Written by Nymity
on January 25, 2018

As your organisation continues to implement technical and organisational measures for the purpose of providing evidence of GDPR compliance, the Nymity Privacy Management Accountability Framework™ can serve as a helpful tool. This free resource was developed through years of research, and has been mapped to hundreds of laws and privacy frameworks, including the GDPR.

The team at Nymity identified 39 GDPR articles that create obligations to put in place technical or organisational measures to demonstrate compliance, and those articles map to 55 measures within the Framework™.

In Part 1 of our blog series, we looked at the first 7 categories of the Framework™, and in particular, which measures directly applied to the GDPR. Today, in Part 2, we will examine the remaining 6 categories, and their GDPR-relevant activities.


8) Maintain Notices
Your organisation will need to maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance.

Privacy Management Activities include:

  • Maintain a data privacy notice that details the organisation’s personal data handling practices
  • Provide data privacy notice at all points where personal data is collected


9) Respond to Requests and Complaints from Individuals
Ensure that you maintain procedures for interactions with individuals about their personal data.

Privacy Management Activities include:

Maintain procedures to respond to requests for:

  • Access to personal data
  • Updates or corrections to personal data
  • Opt-out of, restrict, or object to processing
  • Data portability
  • Being forgotten or for erasure of data


10) Monitor for New Operational Practices
Your organisation will need to monitor operational practices to identify new processes, or material changes to existing ones, so that Privacy by Design principles are applied before those changes go live.

Privacy Management Activities include:

  • Integrate Privacy by Design into system and product development
  • Maintain PIA/DPIA guidelines and templates
  • Conduct PIAs/DPIAs for changes to existing programs, systems, or processes
  • Engage external stakeholders (e.g. individuals, privacy advocates) as part of the PIA/DPIA process
  • Track and address data protection issues identified during PIAs/DPIAs
  • Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate)


11) Maintain Data Privacy Breach Management Program
An effective data privacy incident and breach management program will need to be maintained for compliance.

Privacy Management Activities include:

  • Maintain a data privacy incident/breach response plan
  • Maintain a breach notification protocol (to affected individuals) and a reporting protocol (to regulators, credit agencies, law enforcement)
  • Maintain a log to track data privacy incidents/breaches


12) Monitor Data Handling Practices
Verification will be required to prove that your operational practices comply with the data privacy policy and the operational policies and procedures. You will also need to measure and report their effectiveness.

Privacy Management Activities include:

  • Conduct self-assessments of privacy management
  • Maintain documentation as evidence to demonstrate compliance and/or accountability


13) Track External Criteria
Your organisation will need to continually track new compliance requirements, expectations, and best practices.

Privacy Management Activities include:

  • Identify ongoing privacy compliance requirements (e.g. law, case law, codes, etc.)

The Nymity Privacy Management Accountability Framework™ is a free resource available on our website. For more information, or to view the Framework™ in full, see the Nymity Privacy Management Accountability Framework™ page.
