GDPR Best Practices Implementation Guide

Transforming GDPR Requirements into Compliant Operational Behaviours


Introduction

The General Data Protection Regulation (GDPR) is a revolutionary change in Data Protection and will in all likelihood become the de-facto gold standard for Data Protection regulation globally. The two areas most influential in this regard relate to Accountability and Enforcement.

1. Accountability: Organisations must embrace the new accountability principle introduced by the GDPR and move from ‘theory to practice’ in terms of their Data Protection efforts.

2. Enforcement: The member state Data Protection Authorities (DPAs) must rigorously enforce the Regulation by issuing substantive penalties where organisations cannot adequately evidence compliance with the GDPR accountability principle.

One of the biggest challenges for organisations that fall within the broad extra-territorial scope of GDPR is transforming the legal requirements of GDPR into compliant and sustainable operational behaviours. Whilst there will be many organisations, such as those in the financial services and healthcare sectors, who are used to dealing with regulatory requirements, there are many others who will be experiencing the challenge of implementing strict regulatory requirements for the first time. Experienced or not, the May 28 deadline in 2018 is fast approaching and action needs to be taken now by all organisations within the scope of GDPR.


The GDPR Accountability Principle

Recognition of the need for accountability in terms of data privacy is not new and can be seen in the privacy guidelines issued by the Organisation for Economic Co-operation and Development (OECD) back in 1980. The OECD describes accountability as “showing how responsibility is exercised and making it verifiable” [1].

The intent of the new GDPR Accountability Principle, as defined in Article 5(2) of the GDPR text, is similar to that of the OECD privacy guidelines. It seeks to reaffirm and strengthen the responsibility of Data Controllers and Data Processors in relation to the Processing of Personal Data, and to require them to demonstrate compliance with measures which give effect to the other six GDPR principles (listed below).

GDPR Principle | Description
Lawfulness, fairness and transparency | Processed lawfully, fairly and in a transparent manner.
Purpose limitation | Collected for specified, explicit and legitimate purposes and not further Processed in an incompatible manner.
Data minimisation | Adequate, relevant and limited to what is necessary.
Accuracy | Kept accurate and up-to-date.
Storage limitation | Not kept, in a form which permits identification of a Data Subject, any longer than necessary.
Integrity and confidentiality | Appropriate security ensuring protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage.

[1] http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173_en.pdf

[2] https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Accountability/16-06-07_Accountability_factsheet_EN.pdf

The European Data Protection Supervisor (EDPS) has stated [2], in reference to accountability, that “EU institutions and bodies should, at the most senior level, endorse and take responsibility for Personal Data Processing inside their organisations which occurs as part of the tasks of their institution”. Although accountability is undoubtedly a core tenet of the GDPR, the Regulation does not offer a specific definition of it. The EDPS, in their Accountability Fact Sheet [3], do provide some insight in this regard by stating that accountability in Personal Data Processing requires:

• Transparent internal Data Protection policies, approved and endorsed by the highest level of the organisation’s management.

• Informing and training all people in the organisation on how to implement the policies.

• Responsibility at the highest level for monitoring the policy implementation, assessing and demonstrating to external stakeholders and Data Protection Authorities the quality of the implementation.

• Procedures for redressing poor compliance and data breaches.

[3] https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Accountability/16-06-07_Accountability_factsheet_EN.pdf


The GDPR Accountability Life Cycle

This GDPR Best Practices Guide puts forward a GDPR implementation methodology designed to:

• Engage stakeholders to ensure timely and efficient organisational readiness for GDPR.

• Implement effective procedures that embed GDPR-compliant operational behaviours.

• Establish assurance criterion that will sustain and evidence GDPR accountability.

The methodology consists of three phases (Prepare, Operate, Maintain), each incorporating a number of supporting activities. The objective defined for each phase is attained once all of the activities for that phase have been successfully executed. The ultimate goal of the methodology is sustaining and evidencing compliance with the GDPR Accountability Principle.

