
Written by Nymity
on January 18, 2018

The Nymity Privacy Management Accountability Framework™ is an easy-to-read, menu-style visual tool that identifies operational and practical measures that, if implemented and maintained, may provide evidence of GDPR compliance.

After years of research and on-the-ground workshops around the globe learning which activities organisations put in place to develop and implement a privacy infrastructure, Nymity developed the Framework™ as a comprehensive list of these technical and organisational measures, structured into 13 categories. It has been mapped to hundreds of laws and privacy frameworks, including the GDPR. When mapped to the GDPR, Nymity research experts identified 39 GDPR articles that create obligations to put in place technical or organisational measures to demonstrate compliance. Those articles map to 55 measures within the Framework. Organisations can use the Framework to implement those 55 measures, enabling them to produce appropriate evidence of GDPR compliance.

This free tool is available on our website, and has been used by many of our clients in preparation for GDPR compliance this coming May.

Today, in the first of a two-part series, we will provide an “at-a-glance” view of the Framework™, and in particular, the technical and organizational measures that, when implemented, may help achieve ongoing compliance with the GDPR and produce evidence-based documentation.


1) Maintain Governance Structure
Here, the emphasis is placed on the act of identifying individuals who will be responsible for data privacy, accountable management, and management reporting procedures.

Privacy Management Activities include:

  • Assign responsibility for data privacy to an individual
  • Appoint a DPO in an independent oversight role
  • Maintain roles and responsibilities for individuals responsible for data privacy
  • Conduct regular communication between privacy office, privacy network, and others responsible for data privacy
  • Conduct an Enterprise Privacy Risk Assessment


2) Maintain Personal Data Inventory and Data Transfer Mechanisms
Rather than capturing the data itself, this category is about maintaining an inventory of where key personal data is stored and how it flows, including cross-border flows, using defined classes of personal data.

Privacy Management Activities include:

  • Maintain an inventory of personal data holdings (what data is held, and where?)
  • Maintain records of the transfer mechanism used for cross-border data flows
  • Use Binding Corporate Rules as a data transfer mechanism
  • Use the EU-US Privacy Shield as a data transfer mechanism
  • Use regulator approval as a data transfer mechanism
  • Use adequacy or one of the derogations from adequacy as a data transfer mechanism


3) Maintain Internal Data Privacy Policy
Your organization should maintain a data privacy policy that meets the legal requirements and addresses operational risk, and risk of harm to individuals.

Privacy Management Activities include:

  • Maintain a data privacy policy


4) Embed Data Privacy into Operations
You will need to maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives.

Privacy Management Activities include:
Maintain policies/procedures for:

  • sensitive personal data
  • children and minors’ personal data
  • maintaining data quality
  • de-identification of personal data
  • review processing conducted wholly or partially by automated means
  • secondary uses of personal data
  • obtaining valid consent

Integrate data privacy into:

  • records retention practices
  • direct marketing practices
  • use of social media
  • research practices


5) Maintain Training and Awareness Program
You must provide ongoing training and awareness to promote compliance with the data privacy policy, and to mitigate operational risks.

Privacy Management Activities include:

  • Conduct privacy training


6) Manage Information Security Risk
Your organization will need to maintain an information security program based on legal requirements and ongoing risk assessments.

Privacy Management Activities include:

  • Integrate data privacy risk into security risk assessments
  • Integrate data privacy into the information security policy
  • Maintain technical security measures
  • Maintain measures to encrypt personal data
  • Maintain procedures to restrict access to personal data
  • Conduct regular testing of data security posture


7) Manage Third Party Risk
Ensure that your organization maintains contracts and agreements with third parties and affiliates that are consistent with the data privacy policy, legal requirements, and operational risk tolerance.

Privacy Management Activities include:

  • Maintain data privacy requirements for third parties
  • Maintain procedures to execute contracts or agreements with all processors
  • Conduct due diligence around the data privacy and security posture of potential vendors/processors


A Framework for Success
In part two of this series, we will summarize the remaining key technical and organizational measures for demonstrable GDPR compliance. The full Framework is available for download on the Nymity website.
