Organisations had two years to prepare for GDPR compliance in the run-up to May 25, 2018. Now that the GDPR is in force, what will Regulators want to see? The question is no longer theoretical. The Dutch DPA recently announced an investigation into 30 large organisations regarding their GDPR compliance and at the outset will ask to see their records of processing activities. Many regulators prefer voluntary compliance,1 but are prepared to back that up with tough action when required. This is why your reporting must be ‘regulator ready’.
What is Regulator Ready reporting and why do you need it?
Regulator Ready reporting means organisations have the capacity to efficiently produce reports that clearly tell a story reflecting GDPR compliance and accountability and align with legal requirements. To understand the growing need for Regulator Ready reporting, consider the following scenarios:
Your organisation experiences a breach. Within a short period of time, and reactively, the Regulator is on your doorstep.
Your organisation has not had a breach or any other public privacy incident, but the Regulator shows up expecting to assess your organisation’s GDPR2
Your organisation is launching a new product that has privacy implications. You initiate a meeting with the Regulator to provide assurance that your product is not only GDPR compliant but that you have considered privacy by design in the product itself and embedded it throughout your organisation.
In any of these scenarios, you want to be able to deliver Regulator Ready reporting. It means effectively operationalising the use of appropriate technical and organisational measures to allow for reporting at the enterprise and project level.
Demonstrating compliance and putting in place the appropriate technical and organisational measures (Articles 5(2) and 24)
Leveraging existing measures and accountability mechanisms and embedding them into projects to meet additional compliance requirements:
Records of processing (Article 30)
Data Protection Impact Assessments (Article 35)
Data Protection by Design (Article 25)
Using Legitimate Interest as a lawful basis for processing (Article 6(1)(f)
The cornerstone of Regulator Ready reporting is accountability. In this blog, part one of a two-part series, we will discuss demonstrating accountability and compliance at the enterprise level: GDPR Articles 5(2) and 24.
Articles 5(2) and 24: Regulator Ready reporting on enterprise level technical and organisational measures:
If a Regulator comes to your door, they will want to see evidence of key requirements at the enterprise level. The need to be accountable and to demonstrate compliance is codified in the GDPR in Article 24, which closely links to Article 5 on the data protection principles. At a minimum, Regulators require a demonstration of the appropriate technical and organisational measures that have been put in place at an enterprise level.
As referenced above, Article 5(2) of the GDPR contains an explicit provision regarding demoisntrating compliance with all the principles related to the processing of personal data (e.g.lawfulness, fariness, transparency, data minimization, data accuracy, security).
The measures and associated documentation in place for your compliance program must be regularly re-examined and updated to ensure continued data protection. There is no specific guidance concerning how to report on your enterprise level compliance. However, being Regulator Ready to report at an enterprise level means that you have a good understanding of which obligations under the GDPR apply to you, that you have addressed compliance respecting those obligations throughout the organisation and that you have evidence of this compliance.
To assist organisations in being able to report on GDPR compliance, Nymity Research™ identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance. We have mapped those to the free Nymity Privacy Management Accountability Framework™. Nymity provides a host of free resources to assist organisations in understanding their GDPR obligations and prioritising compliance. To learn more about Regulator Ready reporting, read our white paper.