Phase I: Prepare. Ensures stakeholder engagement and organisational readiness for GDPR.

Phase II: Operate. Implements effective procedures that embed GDPR-compliant operational behaviours.

Phase III: Maintain. Delivers assurance and evidence of ongoing GDPR accountability.


Accountability Life Cycle Activities

The table below lists the phased activities that support the Accountability Life Cycle.

PHASE I: Prepare

• Activity A: Obtain the buy-in of key business stakeholders
• Activity B: Establish your GDPR readiness program team
• Activity C: Identify and assess relevant business functions
• Activity D: Identify and assess in-scope Third Party Processing activities
• Activity E: Establish a central Personal Data register
• Activity F: Distribute updated Data Protection policies and Privacy Notices
• Activity G: Educate internal Personal Data Handlers and external Data Processors

PHASE II: Operate

• Activity H: Disseminate and maintain external Privacy Notices
• Activity I: Justify and record lawful Processing mechanisms
• Activity J: Process and record Data Subject rights requests
• Activity K: Validate and record Third Country data transfers
• Activity L: Report and manage Personal Data Breach incidents

PHASE III: Maintain

• Activity M: Evidence understanding of Data Protection policies
• Activity N: Ensure the ongoing integrity and quality of the Personal Data Processing register
• Activity O: Trigger impact assessments for business change events
• Activity P: Verify compliance of Third Party Personal Data Processing activities
• Activity Q: Demonstrate effectiveness of Personal Data handling practices


PHASE I: Prepare

This initial phase considers the activities necessary to ensure GDPR readiness for your organisation. It is very important that you engage key business stakeholders at the outset to inform and educate them. If done effectively, you will obtain their buy-in and support, a fundamental success factor for achieving your GDPR readiness goals. Following on from this you will need to appoint your GDPR program team, identify and assess relevant Personal Data Processing activities, prioritise a set of remediation actions, establish a centralised Personal Data register, educate Personal Data Handlers and Data Processors and update your Data Protection policies and Privacy Notices. Each of these activities is explained in more detail below.

Activity A: Obtain the buy-in of key business stakeholders

The importance of obtaining buy-in from your Senior Management and Executive teams should not be underestimated when embarking on any organisation-wide initiative. In a GDPR context, the ongoing cooperation of key business stakeholders is fundamental to the overall success of the GDPR program.

The substantial financial sanctions [4] associated with GDPR non-compliance should assist in getting the attention of your Senior Management and Executive teams. It is in their best interest to ensure that the risk of GDPR non-compliance features prominently on your Corporate risk register.

It is encouraging that several Data Protection Authorities have already reinforced the importance of making senior business stakeholders aware of the requirements of GDPR. In their GDPR guidance, the UK, Belgium and Hungary [5] are all recommending a focus on stakeholder awareness as the first step on your journey towards GDPR compliance.

[4] https://united-kingdom.taylorwessing.com/globaldatahub/article-enforcement-sanctions-under-gdpr.html

[5] http://advocatus.dlapiper.hu/?p=1898


It is important to look broadly across your organisation to ensure that you identify and educate all relevant stakeholder groups. Stakeholders from Customer Relations, Human Resources, Marketing, Procurement, Systems Development, IT, Information Security, Legal, Risk and Compliance are obvious candidates for inclusion. In addition, you should consider other business functions specific to your industry, such as Engineering, Research & Development and Manufacturing.

There are various approaches that can be taken to achieve stakeholder awareness, education and buy-in. The one chosen will depend on various factors such as your organisation size, company culture, local or global reach and the number of Data Protection personnel your organisation has at its disposal.

If you are a local or regionally focussed company with a relatively small number of staff, you might prefer to engage in-person with your Senior Managers and Executives regarding GDPR. If, on the other hand, you are a large multinational organisation with thousands of globally distributed staff you may choose to leverage web-based GDPR awareness and educational content that is now available from some eLearning vendors.

