequency approaches might differ:
Technical or Organisational Measure | Periodic | Continuous
Maintain documentation of data flows (e.g. between systems, between processes, between countries) | On an annual basis, require key stakeholders to review the flow charts for accuracy and update diagrams as necessary | Proposed changes to data flows are identified and the flow charts are updated as a condition of project sign-off and implemented as part of the project management requirements
Measure participation in data privacy training activities (e.g. numbers of participants, scoring) | Each quarter, review reports generated by the e-Learning system to determine whether all employees have completed required training | Configure the e-Learning system to generate alerts when an employee has not completed training by the required date and notify the employee’s manager suggesting he or she follow up immediately
Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.) | Establish a cross-functional committee of privacy stakeholders (e.g. IT, marketing, legal, HR, etc.) who meet on a quarterly basis to discuss data privacy matters | Create an email alias or group discussion to facilitate communication amongst group members on data privacy matters
Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties) | On a monthly basis, review reports of active system users to ensure their access is still appropriate and sign-off to indicate approval | Configure HR system to send alerts to information security when employees are terminated or when there are changes to the job title, department, or reporting structure
Table 0.6 - Examples of Periodic and Continuous Approaches to Privacy Management Activities
Whether the activity should be performed periodically or continuously depends on a number of factors. Periodic activities may encourage structure, whereas continuous activities may provide more thorough coverage and risk prevention.
An organisation that has embedded responsibility, ownership, and evidence into its privacy program has implemented accountability and is now equipped to demonstrate accountability.
[13] Office of the Information and Privacy Commissioner of Alberta. (2012). Getting Accountability Right with a Privacy Management Program. Alberta, Canada.
Appendix C: Prioritising GDPR Compliance
Privacy Management Categories | Privacy Management Activities | GDPR Article Reference
1. Maintain Governance Structure | Assign responsibility for data privacy to an individual (e.g. Privacy Officer, Privacy Counsel, CPO, CISO, EU Representative) | 27
 | Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee) | 
 | Appoint a Data Protection Officer (DPO) in an independent oversight role | 37, 38
 | Assign responsibility for data privacy throughout the organisation (e.g. Privacy Network) | 
 | Maintain roles and responsibilities for individuals responsible for data privacy (e.g. Job descriptions) | 39
 | Conduct regular communication between the Privacy Office, privacy network and others responsible/accountable for data privacy | 38
 | Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.) | 
 | Report to internal stakeholders on the status of privacy management (e.g. board of directors, management) | 
 | Report to external stakeholders on the status of privacy management (e.g., regulators, third-parties, clients) | 
 | Conduct an Enterprise Privacy Risk Assessment | 24, 39
 | Integrate data privacy into business risk assessments/reporting | 
 | Maintain a privacy strategy | 
 | Maintain a privacy program charter/mission statement | 
 | Require employees to acknowledge and agree to adhere to the data privacy policies | 
2. Maintain Personal Data Inventory | Maintain an inventory of personal data and/or processing activities | 30
 | Classify personal data by type (e.g. sensitive, confidential, public) | 
 | Obtain regulatory approval for data processing (where prior approval is required) | 
 | Register databases with regulators (where registration is required) | 
 | Maintain documentation of data flows (e.g. between systems, between processes, between countries) | 
 | Maintain documentation of the transfer mechanism used for cross-border data flows (e.g., model clauses, BCRs, regulator approvals) | 45, 46, 49
 | Use Binding Corporate Rules as a data transfer mechanism | 46, 47
 | Use contracts as a data transfer mechanism (e.g., Standard Contractual Clauses) | 46
 | Use APEC Cross Border Privacy Rules as a data transfer mechanism | 
 | Use regulatory approval as a data transfer mechanism | 46
 | Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism | 45, 49, 48
 | Use the Privacy Shield as a data transfer mechanism | 46
3. Maintain Data Privacy Policy | Maintain a data privacy policy | 5, 24, 91
