Our clients have often asked, “How do I prioritize my efforts to meet GDPR accountability obligations?”
For many organizations, developing an effective privacy management infrastructure for compliance with the GDPR seems daunting. And since there isn’t a one-size-fits-all solution to this challenge, each organization is responsible for crafting an accountable privacy management program specific to their company’s unique needs.
To assist our clients in streamlining their efforts, our team developed a straightforward, two-step prioritization process that, once followed, sets an organization on the path to ongoing accountability. The process is based on the fundamentals of structured privacy management: Responsibility, Ownership, and Evidence.
Responsibility is established when appropriate technical and organizational measures are implemented and maintained on an ongoing basis. To determine which measures need to be implemented, organizations are required to examine their unique compliance requirements, risk profile, business objectives, and the context of data processing.
Building on the concept of responsibility, each technical and organizational measure must be assigned ownership, either to an individual or to a department or business unit. The owner must ensure that these measures are being maintained on an ongoing basis. Owners don’t need to belong to the privacy management team; they can reside in the operational and business units where data is being collected. This can include human resources, marketing, product development, IT, and customer service.
To prove ongoing compliance, owners must provide evidence that their activity is being maintained. When an activity is performed on an ongoing basis, evidence is often produced as a by-product, whether formal (policies, procedures, reports, etc.), or informal (communication, agendas, system logs, etc.).
The two-step approach to prioritization
Using these fundamental concepts, our two-step process was developed as an industry-neutral tool for organizations of all sizes, and all levels of expertise in the privacy sphere.
Step One: Baseline
In this first step, your organization documents the current status of GDPR compliance, including resources such as people, processes, technology, and tools. In many cases, organizations are pleased to learn that they have more technical and organizational measures in place than they were aware of! Many of these can then be easily repurposed for GDPR compliance. The Privacy Office does not need to start with a blank page when baselining GDPR compliance in the organization. Instead, the Privacy Office can use the Nymity Privacy Management Accountability Framework adapted for GDPR. Nymity’s research team has identified 39 Articles under the GDPR that require evidence of a technical or organizational measure to demonstrate compliance. These have been mapped to the Framework, resulting in the identification of 55 “primary” technical or organizational measures.
As you identify the measures in place, you’ll need to complete the following tasks for each:
1) Assign status
At Nymity, we recommend organizing each measure into one of the following statuses: Implemented (already in place, given sufficient resources); In progress (resourced, and either in the process of being implemented, or scheduled to be); Desired (applicable and relevant measure not yet implemented or resourced); and N/A (measures not applicable to your organization).
2) Assign ownership
Who will own the task moving forward? The owner must be answerable for the management and monitoring of the measure on an ongoing basis. Again, owners do not need to reside in the privacy office; in many cases it is more useful to assign owners in the operational or business units.
3) Identify resources
What resources are necessary to maintain the “implemented” and “in progress” measures? Gain an understanding now of what is required and available, so that you can mobilize these assets in Step Two.
4) Record evidence
Identify all the documentation produced as a result of implementing the technical and organizational measures currently in place. As above, this documentation can be either formal or informal.
Once all the above tasks have been completed for each relevant measure, it’s time to move on to Step Two.
Step Two: Plan
In this step, you’ll develop a privacy management plan to assist you in implementing the measures identified as “desired” or “in progress” in Step One. In doing so, you’ll need to document the following two types of resources:
1) Resources to implement
What resources are necessary in order to formally launch this technical or organizational measure? It’s important to note here that many measures will require greater resources to implement than they will require to maintain over the long term.