Activity B: Establish your GDPR readiness program team

Before you embark on your GDPR compliance program it is critical that you clearly define the roles and responsibilities of the personnel tasked with its delivery. The appointment of a Board level program sponsor, a high-ranking Data Protection Officer (DPO) and an experienced compliance program manager would be an ideal way to get the ball rolling.

There are circumstances in which organisations must appoint a Data Protection Officer (DPO). This is the case if your organisation is a Public Authority, carries out online behavioural tracking or conducts large scale Processing of Special Categories of Data. Even if your organisation is not obligated to appoint a DPO, you must still ensure that you have deployed sufficient staff with the appropriate skills to meet all requirements of the GDPR.

Only once you have a formal GDPR program team in place, clear goals outlined, measurable objectives set, key milestones defined, adequate budget assigned and resources fully engaged, are you truly ready to embark on your GDPR journey.


Activity C: Identify and assess relevant business functions

Expecting to successfully deliver any project, compliance related or otherwise, without identifying all the in-scope business functions or consulting the people who perform the operational tasks involved, is a mistake common to many organisations. This is typically a result of incorrect assumptions made by those in charge of managing the project or business managers assigning inexperienced operational personnel to work on the project. Regardless of the reason, failure in this regard makes it impossible to deliver a successful GDPR compliance program.

To successfully identify all the relevant key business processes and understand the information life cycle (collection, Processing, storage and transfer) of the Personal Data associated with those processes, organisations must be prepared to commit the time of experienced personnel. Assigned personnel will need to participate in an assessment of the privacy risks related to the Personal Data Processing activities that have been identified. Establishing a risk threshold is an important step in the assessment process as it allows you to quickly focus on and further assess at an appropriate level, the areas of greatest risk.

Having identified and assessed the key risk areas across your business functions, you are now in a position to define and prioritise a set of remediation actions based on the compliance gaps uncovered. Each of these remediation actions must be well defined, have a specific deadline, be adequately resourced, have clear ownership and be tracked through to completion.


Activity D: Identify and assess in-scope Third Party Processing activities

The process described here for identifying and assessing the Personal Data Processing activities of your Third Party Data Processors, such as business partners and service providers, is similar to Activity C. However, there are a number of considerations, specific to engaging with and managing Third Parties, that do not apply to internal business functions.

Identifying the relevant stakeholders within the organisational structure of your Third Parties is the first step. Depending on the type of relationship you have with them, this may or may not be a straight-forward exercise. If you are not getting adequate engagement from your Third Parties, it is important that you initiate the agreed contractual escalation process sooner rather than later. This is to ensure that any associated delays don’t leave insufficient time to identify and assess the Third Party Processing activities and carry out any remediation activities necessary to meet your GDPR readiness deadlines.

One of the key changes that GDPR brings for all Data Processors is a level of direct accountability and liability which does not apply under the current EU Data Protection Directive. In addition, the GDPR imposes significant new requirements [6] that must be included by Data Controllers in all Personal Data Processing agreements (including existing agreements that extend beyond May 2018). This will lead to the negotiation of Processing agreements becoming more complex and Data Processors being more careful about agreement terms and the scope of the Data Controller’s instructions. The end result is a high likelihood that you will need to re-negotiate at least some of your existing Personal Data Processing contracts.

Having identified and assessed the in-scope Third Party Processing activities, you are now in a position to define and prioritise a set of remediation actions based on any identified compliance gaps.

[6] http://www.whitecase.com/publications/article/chapter-11-obligations-processors-unlocking-eu-general-data-protection


Activity E: Establish a central Personal Data register

The assessments carried out for the key business processes of the relevant business functions and Third Party Processing activities will have established answers to the following list of information gathering questions.

• What data is being collected?
• From whom is data collected?
• Why is the data being collected?
• How is the data being processed?
• What is the legal basis for each processing operation?
• Where is the data being stored?
• How long is the data retained?
• Who has access to the data?
• To where and to whom is the data being transferred?

