Nymity’s approach has always been to focus on the “end goal” of the ability to demonstrate compliance. Now, with the new General Data Protection Regulation, demonstrating compliance is a legal obligation so it is only natural to start with demonstrating compliance as the “end goal”. This helps us to correctly structure our compliance objectives from the beginning. In a recent webinar, we discussed some of Nymity’s time-saving tools and methods to achieve compliance.
Understand accountability under the GDPR
Demonstrating compliance means possessing an awareness and understanding of your data processing operations, and being able to show evidence of this understanding. It is not a one-off inventory of your operations during a moment in time. Demonstrating compliance is a broad, high-level understanding that proves you are accountable.
The Nymity Privacy Management Accountability Framework™ identifies 139 technical and organisational measures that can assist your organisation in planning, structuring, and reporting GDPR compliance. Not all measures will be appropriate to your organisation, but this mapped visual can be used as a helpful “menu” of items that you may need to consider. You can download this tool by clicking this link: https://info.nymity.com/privacy-management-accountability-framework
Nymity’s Free GDPR Toolkit
When the GDPR was finalized, we enhanced the Framework to reflect the requirements of the GDPR, and in conducting this research, we also developed several additional resources to compile into a free toolkit for GDPR compliance. This useful toolkit contains five essential resources for preparing a compliance-ready infrastructure:
- GDPR Accountability Handbook - Provides a brief annotation for each GDPR article and maps compliance obligations to the Nymity Privacy Management Accountability Framework™ through technical and organisational measures enabling a roadmap to GDPR compliance.
- GDPR Readiness Assessment Questions - An assessment spreadsheet that provides two sets of questions, one for the business and one for the privacy office, to assess GDPR compliance.
- Accountability Roadmap for Demonstrable GDPR Compliance - Enables the creation of an operational GDPR compliance roadmap based on accountability mechanisms appropriate for your organisation.
- Nymity Privacy Management Accountability Framework™ (adapted for GDPR) - A comprehensive listing of over 130 technical and organisational measures structured in 13 jurisdiction- and industry-neutral categories.
- Getting Started Manual for GDPR Compliance - A two-step process to help organisations prioritize their GDPR compliance efforts, and create new accountability mechanisms for an ongoing capacity to comply and demonstrate accountability under the GDPR.
Structured Privacy Management
Through your compliance efforts, you will eventually have all the information you need to provide evidence to demonstrate compliance. But how do you arrive there efficiently?
Our research has shown that Structured Privacy Management is a tried-and-true method to demonstrate compliance. Let’s take a look at a brief overview of this approach, and how it can be integrated to achieve GDPR compliance.
Structured Privacy Management is essentially embedding ongoing technical and organisational measures throughout the organisation, resulting in the ability to demonstrate accountability and compliance with evidence. It has three essential components:
- Demonstrate on an ongoing basis that you have consistently maintained accountability mechanisms in place.
- One or more persons in the organisation take the lead in maintaining certain technical and organisational measures.
- Evidence is created as the result of existing accountability measures. It could be in the form of policies and procedures, decisions taken in the organisation, or log files.
The structured approach:
- works for any organisation, regardless of size, sector, or industry
- embeds privacy management accountability throughout the organisation
- works with available resources
- enables the demonstration of GDPR compliance, and
- documents the justification for resources to enhance GDPR compliance efforts
Use a “getting started” method that works
Whether you’re just getting started, or well on your way, our GDPR-enhanced “Getting Started” manual is an easy way to learn more about how to enhance the effectiveness of your efforts.
The manual breaks the process down into two basic steps: 1) Baseline, and 2) Plan.
Step 1: Baseline
In step one, you’ll need to identify all of the activities that are applicable to your organisation, and document a status for each of them according to your progress:
- Implemented
- In Progress
- Not Applicable
From there, you’ll assess: Do your “Implemented” measures fully satisfy the GDPR? Are your “In Progress” measures on track for completion by spring of 2018? Once you have noted this information, you will identify owners and resources to implement and maintain effective privacy management, so that GDPR compliance is sustained over time. Lastly, you will record the evidence for the measures that are implemented. This can be either formal (e.g. documented processes) or informal (e.g. emails), as long as the evidence remains available to demonstrate compliance if you are asked for it.
Step 2: Plan
Step two involves prioritising your “desired” technical and organisational measures to achieve GDPR compliance by the spring of 2018. There are a number of ways to approach this step, and each organisation will need to approach step two according to its unique progress and needs. Our research has identified the following common approaches:
- Governance approach: Addressing the technical and organisational measures that will have the greatest impact on privacy and data protection governance.
- Inventory approach: Creating a record of processing activities. Not only will this address Article 30 requirements, but the record will also contain information required for addressing Articles 12 and 13 (transparency) and Data Protection Impact Assessments (Article 35).
- Risk approach: Addressing the potential risks involved in any high-risk processing activities.
- Project management approach: This approach works well for organisations that have ample time to address all GDPR compliance obligations, and in which the Privacy Officer has experience with project management or has access to internal project management resources.
Nymity’s software solutions for GDPR compliance
Nymity’s award-winning research-based privacy management software solutions enable organizations to achieve and maintain compliance and to develop privacy programs that demonstrate ongoing data privacy compliance.
To learn more, and to hear a case study on their effective implementation by one of our clients, listen to our webinar, “A Time Saving Method to Prioritise your GDPR Compliance”, or contact our team to receive a demo.