A Practical Guide to Demonstrating GDPR Compliance

By Teresa Troester-Falk, Chief Global Privacy Strategist at Nymity

Our clients have often asked, “How do I prioritize my efforts to meet GDPR accountability obligations?”

For many organizations, developing an effective privacy management infrastructure for compliance with the GDPR seems daunting. Since there is no one-size-fits-all solution, each organization must craft an accountable privacy management program tailored to its own needs.

To help our clients streamline their efforts, our team developed a straightforward, two-step prioritization process that, once followed, sets an organization on the path to ongoing accountability. The process is based on the fundamentals of structured privacy management: Responsibility, Ownership, and Evidence.

Responsibility

Responsibility is established when appropriate technical and organizational measures are implemented and maintained on an ongoing basis. To determine which measures need to be implemented, organizations are required to examine their unique compliance requirements, risk profile, business objectives, and the context of data processing.

Ownership

Building on the concept of responsibility, each technical and organizational measure must be assigned an owner, either an individual or a department or business unit. The owner must ensure that the measure is maintained on an ongoing basis. Owners don't need to belong to the privacy management team; they can reside in the operational and business units where data is actually collected, such as human resources, marketing, product development, IT, and customer service.

Evidence

To prove ongoing compliance, owners must provide evidence that their activity is being maintained. When an activity is performed on an ongoing basis, evidence is often produced as a by-product, whether formal (policies, procedures, reports, etc.), or informal (communication, agendas, system logs, etc.).

The two-step approach to prioritization

Using these fundamental concepts, our two-step process was developed as an industry-neutral tool for organizations of all sizes, and all levels of expertise in the privacy sphere.

Step One: Baseline

In this first step, your organization documents the current status of GDPR compliance, including resources such as people, processes, technology, and tools. In many cases, organizations are pleased to learn that they have more technical and organizational measures in place than they realized, and many of these can be repurposed for GDPR compliance. The Privacy Office does not need to start with a blank page when baselining GDPR compliance in the organization. Instead, it can use the Nymity Privacy Management Accountability Framework adapted for GDPR. Nymity's research team has identified 39 Articles of the GDPR that require evidence of a technical or organizational measure to demonstrate compliance. These have been mapped to the Framework, resulting in the identification of 55 "primary" technical or organizational measures.

As you identify the measures in place, you’ll need to complete the following tasks for each:

1) Assign status

At Nymity, we recommend assigning each measure one of the following statuses: Implemented (already in place and sufficiently resourced); In progress (resourced, and either being implemented or scheduled to be); Desired (applicable and relevant, but not yet implemented or resourced); and N/A (not applicable to your organization).

2) Assign ownership

Who will own the measure going forward? The owner must be answerable for managing and monitoring the measure on an ongoing basis. Again, owners do not need to reside in the privacy office; in many cases it is more useful to assign owners in the operational or business units.

3) Identify resources

What resources are necessary to maintain the “implemented” and “in progress” measures? Gain an understanding now of what is required and available, so that you can mobilize these assets in Step Two.

4) Record evidence

Identify all the documentation produced as a result of implementing the technical and organizational measures currently in place. As above, this documentation can be either formal or informal.

Once all the above tasks have been completed for each relevant measure, it’s time to move on to Step Two.

Step Two: Plan

In this step, you’ll develop a privacy management plan to assist you in implementing the measures identified as “desired” or “in progress” in Step One. In doing so, you’ll need to document the following two types of resources:

1) Resources to implement

What resources are necessary to formally launch this technical or organizational measure? Note that many measures require more resources to implement than to maintain over the long term.

2) Resources to maintain

Once a measure is implemented, what resources are required to provide evidence of an ongoing capacity to comply? Here you’ll identify all the resources required to maintain the measure, as well as to perform periodic reviews and updates.

Note that Steps One and Two are not a one-time, linear process; you will likely move back and forth between them. When new legislation, regulations, or DPA guidelines are introduced, "implemented" measures may once again become "in progress" or "desired" as you work to satisfy the new requirements.

Common approaches to GDPR compliance planning

Given that each organization's needs are unique, it stands to reason that there are several different approaches to implementing desired technical and organizational measures. After years of research and experience working with hundreds of companies, our team has identified the following five common approaches:

1) Governance approach

Some organizations prioritize activities that will bear the greatest impact on governance, including: Assigning responsibility to an individual, appointing a DPO, engaging senior management and stakeholders, reporting to stakeholders, maintaining a data privacy policy, conducting privacy training, maintaining a data privacy notice, maintaining data privacy requirements for third parties, and conducting self-assessments.

2) Records of processing inventory approach

Article 30 of the GDPR (Records of processing activities) requires a record of processing activities from organizations with 250 or more employees, and from smaller organizations whose processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or involves special categories of personal data or data relating to criminal convictions (Article 30(5)). For organizations within scope of this Article, it is beneficial to begin GDPR compliance planning with this approach and complete a Records of Processing Activities Register.

This register describes processing activities rather than inventorying data repositories: for each activity it captures the purposes, the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, retention periods where possible, and the technical and organizational measures in place to reduce risk. It is not necessary to document every data element, only what is happening to the data and how it is safeguarded.

3) Regulator approach

DPAs across the EU have produced extensive guidance on various aspects of GDPR compliance. This guidance clarifies expectations for data controllers and data processors, and organizations that take it into account first are said to be taking a Regulator Approach. In general, DPAs have communicated that they expect organizations to prioritize Awareness, Inventory, Impact Assessments, Procedures for Data Subjects, Notice/Communications, Consent, Children, and the DPO.

4) Risk approach

Risk is contextual and not always straightforward to define. The Regulation frames it in terms of the "likelihood and severity" of a negative impact on the rights and freedoms of data subjects. This extends beyond privacy and data protection to other fundamental rights, such as freedom of expression and the right to non-discrimination. Organizations conducting "high risk" processing may benefit from focusing first on measures that address and mitigate that risk.

5) Project management approach

Organizations whose privacy officer has project management experience (or access to someone who does), or those with ample time to address all the GDPR considerations, may benefit from a Project Management approach. Here, prioritization is based first on how much time each task needs and what resources are available. Additional steps then follow: determining task dependencies, resources and timing, and sequencing the tasks into a roadmap.

Tools for compliance

As industry leaders in privacy compliance software, Nymity Inc. has helped thousands of privacy officers worldwide to operationalize compliance. Our award-winning, research-based privacy management software enables organizations to achieve and maintain ongoing, demonstrable compliance with legislation around the world, including the GDPR. To learn more about prioritizing your privacy program to meet your GDPR accountability obligations, read A Practical Guide to Demonstrating GDPR Compliance, or visit www.nymity.com to learn about our other tools, including how to be regulator ready with automated reporting in 30 days.