The answers gathered need to be collated to form a comprehensive Personal Data register. The register becomes your centralised ‘single source of truth’ detailing the characteristics and Processing activities of all Personal Data for which your organisation is ultimately accountable. The register must be regularly checked and updated to ensure its integrity over time. It would also be beneficial to build a data flow map based on the register contents to provide a visual representation of the various flows of Personal Data both internal and external to your organisation.


Activity F: Distribute updated Data Protection policies and Privacy Notices

The GDPR states that all organisations must implement appropriate Data Protection policies outlining the technical and organisational measures needed to ensure that Personal Data Processing is performed in accordance with the Regulation. In addition, you must provide Privacy Notices as a means of being transparent, with your customers, ensuring that they know how their information will be used.

It is important that updates to your Data Protection policies and Privacy Notices are made after identifying and assessing the Personal Data Processing activities of your business functions (Activity C) and Third Party Data Processors (Activity D). Without doing so, it will prove very difficult to obtain a complete view of the content requiring inclusion in your policies and Notices. The example scenarios below are provided to further illustrate this point.

Example 1:

In this example we focus on the information collected from assessments relating to the purpose of data collection. Purposes of collection may include provision of goods or services, direct marketing activities, legal obligations, etc. Without knowing the reason behind collection you cannot establish a definitive legal basis justifying that Processing. This in turn means you are unable to ensure all appropriate information is included in the Privacy Notice you provide to your customers.

Example 2:

In this example we are looking at the information collected from assessments that relates to data transfer. Without knowing the details of what data is being sent to and Processed by Third Parties, you cannot ascertain the extent of Third Party Processing being performed on your behalf. Without this information, you cannot be sure that your Data Protection policy adequately defines the rules to be followed when interacting with your Third Party Data Processors.


Activity G: Educate internal Personal Data Handlers and external Data Processors

Providing meaningful education to Personal Data Handlers across your organisation is critical to ensure that they fully understand their role in achieving and maintaining GDPR compliance. The training offered needs to enable them to:

• Identify the Personal Data under their control.

• Understand how and why Personal Data Processing is taking place.

• Protect the Personal Data from an Information Security perspective.

• Deal appropriately with Data Subject requests.

• Respond promptly to any suspected Personal Data Breaches.

As discussed in Activity A, it may be feasible to engage and educate a limited audience such as key business stakeholders on a face-to-face basis. However, doing so for Personal Data Handlers and Data Processors, who represent a much broader user population is unlikely to be practical. Organisations may be better placed looking to vendors who can deliver web-based GDPR training courses to a decentralised global audience.

The approach you take with regard to education of your Third Party Data Processors requires additional consideration. Given that the GDPR now clearly imposes legal obligations directly on Data Processors, and that liability exists where a Data Processor has acted outside or contrary to the lawful instructions of the Data Controller, the Data Controller could take the view that all responsibility for GDPR compliance (including education) lies solely with the Third Party. While this approach may be considered prudent from a legal point of view, Data Controllers need to think carefully about it, as they could easily come to regret taking such a stance. At the end of the day, it is the Data Controller’s reputation, arguably its greatest asset, that is ultimately at stake.


At a minimum, Data Controllers should offer the following list of basic training elements to any Third Party Data Processor who is Processing Personal Data on its behalf:

• The need to act solely on the Data Controller’s documented instructions.

• The confidentiality obligations applicable to Data Processor staff charged with Processing Personal Data.

• The security practices necessary for protecting the Personal Data being processed, in an equivalent manner to that of the Data Controller.

• The rules to be followed regarding appointment of sub-processors.

• The provision of assistance to the Data Controller in complying with the rights of Data Subjects.

• The return or destruction of Personal Data at the end of the relationship.

• The provision of any information needed by the Data Controller, to assist them in demonstrating compliance with the GDPR.


