While the GDPR may appear extremely prescriptive in comparison to the current Data Protection Directive (95/46/EC), its objective does not deviate far from that of the Directive: assuring individuals' fundamental right to the protection of their personal data.
Multinational companies should focus on devising a systematic approach that fosters a culture of accountability and of privacy by design and by default (PbD), so that they can meet rapidly changing technological challenges such as Big Data and the Internet of Things while remaining compliant with the GDPR.
In particular, we recommend that companies focus on the five areas below when planning their GDPR implementation strategy.
1. Data Protection (Privacy) By Design And By Default
"The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed; this applies to the amount of data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of individuals." - Article 23, GDPR
At any given time, controllers should be able to identify the 5 W's (Who/Where/What/When/Why) of personal data under their control. By maintaining accurate data maps in real time, controllers can demonstrate that they have a comprehensive understanding of their data protection risks and the measures they are taking to mitigate them. Further, the data maps will contribute to creating the mandatory records required by the GDPR (Article 28). Companies must also consider implementing a comprehensive global records management program to help them meet their records retention requirements in a global context without compromising compliance with the GDPR.
2. Accountability - Obligations of the Controller
"Taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals, the controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation. These measures shall be reviewed and updated where necessary." - Article 22, GDPR
It will no longer be sufficient simply to have a policy in place and review it every other year. To ensure compliance with the GDPR, controllers must adopt a consistent mechanism to monitor compliance with, and evaluate the effectiveness of, the data protection policies they put in place. By regularly reviewing the compliance evidence against each policy, controllers will be able to demonstrate their accountability in an organised and effective manner.
3. Data Protection Impact Assessment (PIA)
"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data." - Article 33, GDPR
The PIA process needs to be embedded within the organisation's operation strategy. While it is incumbent upon the data protection officer to support his or her organisation's PIAs, controllers should establish general PIA training programmes and threshold analysis mechanisms to allow all individuals with access to personal data to be able to determine when and how a PIA should be carried out.
4. Cross-Border Data Transfer Standards
"In the absence of [an adequacy decision] […] a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards, and on condition that enforceable data subjects rights and effective legal remedies for data subjects are available." - Article 42, GDPR
As the data economy grows exponentially, controllers and processors face increasing challenges when transferring personal data to countries not yet recognised by the European Union as providing an "adequate level of protection" of personal data. Controllers and processors should carefully assess and identify the compliant mechanisms provided by the GDPR, and adopt a consistent approach which best meets their organisation's needs.
5. Data Breach Incident Management (DBIM)
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority […], unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals." - Article 31, GDPR
"When the personal data breach is likely to result in a high risk for the rights and freedoms of individuals, the controller shall communicate the personal data breach to the data subject without undue delay." - Article 32, GDPR
It is no longer a matter of if but when a controller will experience a data breach. Controllers should devise a DBIM Plan that is effective and efficient for all eventualities. The DBIM Plan must include specific protocols that correspond to every requirement under the GDPR, including the 72-hour notification window quoted above. A successful DBIM Plan will demonstrate to supervisory authorities the controller's accountability and the maturity of the controller's data protection compliance framework.