 | Maintain an employee data privacy policy | 
 | Document legal basis for processing personal data | 6, 9, 10
 | Integrate ethics into data processing (Codes of Conduct, policies, and other measures) | 
 | Maintain an organisational code of conduct that includes privacy | 
4. Embed Data Privacy into Operations | Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) | 9
 | Maintain policies/procedures for collection and use of children’s and minors’ personal data | 8, 12
 | Maintain policies/procedures for maintaining data quality | 5
 | Maintain policies/procedures for the de-identification of personal data | 89
 | Maintain policies/procedures to review processing conducted wholly or partially by automated means | 12, 22
 | Maintain policies/procedures for secondary uses of personal data | 6, 13, 14
 | Maintain policies/procedures for obtaining valid consent | 6, 7, 8
 | Maintain policies/procedures for secure destruction of personal data | 
 | Integrate data privacy into use of cookies and tracking mechanisms | 
 | Integrate data privacy into records retention practices | 5
 | Integrate data privacy into direct marketing practices | 21
 | Integrate data privacy into e-mail marketing practices | 
 | Integrate data privacy into telemarketing practices | 
 | Integrate data privacy into digital marketing practices (e.g., mobile, social media, behavioural advertising) | 
 | Integrate data privacy into hiring practices | 
 | Integrate data privacy into the organisation’s use of social media practices | 8
 | Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures | 
 | Integrate data privacy into health & safety practices | 
 | Integrate data privacy into interactions with works councils | 
 | Integrate data privacy into practices for monitoring employees | 
 | Integrate data privacy into use of CCTV/video surveillance | 
 | Integrate data privacy into use of geo-location (tracking and or location) devices | 
 | Integrate data privacy into delegate access to employees' company e-mail accounts (e.g. vacation, LOA, termination) | 
 | Integrate data privacy into e-discovery practices | 
 | Integrate data privacy into conducting internal investigations | 
 | Integrate data privacy into practices for disclosure to and for law enforcement purposes | 
 | Integrate data privacy into research practices | 21, 89
5. Maintain Training and Awareness Program | Conduct privacy training | 39
 | Conduct privacy training reflecting job specific content | 
 | Conduct regular refresher training | 
 | Incorporate data privacy into operational training (e.g. HR, marketing, call centre) | 
 | Deliver training/awareness in response to timely issues/topics | 
 | Deliver a privacy newsletter, or incorporate privacy into existing corporate communications | 
 | Provide a repository of privacy information, e.g., an internal data privacy intranet | 
 | Maintain privacy awareness material (e.g. posters and videos) | 
 | Conduct privacy awareness events (e.g., an annual data privacy day/week) | 
 | Measure participation in data privacy training activities (e.g. numbers of participants, scoring) | 
 | Enforce the Requirement to Complete Privacy Training | 
 | Provide ongoing education and training for the Privacy Office and/or DPOs (e.g. conferences, webinars, guest speakers) | 
 | Maintain qualifications for individuals responsible for data privacy, including certifications | 
6. Manage Information Security Risk | Integrate data privacy risk into security risk assessments | 32
 | Integrate data privacy into an information security policy | 5, 32
 | Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) | 32
 | Maintain measures to encrypt personal data | 32
 | Maintain an acceptable use of information resources policy | 
 | Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties) | 32
 | Integrate data privacy into a corporate security policy (protection of physical premises and hard assets) | 
 | Maintain human resource security measures (e.g. pre-screening, performance appraisals) | 
 | Maintain backup and business continuity plans | 
 | Maintain a data-loss prevention strategy | 
 | Conduct regular testing of data security posture | 32
 | Maintain a security certification (e.g., ISO) | 
7. Manage Third-Party Risk | Maintain data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates) | 28, 32
 | Maintain procedures to execute contracts or agreements with all processors | 28
 | Conduct due diligence around the data privacy and security posture of potential vendors/processors | 28
 | Conduct due diligence on third party data sources | 
 | Maintain a vendor data privacy risk assessment process | 
 | Maintain a policy governing use of cloud providers | 
 | Maintain procedures to address instances of non-compliance with contracts and agreements | 
