
Last Updated: July 28, 2017

Copyright © Nymity Inc. 2017. This manual is based on research conducted by Nymity and the content is provided for educational purposes only. It is not intended to and does not constitute legal advice. Furthermore, reliance on one of the approaches to privacy management presented in this manual is not a guarantee of compliance.

If you require legal advice, you should consult with an attorney. Nymity reserves all rights in this manual, including copyright and intellectual property rights. You may use this manual for your own purposes. This manual may be freely redistributed in its entirety, provided that Nymity trademarks, logos, and this copyright notice are not removed. This manual may not be sold for profit or used in commercial documents without the written permission of Nymity.

A Structured Approach to GDPR Compliance and Accountability:

Getting Started Manual for GDPR

A Structured Approach to Privacy Management: Getting Started. Copyright © Nymity Inc. 2017

Introduction and Overview

The accountability principle in Article 5(2) of the GDPR requires organisations to demonstrate compliance with the principles of the GDPR. Article 24 sets out how organisations can do this by requiring the implementation of appropriate technical and organisational measures to ensure that organisations can demonstrate the processing of personal data is performed in accordance with the GDPR. What “appropriate” means is largely dependent on the specifics of the individual company. There is no silver bullet. What works for one company does not necessarily work for another, but the obligation to demonstrate compliance exists in all instances, and a structured approach to GDPR compliance works for all organisations.

Expectations from regulators have shown that the obligation to demonstrate compliance is more than a one-off inventory or snapshot of your operations at a certain moment in time. It is not a tick-box exercise or a one-time gap analysis. Demonstrating compliance requires ongoing awareness and understanding of your personal data processing operations and embedding privacy management throughout your organisation.

Those assigned responsibility for GDPR compliance may be asking: “Where do I start?” It may seem there is no simple answer, as many challenges and questions arise, such as:

• I have limited resources

• I don’t understand what the GDPR requires

• I’m new to privacy and privacy management

• I can’t find a checklist that meets my needs

• There is limited documentation on past privacy management

• I have limited budget

• How do I determine what is in place?

• How do I justify more resources?

• How do I maintain records?

• How do I establish and work with a privacy team that does not work for me?

• How do I report status and progress?

• How do I hold others accountable?

• How am I going to demonstrate success?


Since 2002, Nymity has been conducting research on accountability in organisations and has directed dozens of workshops to over 500 privacy professionals around the world. This Manual leverages a culmination of these experiences and is adapted to address GDPR compliance. This manual also integrates the Nymity GDPR Accountability Handbook.

The manual supports a structured approach to privacy management ensuring you:

✓ do not have to be a privacy expert

✓ quickly gain privacy management expertise

✓ can identify and leverage your organisation’s existing privacy management program

✓ scale your privacy management program based on resources available

✓ focus on the highest risk areas

✓ communicate and report effectively on the status of ongoing GDPR compliance

Getting Started in Two Steps

The answer to the question, “Where do I start?” is broken into two steps:

Step 1: Baseline your GDPR compliance. Identify, understand, and document the status of GDPR compliance throughout the organisation, including resources such as people, processes, technology, and tools. See which of your existing technical and organisational measures and accountability mechanisms may be repurposed for GDPR compliance.

Step 2: Plan. Define a privacy management plan for implementing the desired technical and organisational measures to develop an ongoing capacity to comply with the GDPR.

This Getting Started Manual is supported by four appendices:

• Appendix A: Key Concepts This manual relies on seven key concepts. Links to the relevant key concepts are provided throughout this manual.

• Appendix B: Fundamentals of Structured Privacy Management This section provides a deeper understanding of the structured approach to privacy management used in this manual.

• Appendix C: Getting Started with a GDPR Compliance Strategy In this appendix the GDPR is mapped to the Nymity Privacy Management Accountability Framework, identifying 55 technical and organisational measures that, if put in place, may help demonstrate compliance with the GDPR.

• Appendix D: Common Approaches to Prioritising GDPR Compliance Planning This appendix outlines four common approaches to prioritising the implementation of desired technical and organisational measures for GDPR compliance.

The Structured Approach:

• works for any organisation, regardless of size, sector or industry;

• embeds privacy management accountability throughout the organisation;

• works with available resources;

• enables the demonstration of GDPR compliance; and

• documents the justification for resources to enhance GDPR compliance efforts.

What is a Structured Approach to Privacy Management?


When getting started with GDPR compliance, a wide variety of approaches are typically promoted such as beginning with a data inventory, a governance structure or conducting Data Protection Impact Assessments. The challenge with these traditional approaches is that not all organisations have the resources or the business case to begin their privacy management with these steps.

The approach to getting started detailed in this Manual is based on the concept of Structured Privacy Management.

The Structured Privacy Management approach is founded on three elements: responsibility, ownership, and evidence. It will help you implement structured privacy management throughout your organisation so you can demonstrate an ongoing capacity to comply with the GDPR. This approach scales to all sizes of organisation.

Responsibility, Ownership and Evidence

Structured privacy management is embedded throughout an organisation when there are three components present: responsibility, ownership, and evidence1.

1. Responsibility

The organisation maintains effective privacy management consisting of ongoing privacy management activities (technical and organisational measures).

Nymity’s extensive research on privacy management programs has identified over 130 technical or organisational measures that need to take place in organisations. Technical and organisational measures are not high-level principles but constitute any activities conducted, anywhere throughout the organisation, to:

• Protect personal data

• Respect the rights of data subjects

• Comply with obligations

Putting in place appropriate technical and organisational measures means implementing and maintaining ‘accountability mechanisms.’

1 For further discussion on the components of accountability, please refer to Appendix B: Fundamentals of Structured Privacy Management.

Privacy Management Accountability Framework

Structured Privacy Management is embedding ongoing technical and organisational measures throughout the organisation resulting in the ability to demonstrate evidence-based accountability and compliance.

Accountability mechanisms include policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards, and other mechanisms that mitigate internal and external privacy risk.


Based on this research, Nymity developed the Nymity Privacy Management Accountability Framework™ (“Framework”). This comprehensive Framework lists the technical and organisational measures in an industry- and jurisdiction-neutral fashion and groups them into 13 privacy management categories. The Framework forms the foundation for the “responsibility” element in a structured approach to privacy management.

Rather than a checklist to be completed, the Framework represents a menu of options for GDPR compliance and privacy management that can be adapted for any organisation. No two organisations’ privacy management is the same, and thus, this Framework provides the flexibility necessary for planning, scaling, and communicating privacy management for organisations of any size, across industries. The appropriate technical and organisational measures are determined based on GDPR compliance requirements, risk to data subjects, organisational risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for collection, use and disclosure, etc.).

2. Ownership

An individual is accountable for the management and monitoring of privacy management activities (technical and organisational measures).

Ownership is the second element of accountability and builds upon the element of responsibility. Even if the Privacy Office is accountable for GDPR compliance, the Privacy Office itself usually processes very little, if any, personal data. As such, the effectiveness of GDPR Compliance and privacy management in general relies on the appropriate technical and organisational measures being performed at all points of the personal data life cycle, from the point of collection to the point of destruction. Ownership of many accountability mechanisms will reside within an organisation’s operational and/or business units (human resources, marketing, product development, IT, customer service, etc.) where the data is being collected and processed.

3. Evidence

Documentation that is a by-product of accountability mechanisms is made available by the owner.

When accountability mechanisms are being maintained, documentation is produced. That documentation can be used as evidence of accountability, ownership and GDPR compliance. Evidence can be formal (e.g. policies, procedures) or informal (e.g. communications, workflows). When using a structured approach to GDPR Compliance, evidence is always a by-product of an accountability mechanism, i.e. evidence is not produced for the sake of documentation but because of an activity.

In a structured approach to privacy management, responsibility means the appropriate technical and organisational measures have been implemented and are maintained on an ongoing basis, resulting in the creation of appropriate accountability mechanisms.


As noted above, there are a wide variety of approaches traditionally promoted to start with GDPR compliance, such as beginning with a data privacy inventory, an enterprise-wide risk assessment or conducting data protection impact assessments. However, not all organisations have the resources or the business case to support the ability to begin their privacy management with these activities. Based on our research, Nymity has developed a two-step process for getting started with GDPR compliance that works for all organisations. This two-step approach is independent of the amount of resources available or the level of initial expertise of the Privacy Office/DPO.

By the time you have completed Step 1 (Baseline), your knowledge of GDPR compliance obligations and accountability will have increased significantly.

Two Steps to Getting Started

• Step 1 – Baseline: Baseline existing GDPR compliance obligations and resources available in the organisation.

• Step 2 – Plan: Create a plan to implement your desired technical and organisational measures.


Step 1 – Baseline GDPR

The first step to getting started with GDPR compliance is to baseline the status of existing technical and organisational measures that address GDPR compliance obligations.

Mandatory for GDPR Compliance

Using the Nymity Privacy Management Framework for Identifying GDPR Compliance Measures

The Privacy Office does not need to start with a blank page when baselining GDPR compliance in the organisation. Instead, the Privacy Office can simply use the Framework adapted for GDPR.

Nymity Research has identified 39 Articles under the GDPR requiring evidence of a technical or organisational measure to demonstrate compliance. These have been mapped to the Framework, resulting in the identification of 55 “mandatory” technical or organisational measures2. If implemented, these measures may produce documentation that will help demonstrate ongoing compliance with your GDPR compliance obligations. In this step, you identify the status for each of these 55 measures (note: some measures may not apply to your organisation).

2 See Appendix C for this mapping.

Print Full Scope: Each technical and organisational measure is supported by a scope, and it is recommended to have the scope document available. The scopes can be found at www.nymity.com/pmaf.


1. Assign Status

To baseline existing GDPR privacy management, you must first identify which technical or organisational measures are already “Implemented” or “In Progress”.

• Implemented: Technical or organisational measures that are already in place and have sufficient resources to be maintained are categorised as “Implemented”. Note: if the measure is not being maintained by appropriate accountability mechanisms, or if there are insufficient resources to maintain it, then the measure is categorised as “In Progress”.

• In Progress: If the technical or organisational measure is resourced and in the process of being implemented, or is scheduled to be implemented, it is categorised as “In Progress”. For larger organisations that are implementing a technical or organisational measure in multiple countries or multiple divisions, the status of the activity remains “In Progress” until the activity is implemented in every country, or function, for which the Privacy Office/DPO has decided it is required. Note: If the technical or organisational measure is neither “Implemented” nor “In Progress”, it will be categorised as “Desired”.

• Desired: Technical or organisational measures which are determined to be applicable or relevant for GDPR compliance but are not currently Implemented or resourced for implementation (In Progress) are categorised as “Desired”.

• Not Applicable (N/A): Some of the 55 technical or organisational measures identified for GDPR compliance may not be applicable to the organisation. These are categorised as “N/A”.

Desired technical or organisational measures are addressed in detail in Step 2: Plan, as the selection, prioritisation, and resourcing of these desired measures is the foundation of planning.

Initial Status of Identified Technical or Organisational Measures

As stated above, responsible organisations will have privacy management embedded throughout the organisation prior to a formal GDPR implementation plan. It is recommended that these identified technical and organisational measures be categorised with a status of “In Progress” until they have been reviewed by the Privacy Officer.

2. Ownership: An owner is an individual who is answerable for the management and monitoring of the technical and organisational measures. In some cases, the owner will be the Privacy Officer who is completing the baseline exercise. However, in many instances the technical and organisational measures will reside within the operational or business units, for example, human resources, marketing, product development, IT or customer service (where the data is being collected and processed). For example, technical or organisational measures that may be maintained by the Privacy Office are:

o Maintain a data privacy policy

o Conduct privacy training

o Maintain a data privacy notice that details the organisation’s personal data handling practices

o Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.

While technical or organisational measures maintained by the operational unit are:

o Integrate data privacy into direct marketing practices

o Integrate data privacy into hiring practices

Next, identify the owners for the technical and organisational measures and record them.

Completing your baseline exercise will likely require working with the operational units and business units such as HR, IT, Customer Service, Security, Procurement, Legal, Marketing, Product Development and all departments that process personal data or impact the processing of personal data.


3. Resources to Maintain

It takes resources to implement and maintain effective privacy management. Resources include people, processes, technology, and tools. One challenge with traditional approaches (such as “start with a data inventory”) is that they generally assume resources are available, or that management will provide the resources, once requested, to maintain the inventory. This is often not the case. Without an early focus on understanding what resources are available for GDPR compliance and ongoing privacy management, getting started can quickly turn into a frustrating experience for the Privacy Officer.

In this part of the step you identify the resources to maintain the “Implemented” and “In Progress” technical or organisational measures and understand what resources are available. If you discover there are no resources allocated to maintaining a privacy management activity you have identified as “Implemented”, then the status should be changed to “In Progress” until sufficient resources are allocated and the measure is maintained. In this step, it is likely that resources will be identified that can help enhance privacy management. For example, you may discover the marketing manager is willing to support enhancement of privacy management in the marketing department. It is best to identify all available resources to prepare for Step 2: Plan.

4. Evidence

The next phase of the Baseline step is to record evidence of technical or organisational measures. For all “Implemented” measures, identify the existing documentation that resulted from putting the technical or organisational measure in place and record it.

Create a documentation list that can be used as evidence. This could include formal documentation such as policies, procedures, and protocols, or it could be informal documentation, such as emails, presentations, hyperlinks to internal documents and screenshots. It is important to review all existing documentation with your Privacy Officer to determine its compliance with GDPR obligations. If it does not, then the status may shift back to In Progress.

To help identify what you might have in place, the Nymity GDPR Accountability Handbook provides hundreds of examples of accountability mechanisms related to technical and organisational measures specific to GDPR obligations and lists example evidence for each. See example below:

Resources Examples: If you are looking for a deeper understanding of resources and more examples, please review Appendix A: Key Concepts: Resources.

Evidence Examples: If you are looking for a deeper understanding of evidence and more examples, please review Nymity’s GDPR Accountability Handbook.
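The four parts of Step 1 (status, owner, resources to maintain, evidence) are the columns of a baseline workbook, and the status rules above have a precedence that is easy to get wrong by hand. The following Python script is an added example, not Nymity’s workbook, Handbook or code, that applies those rules as stated (Implemented only when the measure is in place everywhere the DPO requires it, kept alive by an accountability mechanism, resourced for maintenance and its evidence has passed the Privacy Officer’s review; In Progress when it is in place but not maintainable, or resourced and underway; Desired when applicable but unresourced; N/A otherwise) and produces the roll-up the Privacy Office reports on: counts per status, measures lacking a named owner, Implemented measures with no evidence recorded, and the Desired list that feeds Step 2. The measure names are taken from the examples on this page except the cross-border one, which is hypothetical; the field names, owners, countries and evidence entries are this example’s own constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field

# Status values used in the Baseline step (Step 1) of the manual.
IMPLEMENTED, IN_PROGRESS, DESIRED, NOT_APPLICABLE = (
    "Implemented", "In Progress", "Desired", "N/A")


@dataclass
class Measure:
    """One technical or organisational measure in the baseline workbook.

    Field names are this example's own, not columns of Nymity's workbook.
    """
    name: str
    applicable: bool = True      # False -> N/A for this organisation
    in_place: bool = False       # the measure exists today
    maintained: bool = False     # an accountability mechanism keeps it current
    resourced: bool = False      # people/process/technology/tools assigned to maintain or implement it
    evidence_ok: bool = True     # evidence reviewed by the Privacy Officer against GDPR obligations
    required_units: frozenset = frozenset()  # countries/divisions where the DPO requires it
    deployed_units: frozenset = frozenset()  # where it is actually in place
    owner: str = ""              # individual answerable for managing and monitoring it
    evidence: list = field(default_factory=list)  # by-product documentation, formal or informal


def assign_status(m: Measure) -> str:
    """Apply the manual's status rules in order of precedence."""
    if not m.applicable:
        return NOT_APPLICABLE
    everywhere = m.required_units <= m.deployed_units
    # Implemented only when in place everywhere required, maintained by an
    # accountability mechanism, resourced for maintenance, and the recorded
    # evidence passed review. Any of these missing drops it to In Progress.
    if m.in_place and everywhere and m.maintained and m.resourced and m.evidence_ok:
        return IMPLEMENTED
    # In place but not maintainable, or resourced/scheduled for implementation.
    if m.in_place or m.resourced:
        return IN_PROGRESS
    # Applicable, but neither in place nor resourced: input for Step 2 (Plan).
    return DESIRED


def baseline_report(measures: list) -> dict:
    """Roll-up for reporting: per-measure status, counts, gaps and the Desired list."""
    statuses = {m.name: assign_status(m) for m in measures}
    active = {IMPLEMENTED, IN_PROGRESS}
    return {
        "status": statuses,
        "counts": dict(Counter(statuses.values())),
        "missing_owner": [m.name for m in measures
                          if statuses[m.name] in active and not m.owner],
        "no_evidence": [m.name for m in measures
                        if statuses[m.name] == IMPLEMENTED and not m.evidence],
        "desired": [m.name for m in measures if statuses[m.name] == DESIRED],
    }


# Constructed sample baseline. Measure names are taken from the examples in
# the manual except the last one, which is hypothetical.
SAMPLE = [
    Measure("Maintain a data privacy policy", in_place=True, maintained=True,
            resourced=True, owner="Privacy Office",
            evidence=["Data Privacy Policy v3 (board approved)",
                      "Annual policy review calendar entry"]),
    # Training was delivered once; nothing schedules or resources a repeat.
    Measure("Conduct privacy training", in_place=True, maintained=False,
            resourced=False, owner="Privacy Office",
            evidence=["Induction slide deck", "LMS completion export"]),
    # In place in one of the three countries the DPO requires: stays In Progress.
    Measure("Integrate data privacy into direct marketing practices",
            in_place=True, maintained=True, resourced=True, owner="Marketing",
            required_units=frozenset({"UK", "DE", "FR"}),
            deployed_units=frozenset({"UK"}),
            evidence=["UK campaign sign-off checklist"]),
    # Wanted, but nobody is assigned: a Desired measure for Step 2.
    Measure("Integrate data privacy into hiring practices"),
    # Hypothetical measure the organisation has determined does not apply.
    Measure("Maintain procedures for cross-border data transfers",
            applicable=False),
]

if __name__ == "__main__":
    report = baseline_report(SAMPLE)
    for name, status in report["status"].items():
        print(f"{status:12} {name}")
    print("counts:", report["counts"])
    print("desired for Step 2:", report["desired"])
```

The two demotion paths the manual describes (no resources to maintain, or evidence that fails review) are both expressed as inputs to `assign_status` rather than as manual edits of a status column, so re-running the report after a review gives the corrected picture without anyone having to remember the rule.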


Step 2 – Plan

The next step in Getting Started with GDPR Compliance is to create a plan for addressing all desired technical and organisational measures in order to attain the ongoing capacity for compliance.

Prioritise “Desired” Technical and Organisational Measures

To begin this step it is necessary to identify the technical and organisational measures desired to achieve GDPR compliance.

Plan GDPR Compliance

Appendix D: Common Approaches for Prioritising GDPR Compliance Planning

To prioritise your desired technical and organisational measures, it is important to note there are no silver bullets. What works for one organisation may not work for another. However, Nymity’s extensive research and experience working with companies implementing GDPR compliance has identified many approaches to implementing desired technical and organisational measures, including the following common approaches:

• Inventory (Record of Processing Activities) approach

• Resource approach

• Risk approach

• Project management approach

Use this appendix for ideas on GDPR compliance prioritisation approaches that may best align with your business.

Update “Desired” status: A review of the “Desired” privacy management activities is only required to ensure the technical and organisational measures identified in your approach are accurately reflected in your documentation.

Getting Started Priorities: The priority for your approach may be defined by the resources available.

It is now time to complete this step.

1. Resources to Implement

For Desired technical and organisational measures it is important to document the required resources to ensure a successful implementation. This will help assess the viability of the organisation implementing the technical or organisational measures and changing the status to “In Progress”.

Implement when it can be maintained: Demonstrating compliance with the GDPR is an ongoing state, not a point-in-time status. It is recommended you first consider the resources available. In many cases, the initial effort to implement an activity will be higher than the effort to maintain an activity. However, it is important for maintenance to be considered right from the start. For example, with the technical and organisational measure ‘Maintain a data privacy policy’, the initial effort required to draft a policy may require a medium level of resources. Also, the policy must be socialised with key stakeholders to achieve buy-in and improve the chances of adoption and, ultimately, it should be approved by executive leadership. Publishing or issuing the policy is just the first step. It must then be reviewed on a periodic basis to ensure it is still aligned with legislative requirements and the business environment, and should be updated as needed to reflect changes. A failure to keep the policy up-to-date will result in increased privacy risk. Although the effort to carry out these periodic reviews and updates requires fewer resources, it should be factored into the planning and prioritisation. If not enough resources are available to maintain the measure, it is important to note this, as this becomes a justification to make the case for appropriate resources.

Resources Examples: If you are looking for a deeper understanding of the resources and more examples, please review Appendix A: Key Concepts: Resources.

2. Resources to Maintain

As described when completing the Baseline step, the resources required to maintain activities need to be identified. It is important to secure the resources to maintain a technical or organisational measure prior to implementation. Without adequate maintenance, the measure could have limited effectiveness.

What’s Next?

The Baseline and Plan steps described above provide a structured privacy management approach to getting started with GDPR compliance. After those steps are implemented, privacy management becomes an ongoing process. Once a technical and organisational measure is implemented it then needs to be maintained. If there are sufficient resources available after a measure is implemented, the resources can be re-directed to a desired measure.

In practice, the status of “Implemented” technical and organisational measures may change back to “In Progress” for a variety of reasons, including new legislation or regulations supplementing the GDPR, DPA enforcement activity and guidelines. At all stages of privacy management, it is important to report on your progress. In the beginning of your compliance efforts, it is important to build the business case to justify the resources required for GDPR compliance. As privacy management matures, ongoing reporting is important to ensure there are resources to maintain the implemented technical and organisational measures. Maintaining this workbook becomes a technical or organisational measure in its own right that supports your privacy management and reporting for years to come.

NOTE: Nymity has several resources to assist organisations in this structured approach to GDPR Compliance.

Free Resources:

• Nymity Privacy Management Accountability Framework,

• Nymity Privacy Management Workbook, and

• Demonstrating Compliance Manual

https://www.nymity.com/data-privacy-resources.aspx

Automated Solutions:

Take control of privacy management with Nymity Planner™, the ideal solution for the privacy office looking to build, enhance, and structure privacy management throughout the organisation.

https://www.nymity.com/products/privacy-management-planner.aspx

Understand and compare privacy management and GDPR Compliance across your organisation to other organisations with Nymity Benchmarks™.

https://www.nymity.com/products/privacy-program-metrics.aspx


Appendix A: Key Concepts

To fully maximise the use of the Privacy Management Workbook it is best to understand the underlying key concepts leveraged in this structured approach to getting started:

1. Privacy Officer

2. Resources

3. Context

4. Stand-Ready to Demonstrate On-Demand

1. Privacy Officer

The Privacy Office is all the individuals responsible for privacy management. One of the key roles in privacy management is the individual within the organisation responsible for privacy management, which in this manual is called the privacy officer. The role can go by many titles including Privacy Counsel, Privacy Officer, Chief Privacy Officer, or could even be an individual that does not have privacy in their title. These individuals can reside in many departments, for example, legal, compliance, and risk.

2. Resources

Resources are what are available to the privacy office to implement and maintain the privacy management activity. Nymity’s research has identified four categories of resources; the following table provides several examples.

Table 1: Privacy Management Program Resources (partial list)

People:

• Employees – full or partial headcount

• Buy-in or support from Executives/ Senior Management

• Other departments or groups such as Internal Audit, Compliance, ERM

• Shared Services (Info Sec, IT, Legal, Procurement)

• External Consultants/ Advisors/ Auditors/ Service Providers

• Data Protection Authority

Processes:

• Workflows for approval/sign-off

• Monitoring/ Reviewing controls or mechanisms

• Communications/ Meetings

• Training/knowledge sharing

• Escalation paths

Technology:

• File/document sharing platforms

• Collaboration tools

• Information Security/Data Protection controls

• ERP Systems

• Ticketing Systems

• E-Learning System

Tools:

• Compliance research subscriptions

• Subscription newsletter to stay informed

• Templates and samples

• Privacy management systems

• Privacy/ Risk/ Compliance Reporting Software

• PIA solutions

• Rationalised rules table generators

• Benchmarking solutions

3. Context

Privacy is contextual, and thus, privacy management must be contextual. Therefore, there are no standard checklists to which a privacy officer can point and say, “we are responsible.” To articulate how the organisation’s data processing activities are carried out in compliance with the Rules (i.e. to demonstrate compliance), one must understand the activities themselves, the motivations behind them, how the Rules apply, along with many other factors. Privacy officers are uniquely positioned to demonstrate compliance and accountability. They have the expertise to interpret requirements, the knowledge to understand how they apply to each type of processing, and can communicate the context of compliance.


13 | P a g e A Structured Approach to Privacy Management: Getting Started Copyright © Nymity Inc. 2017

Privacy context includes:

1. Rules [3]

Organisations in many jurisdictions are required to comply with privacy laws and regulations. In addition, they must often comply with policies or other commitments such as privacy notices or codes of conduct. These requirements are collectively referred to as Rules. The privacy officer understands the Rules and therefore can provide context for how they apply to each type of data processing.

2. Data Processing Practices

The privacy officer understands the organisation’s practices that involve the processing of personal data, including business operations and back office functions, such as human resources, marketing, and finance. Working with stakeholders throughout the organisation, the privacy officer can understand and provide context for how the Rules apply to organisational practices.

3. Privacy Management

The privacy officer understands the privacy management activities that have been implemented throughout the organisation and how they are maintained. Many decisions related to privacy management are influenced by the Rules and how they apply to data processing. Explaining these decisions is a key element of providing context.

4. Privacy Risk

The privacy officer understands the risk of harm to individuals and to the organisation [4]. The privacy officer can explain how privacy risk can influence decisions related to which privacy management activities to implement and why. Related to privacy risk, another element of context is the decision to prioritise one risk mitigation activity over another when resources are limited.

For some technical and organisational measures, it is obvious how the evidence can be used to demonstrate compliance. For example, if a Rule requires that a privacy notice contain certain elements [5], it is easy to determine that the elements are present when the privacy notice can be provided, and the privacy officer would not need to contextualise the evidence. In other cases, it is not obvious. For example, Rules often require that data is not processed for purposes beyond those for which it was collected. In this scenario, Evidence may include policies and guidance instructing employees of the requirement. These are simple to map to the Rule, which is a good start, but do not go far enough: they demonstrate that guidance was issued, not that it is being followed. To demonstrate privacy is effectively embedded, the privacy office might show that Privacy Impact Assessments (PIAs) are required for all new collection and use of personal data [6]; part of the PIA includes identifying the original purpose for collection and determining whether the new use is consistent with it. This Evidence likely requires contextualisation.

The following example provides a more in-depth explanation of how Evidence can be contextualised to answer the question: How does the organisation comply with the Rules? The privacy officer may want to demonstrate how the outbound telemarketing team within a call centre complies with a requirement to obtain consent to collect and use data for selling a product. The privacy officer can use existing privacy management documentation (i.e. Evidence) and provide context to demonstrate compliance as follows:

[3] Rules: Requirements of a law, regulation, policy, or other commitment such as a privacy notice or code of conduct.

[4] “Conduct an Enterprise Privacy Risk Assessment” found in 1. Maintain Governance Structure in the Nymity Privacy Management Accountability Framework™.

[5] “Maintain a data privacy notice that details the organisation’s personal data handling practices” found in 8. Maintain Notices in the Nymity Privacy Management Accountability Framework™.

[6] “Maintain PIA/DPIA guidelines and templates” found in 10. Monitor for New Operational Practices in the Nymity Privacy Management Accountability Framework™.

[7] “Maintain a data privacy policy” found in 3. Maintain Data Privacy Policy in the Nymity Privacy Management Accountability Framework™.

[8] Same as [7].

Privacy Management Activity: Maintain a Data Privacy Policy [7]

Evidence: Privacy Policy. The data privacy policy [8] contains a provision which states the organisation must obtain consent for all types of data processing.


[9] “Conduct privacy training” found in 5. Maintain Training and Awareness Program in the Nymity Privacy Management Accountability Framework™.

[10] “Conduct privacy training reflecting job specific content” found in 5. Maintain Training and Awareness Program in the Nymity Privacy Management Accountability Framework™.

[11] “Integrate data privacy into telemarketing practices” found in 4. Embed Data Privacy into Operations in the Nymity Privacy Management Accountability Framework™.

[12] “Conduct internal audits of the privacy program (i.e., operational audit of the Privacy Office)” found in 12. Monitor Data Handling Practices in the Nymity Privacy Management Accountability Framework™.

Context: Rules, Data Processing, Privacy Management Having identified the call centre as a point of data collection and use [Data Processing], the privacy office determines consent is required. The data privacy policy is a privacy management activity which sets the expectation for obtaining consent [Rules, Privacy Management].

Evidence: Data Privacy Training Materials. The general data privacy training curriculum for all employees with access to personal data [9] contains general guidance for obtaining consent. The role-specific privacy training for call centre employees [10] contains more specific guidance for when and how to obtain and record consent when collecting data. Context: Privacy Management. The privacy office can show, using general and role-specific privacy training, that the expectation to obtain consent is reinforced and communicated proactively [Privacy Management].

Evidence: Call Centre Scripts. The call centre utilises scripts for outbound telemarketing which guide the employees on how to obtain explicit consent for processing [11]. Context: Rules, Privacy Management. The privacy office can demonstrate that employees are provided with tools to help them comply with the policy [Rules], as the scripts include a statement for explaining the privacy notice and obtaining explicit consent [Privacy Management].

Evidence: CRM Screen Shots The Customer Relationship Management (CRM) system contains a field where consent and opt-out requests are recorded. Validation mechanisms prevent the user from extracting a record for a purpose for which consent has not been obtained. Context: Data Processing Because the privacy officer understands how data is collected and flows throughout the organisation [Data Processing], he or she can use the CRM to demonstrate consent is being collected and managed.
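The CRM control described above, as an added example (written for this page; it is not Nymity’s code and not the API of any CRM product): a contact store holding one consent record per purpose, where an extraction for a purpose the organisation has not defined is refused outright, an extraction for a defined purpose returns only the contacts with current consent for it, and every request is logged so the log itself becomes informal evidence. The purpose names, contacts and consent sources are constructed assumptions.

```python
"""Consent-gated extraction from a CRM-style contact store.

Added example, not Nymity's code or any real CRM product. It models the
control the page describes: a consent field per purpose, and a check that
blocks pulling a record for a purpose without recorded consent. The data
model, purposes and sample contacts are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Purposes the organisation has defined and notified to individuals (assumed).
# Anything else is refused outright: purpose limitation means you cannot even ask.
KNOWN_PURPOSES = {"service", "telemarketing", "email_marketing"}


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool          # False records an opt-out, which overrides earlier consent
    recorded_on: date
    source: str            # where it was captured, e.g. "call_script_v3", "web_form"


@dataclass
class Contact:
    contact_id: str
    name: str
    phone: str
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)

    def has_consent(self, purpose: str) -> bool:
        rec = self.consents.get(purpose)
        # No record at all is treated as no consent: the most restrictive
        # reading, matching the policy choice described in the page's example.
        return rec is not None and rec.granted


class ExtractionDenied(Exception):
    """Raised when an extraction is requested for a purpose that is not defined."""


class CRM:
    def __init__(self, contacts: List[Contact]) -> None:
        self._contacts: Dict[str, Contact] = {c.contact_id: c for c in contacts}
        # Every request is logged whether or not it succeeds; the log is the
        # kind of informal evidence (system log) the page describes.
        self.audit_log: List[dict] = []

    def record_consent(self, contact_id: str, purpose: str, granted: bool,
                       source: str, recorded_on: Optional[date] = None) -> None:
        if purpose not in KNOWN_PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._contacts[contact_id].consents[purpose] = ConsentRecord(
            purpose, granted, recorded_on or date.today(), source)

    def extract(self, purpose: str, requested_by: str) -> List[Contact]:
        """Return only the contacts with current consent for `purpose`.

        Non-consenting contacts are withheld rather than returned with a
        warning, so the user never sees a record they may not use.
        """
        if purpose not in KNOWN_PURPOSES:
            self._log(requested_by, purpose, "refused_unknown_purpose", 0, 0)
            raise ExtractionDenied(f"'{purpose}' is not a defined processing purpose")
        allowed = [c for c in self._contacts.values() if c.has_consent(purpose)]
        self._log(requested_by, purpose, "ok", len(allowed),
                  len(self._contacts) - len(allowed))
        return allowed

    def _log(self, who: str, purpose: str, outcome: str,
             returned: int, withheld: int) -> None:
        self.audit_log.append({"requested_by": who, "purpose": purpose,
                               "outcome": outcome, "returned": returned,
                               "withheld": withheld})


def build_demo_crm() -> CRM:
    """Constructed sample data (not real contacts)."""
    crm = CRM([
        Contact("C1", "Ada", "+44 20 7946 0001"),
        Contact("C2", "Bo", "+44 20 7946 0002"),
        Contact("C3", "Cy", "+44 20 7946 0003"),
    ])
    crm.record_consent("C1", "telemarketing", True, "call_script_v3", date(2017, 6, 1))
    crm.record_consent("C2", "telemarketing", True, "call_script_v3", date(2017, 6, 1))
    # Bo later opted out; the opt-out replaces the earlier consent record.
    crm.record_consent("C2", "telemarketing", False, "opt_out_request", date(2017, 7, 1))
    # Cy consented only to service contact, never to marketing.
    crm.record_consent("C3", "service", True, "web_form", date(2017, 5, 1))
    return crm


if __name__ == "__main__":
    crm = build_demo_crm()
    print([c.name for c in crm.extract("telemarketing", "agent7")])  # ['Ada']
    print([c.name for c in crm.extract("service", "agent7")])        # ['Cy']
    print(crm.audit_log)
```

The design choice worth noting is that the gate is in the extraction path, not in the user interface: a screenshot of a consent field shows the field exists, whereas a refused request in the audit log shows the control fired.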

Evidence: Privacy Office Consultation The Call Centre director reached out to the privacy office via email to inquire about how the organisation’s policy around obtaining explicit consent should be applied in a jurisdiction where law permits implied consent. These emails and follow up discussions show how the privacy officer assisted the call centre to address consent requirements.

Context: Rules, Privacy Risk The privacy office can explain that even though the law does not require explicit consent in all cases [Rules], they have made the decision to obtain explicit consent. By simplifying the process and defaulting to the most restrictive requirement, the organisation is less likely to be non-compliant [Privacy Risk].

Evidence: Audit Results. An internal audit of call centre operations included listening to a selection of recorded calls to determine if the process for obtaining consent was followed [12]. No exceptions were reported. Context: Privacy Management, Privacy Risk. Although the privacy office did not conduct the internal audit, the audit report becomes documentation that can be used as Evidence of privacy accountability and compliance. The report shows the selected calls followed the requirements in the data privacy policy [Rules]. As the policy exceeds the requirements of the law [Rules], the privacy office can explain why it determined there is a minimal risk of non-compliance with the legal requirements for consent [Privacy Risk].

The privacy office could answer the question: how does the organisation comply with the Rules around consent? Note that in the above example, the privacy office could demonstrate compliance using existing privacy management documentation; no additional documentation was produced. Also note that the documentation alone would not be sufficient to demonstrate compliance to someone who did not understand the Rules that apply to the organisation, the way data is processed, how privacy management is embedded in the organisation, or the privacy risk profile. The demonstration of compliance required the context provided by the privacy officer.

4. Stand-Ready to Demonstrate On-Demand

Organisations that keep the Workbook up-to-date with documentation serving as evidence have the capacity to stand ready to demonstrate responsible privacy management (that is, accountability and/or compliance) on demand. Some organisations will take more of an assessment-based approach and update the Workbook on an annual basis. Being able to stand ready to demonstrate on demand allows the privacy office to contextualise responsible privacy management (accountability) at any time. The privacy officer can also contextualise compliance to a regulator at any time (for example, during an investigation, or when proactively reaching out to a privacy or data protection regulator).

Since 2002, Nymity has been conducting global research and on-the-ground workshops with privacy and data protection regulators to examine what it takes for organisations to “demonstrate” accountability through effective privacy management. One outcome is the understanding that structured privacy management has three key elements: 1. responsibility, 2. ownership, and 3. evidence.

1. Responsibility

Responsible organisations maintain the right set of privacy management activities.

Nymity’s research has resulted in the Nymity Privacy Management Accountability Framework™ (“Framework”). It is this Framework that forms the foundation for the “responsibility” element in a structured approach to privacy management.

The Framework is not a checklist of activities that must be completed; it is a menu for privacy management that can be adapted to any organisation. No two organisations’ privacy management is the same, and thus this Framework provides the flexibility necessary for planning, scaling, and communicating privacy management. The Framework is not based on principles or controls, but on privacy management activities that can be monitored and tracked. It is a comprehensive, jurisdiction- and industry-neutral listing of 130+ privacy management activities within 13 Privacy Management Categories.

Privacy Management Categories

1. Maintain Governance Structure

2. Maintain Personal Data Inventory

3. Maintain Data Privacy Policy

4. Embed Data Privacy into Operations

5. Maintain Training and Awareness Program

6. Manage Information Security Risk

7. Manage Third-Party Risk

8. Maintain Notices

9. Maintain Procedures for Inquiries and Complaints

10. Monitor for New Operational Practices

11. Maintain Data Privacy Breach Management Program

12. Monitor Data Handling Practices

13. Track External Criteria

In a structured approach to privacy management, responsibility means appropriate technical and organisational measures have been implemented and are maintained on an ongoing basis. The appropriate measures are determined based on the organisation’s compliance requirements, risk profile, business objectives, and the context of data processing (type of data processed, nature of processing, purpose for collection, use and disclosure, etc.).

2. Ownership

An individual is answerable for the management and monitoring of each of the privacy management activities.

Ownership is the second element of structured privacy management and builds upon the element of responsibility. Even if the privacy officer is accountable for data privacy or compliance, the privacy office itself usually processes very little, if any, personal data. As such, effectiveness relies on the appropriate technical and organisational measures being performed at all points of the personal data life cycle, from the point of collection to the point of destruction.


Ownership of some privacy management activities will reside within the operational and business units where data is being collected and processed, for example, human resources, marketing, product development, IT, customer service, etc.

Privacy management activities may be:

• Maintained by the privacy officer. For example:

  o Maintain a data privacy policy

  o Conduct privacy training

  o Maintain a data privacy notice detailing the organisation’s personal data handling practices

  o Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.

• Influenced or observed by the privacy officer. For example:

  o Integrate data privacy into direct marketing practices

  o Integrate data privacy into an information security policy

  o Conduct due diligence around the data privacy and security posture of potential vendors/processors

Table 0.2 provides examples of technical and organisational measures within each of the 13 Privacy Management Categories performed by various stakeholders within the organisation.

Privacy Management Category / Activity Owned by the Privacy Office (example) / Activity Owned by an Operational Unit (example, with owner)

1. Maintain Governance Structure
   Privacy Office: Maintain a privacy strategy
   Human Resources: Require employees to acknowledge and agree to adhere to data privacy policies

2. Maintain Personal Data Inventory
   Privacy Office: Maintain an inventory of key personal data holdings (what personal data is held and where)
   Corporate Records Management: Classify personal data holdings by type (e.g. sensitive, confidential, public)

3. Maintain Data Privacy Policy
   Privacy Office: Maintain a data privacy policy
   Human Resources: Maintain an employee data privacy policy

4. Embed Data Privacy into Operations
   Privacy Office: Maintain policies/procedures for collection and use of children’s and minors’ personal data
   Marketing: Integrate data privacy into direct marketing practices

5. Maintain Training and Awareness Program
   Privacy Office: Conduct privacy training
   Customer Service: Incorporate data privacy into operational training, such as HR, security, call centre

6. Manage Information Security Risk
   Privacy Office: Maintain an acceptable use of information resources policy
   Information Security: Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)

7. Manage Third-Party Risk
   Privacy Office: Maintain data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates)
   Legal: Maintain procedures to execute contracts or agreements with all processors

8. Maintain Notices
   Privacy Office: Maintain a data privacy notice detailing the organisation’s personal data handling practices
   Facilities/Corporate Security: Provide notice by means of on-location signage, posters

9. Maintain Procedures for Inquiries and Complaints
   Privacy Office: Investigate root causes of data protection complaints
   Call Centre: Maintain procedures to address complaints

10. Monitor for New Operational Practices
   Privacy Office: Maintain PIA/DPIA guidelines and templates
   Information Technology: Conduct PIAs/DPIAs for new programs, systems, processes

11. Maintain Data Privacy Breach Management Program
   Privacy Office: Maintain a data privacy incident/breach response plan
   Legal: Engage a forensic investigation team

12. Monitor Data Handling Practices
   Privacy Office: Monitor and report privacy management metrics
   Internal Audit: Conduct internal audits of the privacy program (i.e., operational audit of the Privacy Office)

13. Track External Criteria
   Privacy Office: Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.
   Compliance: Document decisions around new requirements, including their implementation or any rationale behind decisions not to implement changes

Table 0.2 – Examples of Activities Owned by the Privacy Office and Operational Units

3. Evidence

Documentation that is a by-product of privacy management activities is made available by the owner.

The third element of structured privacy management is evidence. In responsible organisations, the Owner of a privacy management activity provides supporting evidence that the activity is being maintained.

When privacy management activities are performed on an ongoing basis and Accountability Mechanisms are in place, evidence is produced as a by-product. Evidence is documentation which may be formal (e.g., policies, procedures, reports) or informal (e.g., communication, agendas, system logs) and can be used, with context, by the privacy office to show that a privacy management activity is being performed. For example, the technical and organisational measure “Maintain PIA/DPIA guidelines and templates” produces several forms of evidence, including: policies requiring PIAs, procedures and workflows documenting the approval process, PIA guidelines and templates, training documents on how to conduct PIAs, logs of PIAs, etc. This documentation serves as evidence of accountability.

Refer to Table 0.3 for the characteristics of formal and informal documentation and corresponding examples:

Documentation / Characteristics / Examples

Formal
   Characteristics: Typically published, maintained, and communicated to designated groups
   Examples: Policies, Procedures, Reports

Informal
   Characteristics: May show an example of an activity having occurred, such as an e-mail conversation between two key individuals or a record of participation in a webinar
   Examples: Email communication, meeting agendas, system logs

Table 0.3 – Characteristics of Formal and Informal Documentation

Table 0.4 describes the role the privacy office plays depending on the source of the documentation, as well as corresponding examples of the document types:

Source / Privacy Office Role / Example Documents

Produced: generated by the privacy office with input from other key stakeholders
   Privacy Office Role: The privacy office performs the activity
   Example Documents: Data Privacy Policy; Privacy Notice; Data Privacy Training Curriculum; Privacy Impact Assessment Guidelines; Policy/procedure for secondary uses of personal data

Influenced: influenced by the privacy office but created by other stakeholders
   Privacy Office Role: The privacy office provides input or opinions
   Example Documents: Direct Marketing Procedures; Privacy Impact Assessments; Employment Policies; Records retention schedules

Collected: provided to the privacy office by other stakeholders
   Privacy Office Role: The privacy office is kept up to date on progress, often only upon completion
   Example Documents: Internal Audit Results; IT Security Assessment Results; Business Continuity Plans

Table 0.4 – The Privacy Office’s Role in Production of Documentation

Table 0.5 outlines how formal and informal documentation can be produced, influenced, or collected by the privacy office as evidence of the Privacy Management Activities.

Technical or Organisational Measure / Evidence or Documentation / Source and Role / Formal or Informal

• Maintain a data privacy policy
   Evidence: Data Privacy Policy
   Source/Role: Produced by privacy office
   Formal

• Integrate data privacy into delegate access to employees’ company e-mail accounts (e.g. vacation, LOA, termination)
   Evidence: E-mail monitoring policy and procedure
   Source/Role: Influenced by privacy office; produced by information technology
   Formal

• Measure participation in data privacy training activities (e.g. numbers of participants, scoring)
   Evidence: System-generated report of data privacy exam scores
   Source/Role: Collected by privacy office; produced by human resources
   Informal

• Provide notice in marketing communications (e.g. emails, flyers, offers)
   Evidence: Examples of e-mail marketing communications
   Source/Role: Influenced by privacy office; produced by marketing
   Informal

Table 0.5 - Formal and Informal Documentation

4. Frequency: Technical and Organisational Measures are Ongoing

Although privacy management may have started as a project, responsible organisations allocate sufficient resources to privacy management and continually re-evaluate their privacy management needs to ensure activities remain aligned.

A privacy management program should never be considered a finished product; it requires ongoing assessment and revision to be effective and relevant. The building blocks must be monitored and assessed on a regular basis and be updated accordingly. – Getting Accountability Right [13]

Privacy management is a set of ongoing technical or organisational measures performed either periodically or continuously.

• Periodic Activities are performed on a set frequency, e.g. quarterly or annually. These activities are treated as discrete projects or tasks with a defined start and end.

• Continuous Activities are embedded into day-to-day operations. These activities often take a repetitive approach, where adjustments are made continuously toward the desired outcome.

Table 0.8 takes several privacy management activities and shows how a periodic and a continuous approach to the same activity might differ:

Technical or Organisational Measure / Periodic approach / Continuous approach

• Maintain flow charts for data flows (e.g. between systems, between processes, between countries)
   Periodic: On an annual basis, require key stakeholders to review the flow charts for accuracy and update diagrams as necessary
   Continuous: Proposed changes to data flows are identified and the flow charts are updated as a condition of project sign-off, implemented as part of the project management requirements

• Measure participation in data privacy training activities (e.g. numbers of participants, scoring)
   Periodic: Each quarter, review reports generated by the e-learning system to determine whether all employees have completed required training
   Continuous: Configure the e-learning system to generate alerts when an employee has not completed training by the required date and notify the employee’s manager, suggesting he or she follow up immediately

• Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.)
   Periodic: Establish a cross-functional committee of privacy stakeholders (e.g. IT, marketing, legal, HR, etc.) who meet on a quarterly basis to discuss data privacy matters
   Continuous: Create an email alias or group discussion to facilitate communication amongst group members on data privacy matters

• Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties)
   Periodic: On a monthly basis, review reports of active system users to ensure their access is still appropriate and sign off to indicate approval
   Continuous: Configure the HR system to send alerts to information security when employees are terminated or when there are changes to their job title, department, or reporting structure

Table 0.8 - Examples of Periodic and Continuous Approaches to Privacy Management Activities

[13] Office of the Information and Privacy Commissioner of Alberta. (2012). Getting Accountability Right with a Privacy Management Program. Alberta, Canada.

Whether the activity should be performed periodically or continuously depends on a number of factors. Periodic activities may encourage structure, whereas continuous activities may provide more thorough coverage and risk prevention.
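The last row of Table 0.8 (restricting access to personal data) is the one a security engineer will usually be asked to implement, so here is an added example of both approaches side by side. It is written for this page and is not Nymity’s code, nor tied to any real HR or identity system: a periodic review reconciles the active accounts on a system holding personal data against the HR roster (orphan accounts, leavers whose accounts survive, roles inconsistent with the holder’s department, and stale accounts), and a continuous control diffs two roster snapshots to raise the leaver and mover events the page says the HR system should alert on. The roster, accounts and the role-to-department rule are constructed assumptions.

```python
"""Periodic access review versus continuous HR-triggered alerting.

Added example for the last row of Table 0.8; not Nymity's code and not tied
to any real HR or IAM product. The roster and account lists are constructed
sample data, and ROLE_DEPARTMENT is an assumed segregation-of-duties rule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    title: str
    department: str
    manager: str
    status: str                 # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]       # None if the account is not linked to an HR record
    role: str                   # role in the system that holds personal data
    last_login: Optional[date]


# Assumed policy: these roles may only be held by members of the named department.
ROLE_DEPARTMENT = {
    "crm_export": "Marketing",
    "crm_agent": "Customer Service",
    "hr_admin": "Human Resources",
}
STALE_AFTER = timedelta(days=90)


def periodic_access_review(roster: Dict[str, Employee], accounts: List[Account],
                           as_of: date) -> List[dict]:
    """The monthly report: reconcile active accounts against the HR roster.

    Each finding is something a reviewer must sign off or revoke: accounts with
    no HR owner, accounts of leavers, roles inconsistent with the holder's
    department, and accounts nobody has used within STALE_AFTER.
    """
    findings = []
    for acct in accounts:
        emp = roster.get(acct.emp_id) if acct.emp_id else None
        if emp is None:
            findings.append({"username": acct.username, "issue": "orphan_account"})
            continue
        if emp.status == "terminated":
            findings.append({"username": acct.username, "issue": "leaver_still_active"})
            continue
        required = ROLE_DEPARTMENT.get(acct.role)
        if required and emp.department != required:
            findings.append({"username": acct.username, "issue": "role_department_mismatch",
                             "detail": f"{acct.role} held by {emp.department}"})
        if acct.last_login is None or as_of - acct.last_login > STALE_AFTER:
            findings.append({"username": acct.username, "issue": "stale_account"})
    return findings


def hr_change_alerts(previous: Dict[str, Employee],
                     current: Dict[str, Employee]) -> List[dict]:
    """The continuous control: diff two roster snapshots and emit the events
    information security should act on immediately (leavers and movers).
    Joiners are left to the provisioning workflow, so they are not alerted here.
    """
    alerts = []
    for emp_id, now in current.items():
        before = previous.get(emp_id)
        if before is None:
            continue
        if before.status != "terminated" and now.status == "terminated":
            alerts.append({"emp_id": emp_id, "event": "termination"})
            continue
        changed = [f for f in ("title", "department", "manager")
                   if getattr(before, f) != getattr(now, f)]
        if changed:
            alerts.append({"emp_id": emp_id, "event": "mover", "changed": changed})
    for emp_id in previous.keys() - current.keys():
        alerts.append({"emp_id": emp_id, "event": "removed_from_roster"})
    return alerts


# Constructed sample data (not real people or systems).
AS_OF = date(2017, 7, 28)
ROSTER_JUNE = {
    "E100": Employee("E100", "Marketing Analyst", "Marketing", "E001", "active"),
    "E200": Employee("E200", "Agent", "Customer Service", "E002", "active"),
    "E300": Employee("E300", "HR Generalist", "Human Resources", "E003", "active"),
}
ROSTER_JULY = {
    "E100": Employee("E100", "Marketing Analyst", "Marketing", "E001", "active"),
    "E200": Employee("E200", "Agent", "Customer Service", "E002", "terminated"),
    "E300": Employee("E300", "Marketing Analyst", "Marketing", "E001", "active"),  # moved out of HR
}
ACCOUNTS = [
    Account("analyst1", "E100", "crm_export", date(2017, 7, 20)),
    Account("agent7", "E200", "crm_agent", date(2017, 7, 1)),      # leaver, account never disabled
    Account("hrgen2", "E300", "hr_admin", date(2017, 7, 25)),      # mover still holding the HR role
    Account("svc_legacy", None, "crm_export", date(2017, 2, 1)),   # no HR owner, unused for months
]

if __name__ == "__main__":
    for f in periodic_access_review(ROSTER_JULY, ACCOUNTS, AS_OF):
        print("review:", f)
    for a in hr_change_alerts(ROSTER_JUNE, ROSTER_JULY):
        print("alert:", a)
```

The two functions find the same people by different routes: the termination and the department move appear in the monthly review as an active leaver account and a role mismatch, and in the continuous control as a termination and a mover event on the day the roster changed. The orphan service account is only ever caught by the periodic review, which is one reason the page keeps both approaches rather than treating continuous controls as a replacement.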

An organisation that has embedded responsibility, ownership, and evidence into its privacy program has implemented accountability and is now equipped to demonstrate accountability.

Appendix C: Getting Started with GDPR Compliance

Privacy Management Framework mapped to the GDPR

Privacy Management Category / Privacy Management Activity / GDPR Article Reference (shown as [Art. n] after each activity; activities with no article reference in the source are listed without one)

1. Maintain Governance Structure

• Assign responsibility for data privacy to an individual (e.g. Privacy Officer, Privacy Counsel, CPO, Representative) [Art. 27]

• Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)

• Appoint a Data Protection Officer/Official (DPO) in an independent oversight role [Art. 37, 38]

• Assign responsibility for data privacy throughout the organisation (e.g. Privacy Network)

• Maintain roles and responsibilities for individuals responsible for data privacy (e.g. job descriptions) [Art. 39]

• Conduct regular communication between the privacy office, privacy network and others responsible/accountable for data privacy [Art. 38]

• Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.)

• Report to internal stakeholders on the status of privacy management (e.g. board of directors, management)

• Report to external stakeholders on the status of privacy management (e.g., regulators, third parties, clients)

• Conduct an Enterprise Privacy Risk Assessment [Art. 24, 39]

• Integrate data privacy into business risk assessments/reporting

• Maintain a privacy strategy

• Maintain a privacy program charter/mission statement

• Require employees to acknowledge and agree to adhere to the data privacy policies

2. Maintain Personal Data Inventory

• Maintain an inventory of personal data holdings (what personal data is held and where) [Art. 30]

• Classify personal data holdings by type (e.g. sensitive, confidential, public)

• Obtain regulatory approval for data processing (where prior approval is required)

• Register databases with regulators (where registration is required)

• Maintain flow charts for data flows (e.g. between systems, between processes, between countries)

• Maintain records of the transfer mechanism used for cross-border data flows (e.g., standard contractual clauses, binding corporate rules, approvals from regulators) [Art. 45, 46, 49]

• Use Binding Corporate Rules as a data transfer mechanism [Art. 46, 47]

• Use contracts as a data transfer mechanism (e.g., Standard Contractual Clauses) [Art. 46]

• Use APEC Cross Border Privacy Rules as a data transfer mechanism

• Use regulatory approval as a data transfer mechanism [Art. 46]

• Use adequacy or one of the derogations from adequacy (e.g. consent, performance of a contract, public interest) as a data transfer mechanism [Art. 45, 48, 49]

• Use the EU-US Privacy Shield as a data transfer mechanism [Art. 46]

3. Maintain Data Privacy Policy

• Maintain a data privacy policy [Art. 5, 24, 91]

• Maintain an employee data privacy policy

• Document legal basis for processing personal data [Art. 6, 9, 10]

• Integrate ethics into data processing (Codes of Conduct, policies, and other measures)

• Maintain an organisational code of conduct that includes privacy

• Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) [Art. 9]


4. Embed Data Privacy into Operations

• Maintain policies/procedures for collection and use of children’s and minors’ personal data [Art. 8, 12]

• Maintain policies/procedures for maintaining data quality [Art. 5]

• Maintain policies/procedures for the de-identification of personal data [Art. 89]

• Maintain policies/procedures to review processing conducted wholly or partially by automated means [Art. 12, 22]

• Maintain policies/procedures for secondary uses of personal data [Art. 6, 13, 14]

• Maintain policies/procedures for obtaining valid consent [Art. 6, 7, 8]

• Maintain policies/procedures for secure destruction of personal data

• Integrate data privacy into use of cookies and tracking mechanisms

• Integrate data privacy into records retention practices [Art. 5]

• Integrate data privacy into direct marketing practices [Art. 21]

• Integrate data privacy into e-mail marketing practices

• Integrate data privacy into telemarketing practices

• Integrate data privacy into digital marketing practices (e.g., mobile, social media, behavioural advertising)

• Integrate data privacy into hiring practices

• Integrate data privacy into the organisation’s use of social media practices [Art. 8]

• Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures

• Integrate data privacy into health & safety practices

• Integrate data privacy into interactions with works councils

• Integrate data privacy into practices for monitoring employees

• Integrate data privacy into use of CCTV/video surveillance

• Integrate data privacy into use of geo-location (tracking and/or location) devices

• Integrate data privacy into delegate access to employees’ company e-mail accounts (e.g. vacation, LOA, termination)

• Integrate data privacy into e-discovery practices

• Integrate data privacy into conducting internal investigations

• Integrate data privacy into practices for disclosure to and for law enforcement purposes

• Integrate data privacy into research practices [Art. 21, 89]

5. Maintain Training and Awareness Program

• Conduct privacy training [Art. 39]

• Conduct privacy training reflecting job-specific content

• Conduct regular refresher training

• Incorporate data privacy into operational training, such as HR, security, call centre

• Deliver training/awareness in response to timely issues/topics

• Deliver a privacy newsletter, or incorporate privacy into existing corporate communications

• Provide a repository of privacy information, e.g., an internal data privacy intranet

• Maintain privacy awareness material (e.g. posters and videos)

• Conduct privacy awareness events (e.g., an annual data privacy day/week)

• Measure participation in data privacy training activities (e.g. numbers of participants, scoring)

• Enforce the requirement to complete privacy training

• Provide ongoing education and training for the Privacy Office and/or DPOs (e.g. conferences, webinars, guest speakers)

• Maintain certification for individuals responsible for data privacy, including continuing professional education

| Privacy Management Categories | Privacy Management Activities | GDPR Article Reference |
|---|---|---|
| 6. Manage Information Security Risk | Integrate data privacy risk into security risk assessments | 32 |
| | Integrate data privacy into an information security policy | 5, 32 |
| | Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) | 32 |
| | Maintain measures to encrypt personal data | 32 |
| | Maintain an acceptable use of information resources policy | |
| | Maintain procedures to restrict access to personal data (e.g. role-based access, segregation of duties) | 32 |
| | Integrate data privacy into a corporate security policy (protection of physical premises and hard assets) | |
| | Maintain human resource security measures (e.g. pre-screening, performance appraisals) | |
| | Maintain backup and business continuity plans | |
| | Maintain a data-loss prevention strategy | |
| | Conduct regular testing of data security posture | 32 |
| | Maintain a security certification (e.g., ISO) | |
| 7. Manage Third-Party Risk | Maintain data privacy requirements for third parties (e.g., clients, vendors, processors, affiliates) | 28, 32 |
| | Maintain procedures to execute contracts or agreements with all processors | 28 |
| | Conduct due diligence around the data privacy and security posture of potential vendors/processors | 28 |
| | Conduct due diligence on third-party data sources | |
| | Maintain a vendor data privacy risk assessment process | |
| | Maintain a policy governing use of cloud providers | |
| | Maintain procedures to address instances of non-compliance with contracts and agreements | |
| | Conduct ongoing due diligence around the data privacy and security posture of vendors/processors | |
| | Review long-term contracts for new or evolving data privacy risks | |
| 8. Maintain Notices | Maintain a data privacy notice that details the organisation's personal data handling practices | 8, 13, 14 |
| | Provide data privacy notice at all points where personal data is collected | 13, 14, 21 |
| | Provide notice by means of on-location signage, posters | |
| | Provide notice in marketing communications (e.g. emails, flyers, offers) | |
| | Provide notice in contracts and terms | |
| | Maintain scripts for use by employees to explain or provide the data privacy notice | |
| | Maintain a privacy seal or trustmark to increase customer trust | |
| 9. Respond to Requests and Complaints from Individuals | Maintain procedures to address complaints | |
| | Maintain procedures to respond to requests for access to personal data | 15 |
| | Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data | 16, 19 |
| | Maintain procedures to respond to requests to opt out of, restrict or object to processing | 7, 18, 21 |
| | Maintain procedures to respond to requests for information | |
| | Maintain procedures to respond to requests for data portability | 20 |
| | Maintain procedures to respond to requests to be forgotten or for erasure of data | 17, 19 |
| | Maintain Frequently Asked Questions to respond to queries from individuals | |
| | Investigate root causes of data protection complaints | |
| | Monitor and report metrics for data privacy complaints (e.g. number, root cause) | |

| Privacy Management Categories | Privacy Management Activities | GDPR Article Reference |
|---|---|---|
| 10. Monitor for New Operational Practices | Integrate Privacy by Design into system and product development | 25 |
| | Maintain PIA/DPIA guidelines and templates | 35 |
| | Conduct PIAs/DPIAs for innovative programs, systems, processes | 5, 6, 25, 35 |
| | Conduct PIAs or DPIAs for changes to existing programs, systems, or processes | 5, 6, 25, 35 |
| | Engage external stakeholders (e.g., individuals, privacy advocates) as part of the PIA/DPIA process | 35 |
| | Track and address data protection issues identified during PIAs/DPIAs | 35 |
| | Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate) | 36 |
| 11. Maintain Data Privacy Breach Management Program | Maintain a data privacy incident/breach response plan | 33, 34 |
| | Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol | 12, 33, 34 |
| | Maintain a log to track data privacy incidents/breaches | 33 |
| | Monitor and report data privacy incident/breach metrics (e.g. nature of breach, risk, root cause) | |
| | Conduct periodic testing of the data privacy incident/breach plan | |
| | Engage a breach response remediation provider | |
| | Engage a forensic investigation team | |
| | Obtain data privacy breach insurance coverage | |
| 12. Monitor Data Handling Practices | Conduct self-assessments of privacy management | 25, 39 |
| | Conduct internal audits of the privacy program (i.e., operational audit of the Privacy Office) | |
| | Conduct ad-hoc walk-throughs | |
| | Conduct ad-hoc assessments based on external events, such as complaints/breaches | |
| | Engage a third party to conduct audits/assessments | |
| | Monitor and report privacy management metrics | |
| | Maintain documentation as evidence to demonstrate compliance and/or accountability | 5, 24 |
| | Maintain certifications, accreditations, or data protection seals for demonstrating compliance to regulators | |
| 13. Track External Criteria | Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc. | 39 |
| | Maintain subscriptions to compliance reporting service/law firm updates to stay informed of new developments | |
| | Attend/participate in privacy conferences, industry associations, or think-tank events | |
| | Record/report on the tracking of new laws, regulations, amendments, or other rule sources | |
| | Seek legal opinions regarding recent developments in law | |
| | Document decisions around new requirements, including their implementation or any rationale behind decisions not to implement changes | |
| | Identify and manage conflicts in law | |

Appendix D: Common Approaches to Prioritising GDPR Compliance Planning


There is no silver bullet for prioritising GDPR compliance planning; what works for one company does not necessarily work for another. Nymity's extensive research and experience with hundreds of companies implementing GDPR compliance has identified several common approaches to implementing the desired technical and organisational measures, including:

• Governance Approach

• Inventory (Record of Processing Activities) first approach

• Risk Approach

• Project Management Approach

Governance Approach

The GDPR is an accountability-based law requiring organisations to demonstrate compliance on an ongoing basis. Some organisations begin their prioritisation efforts by focusing on the activities with the greatest overall impact on governance in their organisation.

Common governance-related technical and organisational measures:

• Assign responsibility for data privacy to an individual (e.g. Privacy Officer, Privacy Counsel, CPO)

• Appoint a Data Protection Officer/Official in an independent oversight role

• Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)

• Engage stakeholders throughout the organisation on data privacy matters (e.g., information security, marketing, etc.)

• Report to internal stakeholders on the status of privacy management (e.g. board of directors, management)

• Maintain a data privacy policy

• Conduct privacy training

• Maintain a data privacy notice that details the organisation's personal data handling policies

• Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates)

• Conduct self-assessments of privacy management

Inventory (Record of Processing Activities) Approach

Article 30 of the GDPR (Records of processing activities) requires organisations with more than 250 employees to create a record of processing activities. Many organisations, especially those that process data considered "high risk," have found it beneficial to begin their GDPR compliance planning by completing a Records of Processing Activities Inventory. If an organisation has fewer than 250 employees and resources are available, this exercise can still be useful and, in general, is not onerous.

If your Step 1 Baseline exercise revealed that you have an existing data inventory, review it to ensure it captures the required information outlined in Article 30. Nymity research has found that organisations which completed or attempted traditional data inventories often did not capture the required information and, in many cases, collected far more information than is required.

What is a record of processing activities inventory?

For organisations operating in the EU, a requirement of the 1995 EU Privacy Directive was to notify and register processing activities with local DPAs. Article 30 replaces this requirement. The French data protection authority (CNIL) recently published a six-step methodology for complying with the GDPR,[14] which includes an Article 30 template. This template highlights that a traditional data inventory is not the intent of Article 30.[15] In general, these records must contain:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b) the purpose(s) of the processing;

(c) a description of the categories of data subjects and personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

It is important to note that this list is concerned first with the details of processing activities rather than the details of a data holding repository, and it does not require the onerous process of documenting every data element forming part of the data repository (though in practice, some companies will want to do this).

Completing this exercise can act as the basis for compliance with multiple obligations because the same information is required to address the following obligations:

• Record of processing activities (Article 30)

• Transparency (Articles 12 and 13)

• Data Protection Impact Assessments (Article 35)

• Data Subject Access Rights (Article 15)

• Processor (Article 28)

Risk Approach

The GDPR is a risk-based law requiring data controllers to engage in risk analysis and adopt risk-measured responses. The GDPR imposes additional obligations for data processing activities posing a high risk to individuals. Organisations engaging in low-risk processing activities, or adequately addressing risk, may avoid specific obligations such as notifying a data protection authority of a data breach.

Risk is contextual and is not clearly defined by the GDPR. Where the concept of risk appears in the GDPR, it is defined by reference to the “likelihood and severity” of a negative impact on data subject rights. Organisations should account for the “nature, scope, context and purpose of processing.” On April 4, 2017, the Article 29 Data Protection Working Party (WP) released proposed guidelines for the GDPR’s DPIA requirements, which were open to public comment through May 23, 2017. The WP guidelines shed some light on what will be considered “high-risk” processing. Ask yourself:

• Are you doing evaluation or scoring (including profiling and predicting) of aspects specific to the data subject?

• Does the processing involve automated decision making producing significant effect on the data subject?

• Are you performing systematic monitoring of data subjects, including in a publicly accessible area?

• Does the processing involve sensitive data (special categories of data as defined in Article 9 and data regarding criminal offences)?

• Is the data being processed on a large scale?

• Have datasets been matched or combined?

• Does the data concern vulnerable data subjects (as laid out in Recital 75)?

• Is this an innovative use, or does it apply new technological or organisational solutions (for example, combining fingerprint and facial recognition)?

• Are you transferring data outside the European Union?

• Will the processing itself prevent data subjects from exercising a right or using a service or a contract?

[14] www.cnil.fr/fr/comment-se-preparer-au-reglement-europeen-sur-la-protection-des-donnees

[15] www.cnil.fr/fr/cartographier-vos-traitements-de-donnees-personnelles

Common technical and organisational measures to address high-risk processing:

• Conduct an Enterprise Privacy Risk Assessment

• Maintain an inventory of personal data holdings (what personal data is held and where) [Records of Processing Data Inventory]

• Classify personal data holdings by type (e.g. sensitive, confidential, public)

• Maintain flow charts for data flows (e.g. between systems, between processes, between countries)

• Maintain a data privacy policy

• Maintain policies/procedures for secure destruction of personal data

• Integrate data privacy into records retention practices

• Conduct privacy training

• Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates)

• Conduct due diligence around the data privacy and security posture of potential vendors/processors

• Maintain a vendor data privacy risk assessment process

• Integrate Privacy by Design into system and product development

• Maintain PIA/DPIA guidelines and templates

• Conduct PIAs for new programs, systems, processes

• Maintain a Privacy by Design framework for all system and product development

• Maintain a documented data privacy incident/breach response protocol

• Conduct self-assessments of privacy management

Project Management Approach

This approach works well for organisations with ample time to address all GDPR compliance obligations, and in which the privacy officer has experience with project management or has access to internal employee resources with project management skills. Organisations taking this approach consider the time it would take to complete a task and the availability of resources in order to prioritise, then follow the general sequence of steps below:

Step 1: Task Dependency

Determine whether any technical or organisational measures depend on completing another measure first. For example, some organisations determine that the PII inventory, records of processing inventory and data flow maps need to be complete before beginning items such as Data Subject Access Requests or an Information Security Assessment. This step provides a high-level overview of the order in which to work on tasks.

Step 2: Resources and Timing

Work with the applicable resources for each task to determine roughly how long it will take to complete the required measure, and identify whether there are specific times of year when resources will or will not be available to help (e.g., working on other business projects, vacations, leaves).

Step 3: Roadmap Sequence

Build a roadmap starting with the dependent tasks in sequence. Then overlap items that do not depend on other tasks, making sure the resources have bandwidth. Add extra time into the roadmap for every task (things always happen).

Step 4: Buy-in

When the roadmap is complete, obtain buy-in from senior management (general counsel, managers of departments/resources). Adjust the plan accordingly.