
A Practical Guide to GDPR Compliance. Copyright © Nymity Inc. 2018

Copyright © Nymity Inc. 2018. This manual is based on research conducted by Nymity and the content is provided for educational purposes only. It is not intended to and does not constitute legal advice. Furthermore, reliance on one of the approaches to privacy management presented in this manual is not a guarantee of compliance.

If you require legal advice, you should consult with an attorney. Nymity reserves all rights in this manual, including copyright and intellectual property rights. You may use this manual for your own purposes. This manual may be freely redistributed in its entirety, provided that Nymity trademarks, logos, and this copyright notice are not removed. This manual may not be sold for profit or used in commercial documents without the written permission of Nymity.


The concept of accountability is a common principle for organisations across many disciplines. It embodies the notion that organisations live up to expectations, for example, in their behaviour towards data subjects or in the delivery of their products and services. The General Data Protection Regulation (GDPR) integrates accountability as a principle in Article 5(2), which requires organisations to demonstrate compliance with the principles of the GDPR. Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and organisational measures to ensure that organisations can demonstrate that the processing of personal data is performed in accordance with the GDPR. What “appropriate” means is largely dependent on the specifics of the individual company.

Expectations from regulators have shown that the obligation to demonstrate compliance is more than a one-off inventory or snapshot of your operations at a certain moment in time. It is not a tick-box exercise or a one-time gap analysis. Demonstrating compliance is a journey and requires ongoing awareness and understanding of your personal data processing operations and embedding privacy management throughout your organisation. There is no more effective way to demonstrate compliance than to show a privacy program and the capacity to comply on an ongoing basis. There is no silver bullet. What works for one company does not necessarily work for another, but a structured approach to GDPR compliance works for all organisations. Those assigned responsibility for GDPR compliance may be asking: “How do I prioritise my efforts to meet GDPR accountability obligations?” It may seem there is no simple answer, as many challenges and questions arise, such as:

• I have limited resources

• I don’t understand what the GDPR requires

• I’m new to privacy and privacy management

• I can’t find a checklist that meets my needs

• There is limited documentation on past privacy management

• I have limited budget

• How do I determine what is in place?

• How do I justify more resources?

• How do I maintain records?

• How do I establish and work with a privacy team that does not work for me?

• How do I report status and progress?

• How do I hold others accountable?

• How am I going to demonstrate success?

Introduction and Overview


Since 2002, Nymity has been conducting research on accountability in organisations and has directed dozens of workshops to over 500 privacy professionals around the world. This practical guide leverages this wealth of experience and supports a structured approach to privacy management ensuring that you:

• Do not have to be a privacy expert

• Quickly gain or augment your GDPR compliance expertise

• Can identify and leverage your organisation’s existing privacy management program or, in the absence of a program, existing privacy management activities throughout the organisation

• Communicate and report effectively on the status of ongoing GDPR compliance

• Scale your privacy management program based on resources available

• Focus on the highest risk areas

Prioritising your Accountability Obligations in Two Steps

The answer to the question, “How do I prioritise?” is broken into two steps:

Step 1: Baseline your GDPR compliance. Identify, understand, and document the status of GDPR compliance throughout the organisation including resources such as people, processes, technology, and tools. See which of your existing technical and organisational measures and accountability mechanisms may be repurposed for GDPR compliance.

Step 2: Plan. Define a privacy management plan for implementing the “In Progress” and “Desired” technical and organisational measures to develop an ongoing capacity to comply with the GDPR.

This Guide is supported by four appendices:

Appendix A: Key Concepts. This manual relies on seven key concepts. Links to the relevant key concepts are provided throughout this guide.

Appendix B: Fundamentals of Structured Privacy Management. This section provides a deeper understanding of the structured approach to privacy management used in this manual.

Appendix C: Getting Started with a GDPR Compliance Strategy. In this appendix the GDPR is mapped to the Nymity Privacy Management Accountability Framework™, identifying 55 technical and organisational measures that, if put in place, may help demonstrate compliance with the GDPR.

Appendix D: Common Approaches to Prioritising GDPR Compliance Planning. This appendix outlines four common approaches to prioritising the implementation of “Desired” technical and organisational measures for GDPR Compliance.

The Structured Approach:

• Works for any organisation, regardless of size, sector or industry;

• Embeds privacy management accountability throughout the organisation;

• Works with available resources;

• Enables the demonstration of GDPR compliance; and

• Documents the justification for resources to enhance GDPR compliance efforts.


When prioritising GDPR compliance, a wide variety of approaches are typically promoted, such as beginning with a data inventory, a governance structure or conducting Data Protection Impact Assessments. The challenge with these traditional approaches is that not all organisations have the resources or the business case to begin their privacy management with these steps. The approach to prioritising detailed in this Guide is based on the concept of structured privacy management. Structured privacy management is a proven method for implementing an effective privacy management program that allows organisations to demonstrate an ongoing capacity to comply. It is founded on three elements: responsibility, ownership, and evidence.

Responsibility, Ownership and Evidence

Structured privacy management is embedded throughout an organisation when there are three components present: responsibility, ownership, and evidence¹.

1. Responsibility: The organisation maintains effective privacy management consisting of ongoing privacy management activities (technical and organisational measures).

Nymity’s extensive research on privacy management programs has identified over 130 technical or organisational measures that need to take place in organisations. Technical and organisational measures are not high-level principles but constitute any activities conducted, anywhere throughout the organisation to:

• Protect personal data

• Respect the rights of data subjects

• Comply with obligations

Putting in place appropriate technical and organisational measures means implementing and maintaining ‘accountability mechanisms’.

¹ For further discussion on the components of accountability, please refer to Appendix B: Fundamentals of Structured Privacy Management.

Nymity Privacy Management Accountability Framework ™

What is a Structured Approach to Privacy Management?

Structured Privacy Management is embedding ongoing technical and organisational measures throughout the organisation, resulting in the ability to demonstrate evidence-based accountability and compliance.

Accountability mechanisms include policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards, and other mechanisms that mitigate internal and external privacy risk.


Based on this research, Nymity developed the Nymity Privacy Management Accountability Framework™ (“Framework”). This comprehensive Framework lists the technical and organisational measures in an industry- and jurisdiction-neutral fashion and groups them into 13 privacy management categories. The Framework forms the foundation for the “responsibility” element in a structured approach to privacy management.

Rather than a checklist to be completed, the Framework represents a menu of options for GDPR compliance and privacy management that can be adapted for any organisation. No two organisations’ privacy management is the same, and thus, this Framework provides the flexibility necessary for planning, scaling, and communicating privacy management for organisations of any size, across industries. The appropriate technical and organisational measures are determined based on GDPR compliance requirements, risk to data subjects, organisational risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for collection, use and disclosure, etc.). Since the Framework is jurisdiction-neutral, privacy management activities implemented for GDPR will subsequently also support the demonstration of compliance in other jurisdictions.

2. Ownership: An individual is accountable for the management and monitoring of privacy management activities (technical and organisational measures).

Ownership is the second element of accountability and builds upon the element of responsibility. Even if the Privacy Office is accountable for GDPR compliance, the Privacy Office itself usually processes very little, if any, personal data. As such, the effectiveness of GDPR Compliance and privacy management in general relies on the appropriate technical and organisational measures being performed at all points of the personal data life cycle, from the point of collection to the point of destruction. Ownership of many accountability mechanisms will reside within an organisation’s operational and/or business units (human resources, marketing, product development, IT, customer service, etc.) where the data is being collected and processed.

3. Evidence: Documentation that is a by-product of accountability mechanisms is made available by the owner.

When accountability mechanisms are being maintained, documentation is produced. That documentation can be used as evidence of accountability, ownership and GDPR compliance. Evidence can be formal (e.g. policies, procedures) or informal (e.g. communications, workflows). When using a structured approach to GDPR Compliance, evidence is always a by-product of an accountability mechanism, i.e. evidence is not produced for the sake of documentation but because of an activity.

As noted above, there are a wide variety of approaches traditionally promoted to prioritise your GDPR compliance initiatives, such as beginning with a data inventory, an enterprise-wide risk assessment or conducting data protection impact assessments. However, not all organisations have the resources or the business case to support the ability to begin their privacy management with these activities. Based on our research, Nymity has developed a two-step process for getting started with GDPR compliance that works for all organisations. This two-step approach is independent of the amount of resources available or the level of initial expertise of the Privacy Office/DPO.

In a structured approach to privacy management, responsibility means the appropriate technical and organisational measures have been implemented and are maintained on an ongoing basis, resulting in the creation of appropriate accountability mechanisms.


By the time you have completed Step 1 (Baseline), your knowledge of GDPR compliance obligations and accountability will have increased significantly.

Two Steps to Prioritising

Step 1 – Baseline: Baseline existing GDPR compliance obligations and resources available in the organisation.

Step 2 – Plan: Create a plan to implement your “In Progress” and “Desired” technical and organisational measures.


The first step to prioritising GDPR compliance is to baseline the status of existing technical and organisational measures that address GDPR compliance obligations. You may have more measures in place than you are aware of.


Using the Nymity Privacy Management Framework™ for Identifying GDPR Compliance Measures

The Privacy Office does not need to start with a blank page when baselining GDPR compliance in the organisation. Instead, the Privacy Office can simply use the Framework adapted for GDPR.

Nymity Research has identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance. These have been mapped to the Framework, resulting in the identification of 55 “primary” technical or organisational measures. If implemented, these measures may produce documentation that will help demonstrate ongoing compliance with your GDPR compliance obligations (some measures may not apply to your organisation²). In this step, you identify the status for each of these 55 activities.

1. Assign Status

To baseline existing GDPR privacy management, you must first identify which technical or organisational measures are already “Implemented” or “In Progress”.

Implemented: Technical or organisational measures that are already in place and have sufficient resources to be maintained are categorised as “Implemented”. Note: If the measure is not being maintained, supported by appropriate accountability mechanisms, or if there are insufficient resources to maintain it, then the measure is categorised as “In Progress”.

² See Appendix C for this mapping.

Step 1 – Baseline your Existing Privacy Program for GDPR Compliance

Print Full Scope: Each technical and organisational measure is supported by a scope and it is recommended to have the scope document available. The scopes can be found at www.nymity.com/pmaf.

In Progress: If the technical or organisational measure is resourced and is in the process of being implemented, or is scheduled to be implemented, it is categorised as “In Progress”. For larger organisations that are implementing a technical or organisational measure in multiple countries or multiple divisions, the status of the activity remains “In Progress” until the activity is implemented in every country, or function, for which the Privacy Office/DPO has decided it is required. Note: If the technical or organisational measure is neither “Implemented” nor “In Progress”, it will be categorised as “Desired”.

Desired: Technical or organisational measures which are determined to be applicable or relevant for GDPR compliance but are not currently Implemented or resourced for implementation (In Progress) are categorised as “Desired”.

Not Applicable (N/A): Some of the 55 technical or organisational measures identified for GDPR compliance may not be applicable to the organisation. These are categorised as “N/A”.

“In Progress” and “Desired” technical or organisational measures are addressed in detail in Step 2: Plan. This section addresses the selection, prioritisation, and resourcing of these desired measures which is the foundation of planning.

Initial Status of Identified Technical or Organisational Measures

As stated above, responsible organisations will already have privacy management embedded throughout the organisation prior to a formal GDPR implementation plan. It is recommended that the technical and organisational measures that have been identified as existing in the organisation be categorised with a status of “In Progress” until they have been reviewed by the Privacy Officer for compliance with GDPR.

2. Ownership: An owner is an individual who is answerable for the management and monitoring of the technical and organisational measures. In some cases, the owner will be the Privacy Officer who is completing the baseline exercise. However, in many instances the technical and organisational measures will reside within the operational or business units, including human resources, marketing, product development, IT or customer service (where the data is being collected and processed). For example:

Technical or organisational measures that may be maintained by the Privacy Office are:

• Maintain a data privacy policy

• Conduct privacy training

• Maintain a data privacy notice that details the organisation’s personal data handling practices

• Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.

Technical or organisational measures maintained by the operational unit are:

• Integrate data privacy into direct marketing practices

• Integrate data privacy into hiring practices

Next, identify the owners for the technical and organisational measures and record them.

3. Resources to Maintain: It takes resources to implement and maintain effective privacy management. Resources include people, processes, technology, and tools. One challenge with traditional approaches (such as “start with a data inventory”) is they generally assume resources are available, or that management will provide the resources, once requested, to maintain the inventory. This is often not the case. Without an early focus on understanding what resources are available for GDPR compliance and ongoing privacy management, prioritising can quickly turn into a frustrating experience for the Privacy Officer.

Completing your baseline exercise will likely require working with the operational units and business units such as HR, IT, Customer Service, Security, Procurement, Legal, Marketing, Product Development and all departments that process personal data or impact the processing of personal data.

Resources Examples: If you are looking for a deeper understanding of resources and more examples, please review Appendix A: Key Concepts: Resources.

In the next part of this step you will identify the resources to maintain the “Implemented” and “In Progress” technical or organisational measures and understand available resources. If you discover there are no resources allocated to maintaining a privacy management activity you have identified as “Implemented”, then the Status should be changed to “In Progress” until sufficient resources are allocated and the measure is maintained. In this step, it is likely resources will be identified that can help enhance privacy management. For example, you may discover the marketing manager is willing to support enhancement of privacy management in the marketing department. It is best to identify all resources available to best prepare for Step 2: Plan.

4. Evidence: The next phase of the Baseline step is to record evidence of technical or organisational measures. For all “Implemented” measures, identify the existing documentation that resulted from putting in place technical or organisational measures and record it.

Create a documentation list that can be used as evidence. This could include formal documentation such as policies, procedures, and protocols, or it could be informal documentation, such as emails, meeting minutes, presentations, hyperlinks to internal documents and screenshots. For each document, it is helpful to note not only the name and location of the document, but also when it was last updated. It is important to review all existing documentation with your Privacy Office to determine its compliance with GDPR obligations. If it does not comply, then the status may shift back to “In Progress”.

To help identify what you might have in place, the Nymity GDPR Accountability Handbook™ provides hundreds of examples of accountability mechanisms related to technical and organisational measures specific to GDPR obligations and lists example evidence for each. See example below:

Evidence Examples: If you are looking for a deeper understanding of evidence, and more examples, please review Nymity’s GDPR Accountability Handbook™.

The next step in prioritising your GDPR accountability obligations is to create a plan for addressing all “In Progress” and “Desired” technical and organisational measures in order to attain the ongoing capacity for compliance.

Prioritise “In Progress” and “Desired” Technical and Organisational Measures

To begin this step it is necessary to identify the required technical and organisational measures “In Progress” and “Desired” to achieve GDPR compliance.

Plan GDPR Compliance

Appendix D: Common Approaches for Prioritising GDPR Compliance Planning

To prioritise your “In Progress” and “Desired” technical and organisational measures, it is important to note there are no silver bullets. What works for one organisation may not work for another. However, Nymity’s extensive research and experience working with companies implementing GDPR compliance has identified many approaches to implementing “Desired” technical and organisational measures, including the below common approaches:

• Inventory (Record of Processing Activities Register) approach

• Resource approach

• Regulator approach

• Risk approach

• Project Management approach

Use this Appendix for ideas on GDPR Compliance prioritisation approaches that may best align with your business.

Update “In Progress” and “Desired” status: A review of the “Desired” privacy management activities is only required to ensure the technical and organisational measures identified in your approach are accurately reflected in your documentation.

Priorities: The priority for your approach may be defined by the resources available.

It is now time to complete this step.

1. Resources to Implement: For “In Progress” and “Desired” technical and organisational measures it is important to document the required resources to ensure a successful implementation. This will help assess the viability of the organisation implementing the technical or organisational measures and changing the status.

2. Implement when it can be maintained

Demonstrating compliance with the GDPR is an ongoing effort – not a point-in-time status. It is recommended you first consider the resources available. In many cases, the initial effort to implement an activity will be higher than the effort to keep an activity up-to-date (“maintain” it). However, it is important for maintenance to be considered right from the start. For example, with the technical and organisational measure ‘Maintain a data privacy policy’, the initial effort required to draft a policy may require a medium level of resources. Also, the policy must be socialised with key stakeholders to achieve buy-in and improve the chances of adoption and, ultimately, it should be approved by executive leadership. Publishing or issuing the policy is just the first step. It must then be reviewed on a periodic basis to ensure it is still aligned with legislative requirements and the business environment, and should be updated as needed to reflect changes. A failure to keep the policy up-to-date will result in increased privacy risk. Although the effort to carry out these periodic reviews and updates requires fewer resources, it should be factored into the planning and prioritisation. If not enough resources are available to maintain the measure, it is important to note this, as this becomes a justification to make the case for appropriate resources.

Resources Examples: If you are looking for a deeper understanding of the resources and more examples, please review Appendix A: Key Concepts: Resources.

Step 2 – Plan

3. Resources to Maintain: As described when completing the Baseline step, the resources required to maintain activities need to be identified. It is important to secure the resources to maintain a technical or organisational measure prior to the implementation. Without adequate maintenance, it could have limited effectiveness.

The Baseline and Plan steps described above provide a structured privacy management approach to getting started with GDPR compliance. After those steps are implemented, privacy management becomes an ongoing process. Once a technical and organisational measure is implemented it then needs to be maintained. If there are sufficient resources available after a measure is implemented, the resources can be re-directed to other “In Progress” or “Desired” measures.

In practice, “Implemented” technical and organisational measures status may change back to “In Progress” for a variety of reasons, including new legislation, regulations, DPA enforcement activity and guidelines or court decisions. At all stages of privacy management, it is important to report on your progress. In the beginning of your compliance efforts, it is important to build the business case to justify the resources required for GDPR compliance. As privacy management matures, ongoing reporting is important to ensure there are resources to maintain the implemented technical and organisational measures. Maintaining this workbook becomes a technical or organisational measure that enables your privacy management and reporting purposes for years to come.

NOTE: Nymity has several resources to assist organisations in this structured approach to GDPR Compliance.

Free Resources:

Nymity Privacy Management Accountability Framework™,

Framework for Demonstrable GDPR Compliance

GDPR Accountability Handbook™

https://www.nymity.com/data-privacy-resources.aspx

What’s Next?


Nymity’s Privacy Office Support Software:

Quickly build or enhance privacy management throughout your organisation with over 700 downloadable expert resources associated with 130+ privacy management activities. https://www.nymity.com/products/privacy-management-templates.aspx

Take control of privacy management with Nymity Planner™, the ideal solution for the privacy office looking to build, enhance, and structure privacy management throughout the organisation. https://www.nymity.com/products/privacy-management-planner.aspx

Understand and compare privacy management and GDPR Compliance across your organisation to other organisations with Nymity Benchmarks™. https://www.nymity.com/products/privacy-program-metrics.aspx

To fully maximise the approach in this Guide, it is best to understand underlying key concepts leveraged in this Guide.

1. Privacy Officer

2. Resources

3. Context

4. Stand-Ready to Demonstrate On-Demand

1. Privacy Office: The Privacy Office is all the individuals responsible for privacy management. One of the key roles in privacy management is the individual within the organisation responsible for privacy management, which in this manual is called the Privacy Officer. The role can go by many titles including Privacy Counsel, Privacy Officer, Chief Privacy Officer, Data Protection Officer, or could even be an individual that does not have privacy in their title such as a CISO. These individuals can reside in many departments, for example, legal, compliance, and risk.

2. Resources: Resources are what is available to the privacy office to implement and maintain the technical and organisational measures. Nymity’s research has identified four categories of resources and the following table provides several examples:

Appendix A: Key Concepts


Table 1 provides examples of Privacy Management Program Resources.

People:

• Employees – full or partial headcount

• Buy-in or support from Executives/Senior Management

• Other departments or groups such as Internal Audit, Compliance, ERM

• Shared Services (Info Sec, IT, Legal, Procurement)

• External Consultants/Advisors/Auditors/Service Providers

• Data Protection Authority

Processes:

• Workflows for approval/sign-off

• Monitoring/Reviewing controls or mechanisms

• Communications/Meetings

• Training/knowledge sharing

• Escalation paths

Technology:

• File/document sharing platforms

• Collaboration tools

• Information Security/Data Protection controls

• ERP Systems

• Ticketing Systems

• E-Learning System

Tools:

• Compliance research subscriptions

• Subscription newsletters to stay informed

• Templates and samples

• Privacy management systems

• Privacy/Risk/Compliance Reporting Software

• PIA solutions

• Rationalised rules table generators

• Benchmarking solutions

Table 1: Examples of Privacy Management Program Resources

3. Context
Privacy is contextual, and thus privacy management must be contextual. Therefore, there is no standard checklist to which a Privacy Officer can point and say, “We are responsible”. To articulate how the organisation’s data processing activities are carried out in compliance with the Rules (that is, to demonstrate compliance), one must understand the activities themselves, the motivations behind them, how the Rules apply, and many other factors. Privacy Officers are uniquely positioned to demonstrate compliance and accountability: they have the expertise to interpret requirements, the knowledge to understand how those requirements apply to each type of processing, and the ability to communicate the context of compliance. Privacy context includes:

1. Rules [3]
Organisations in most jurisdictions are required to comply with privacy laws and regulations – over 770 privacy laws exist around the world. In addition, they must often comply with policies or other commitments such as privacy notices or codes of conduct. These requirements are collectively referred to as Rules. The Privacy Officer understands the Rules and therefore can provide context for how they apply to each type of data processing.

2. Data Processing Practices
The Privacy Officer understands the organisation’s practices that involve the processing of personal data, including business operations and back office functions such as human resources, marketing, and finance. Working with stakeholders throughout the organisation, the Privacy Officer can understand and provide context for how the Rules apply to organisational practices.

3. Privacy Management
The Privacy Officer understands the privacy management activities that have been implemented throughout the organisation and how they are maintained. Many decisions related to privacy management are influenced by the Rules and how they apply to data processing. Explaining these decisions is a key element of providing context.

[3] Rules: Requirements of a law, regulation, policy, or other commitment such as a privacy notice or code of conduct.

4. Privacy Risk
The Privacy Officer understands the risk of harm to individuals and to the organisation [4]. The Privacy Officer can explain how privacy risk can influence decisions about which privacy management activities to implement and why. Related to privacy risk, another element of context is the decision to prioritise one risk mitigation activity over another when resources are limited.

For some technical and organisational measures, it is obvious how the evidence can be used to demonstrate compliance. For example, if a Rule requires that a privacy notice contains certain elements [5], it is easy to determine whether the elements are present when the privacy notice is provided. This would not require the Privacy Officer to contextualise the evidence. In other cases, it is not obvious. For example, Rules often require that data is not processed for purposes beyond those for which it was collected. In this scenario, Evidence may include policies and guidance instructing employees of the requirement and explaining how to assess whether processing is carried out within the boundaries of the original data collection purpose. These are simple to map to the Rule, which is a good start, but it doesn’t go far enough: just issuing the guidance does not yet ensure that data is not processed beyond what is allowed. To demonstrate that privacy is effectively embedded, the Privacy Office might show that Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) are required for all new collection and use of personal data [6]; part of the (D)PIA includes identifying the original purpose for collection and determining whether the new use is consistent with it. This Evidence likely requires contextualisation.

The following example provides a more in-depth explanation of how Evidence can be contextualised to answer the question: How does the organisation comply with the Rules? The Privacy Officer may want to demonstrate how the outbound telemarketing team within a call centre complies with a requirement to obtain consent to collect and use data for selling a product. The Privacy Officer can use existing privacy management documentation (that is, Evidence) and provide context to demonstrate compliance as follows:

[4] “Conduct an Enterprise Privacy Risk Assessment” found in Maintain Governance Structure in the Nymity Privacy Management Accountability Framework™.
[5] “Maintain a data privacy notice that details the organisation’s personal data handling practices” found in 8. Maintain Notices in the Nymity Privacy Management Accountability Framework™.
[6] “Maintain PIA/DPIA guidelines and templates” found in 10. Monitor for New Operational Practices in the Nymity Privacy Management Accountability Framework™.
[7] “Maintain a data privacy policy” found in 3. Maintain a Data Privacy Policy in the Nymity Privacy Management Accountability Framework™.
[8] “Maintain a data privacy policy” found in 3. Maintain Data Privacy Policy in the Nymity Privacy Management Accountability Framework™.
[9] “Conduct privacy training” found in 5. Maintain Training and Awareness Program in the Nymity Privacy Management Accountability Framework™.
[10] “Conduct privacy training reflecting job specific content” found in 5. Maintain Training and Awareness Program in the Nymity Privacy Management Accountability Framework™.

Privacy Management Activity: Maintain a Data Privacy Policy [7]
Evidence: Privacy Policy
The data privacy policy [8] contains a provision which states that the organisation must obtain consent for all types of data processing that cannot be carried out under one of the five other legal bases enshrined in the GDPR.
Context: Rules, Data Processing, Privacy Management
Having identified the call centre as a point of data collection and use [Data Processing] for marketing purposes, the Privacy Office determines that consent is required. The data privacy policy is a privacy management activity which sets the expectation for obtaining consent [Rules, Privacy Management].

Evidence: Data Privacy Training Materials
The general data privacy training curriculum for all employees with access to personal data [9] contains general guidance for obtaining consent. The role-specific privacy training for call centre employees [10] contains more specific guidance for when and how to obtain and record consent when collecting data.

[11] “Integrate data privacy into telemarketing practices” found in 4. Embed Data Privacy into Operational Practices Program in the Nymity Privacy Management Accountability Framework™.
[12] “Conduct internal Audits of the privacy program (e.g., operational audit of the Privacy Office)” found in 12. Monitor Data Handling Practices in the Nymity Privacy Management Accountability Framework™.

Context: Privacy Management
The Privacy Office can show, using general and role-specific privacy training, that the expectation to obtain consent is reinforced and communicated proactively [Privacy Management].

Evidence: Call Centre Scripts
The call centre uses scripts for outbound telemarketing which guide employees on how to obtain unambiguous consent for processing [11].
Context: Rules, Privacy Management
The Privacy Office can demonstrate that employees are provided with tools to help them comply with the policy [Rules], as the scripts include a statement explaining the privacy notice and obtaining unambiguous consent. The scripts also include language on how to react if the customer does not want to provide consent [Privacy Management].

Evidence: CRM Screen Shots
The Customer Relationship Management (CRM) system contains a field where consent and opt-out requests are recorded. Validation mechanisms prevent the user from extracting a record for a purpose for which consent has not been obtained.
Context: Data Processing
Because the Privacy Officer understands how data is collected and flows throughout the organisation [Data Processing], he or she can use the CRM to demonstrate that consent is being collected and managed.

Evidence: Privacy Office Consultation
The Call Centre Director reached out to the Privacy Office via email to inquire about how the organisation’s policy around obtaining unambiguous consent should be applied in a jurisdiction where the law permits implied consent. These emails and follow-up discussions show how the Privacy Officer assisted the call centre to address consent requirements.

Context: Rules, Privacy Risk
The Privacy Office can explain that even though the law does not require unambiguous consent in all cases [Rules], they have made the decision to obtain unambiguous consent. By simplifying the process and defaulting to the most restrictive requirement, the organisation is less likely to be non-compliant [Privacy Risk].

Evidence: Audit Results
An internal audit of call centre operations included listening to a selection of recorded calls to determine whether the process for obtaining consent was followed [12]. No exceptions were reported.
Context: Privacy Management, Privacy Risk
Although the Privacy Office did not conduct the internal audit, its report becomes documentation that can be used as evidence of privacy accountability and compliance. The report shows that the selected calls followed the requirements in the data privacy policy [Rules]. As the policy exceeds the requirements of the law [Rules], the Privacy Office can explain why they determined there is a minimal risk of non-compliance with legal requirements for consent [Rules].

The Privacy Office could thus answer the question: how does the organisation comply with the rules around consent? Note that in the above example, the Privacy Office could demonstrate compliance using existing privacy management documentation; no additional documentation was produced. Also note that the documentation alone would not be sufficient to demonstrate compliance to someone who did not understand the Rules that apply to the organisation, the way data is processed, how privacy management is embedded in the organisation, or the privacy risk profile. The demonstration of compliance required the context provided by the Privacy Officer.

4. Stand-Ready to Demonstrate On-Demand
Organisations who keep the Workbook up to date with documentation serving as evidence have the capacity to stand ready to demonstrate responsible privacy management (that is, accountability and/or compliance) on demand. Some organisations will take more of an assessment-based approach and update the Workbook on an annual basis. Being able to stand ready to demonstrate compliance on demand allows the Privacy Office to contextualise responsible privacy management (accountability) at any time. Also, the Privacy Officer can contextualise compliance to a Regulator at any time (for example, if there were an investigation, or if they were to proactively reach out to a Privacy or Data Protection Regulator).

Since 2002, Nymity has been conducting global research and on-the-ground workshops with privacy and Data Protection Regulators to examine what it takes for organisations to “demonstrate” accountability through effective privacy management. One outcome is the understanding that structured privacy management has three key elements: 1. responsibility, 2. ownership, and 3. evidence.

1. Responsibility

Responsible organisations maintain the right set of privacy management activities.

Nymity’s research has resulted in the Nymity Privacy Management Accountability Framework™ (“Framework”). It is this Framework that forms the foundation for the “responsibility” element in a structured approach to privacy management.

The Framework is not a checklist of activities that must be completed; it is a menu of privacy management activities that can be adapted to any organisation. No two organisations’ privacy management is the same, and thus this Framework provides the flexibility necessary for planning, scaling, and communicating privacy management. The Framework is not based on principles or controls, but on privacy management activities that can be monitored and tracked. It is a comprehensive, jurisdiction- and industry-neutral listing of 130+ privacy management activities within 13 Privacy Management Categories.

Privacy Management Categories

1. Maintain Governance Structure
2. Maintain Personal Data Inventory
3. Maintain Data Privacy Policy
4. Embed Data Privacy into Operations
5. Maintain Training and Awareness Program
6. Manage Information Security Risk
7. Manage Third-Party Risk
8. Maintain Notices
9. Maintain Procedures for Inquiries and Complaints
10. Monitor for New Operational Practices
11. Maintain Data Privacy Breach Management Program
12. Monitor Data Handling Practices
13. Track External Criteria

In a structured approach to privacy management, responsibility means that appropriate technical and organisational measures have been implemented and are maintained on an ongoing basis. The appropriate measures are determined based on the organisation’s compliance requirements, risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for collection, use and disclosure, etc.).

2. Ownership

An individual is answerable for the management and monitoring of each of the privacy management activities.

Ownership is the second element of structured privacy management and builds upon the element of responsibility. Even if the Privacy Officer is accountable for data privacy or compliance, the Privacy Office itself usually processes very little, if any, personal data. As such, effectiveness relies on the appropriate technical and organisational measures being performed at all points of the personal data life cycle, from the point of collection to the point of destruction. Ownership of some privacy management activities will reside within the operational and business units where data is being collected and processed, for example human resources, marketing, product development, IT, customer service, etc.

Privacy management activities may be:

Maintained by the Privacy Officer. For example:
- Maintain a data privacy policy
- Conduct privacy training
- Maintain a data privacy notice detailing the organisation’s personal data handling practices
- Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.

Influenced or observed by the Privacy Officer. For example:
- Integrate data privacy into direct marketing practices
- Integrate data privacy into an information security policy
- Conduct due diligence around the data privacy and security posture of potential vendors/processors

Table 0.2 provides examples of technical and organisational measures within each of the 13 Privacy Management Categories performed by various stakeholders within the organisation.

| Privacy Management Category | Activities Owned by the Privacy Office (Examples) | Activities Owned by Operational Units (Examples) |
|---|---|---|
| 1. Maintain Governance Structure | Maintain a Privacy Strategy | Owner: Human Resources. Require employees to acknowledge and agree to adhere to data privacy policies |
| 2. Maintain Personal Data Inventory | Maintain an inventory of key personal data and/or processing activities | Owner: Corporate Records Management. Classify personal data holdings by type (e.g. sensitive, confidential, public) |
| 3. Maintain Data Privacy Policy | Maintain a data privacy policy | Owner: Human Resources. Maintain an employee data privacy policy |
| 4. Embed Data Privacy into Operations | Maintain policies/procedures for collection and use of children and minors’ personal data | Owner: Marketing. Integrate data privacy into direct marketing practices |
| 5. Maintain Training and Awareness Program | Conduct privacy training | Owner: Customer Service. Incorporate data privacy into operational training, such as HR, security, call centre |
| 6. Manage Information Security Risk | Maintain an acceptable use of information resources policy | Owner: Information Security. Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) |
| 7. Manage Third-Party Risk | Maintain data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates) | Owner: Legal. Maintain procedures to execute contracts or agreements with all processors |
| 8. Maintain Notices | Maintain a data privacy notice | Owner: Facilities/Corporate Security. Provide notice by means of on-location signage, posters |
| 9. Maintain Procedures for Inquiries and Complaints | Investigate root causes of data protection complaints | Owner: Call Centre. Maintain procedures to address complaints |
| 10. Monitor for New Operational Practices | Maintain PIA/DPIA guidelines and templates | Owner: Information Technology. Conduct PIAs/DPIAs for new programs, systems, processes |
| 11. Maintain Data Privacy Breach Management Program | Maintain a data privacy incident/breach response plan | Owner: Legal. Engage a forensic investigation team |
| 12. Monitor Data Handling Practices | Monitor and report privacy management metrics | Owner: Internal Audit. Conduct internal audits of the privacy program (e.g., operational audit of the Privacy Office) |
| 13. Track External Criteria | Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc. | Owner: Compliance. Document decisions around new requirements, including their implementation or any rationale behind decisions not to implement changes |

Table 0.2 – Examples of Activities Owned by the Privacy Office and Operational Units

3. Evidence

Documentation that is a by-product of privacy management activities is made available by the owner.

The third element of structured privacy management is evidence. In responsible organisations, the Owner of a privacy management activity provides supporting evidence that the activity is being maintained.

When privacy management activities are performed on an ongoing basis, evidence is produced as a by-product. Evidence is documentation which may be formal (e.g., policies, procedures, reports) or informal (e.g., communication, agendas, system logs) and can be used with context by the Privacy Office to show that a privacy management activity is being performed. For example, the technical and organisational measure “Maintain PIA/DPIA guidelines and templates” produces several forms of evidence, including: policies requiring (D)PIAs, procedures and workflows documenting the approval process, (D)PIA guidelines and templates, training documents on how to conduct (D)PIAs, logs of (D)PIAs, etc. This documentation serves as evidence of accountability.

Refer to Table 0.3 for the characteristics of formal and informal documentation and corresponding examples:

| Documentation | Characteristics | Examples |
|---|---|---|
| Formal | Typically published, maintained, and communicated to designated groups | Policies, Procedures, Reports |
| Informal | May show an example of an activity having occurred, such as an e-mail conversation between two key individuals or a record of participation in a webinar | Email communication, meeting agendas, system logs |

Table 0.3 – Characteristics of Formal and Informal Documentation

Table 0.4 describes the role the Privacy Office plays depending on the source of the documentation, as well as corresponding examples of the document types:

| Source | Privacy Office Role | Example Documents |
|---|---|---|
| Produced: generated by the Privacy Office with input from other key stakeholders | The Privacy Office performs the activity | Data Privacy Policy; Privacy Notice; Data Privacy Training Curriculum; Privacy Impact Assessment Guidelines; Policy/procedure for secondary uses of personal data |
| Influenced: influenced by the Privacy Office but created by other stakeholders | The Privacy Office provides input or opinions | Direct Marketing Procedures; Privacy Impact Assessments; Employment Policies; Records retention schedules |
| Collected: provided to the Privacy Office by other stakeholders | The Privacy Office is kept up to date on progress, often only upon completion | Internal Audit Results; IT Security Assessment Results; Business Continuity Plans |

Table 0.4 – The Privacy Office’s Role in Production of Documentation

Table 0.5 outlines how formal and informal documentation can be produced, influenced, or collected by the Privacy Office as evidence of the Technical and Organisational Measures.

| Technical or Organisational Measure | Evidence/Documentation | Source/Role | Formal/Informal |
|---|---|---|---|
| Maintain a data privacy policy | Data Privacy Policy | Produced by Privacy Office | Formal |
| Integrate data privacy into delegate access to employees’ company e-mail accounts (e.g. vacation, LOA, termination) | E-mail monitoring policy and procedure | Influenced by Privacy Office; produced by Information Technology | Formal |
| Measure participation in data privacy training activities (e.g. numbers of participants, scoring) | System-generated report of data privacy exam scores | Collected by Privacy Office; produced by Human Resources | Informal |
| Provide notice in marketing communications (e.g. emails, flyers, offers) | Examples of e-mail marketing communications | Influenced by Privacy Office; produced by Marketing | Informal |

Table 0.5 – Formal and Informal Documentation

4. Frequency: Technical and Organisational Measures are Ongoing
In the past, in many organisations privacy management may have started as a project. However, under the GDPR, the law requires organisations to keep their “appropriate technical and organisational measures” up to date and review them on a regular basis. Responsible organisations already did so, but now all organisations will need to comply with this requirement. This includes a need to allocate sufficient resources to privacy management and to continually re-evaluate the organisation’s privacy management needs to ensure activities are aligned.

“A privacy management program should never be considered a finished product; it requires ongoing assessment and revision to be effective and relevant. The building blocks must be monitored and assessed on a regular basis and be updated accordingly.” – Getting Accountability Right [13]

Privacy management is a set of ongoing technical or organisational measures performed either periodically or continuously.

Periodic: Activities are performed on a set frequency, e.g. quarterly or annually. These activities are treated as discrete projects or tasks with a defined start and end.

Continuous: Activities are embedded into day-to-day operations. These activities often take a repetitive approach, where adjustments are made continuously toward the desired outcome.

Table 0.6 reviews privacy management activities to show how the two frequency approaches might differ for the same measure:

| Technical or Organisational Measure | Periodic | Continuous |
|---|---|---|
| Maintain documentation of data flows (e.g. between systems, between processes, between countries) | On an annual basis, require key stakeholders to review the flow charts for accuracy and update diagrams as necessary | Proposed changes to data flows are identified and the flow charts are updated as a condition of project sign-off and implemented as part of the project management requirements |
| Measure participation in data privacy training activities (e.g. numbers of participants, scoring) | Each quarter, review reports generated by the e-Learning system to determine whether all employees have completed required training | Configure the e-Learning system to generate alerts when an employee has not completed training by the required date and notify the employee’s manager suggesting he or she follow up immediately |
| Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.) | Establish a cross-functional committee of privacy stakeholders (e.g. IT, marketing, legal, HR, etc.) who meet on a quarterly basis to discuss data privacy matters | Create an email alias or group discussion to facilitate communication amongst group members on data privacy matters |
| Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties) | On a monthly basis, review reports of active system users to ensure their access is still appropriate and sign off to indicate approval | Configure the HR system to send alerts to information security when employees are terminated or when there are changes to job title, department, or reporting structure |

Table 0.6 – Examples of Periodic and Continuous Approaches to Privacy Management Activities

Whether an activity should be performed periodically or continuously depends on a number of factors. Periodic activities may encourage structure, whereas continuous activities may provide more thorough coverage and risk prevention.

An organisation that has embedded responsibility, ownership, and evidence into its privacy program has implemented accountability and is now equipped to demonstrate it.

[13] Office of the Information and Privacy Commissioner of Alberta. (2012). Getting Accountability Right with a Privacy Management Program. Alberta, Canada.

| Privacy Management Category | Privacy Management Activity | GDPR Article Reference |
|---|---|---|
| 1. Maintain Governance Structure | Assign responsibility for data privacy to an individual (e.g. Privacy Officer, Privacy Counsel, CPO, CISO, EU Representative) | 27 |
| | Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee) | |
| | Appoint a Data Protection Officer (DPO) in an independent oversight role | 37, 38 |
| | Assign responsibility for data privacy throughout the organisation (e.g. Privacy Network) | |
| | Maintain roles and responsibilities for individuals responsible for data privacy (e.g. Job descriptions) | 39 |
| | Conduct regular communication between the Privacy Office, privacy network and others responsible/accountable for data privacy | 38 |
| | Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.) | |
| | Report to internal stakeholders on the status of privacy management (e.g. board of directors, management) | |
| | Report to external stakeholders on the status of privacy management (e.g., regulators, third-parties, clients) | |
| | Conduct an Enterprise Privacy Risk Assessment | 24, 39 |
| | Integrate data privacy into business risk assessments/reporting | |
| | Maintain a privacy strategy | |
| | Maintain a privacy program charter/mission statement | |
| | Require employees to acknowledge and agree to adhere to the data privacy policies | |
| 2. Maintain Personal Data Inventory | Maintain an inventory of personal data and/or processing activities | 30 |
| | Classify personal data by type (e.g. sensitive, confidential, public) | |
| | Obtain regulatory approval for data processing (where prior approval is required) | |
| | Register databases with regulators (where registration is required) | |
| | Maintain documentation of data flows (e.g. between systems, between processes, between countries) | |
| | Maintain documentation of the transfer mechanism used for cross-border data flows (e.g., model clauses, BCRs, regulator approvals) | 45, 46, 49 |
| | Use Binding Corporate Rules as a data transfer mechanism | 46, 47 |
| | Use contracts as a data transfer mechanism (e.g., Standard Contractual Clauses) | 46 |
| | Use APEC Cross Border Privacy Rules as a data transfer mechanism | |
| | Use regulatory approval as a data transfer mechanism | 46 |
| | Use adequacy or one of the derogations (e.g. consent, performance of a contract, public interest) as a data transfer mechanism | 45, 49, 48 |
| | Use the Privacy Shield as a data transfer mechanism | 46 |
| 3. Maintain Data Privacy Policy | Maintain a data privacy policy | 5, 24, 91 |
| | Maintain an employee data privacy policy | |
| | Document legal basis for processing personal data | 6, 9, 10 |
| | Integrate ethics into data processing (Codes of Conduct, policies, and other measures) | |
| | Maintain an organisational code of conduct that includes privacy | |

Appendix C: Prioritising GDPR Compliance

4. Embed Data Privacy into Operations

Maintain policies/procedures for collection and use of sensitive personal data (including biometric data)

9

Maintain policies/procedures for collection and use of children’s and minors’ personal data

8, 12

Maintain policies/procedures for maintaining data quality 5

Maintain policies/procedures for the de-identification of personal data 89

Maintain policies/procedures to review processing conducted wholly or partially by automated means

12, 22

Maintain policies/procedures for secondary uses of personal data 6, 13, 14

Maintain policies/procedures for obtaining valid consent 6, 7, 8

Maintain policies/procedures for secure destruction of personal data

Integrate data privacy into use of cookies and tracking mechanisms

Integrate data privacy into records retention practices 5

Integrate data privacy into direct marketing practices 21

Integrate data privacy into e-mail marketing practices

Integrate data privacy into telemarketing practices

Integrate data privacy into digital marketing practices (e.g., mobile, social media, behavioural advertising)

Integrate data privacy into hiring practices

Integrate data privacy into the organisation’s use of social media practices 8

Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures

Integrate data privacy into health & safety practices

Integrate data privacy into interactions with works councils

Integrate data privacy into practices for monitoring employees

Integrate data privacy into use of CCTV/video surveillance

Integrate data privacy into use of geo-location (tracking and or location) devices

Integrate data privacy into delegate access to employees' company e-mail accounts (e.g. vacation, LOA, termination)

Integrate data privacy into e-discovery practices

Integrate data privacy into conducting internal investigations

Integrate data privacy into practices for disclosure to and for law enforcement purposes

Integrate data privacy into research practices 21, 89

5. Maintain Training and Awareness Program

Conduct privacy training 39

Conduct privacy training reflecting job specific content

Conduct regular refresher training

Incorporate data privacy into operational training (e.g. HR, marketing, call centre)

Deliver training/awareness in response to timely issues/topics

Deliver a privacy newsletter, or incorporate privacy into existing corporate communications

Provide a repository of privacy information, e.g., an internal data privacy intranet

Maintain privacy awareness material (e.g. posters and videos)

Conduct privacy awareness events (e.g., an annual data privacy day/week)

Measure participation in data privacy training activities (e.g. numbers of participants, scoring)

Enforce the Requirement to Complete Privacy Training

Provide ongoing education and training for the Privacy Office and/or DPOs (e.g. conferences, webinars, guest speakers)

Maintain qualifications for individuals responsible for data privacy, including certifications

Integrate data privacy risk into security risk assessments 32

Integrate data privacy into an information security policy 5, 32


6. Manage Information Security Risk

Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) 32

Maintain measures to encrypt personal data 32

Maintain an acceptable use of information resources policy

Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties) 32

Integrate data privacy into a corporate security policy (protection of physical premises and hard assets)

Maintain human resource security measures (e.g. pre-screening, performance appraisals)

Maintain backup and business continuity plans

Maintain a data-loss prevention strategy

Conduct regular testing of data security posture 32

Maintain a security certification (e.g., ISO)

7. Manage Third-Party Risk

Maintain data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates) 28, 32

Maintain procedures to execute contracts or agreements with all processors 28

Conduct due diligence around the data privacy and security posture of potential vendors/processors 28

Conduct due diligence on third party data sources

Maintain a vendor data privacy risk assessment process

Maintain a policy governing use of cloud providers

Maintain procedures to address instances of non-compliance with contracts and agreements

Conduct due diligence around the data privacy and security posture of existing vendors/processors

Review long-term contracts for new or evolving data privacy risks

8. Maintain Notices

Maintain a data privacy notice 8, 13, 14

Provide data privacy notice at all points where personal data is collected 13, 14, 21

Provide notice by means of on-location signage, posters

Provide notice in marketing communications (e.g. emails, flyers, offers)

Provide notice in contracts and terms

Maintain scripts for use by employees to explain or provide the data privacy notice

Maintain a privacy Seal or Trustmark to increase customer trust

9. Respond to Requests and Complaints from Individuals

Maintain procedures to address complaints

Maintain procedures to respond to requests for access to personal data 15

Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data 16, 19

Maintain procedures to respond to requests to opt-out of, restrict or object to processing 7, 18, 21

Maintain procedures to respond to requests for information

Maintain procedures to respond to requests for data portability 20

Maintain procedures to respond to requests to be forgotten or for erasure of data 17, 19

Maintain Frequently Asked Questions to respond to queries from individuals

Investigate root causes of data protection complaints

Monitor and report metrics for data privacy complaints (e.g. number, root cause)

10. Monitor for New Operational Practices

Integrate Privacy by Design into data processing operations 25

Maintain PIA/DPIA guidelines and templates 35

Conduct PIAs/DPIAs for innovative programs, systems, processes 5, 6, 25, 35

Conduct PIAs or DPIAs for changes to existing programs, systems, or processes 5, 6, 25, 35

Engage external stakeholders (e.g., individuals, privacy advocates) as part of the PIA/DPIA process 35


Track and address data protection issues identified during PIAs/DPIAs 35

Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate) 36

11. Maintain Data Privacy Breach Management Program

Maintain a data privacy incident/breach response plan 33, 34

Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol 12, 33, 34

Maintain a log to track data privacy incidents/breaches 33

Monitor and report data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)

Conduct periodic testing of data privacy incident/breach plan

Engage a breach response remediation provider

Engage a forensic investigation team

Obtain data privacy breach insurance coverage

12. Monitor Data Handling Practices

Conduct self-assessments of privacy management 25, 39

Conduct Internal Audits of the privacy program (e.g., operational audit of the Privacy Office)

Conduct ad-hoc walk-throughs

Conduct ad-hoc assessments based on external events, such as complaints/breaches

Engage a third-party to conduct audits/assessments

Monitor and report privacy management metrics

Maintain documentation as evidence to demonstrate compliance and/or accountability 5, 24

Maintain certifications, accreditations, or data protection seals for demonstrating compliance to regulators

13. Track External Criteria

Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc. 39

Maintain subscriptions to compliance reporting service/law firm updates to stay informed of new developments

Attend/participate in privacy conferences, industry associations, or think-tank events

Record/report on the tracking of new laws, regulations, amendments, or other rule sources

Seek legal opinions regarding recent developments in law

Document decisions around new requirements, including their implementation or any rationale behind decisions not to implement changes

Identify and manage conflicts in law

Appendix D: Common Approaches to Prioritising GDPR Compliance Planning

There are no silver bullets to prioritising GDPR compliance planning; what works for one company does not necessarily work for another. Nymity’s extensive research and experience with hundreds of companies implementing GDPR compliance has identified many common approaches to implementing “Desired” technical and organisational measures, including:

Governance Approach

Inventory (Record of Processing Activities) first approach

Regulator Approach

Risk Approach

Project Management Approach

Governance Approach

The GDPR is an accountability-based law requiring organisations to demonstrate compliance on an ongoing basis. Some organisations begin their prioritisation efforts by focusing on activities with the greatest impact overall on governance in their organisation.


Common Governance Related Technical and Organisational Measures

Assign responsibility for data privacy to an individual (e.g. General Counsel, CPO, CISO, EU Representative)

Appoint a Data Protection Officer in an independent oversight role

Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)

Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.)

Report to internal stakeholders on the status of privacy management (e.g. board of directors, management)

Maintain a data privacy policy

Conduct privacy training

Maintain a data privacy notice

Maintain Data Privacy Requirements for Third Parties (e.g., Vendors, Processors, Affiliates)

Conduct self-assessments of privacy management

Inventory (Record of Processing Activities) Approach

Article 30 of the GDPR (Records of processing activities) requires organisations with more than 250 employees, and those processing large volumes and/or sensitive data, to create a record of processing activities. Many organisations, especially those whose data processing is considered “high risk”, have found it beneficial to begin their GDPR compliance planning by completing a Records of Processing Activities Register. If an organisation has fewer than 250 employees and resources are available, this exercise will still be useful and, in general, not onerous.

If your Step 1 “Baseline Exercise” revealed that you have an existing data inventory or processing activities register, review it to ensure it captures the required information outlined in Article 30 GDPR and that all your processing activities are indeed included. In general, Nymity research has found that organisations completing or attempting to complete traditional data inventories may not have captured the information required by the GDPR but, in many cases, have far more other information than is required.

What is a Record of Processing Activities Register?

For organisations operating in the EU, a requirement of the Directive 95/46/EC was to notify and register processing activities with local Data Protection Authorities (DPAs). Article 30 replaces this requirement. The French Data Protection Authority (CNIL) in 2017 published a six-step methodology for complying with the GDPR[14] which includes a template for a Processing Activities Register. This template highlights that a traditional data inventory is not the intent of Article 30 GDPR.[15] In general, these records must contain:

The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the Data Protection Officer;

The purpose(s) of the processing;

A description of the categories of data subjects and personal data;

The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;

[14] www.cnil.fr/fr/comment-se-preparer-au-reglementeuropeen-sur-la-protection-des-donnees

[15] www.cnil.fr/fr/cartographier-vos-traitements-de-donneespersonnelles

Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

Where possible, the envisaged time limits for erasure of the different categories of data;

Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

It is important to note this list is first concerned with the details of processing activities versus the details of a data holding repository and does not require the onerous process of documenting every data element forming part of the data repository (though in practice, some companies will want to do this).
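The Article 30 list above is effectively a record schema with mandatory fields, conditional fields (safeguards only for certain transfers) and “where possible” fields. The following validator, an added example that is not part of the Nymity guide or the CNIL template, models one register entry per processing activity and checks it against that list; the field names, the transfer mechanism labels (“adequacy”, “scc”, “art49_1_para2”) and the sample records are all assumptions constructed for illustration.

```python
"""Check a record of processing activities against the Article 30(1) field list.

Added example, not taken from the guide. Field and mechanism names are
assumptions chosen to mirror the bullet list reproduced in the text above.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Transfer:
    """One transfer of personal data to a third country or international organisation."""
    destination: str            # identification of the third country/organisation (Art. 30(1)(e))
    mechanism: str              # assumed label: "adequacy", "scc" or "art49_1_para2"
    safeguards_doc: str = ""    # reference to documented safeguards (needed for Art. 49(1) 2nd subpara.)


@dataclass
class ProcessingRecord:
    """One processing activity, modelled after the Article 30(1) list (field names are assumptions)."""
    activity: str
    controller_name: str
    controller_contact: str
    purposes: List[str]
    data_subject_categories: List[str]
    personal_data_categories: List[str]
    recipient_categories: List[str]
    transfers: List[Transfer] = field(default_factory=list)
    erasure_time_limits: Dict[str, str] = field(default_factory=dict)  # per data category, "where possible"
    security_measures: str = ""                                        # Art. 32(1) description, "where possible"
    dpo_contact: str = ""                                              # "where applicable"
    representative_contact: str = ""                                   # "where applicable"
    joint_controllers: List[str] = field(default_factory=list)         # "where applicable"


def validate_record(rec: ProcessingRecord) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings).

    Errors are mandatory Article 30(1) items that are absent; warnings cover the
    "where possible" items, which should be completed but are not hard failures.
    """
    errors: List[str] = []
    warnings: List[str] = []
    if not rec.controller_name.strip() or not rec.controller_contact.strip():
        errors.append("controller name and contact details are required")
    if not rec.purposes:
        errors.append("at least one purpose of processing is required")
    if not rec.data_subject_categories or not rec.personal_data_categories:
        errors.append("categories of data subjects and of personal data are required")
    if not rec.recipient_categories:
        errors.append("categories of recipients are required")
    for t in rec.transfers:
        if not t.destination.strip():
            errors.append("each transfer must identify the third country or organisation")
        # Safeguards must be documented for transfers under Art. 49(1) second subparagraph.
        if t.mechanism == "art49_1_para2" and not t.safeguards_doc.strip():
            errors.append(f"transfer to '{t.destination}' under Art. 49(1) 2nd subpara. lacks documented safeguards")
    missing_limits = [c for c in rec.personal_data_categories if c not in rec.erasure_time_limits]
    if missing_limits:
        warnings.append("no envisaged erasure time limit for: " + ", ".join(missing_limits))
    if not rec.security_measures.strip():
        warnings.append("no general description of Art. 32(1) security measures")
    return errors, warnings


def validate_register(records: List[ProcessingRecord]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Validate every entry of a register, keyed by activity name."""
    return {r.activity: validate_record(r) for r in records}


# Constructed sample register (fictional organisation and data; not real records).
COMPLETE = ProcessingRecord(
    activity="payroll", controller_name="Example Ltd", controller_contact="privacy@example.com",
    purposes=["salary payment"], data_subject_categories=["employees"],
    personal_data_categories=["bank details", "identifiers"],
    recipient_categories=["payroll processor", "tax authority"],
    transfers=[Transfer("Switzerland", "adequacy")],
    erasure_time_limits={"bank details": "6 years after employment ends",
                         "identifiers": "6 years after employment ends"},
    security_measures="encryption at rest, role-based access, audit logging",
    dpo_contact="dpo@example.com",
)
INCOMPLETE = ProcessingRecord(
    activity="marketing analytics", controller_name="Example Ltd", controller_contact="privacy@example.com",
    purposes=[], data_subject_categories=["customers"],
    personal_data_categories=["email", "browsing history"], recipient_categories=["analytics vendor"],
    transfers=[Transfer("", "scc"), Transfer("Examplestan", "art49_1_para2")],
    erasure_time_limits={"email": "until consent withdrawn"},
)

if __name__ == "__main__":
    for name, (errs, warns) in validate_register([COMPLETE, INCOMPLETE]).items():
        print(name, "errors:", errs, "warnings:", warns)
```

Running the script reports the payroll entry as clean and flags three errors (no purpose, an unidentified destination, an Article 49(1) transfer without documented safeguards) plus two warnings for the marketing entry; a register review of this kind is what the text means by checking that an existing inventory “captures the required information outlined in Article 30”.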

Completing this exercise can act as the basis for compliance with multiple obligations because the same information is required to address the following obligations:

Record of Processing Activities (Article 30)

Transparency (Articles 12 and 13)

Data Protection Impact Assessments (Article 35)

Data Subject Access Rights (Article 15)

Processor (Article 28)

Regulator Approach

Over the past year, Data Protection Authorities have released guidance on various aspects of GDPR Compliance.[16] This guidance may help you to better understand your organisation’s compliance requirements. It is also important to note that Data Protection Authorities themselves have indicated[i] that perhaps the most important reason to produce the guidance is to streamline their own position and ideas. The guidelines may help data controllers and data processors around the world by providing a little more legal certainty. Note that no matter how extensive they may be, they are not always conclusive in every situation. In general, Data Protection Authorities have indicated that they expect organisations to prioritise their compliance initiatives in the following areas:

Awareness

Inventory / Article 30 Register

Impact Assessments for key projects

Procedures for Data subject rights and breaches

Notice / Communication

Consent & other legal grounds

Children

DPO

[16] For example, the Article 29 Working Party has issued guidance on various concepts including Data Portability, Profiling, Breaches, DPIAs and Fines. http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1308

Awareness

According to many Data Protection Authorities, GDPR compliance starts with raising awareness of the requirements of the new law within an organisation. That way, people can be prepared for the work to be done, including the reasons why an organisation may have a new or renewed focus on privacy and data protection.

Inventory / Article 30 Register

This is the same requirement as described above under the “Governance Approach”. Many DPAs agree that in order to have a good overview of what is going on in an organisation, the Processing Activities Register is a vital element. It will not only provide the overview of the ongoing data processing operations, but will also help organisations to decide which are the appropriate technical and organisational measures that need to be implemented. Furthermore, it supports the drafting or updating of privacy notices, which will need to include a lot of information already included in the Register. Last but not least, the information included in the Register makes it possible to assess whether processing activities are “high risk” and thus need to be part of a DPIA.

Impact Assessments for key projects

All “high risk” processing operations, including those in which sensitive data are processed, need to undergo a data protection impact assessment. Organisations are free to decide if they wish to extend this obligation to more projects. If a DPIA is completed, the organisation will make an inventory of the risks to the rights and freedoms of the data subject, including, but not limited to, privacy and data protection. These risks will subsequently need to be mitigated, for example by applying specific safeguards to a processing operation.

Procedures for Data subject rights and breaches

Where they have not yet been established, DPAs recommend developing internal procedures on how to deal with the rights attributed to data subjects (including the right to information, access, rectification and erasure) and with data breaches. Should procedures already be in place, they would in any case need to be reviewed to ensure they are in line with the requirements of the GDPR and, when available, the guidance of the Article 29 Working Party.

Notice / Communication

The GDPR imposes strict obligations on the information to be provided to data subjects when their personal data is processed. That information shall be included in one, or multiple, privacy notices or statements, which need to be written in plain language. Organisations will need to review their current notices and/or draft new ones. The Processing Activities Register could help to include many details of the processing operation in the notice.

Consent & other legal grounds

The DPAs remind organisations that all processing operations require one of six legal grounds: consent, performance of a contract, a legal obligation, a public interest, a vital interest of the data subject or of another data subject, or a legitimate interest. Without one of these legal grounds, personal data cannot be legally processed. For each (purpose of) a processing operation, the applicable legal ground is to be documented. Furthermore, where legitimate interest or consent is being used, organisations should stand ready to provide further explanations on how these legal grounds apply in the specific situation and whether the criteria imposed by the GDPR are met.


Children

Although the GDPR does not contain many provisions on processing personal data of minors, most DPAs recommend taking extra care when dealing with data from children. Organisations are recommended to put in place specific safeguards where possible. Also, compliance with the minimum age for consent in an online environment, which may vary from 13 to 16 depending on the EU Member State, needs to be clearly documented.

DPO

The final step recommended by most Data Protection Authorities is to verify whether a Data Protection Officer needs to be appointed. This is a prescribed role under the GDPR, for example for all public authorities and organisations that are processing sensitive data at a large scale.

Common Technical and Organisational Measures Related to Regulatory Guidance

Assign responsibility for data privacy to an individual (e.g. General Counsel, CPO, CISO, EU Representative)

Appoint a Data Protection Officer

Maintain a data privacy policy

Maintain policies/procedures for collection and use of children and minors’ personal data

Maintain policies/procedures for obtaining valid consent

Maintain privacy awareness materials (e.g. posters and videos)

Conduct privacy awareness events

Maintain a data privacy notice

Maintain scripts for use by employees to explain or provide the data privacy notice

Maintain procedures to respond to requests for access to personal data

Maintain PIA/DPIA guidelines and templates

Conduct PIAs for new programs, systems, processes

Risk Approach

The GDPR is a risk-based law requiring data controllers to engage in risk analysis and adopt risk-measured responses. The GDPR imposes additional obligations for data processing activities posing a high risk to individuals. Organisations engaging in low-risk processing activities, or adequately addressing risk, may avoid specific obligations such as to notify a Data Protection Authority of a data breach.

Risk is contextual and is not clearly defined by the GDPR. Where the concept of risk appears in the GDPR, it is defined by reference to the “likelihood and severity” of a negative impact on the rights and freedoms of data subjects. This goes beyond just privacy and data protection, and also includes other fundamental rights like the freedom of expression and the right to non-discrimination. Organisations should account for the “nature, scope, context and purpose of processing.” In 2017, the Article 29 Data Protection Working Party released guidelines[17] for the GDPR’s DPIA requirements. These guidelines shed some light on what will be considered “high-risk” processing. Ask yourself:

[17] WP248 rev01 – Guidelines on high risk processing and data protection impact assessments: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711


Are you doing evaluation or scoring (including profiling and predicting) of aspects specific to the data subject?

Does the processing involve automated decision making producing significant effect on the data subject?

Are you performing systematic monitoring of data subjects, including in a publicly accessible area?

Does the processing involve sensitive data (special categories of data as defined in Article 9 and data regarding criminal offences)?

Is the data being processed on a large scale?

Have datasets been matched or combined?

Does the data concern vulnerable data subjects (as laid out in Recital 75)?

Is this an innovative use or does it apply technological or organisational solutions (for example, combining use of finger print and facial recognition)?

Are you transferring data outside the European Union?

Will the processing itself prevent data subjects from exercising a right or using a service or a contract?

Common Technical and Organisational Measures to Address High-Risk Processing

Conduct an Enterprise Privacy Risk Assessment

Maintain an inventory of personal data and/or processing activities

Classify personal data by type (e.g. sensitive, confidential, public)

Maintain flow charts for data flows (e.g. between systems, between processes, between countries)

Maintain a data privacy policy

Maintain policies/procedures for secure destruction of personal data

Integrate data privacy into records retention practices

Conduct privacy training

Maintain Data Privacy Requirements for Third Parties (e.g., Vendors, Processors, Affiliates)

Conduct due diligence around the data privacy and security posture of potential vendors/processors

Maintain a vendor data privacy risk assessment process

Integrate Privacy by Design into data processing operations

Maintain PIA/DPIA guidelines and templates

Conduct PIAs for new programs, systems, processes

Maintain a Privacy by Design framework for all system and product development

Maintain a documented data privacy incident/breach response protocol

Conduct self-assessments of privacy management

Project Management Approach

This approach works well for organisations with ample time to address all GDPR compliance obligations and in which the Privacy Officer has experience with project management or has access to internal employee resources with project management skills. Organisations taking this approach consider the time it would take to complete a task and the availability of resources to prioritise, then follow the general sequence of steps below:

Step 1: Task Dependency

Determine if any technical or organisational measures are dependent on completing another measure. For example, some organisations determine that data inventories/records of processing/data flow maps need to be completed before beginning items such as Data Subject Access requests or an Information Security Assessment. This step will provide a high-level overview of the order in which to work on tasks.

Step 2: Resources and timing

Work with applicable resources for each task to determine roughly how long it will take to complete the required measure and identify if there are specific times of year where resources will or will not be available to help (e.g., working on other business projects, vacations, leaves).

Step 3: Roadmap sequence

Build a roadmap starting with the tasks in sequence. Then, overlap items not dependent on other tasks and make sure the resources have bandwidth. Add extra time into the roadmap for every task (things always happen).

Step 4: Buy-in

When the roadmap is complete, obtain buy-in from senior management (general counsel, managers of departments/resources). Adjust the plan accordingly.

[i] Comments made at the 2018 Computers, Privacy and Data Protection Conference in Brussels. http://www.cpdpconferences.org/