 | Conduct due diligence around the data privacy and security posture of existing vendors/processors | 
 | Review long-term contracts for new or evolving data privacy risks | 
8. Maintain Notices | Maintain a data privacy notice | 8, 13, 14
 | Provide data privacy notice at all points where personal data is collected | 13, 14, 21
 | Provide notice by means of on-location signage, posters | 
 | Provide notice in marketing communications (e.g. emails, flyers, offers) | 
 | Provide notice in contracts and terms | 
 | Maintain scripts for use by employees to explain or provide the data privacy notice | 
 | Maintain a privacy Seal or Trustmark to increase customer trust | 
9. Respond to Requests and Complaints from Individuals | Maintain procedures to address complaints | 
 | Maintain procedures to respond to requests for access to personal data | 15
 | Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data | 16, 19
 | Maintain procedures to respond to requests to opt-out of, restrict or object to processing | 7, 18, 21
 | Maintain procedures to respond to requests for information | 
 | Maintain procedures to respond to requests for data portability | 20
 | Maintain procedures to respond to requests to be forgotten or for erasure of data | 17, 19
 | Maintain Frequently Asked Questions to respond to queries from individuals | 
 | Investigate root causes of data protection complaints | 
 | Monitor and report metrics for data privacy complaints (e.g. number, root cause) | 
10. Monitor for New Operational Practices | Integrate Privacy by Design into data processing operations | 25
 | Maintain PIA/DPIA guidelines and templates | 35
 | Conduct PIAs/DPIAs for innovative programs, systems, processes | 5, 6, 25, 35
 | Conduct PIAs or DPIAs for changes to existing programs, systems, or processes | 5, 6, 25, 35
 | Engage external stakeholders (e.g., individuals, privacy advocates) as part of the PIA/DPIA process | 35
 | Track and address data protection issues identified during PIAs/DPIAs | 35
 | Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate) | 36
11. Maintain Data Privacy Breach Management Program | Maintain a data privacy incident/breach response plan | 33, 34
 | Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol | 12, 33, 34
 | Maintain a log to track data privacy incidents/breaches | 33
 | Monitor and report data privacy incident/breach metrics (e.g. nature of breach, risk, root cause) | 
 | Conduct periodic testing of data privacy incident/breach plan | 
 | Engage a breach response remediation provider | 
 | Engage a forensic investigation team | 
 | Obtain data privacy breach insurance coverage | 
12. Monitor Data Handling Practices | Conduct self-assessments of privacy management | 25, 39
 | Conduct Internal Audits of the privacy program (e.g., operational audit of the Privacy Office) | 
 | Conduct ad-hoc walk-throughs | 
 | Conduct ad-hoc assessments based on external events, such as complaints/breaches | 
 | Engage a third-party to conduct audits/assessments | 
 | Monitor and report privacy management metrics | 
 | Maintain documentation as evidence to demonstrate compliance and/or accountability | 5, 24
 | Maintain certifications, accreditations, or data protection seals for demonstrating compliance to regulators | 
13. Track External Criteria | Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc. | 39
 | Maintain subscriptions to compliance reporting service/law firm updates to stay informed of new developments | 
 | Attend/participate in privacy conferences, industry associations, or think-tank events | 
 | Record/report on the tracking of new laws, regulations, amendments, or other rule sources | 
 | Seek legal opinions regarding recent developments in law | 
 | Document decisions around new requirements, including their implementation or any rationale behind decisions not to implement changes | 
 | Identify and manage conflicts in law | 
Appendix D: Common Approaches to Prioritising GDPR Compliance Planning
There are no silver bullets to prioritising GDPR compliance planning; what works for one company does not necessarily work for another. Nymity’s extensive research and experience with hundreds of companies implementing GDPR compliance has identified many common approaches to implementing “Desired” technical and organisational measures, including:
Governance Approach
Inventory (Record of Processing Activities) first approach
Regulator Approach
Risk Approach
Project Management Approach
Governance Approach
The GDPR is an accountability based law requiring organisations to demonstrate compliance on an ongoing basis. Some organisations begin their prioritisation efforts by focusing on activities with the greatest impact overall on governance in their organisation.