PHASE II: Operate

This phase of the life cycle addresses the need to define and embed procedures that enable staff who handle Personal Data to carry out their duties in an efficient and compliant manner. The GDPR requires not just that your Personal Data Handlers perform their duties in alignment with GDPR obligations, but that there is also a record maintained of their decisions and actions in relation to carrying out those duties.

Given the substantial GDPR obligations (e.g. Data Subject rights, data transfer rules, lawful Processing) that relate to the operational handling of Personal Data, it is critical that front-line staff are provided with targeted and specific procedural guidance for Personal Data Processing.

Activity H: Disseminate and maintain external Privacy Notices

The GDPR emphasises the need for transparency in relation to the use of Personal Data by organisations. An individual’s right to be informed requires that organisations provide ‘fair processing’ information to their customers and employees via a Privacy Notice.

The ‘fair processing’ information that must be provided is extensive and includes items not currently mandatory under the EU Data Protection Directive. Examples include:

• The legal basis for Processing.

• The categories of Personal Data being Processed.

• Details of any Third Party recipients.

• The intended retention period.

• The logic associated with any automated decision-making being undertaken.


The information supplied and when to supply it can also vary based on whether you have obtained the Personal Data via direct (i.e. from the Data Subject) or indirect means.

Responses received from the Business Functions and Third Party Processing assessments completed during the Preparation phase will assist in supplying the correct information in Privacy Notices. Such Notices must remain accurate and up-to-date to reflect any new or amended Processing activities. A revision history is also required to clearly establish which version of a Privacy Notice was in operation at any point in time. This can prove very useful when determining how best to deal with Data Subject requests.

Integrating the external publication of your Privacy Notices with your internal Policy Management system is a very effective method of managing your Privacy Notice revision process. There are vendors emerging who plan to offer this type of functionality.

Activity I: Justify and record lawful Processing mechanisms

One of the fundamental requirements of GDPR is the need to establish, justify and document the legal basis for the Processing of Personal Data. The legal basis will vary based on the nature of the Personal Data being Processed. As an example, the Processing of Special Categories of data requires explicit Data Subject consent to be obtained.

It is also important to note that the legal basis chosen for Processing can have an effect on Data Subject rights. For instance, if you rely on obtaining an individual’s consent to Process their Personal Data, they will then have the ‘right to erasure’ available to them.

Determining the legal basis by which your organisation will Process Personal Data is typically something undertaken by the legal team in partnership with key GDPR business stakeholders. Such decisions must have clear justification and be well documented. An example of this is where Legitimate Interests is used to justify the Personal Data Processing. In this case, a record needs to be maintained describing the assessment carried out to balance the Legitimate Interests of the Data Controller against the rights of the individual.

Although a lot of the initial work will be carried out by the legal team, there are also situations pertaining to lawful Processing where your front-line Personal Data handling staff have a role to play. For example, the further Processing of Personal Data for new purposes requires that front-line staff be trained to identify scenarios where further Processing may be incompatible with the original lawful Processing mechanism. Ideally, they will also be given clear guidance that allows them to establish whether or not the proposed further Processing is legitimate, removing the need to refer to your legal personnel.

Activity J: Process and record Data Subject rights requests

The GDPR significantly increases the rights of individuals and as a result, organisations will see an increase in requests and complaints from Data Subjects. Organisations are obliged to respond to such requests within one month, unless they are manifestly unfounded, excessive or a National legislative measure has been introduced allowing the access to be refused.

Under the current EU Data Protection Directive, requests from Data Subjects have been focused on the ‘right of access’ and are commonly referred to as Subject Access Requests or SARs. The GDPR expands the access rights of Data Subjects and introduces an array of new and enhanced rights as described in the table below. Under GDPR, referring to the broad array of requests that may come from Data Subjects as Data Subject Requests or DSRs rather than SARs would seem more appropriate.

