The General Data Protection Regulation (GDPR) integrates accountability as a principle in Article 5(2), which requires organisations to demonstrate compliance with the principles of the GDPR. Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and organizational measures to ensure that organisations can demonstrate that the processing of personal data is performed in accordance with the GDPR. The demonstration of compliance, however, is not a “one-size-fits-all” process; rather, it involves an ongoing understanding and awareness of your personal data processing operations and embedding privacy management throughout the organisation in order to develop an ongoing capacity to comply.
To assist our clients in understanding this somewhat complicated responsibility, Nymity has recently authored a paper: “A Practical Guide to Demonstrating Compliance”. The guide contains an unparalleled collection of detailed, user-friendly information on how to prioritise a privacy program in order to meet GDPR accountability obligations.
In the first post of this blog series, we took a look at the key concepts necessary to fully understand the capacity to comply. Today, in Part Two of the series, we will detail our straightforward, two-step process to prioritisation: Step One: Baseline, and Step Two: Plan. This two-step approach, based on years of research, can be utilized by organisations from all industries, regardless of the amount of resources available or the level of initial expertise of the privacy office.
Step One: Baseline
In this step, we document the current status of GDPR compliance throughout the organization, including resources such as people, processes, technology, and tools. During this step, you’ll baseline the status of existing technical and organisational measures that address GDPR Compliance.
In many cases, organisations have more technical and organisational measures in place than they are aware of. But how does one go about finding them? You do not need to start with a blank page. Rather, you can use the Nymity Privacy Management Framework™, which has been mapped to the GDPR to assist you in identifying existing GDPR compliance measures. Nymity’s research team has identified 39 articles under the GDPR requiring evidence of a technical or organisational measure to demonstrate compliance. These have been mapped to the framework, resulting in 55 “primary” measures that, if implemented, may produce documentation to help demonstrate ongoing compliance with the GDPR. Not all 55 will apply to your organisation, as each organisation is unique.
As you identify the applicable measures for your organisation, you’ll need to assign a status to each activity. We recommend organising the activities as one of the following:
- Implemented: Already in place, given sufficient resources.
- In progress: Resourced, and either in the process of being implemented, or scheduled to be implemented.
- Desired: Applicable, relevant measures which are not currently implemented or resourced for implementation.
- N/A: Measures which are not applicable to your organization.
Each technical and organisational measure will need to be assigned an owner, answerable for the management and monitoring of the measure on an ongoing basis. This may be an individual but more likely will be a department or operational unit that processes the personal data.
All privacy management requires resources to maintain. Here, you’ll need to identify the resources necessary to maintain the “implemented” and “in progress” measures. Gain an understanding of what is available now, so that in Step Two, “Plan”, you’ll be prepared to mobilise those assets.
Now is the time to identify the documentation that resulted from putting in place those technical and organisational measures which are currently implemented. This could include formal documentation such as policies, procedures, and protocols, or informal documentation such as meeting minutes, emails, and presentations.
Step Two: Plan
In the second step, you’ll define a privacy management plan for implementing the “in progress” and “desired” technical and organisational measures, in order to develop an ongoing capacity to comply with the GDPR. To prioritise your “In Progress” and “Desired” technical and organisational measures, it is important to note that there are no silver bullets. What works for one organisation may not work for another. However, Nymity’s extensive research and experience working with companies implementing GDPR compliance has identified many approaches to implementing “Desired” technical and organisational measures, including the common approaches below:
- Inventory (Record of Processing Activities Register) approach
- Resource approach
- Regulator approach
- Risk approach
- Project Management approach
We will discuss each of these approaches in the next blog in our series.
Regardless of which approach is taken, the final steps to complete the plan are:
- Identify Resources to Implement: Document the resources required to successfully implement each “desired” or “in progress” measure. Note that many measures will require greater resources up front to implement than will be necessary for maintenance over the long term.
- Resources to Maintain: Once the measure is implemented, what resources are necessary over the long term to provide evidence of an ongoing capacity to comply? Identify all resources necessary to maintain the measure, and to perform periodic reviews and updates.
Taking a Step Back?
Privacy management obligations change frequently as new legislation, regulations, and DPA enforcement activity or guidelines are introduced. In this sense, “implemented” activities may at some point become “in progress” or “desired” once more, demanding that more resources are spent to keep the activity up to date. Therefore, ongoing reporting is important to ensure that the appropriate resources are present to maintain ongoing compliance.
Common Approaches to GDPR Compliance Planning
In Part Three of this series, we will examine the most common approaches to GDPR compliance planning.