Common Governance Related Technical and Organisational Measures
Assign responsibility for data privacy to an individual (e.g. General Counsel, CPO, CISO, EU Representative)
Appoint a Data Protection Officer in an independent oversight role
Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)
Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.)
Report to internal stakeholders on the status of privacy management (e.g. board of directors, management)
Maintain a data privacy policy
Conduct privacy training
Maintain a data privacy notice
Maintain Data Privacy Requirements for Third Parties (e.g., Vendors, Processors, Affiliates)
Conduct self-assessments of privacy management
Inventory (Record of Processing Activities) Approach
Article 30 of the GDPR (Records of processing activities) requires organisations with more than 250 employees, and those processing large volumes of data and/or sensitive data, to create a record of processing activities. Many organisations, especially those whose processing is considered “high risk”, have found it beneficial to begin their GDPR compliance planning by completing a Records of Processing Activities Register. If an organisation has fewer than 250 employees and resources are available, this exercise will still be useful and, in general, not onerous.
If your Step 1 “Baseline Exercise” revealed an existing data inventory or processing activities register, review it to ensure it captures the required information outlined in Article 30 GDPR and that all your processing activities are indeed included. In general, Nymity research has found that organisations completing or attempting to complete traditional data inventories may not have captured the information the GDPR requires but, in many cases, hold far more other information than is required.
What is a Record of Processing Activities Register?
For organisations operating in the EU, a requirement of the Directive 95/46/EC was to notify and register processing activities with local Data Protection Authorities (DPAs). Article 30 replaces this requirement. The French Data Protection Authority (CNIL) in 2017 published a six-step methodology for complying with the GDPR [14] which includes a template for a Processing Activities Register. This template highlights that a traditional data inventory is not the intent of Article 30 GDPR. [15] In general, these records must contain:
The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the Data Protection Officer;
The purpose(s) of the processing;
A description of the categories of data subjects and personal data;
The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
14 www.cnil.fr/fr/comment-se-preparer-au-reglementeuropeen-sur-la-protection-des-donnees
15 www.cnil.fr/fr/cartographier-vos-traitements-de-donneespersonnelles
Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
Where possible, the envisaged time limits for erasure of the different categories of data;
Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
It is important to note that this list is concerned first with the details of processing activities rather than the details of a data holding repository, and does not require the onerous process of documenting every data element forming part of the data repository (though in practice, some companies will want to do this).
Completing this exercise can act as the basis for compliance with multiple obligations because the same information is required to address the following obligations:
Record of Processing Activities (Article 30)
Transparency (Articles 12 and 13)
Data Protection Impact Assessments (Article 35)
Data Subject Access Rights (Article 15)
Processor (Article 28)
Regulator Approach
Over the past year, Data Protection Authorities have released guidance on various aspects of GDPR compliance. [16] This guidance may help you to better understand your organisation’s compliance requirements. It is also important to note that Data Protection Authorities themselves have indicated [i] that perhaps the most important reason to produce the guidance is to streamline their own positions and ideas. The guidelines may help data controllers and data processors around the world by providing a little more legal certainty. Note that no matter how extensive they may be, they are not always conclusive in every situation. In general, Data Protection Authorities have indicated that they expect organisations to prioritise their compliance initiatives in the following areas:
Awareness
Inventory / Article 30 Register
Impact Assessments for key projects
Procedures for Data subject rights and breaches
Notice / Communication
Consent & other legal grounds
Children
DPO
16 For example, the Article 29 Working Party has issued guidance on various concepts including Data Portability, Profiling, Breaches, DPIAs and Fines. http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1308
Awareness
According to many Data Protection Authorities, GDPR compliance starts with raising awareness of the requirements of the new law within an organisation. That way, minds can be prepared for the work to be done, including the reasons why an organisation may have a new or renewed focus on privacy and data protection.
