Accountability is the cornerstone of Regulatory Ready reporting, and it means effectively operationalising the use of appropriate technical and organisational measures to allow for reporting at the enterprise and project level. In blog one of our two-part series, we discussed Regulator Ready reporting at the enterprise level: demonstrating compliance and putting in place the appropriate technical and organisational measures under GDPR Articles 5(2) and 24. Today, we will be looking at Regulatory Ready reporting at the project level.
Project level Regulator Ready reporting
Once you are able to demonstrate compliance and have put in place the appropriate technical and organisational measures under Articles 5(2) and 24 you can scale those measure and leverage them to embed into projects to meet additional compliance requirements.
Required Reporting: Articles 30 and 35
When a Regulator pays a visit, they will want to see evidence of key requirements.1 The following Articles under the GDPR specifically indicate that documentation of some type must be made available to supervisory authorities:
Article 30 – Records of Processing Activities2: Requires that controllers and processors must maintain a record of processing activities and make the record available to the supervisory authority on request. At a minimum, Regulators will want to see a record of processing for all processing occurring prior to May 25, 2018 and records for any new processing that occurred after that date.
Article 35 – Data Protection Impact Assessment (DPIA)3: Requires that controllers carry out DPIAs in high risk processing scenarios. At a minimum, the Regulator will want to see a DPIA report for any new processing or major changes to current processing post May 25th.
Additional reporting: Article 25 and Article 6(1)(f)
From an accountability standpoint, it may also be advantageous to report on compliance with other key GDPR provisions:
Article 25 – Data Protection by Design/Default: Where applicable, it may be beneficial to show how the appropriate technical and organisational measures are applied at a processing level.
Article 6(1)(f) – Legitimate Interest as lawful basis for processing: The GDPR sets practical and clear criteria for organisations that seek to rely on legitimate interest as a lawful ground for processing personal data, but organisations must document their decision making and be able to report on it to a supervisory authority.
Organisations that prepare for Regulatory Ready reporting leverage the technical and organisational measures that are currently in place to embed accountability into projects, allowing them to efficiently generate reports for multiple compliance requirements (Records of Processing, DPIAs, Legitimate Interests assessments and more). For example, when new projects are initiated, the privacy office often requires that the operational unit complete a ‘threshold PIA’. A threshold PIA pre-emptively detects an organisation’s use of personal data, which, if identified, would require subsequent PIAs. If done correctly, the threshold PIA can collect all the data necessary for Article 30 records of processing reports.
In addition, a threshold PIA can identify if the processing is likely to be high risk and require a data protection impact assessment as required under Article 35. In a Regulator Ready reporting approach, organisations that are processing high risk data will use their data protection impact assessment method to embed appropriate technical and organisational measures directly into the project and require evidence that the business or operational unit is applying the measures. Thus, the technical and organisational measures become the cornerstone of the DPIA report. The measures are applied prior to processing the data which reduces risk.
Next, because the organisation has embedded appropriate technical and organisational measures directly into the DPIA, the project itself is now designed with privacy and data protection in mind, so the organisation can easily generate a DPbD (Data Protection by Default) or PbD (Privacy by Design) report.
Finally, this Regulator Ready approach can also help with producing the necessary information when an organisation chooses to rely on legitimate interests as a lawful basis for processing. An assessment for use of legitimate interests requires a balancing test between the interests of the controller and the potential harms to the rights and freedoms of data subjects. Courts and Regulators have indicated that, the more safeguards that are in place (technical and organisational measures), the more likely the balance will tip in favour of the controller.4
To assist organisations in being able to report on GDPR compliance, Nymity Research™ identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance. We have mapped those to the free Nymity Privacy Management Accountability Framework™. Nymity provides a host of free resources to assist organisations in understanding their GDPR obligations and prioritizing compliance. To learn more about Regulator Ready reporting, read our white paper.
2 Article 30(4) The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
3 Article 35(1) Where at type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data…
4 Nymity and FPF Legitimate Interests report, https://info.nymity.com/deciphering-legitimate-interests-under-the-gdpr