
Written by Nymity
on January 25, 2018

As your organisation continues to implement technical and organisational measures for the purpose of providing evidence of GDPR compliance, the Nymity Privacy Management Accountability Framework™ can serve as a helpful tool. This free resource was developed through years of research, and has been mapped to hundreds of laws and privacy frameworks, including the GDPR.

The team at Nymity identified 39 GDPR articles that create obligations to put in place technical or organisational measures to demonstrate compliance, and those articles map to 55 measures within the Framework™.

In Part 1 of our blog series, we looked at the first 7 categories of the Framework™, and in particular, which measures directly applied to the GDPR. Today, in Part 2, we will examine the remaining 6 categories, and their GDPR-relevant activities.


8) Maintain Notices
Your organisation will need to maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance.

Privacy Management Activities include:

  • Maintain a data privacy notice that details the organisation’s personal data handling practices
  • Provide data privacy notice at all points where personal data is collected


9) Respond to Requests and Complaints from Individuals
Ensure that you maintain procedures for interactions with individuals about their personal data.

Privacy Management Activities include:

Maintain procedures to respond to requests for:

  • Access to personal data
  • Updates or corrections to personal data
  • Opt-out of, restrict, or object to processing
  • Data portability
  • Being forgotten or for erasure of data


10) Monitor for New Operational Practices
It is important for your organisation to monitor practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles.

Privacy Management Activities include:

  • Integrate Privacy by Design into system and product development
  • Maintain PIA/DPIA guidelines and templates
  • Conduct PIAs/DPIAs for changes to existing programs, systems, or processes
  • Engage external stakeholders (e.g. individuals, privacy advocates) as part of the PIA/DPIA process
  • Track and address data protection issues identified during PIAs/DPIAs
  • Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate)


11) Maintain Data Privacy Breach Management Program
An effective data privacy incident and breach management program will need to be maintained for compliance.

Privacy Management Activities include:

  • Maintain a data privacy incident/breach response plan
  • Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
  • Maintain a log to track data privacy incidents/breaches


12) Monitor Data Handling Practices
Verification will be required to prove that your operational practices comply with the data privacy policy and the operational policies and procedures. You will also need to measure and report their effectiveness.

Privacy Management Activities include:

  • Conduct self-assessments of privacy management
  • Maintain documentation as evidence to demonstrate compliance and/or accountability


13) Track External Criteria
Your organisation will need to continually track new compliance requirements, expectations, and best practices.

Privacy Management Activities include:

  • Identify ongoing privacy compliance requirements (e.g. law, case law, codes, etc.)

The Nymity Privacy Management Accountability Framework™ is a free resource available on our website, where the Framework™ can be viewed in full and downloaded.
