Written by Nymity
on January 25, 2018

As your organisation continues to implement technical and organisational measures for the purpose of providing evidence of GDPR compliance, the Nymity Privacy Management Accountability Framework™ can serve as a helpful tool. This free resource was developed through years of research, and has been mapped to hundreds of laws and privacy frameworks, including the GDPR.

The team at Nymity identified 39 GDPR articles that create obligations to put in place technical or organisational measures to demonstrate compliance, and those articles map to 55 measures within the Framework™.

In Part 1 of our blog series, we looked at the first 7 categories of the Framework™, and in particular, which measures directly applied to the GDPR. Today, in Part 2, we will examine the remaining 6 categories, and their GDPR-relevant activities.

8) Maintain Notices
Your organisation will need to maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance.

Privacy Management Activities include:

  • Maintain a data privacy notice that details the organisation’s personal data handling practices
  • Provide data privacy notice at all points where personal data is collected

9) Respond to Requests and Complaints from Individuals
Ensure that you maintain procedures for interactions with individuals about their personal data.

Privacy Management Activities include:

Maintain procedures to respond to requests for:

  • Access to personal data
  • Updates or corrections to personal data
  • Opt-out of, restrict, or object to processing
  • Data portability
  • Being forgotten or for erasure of data

10) Monitor for New Operational Practices
It is important for your organisation to monitor practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles.

Privacy Management Activities include:

  • Integrate Privacy by Design into system and product development
  • Maintain PIA/DPIA guidelines and templates
  • Conduct PIAs/DPIAs for changes to existing programs, systems, or processes
  • Engage external stakeholders (e.g. individuals, privacy advocates) as part of the PIA/DPIA process
  • Track and address data protection issues identified during PIAs/DPIAs
  • Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate)

11) Maintain Data Privacy Breach Management Program
An effective data privacy incident and breach management program will need to be maintained for compliance.

Privacy Management Activities include:
Maintain policies/procedures for:

  • Maintain a data privacy incident/breach response plan
  • Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
  • Maintain a log to track data privacy incidents/breaches

12) Monitor Data Handling Practices
Verification will be required to prove that your operational practices comply with the data privacy policy and the operational policies and procedures. You will also need to measure and report their effectiveness.

Privacy Management Activities include:

  • Conduct self-assessments of privacy management
  • Maintain documentation as evidence to demonstrate compliance and/or accountability

13) Track External Criteria
Your organisation will need to continually track new compliance requirements, expectations, and best practices.

Privacy Management Activities include:

  • Identify ongoing privacy compliance requirements (e.g. law, case law, codes, etc.)

The Nymity Privacy Management Accountability Framework™ is a free resource available on our website, where the Framework™ can be viewed in full.
