Do you understand the minimum documentation requirements that a regulator will want to see if/when they come knocking on your door? Beyond minimum compliance requirements, do you know what else will be beneficial to report on to a regulator? It’s time to get regulatory ready.
Regulatory Ready Reporting
Demonstrating compliance to regulators is an important pillar of the GDPR. Organisations need to be ready to report on compliance and provide on-request explanations. Regulator Ready Reporting™ means you have the capacity to efficiently generate reports that clearly tell a story reflecting your organisation’s compliance and accountability.
There are three main components to Regulator Ready Reporting:
- Accountability is the cornerstone
  - Articles 5, 24 (demonstrate compliance and put in place appropriate technical and organisational measures)
- Leverage existing technical and organisational measures and accountability mechanisms and embed into projects to meet additional compliance requirements:
  - Article 30 – records of processing activities
  - Article 35 – data protection impact assessments
  - Article 25 – data protection by design
  - Article 6(1)(f) – assessment to show legitimate interests as lawful basis for processing
- Generate reports that tell your organisation’s accountability and compliance story
What documentation does the GDPR require to demonstrate compliance to regulators? If a regulator comes knocking on your door, they will want to see evidence of key requirements. The following Articles under the GDPR specifically indicate that documentation of some type must be made available to supervisory authorities.
As part of your compliance efforts, the following documentation is required under the GDPR:
- Article 5, Article 24 – The need to be accountable and to demonstrate compliance is codified in the GDPR and, at a minimum, a regulator would want to see evidence that appropriate technical and organisational measures have been put in place at an organisational level.
- Article 30 – Records of Processing: make records available on request
- Article 35 – DPIAs: prior to processing, carry out a Data Protection Impact Assessment
Additional documentation that may be beneficial:
- Article 25 – Reports on the operationalising of Data Protection by Design
- Article 6(1)(f) – An assessment that demonstrates the balancing test required for using Legitimate Interests as a lawful basis for processing
Accountability Approach to Regulator Ready Reporting
Accountability is the cornerstone of Regulator Ready Reporting. As seen in Articles 5 and 24, the GDPR calls for organisations to put in place appropriate technical and organisational measures. Those measures can be leveraged and integrated into documentation for compliance with additional requirements such as Articles 30, 35, 25, and 6(1)(f).
How does an organisation comply?
Our research on accountability shows that accountability can be broken down into three components which are foundational for a privacy program infrastructure:
- Responsibility – putting in place and maintaining appropriate technical and organisational measures
- Ownership – assigning ownership to the technical and organisational measures (someone is answerable for the maintenance of these measures)
- Evidence – ensuring the evidence of the technical and organisational measures is in place to show compliance
Minimum Compliance Reporting Requirements
1. Enterprise Level
Enterprise level compliance and accountability obligations are:
Article 5: Principles Relating to Personal Data Processing
The Controller shall be responsible for, and be able to demonstrate, compliance with paragraph 1, which relates to accountability.
Article 24: Responsibility of the Controller
The Controller shall implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the GDPR.
Showing accountability and compliance is not a one-off inventory or snapshot at a certain moment in time. It requires putting in place a privacy program made up of appropriate technical and organisational measures, continuing awareness, and an ability to demonstrate an ongoing capacity to comply with the GDPR. For Articles 5 and 24 compliance and reporting, organisations can:
- Coordinate enterprise-level compliance by the privacy office/DPO
- Focus on implementing the appropriate technical and organisational measures and ensure they are operationalised
- Require privacy liaisons in the business to report on their privacy management activities on a regular basis
- Include self-reporting in their privacy program
By working top-down, organisations will be able to show how they have implemented their core privacy infrastructure which creates an ongoing capacity to comply.
2. Project Level
By putting in place appropriate technical and organisational measures as required by Articles 5 and 24, those measures can be leveraged and integrated into projects for project level reporting:
Article 30 GDPR: Records of processing activities register and reporting requirements.
Article 35 GDPR: If data processing represents a high risk to the rights and freedoms of data subjects, a Data Protection Impact Assessment (DPIA) must be completed.
Additional Compliance Reporting Requirements (Project Level)
From an accountability standpoint, it may also be beneficial to report on compliance with other key provisions in the GDPR. By continuing to leverage and integrate technical and organisational measures into projects, additional compliance and accountability obligations can be met and reports generated for the following compliance obligations:
Article 25 GDPR: Data Protection by Design and by default. This means organisations must implement appropriate technical and organisational measures, such as pseudonymization, designed to implement the data protection principles as well as integrate the necessary processing safeguards to meet the requirements of the Regulation.
Article 6(1)(f) GDPR: Legitimate Interests assessments as a lawful basis for processing data. In order to report on the use of Legitimate Interests, organisations can leverage their technical and organisational measures to complete a balancing exercise showing processing risks mitigated and data subjects protected.
Regulator Ready Reporting Summarised
- Accountability is the cornerstone:
  Articles 5 and 24: put in place appropriate technical and organisational measures
- Leverage existing measures/accountability mechanisms and embed into projects to meet additional requirements:
  Articles 30, 35, 25, 6(1)(f)
- Generate reports that tell your organisation’s accountability and compliance story.
Or, contact a Nymity team member to request a free trial of our privacy software.