Inventory / Article 30 Register
This is the same requirement as described above under the “Governance Approach”. Many DPAs agree that in order to have a good overview of what is going on in an organisation, the Processing Activities Register is a vital element. It not only provides an overview of the ongoing data processing operations, but also helps organisations decide which technical and organisational measures are appropriate and need to be implemented. Furthermore, it supports the drafting or updating of privacy notices, which will need to include much of the information already held in the Register. Last but not least, the information in the Register allows an organisation to assess whether processing activities are “high risk” and thus need to be the subject of a DPIA.
Impact Assessments for key projects
All “high risk” processing operations, including those in which sensitive data are processed, need to undergo a data protection impact assessment. Organisations are free to decide whether they wish to extend this obligation to more projects. If a DPIA is completed, the organisation will make an inventory of the risks to the rights and freedoms of the data subject, including, but not limited to, privacy and data protection. These risks will subsequently need to be mitigated, for example by applying specific safeguards to a processing operation.
Procedures for Data subject rights and breaches
Where they have not yet been established, DPAs recommend developing internal procedures on how to deal with the rights attributed to data subjects (including the right to information, access, rectification and erasure) and with data breaches. Should procedures already be in place, they would in any case need to be reviewed to ensure they are in line with the requirements of the GDPR and, where available, the guidance of the Article 29 Working Party.
Notice / Communication
The GDPR imposes strict obligations on the information to be provided to data subjects when their personal data is processed. That information shall be included in one, or multiple, privacy notices or statements, which need to be written in plain language. Organisations will need to review their current notices and/or draft new ones. The Processing Activities Register can help to supply many details of the processing operation for inclusion in the notice.
Consent & other legal grounds
The DPAs remind organisations that all processing operations require one of six legal grounds: consent, performance of a contract, a legal obligation, a public interest, a vital interest of the data subject or of another data subject, or a legitimate interest. Without one of these legal grounds, personal data cannot be lawfully processed. For each processing operation (or each purpose of it), the applicable legal ground is to be documented. Furthermore, where legitimate interest or consent is being relied upon, organisations should stand ready to provide further explanations on how these legal grounds apply in the specific situation and whether the criteria imposed by the GDPR are met.
Children
Although the GDPR does not contain many provisions on processing the personal data of minors, most DPAs recommend taking extra care when dealing with data from children. Organisations are recommended to put in place specific safeguards where possible. Also, compliance with the minimum age for consent in an online environment, which may vary from 13 to 16 depending on the EU Member State, needs to be clearly documented.
DPO
The final step recommended by most Data Protection Authorities is to verify whether a Data Protection Officer needs to be appointed. This is a prescribed role under the GDPR, for example for all public authorities and for organisations that are processing sensitive data on a large scale.
Common Technical and Organisational Measures Related to Regulatory Guidance
Assign responsibility for data privacy to an individual (e.g. General Counsel, CPO, CISO, EU Representative)
Appoint a Data Protection Officer
Maintain a data privacy policy
Maintain policies/procedures for collection and use of children and minors’ personal data
Maintain policies/procedures for obtaining valid consent
Maintain privacy awareness materials (e.g. posters and videos)
Conduct privacy awareness events
Maintain a data privacy notice
Maintain scripts for use by employees to explain or provide the data privacy notice
Maintain procedures to respond to requests for access to personal data
Maintain PIA/DPIA guidelines and templates
Conduct PIAs for new programs, systems, processes
Risk Approach
The GDPR is a risk-based law requiring data controllers to engage in risk analysis and adopt risk-measured responses. The GDPR imposes additional obligations for data processing activities posing a high risk to individuals. Organisations engaging in low-risk processing activities, or adequately addressing risk, may avoid specific obligations such as the obligation to notify a Data Protection Authority of a data breach.
