The demonstration of compliance with a regulation like the GDPR is, by nature, an ongoing process that must be tailored to the unique functions of each organisation. There is no “silver bullet”; what works for one organisation may not work for another. In this respect, it is helpful to customize your approach to implementing the appropriate technical and organisational measures according to your company’s needs.
In our recently released paper, “A Practical Guide to Demonstrating Compliance”, we detailed an easy-to-follow, two-step process for prioritising accountability obligations. We also provided an extensive series of appendices explaining many of the key concepts integral to privacy management. We looked at both of these aspects of the paper in Parts One and Two of this blog series. Today, in our conclusion, we will examine the last facet of the paper: common approaches to GDPR compliance planning.
Common Approaches to Prioritising GDPR Compliance Planning
Nymity’s extensive research and experience working with hundreds of companies as they implement GDPR compliance obligations has identified several common approaches to implementing desired technical and organisational measures:
Inventory (Records of Processing Activities) Approach
Article 30 of the GDPR (Records of processing activities) requires organisations with more than 250 employees, and those processing large volumes of data and/or sensitive data, to create a record of processing activities. Many organisations, especially those processing “high risk” data, have found it beneficial to begin their GDPR compliance planning by completing a Records of Processing Activities Register. We refer to this as an Inventory Approach.
It is worth noting here that the register is concerned with the details of processing activities, rather than the details of a data-holding repository. It is not necessary to document every data element forming part of the data repository; instead, document the activities and the technical and organisational measures that reduce their risk.
Completing this exercise can act as the basis for compliance with multiple obligations because the same information is required to address the following obligations:
- Record of Processing Activities (Article 30)
- Transparency (Articles 12 and 13)
- Data Protection Impact Assessments (Article 35)
- Data Subject Access Rights (Article 15)
- Processor (Article 28)
Regulator Approach
Organisations that take a Regulator Approach to privacy management closely follow the guidance that has been produced by data protection authorities on various aspects of GDPR compliance. This guidance is helpful for data controllers and data processors because it provides a little more legal certainty. In general, data protection authorities have indicated that they expect organisations to prioritise Awareness, Inventory, Impact Assessments, Procedures for Data Subjects, Notice/Communications, Consent, Children, and DPO.
Risk Approach
It is important to note that risk is contextual and is not clearly defined by the GDPR; it is instead referenced as the “likelihood and severity” of a negative impact on the rights and freedoms of data subjects. This extends beyond privacy and data protection to include other fundamental rights, such as the freedom of expression and the right to non-discrimination. Organisations conducting processing that is considered “high risk” may take a Risk Approach to privacy management, focusing first on measures to address and mitigate risk.
In 2017, the Article 29 Data Protection Working Party released guidelines for the GDPR’s DPIA requirements. These guidelines shed some light on what will be considered “high-risk” processing. Ask yourself:
- Are you doing evaluation or scoring (including profiling and predicting) of aspects specific to the data subject?
- Does the processing involve automated decision making producing a significant effect on the data subject?
- Are you performing systematic monitoring of data subjects, including in a publicly accessible area?
- Does the processing involve sensitive data (special categories of data as defined in Article 9 and data regarding criminal offences)?
- Is the data being processed on a large scale?
- Have datasets been matched or combined?
- Does the data concern vulnerable data subjects (as laid out in Recital 75)?
- Is this an innovative use, or does it apply new technological or organisational solutions (for example, combining the use of fingerprint and facial recognition)?
- Are you transferring data outside the European Union?
- Will the processing itself prevent data subjects from exercising a right or using a service or a contract?
Project Management Approach
For organisations with ample time to address all GDPR obligations, or where the Privacy Officer has experience with project management, the Project Management Approach may be the right choice. This approach considers the time it takes to complete a task and the availability of resources, uses this information to prioritise activities, and then follows a general sequence of steps:
1. Task dependency
2. Resources and timing
3. Roadmap sequence
A Practical Guide to Demonstrating Compliance
Our guide is the first comprehensive handbook to implementing the measures needed to demonstrate ongoing GDPR compliance. In anticipation of the May implementation date of the GDPR, this paper is an invaluable tool for the privacy office and business operations alike.