Risk is contextual and is not clearly defined by the GDPR. Where the concept of risk appears in the GDPR, it is defined by reference to the “likelihood and severity” of a negative impact on the rights and freedoms of data subjects. This goes beyond just privacy and data protection, and also includes other fundamental rights such as the freedom of expression and the right to non-discrimination. Organisations should account for the “nature, scope, context and purpose of processing.” In 2017, the Article 29 Data Protection Working Party released guidelines [17] for the GDPR’s DPIA requirements. These guidelines shed some light on what will be considered “high-risk” processing. Ask yourself:
17 WP248 rev01 – Guidelines on high risk processing and data protection impact assessments: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711
Are you doing evaluation or scoring (including profiling and predicting) of aspects specific to the data subject?
Does the processing involve automated decision making producing significant effect on the data subject?
Are you performing systematic monitoring of data subjects, including in a publicly accessible area?
Does the processing involve sensitive data (special categories of data as defined in Article 9 and data regarding criminal offences)?
Is the data being processed on a large scale?
Have datasets been matched or combined?
Does the data concern vulnerable data subjects (as laid out in Recital 75)?
Is this an innovative use or does it apply technological or organisational solutions (for example, combining use of finger print and facial recognition)?
Are you transferring data outside the European Union?
Will the processing itself prevent data subjects from exercising a right or using a service or a contract?
Common Technical and Organisational Measures to Address High-Risk Processing
Conduct an Enterprise Privacy Risk Assessment
Maintain an inventory of personal data and/or processing activities
Classify personal data by type (e.g. sensitive, confidential, public)
Maintain flow charts for data flows (e.g. between systems, between processes, between countries)
Maintain a data privacy policy
Maintain policies/procedures for secure destruction of personal data
Integrate data privacy into records retention practices
Conduct privacy training
Maintain Data Privacy Requirements for Third Parties (e.g., Vendors, Processors, Affiliates)
Conduct due diligence around the data privacy and security posture of potential vendors/processors
Maintain a vendor data privacy risk assessment process
Integrate Privacy by Design into data processing operations
Maintain PIA/DPIA guidelines and templates
Conduct PIAs for new programs, systems, processes
Maintain a Privacy by Design framework for all system and product development
Maintain a documented data privacy incident/breach response protocol
Conduct self-assessments of privacy management
Project Management Approach
This approach works well for organisations with ample time to address all GDPR compliance obligations and in which the Privacy Officer has experience with project management or has access to internal employee resources with project management skills. Organisations taking this approach consider the time it would take to complete a task and the availability of resources in order to prioritise, then follow the general sequence of steps below:
Step 1: Task Dependency
Determine if any technical or organisational measures are dependent on completing another measure. For example, some organisations determine that the data inventory, records of processing inventory or data flow maps need to be completed before beginning items such as Data Subject Access requests or an Information Security Assessment. This step will provide a high-level overview of the order in which to work on tasks.
Step 2: Resources and timing
Work with the applicable resources for each task to determine roughly how long it will take to complete the required measure, and identify whether there are specific times of year when resources will or will not be available to help (e.g., working on other business projects, vacations, leaves).
Step 3: Roadmap sequence
Build a roadmap starting with the dependent tasks in sequence. Then, overlap items not dependent on other tasks and make sure the resources have bandwidth. Add extra time into the roadmap for every task (things always happen).
Step 4: Buy-in
When the roadmap is complete, obtain buy-in from senior management (general counsel, managers of departments/resources). Adjust the plan accordingly.
[i] Comments made at the 2018 Computers, Privacy and Data Protection Conference in Brussels. http://www.cpdpconferences.org/