Data Subject Right | Changes under GDPR
The right of access | The GDPR expands the mandatory categories of information which must be supplied in connection with a Data Subject access request, including information about a Data Subject’s right to complain to the Data Protection Authority (DPA).
The right to erasure | The GDPR creates a broader right to erasure, such as where the Personal Data is no longer needed for its original purpose or where the lawful basis for the Personal Data Processing is the Data Subject’s consent.
The right to restrict Processing | Under the GDPR, there is a much broader range of circumstances in which Data Subjects can require that the Processing of their Personal Data be restricted. Examples include the accuracy of the Personal Data being contested or the Personal Data no longer being needed for its original purpose.
The right to data portability | A new right under GDPR which provides Data Subjects the right to receive a copy of their Personal Data in a commonly used machine-readable format, and to have their Personal Data transferred from one Data Controller to another.
The right to object | The GDPR now puts the obligation on the Data Controller, as it requires the Data Controller to cease Processing unless it can demonstrate that it either has compelling grounds for continuing the Processing, or that the Processing is necessary in connection with its legal rights.
The right to rectification | As per the current EU Data Protection Directive, Data Subjects have the right to rectification where their Personal Data is shown to be incorrect.

Organisations should ensure all staff who Process Personal Data are appropriately trained, allowing them to quickly recognise, and appropriately respond to, rights requests from Data Subjects. The use of decision trees [7] can aid the provision of guidance to front-line operational staff. They are an effective decision support tool because they are simple to understand and therefore require minimal training. An example of a decision tree is provided in Activity K below.

[7] https://en.wikipedia.org/wiki/Decision_tree


Activity K: Validate and record Third Country data transfers

The GDPR restricts the transfer of Personal Data to recipients located outside the European Economic Area (EEA). These locations are referred to as Third Countries. Unless one of the following conditions can be met, the transfer of Personal Data to Third Countries is prohibited:

• The European Commission has deemed the Third Country jurisdiction adequate.

• The organisation transferring the Personal Data puts in place appropriate safeguards (e.g. model clause contracts).

• A derogation or exemption applies (e.g. consent, vital interests, public interest).

The GDPR retains the current EU Data Protection Directive transfer mechanisms pertaining to the above conditions, but it also provides additional mechanisms, including DPA clauses, codes of conduct, certifications and a new derogation for the purposes of Legitimate Interests.

Understanding the appropriate use of the available lawful Personal Data transfer mechanisms is essential for all organisations that wish to carry out transfers of Personal Data to Third Countries. These can prove tricky for your front-line operational staff to navigate, particularly in relation to ad-hoc data transfers. As with the handling of Data Subject requests discussed in Activity J, decision trees are also suitable in the case of Personal Data transfer decisions. Provided below are screen shots that illustrate how a decision tree approach could work in practice.

PHASE II: Operate


Personal Data Test

Personal data is any information by which a living individual is identifiable, either directly or indirectly. An individual is identifiable if you have distinguished that individual from other members of a group. This can be done in a ‘direct’ or ‘indirect’ manner. In some cases there is no question that an individual can be ‘directly’ identified. A government issued ID, for example, is explicitly and uniquely personal and would always be considered personal data. In other cases, a combination of data is required for the data to be deemed personal data. Importantly, the data does not need to be already combined; there just needs to be a possibility for it to become combined at some point in the future.


Based on the information provided above, do you believe the data you intend to transfer to be personal data?

Yes

No

Special Categories of Data (Sensitive Data)

Special Categories of Data (Sensitive Data) as defined in the General Data Protection Regulation (GDPR) include:

• Racial or ethnic origin

• Political opinions

• Religious or philosophical beliefs

• Trade union membership

• Data concerning health or sex life and sexual orientation

• Genetic data

• Biometric data where processed to uniquely identify a person

Does the data that you intend to transfer contain any of the Special Categories of Data (also known as sensitive data) listed above?

Yes

No

Explicit Consent and Possible Risks Notification

IMPORTANT NOTE: Check to see if any relevant National (Member State) variances are currently in force pertaining to the transfer of Special Categories of Data (Sensitive Data).

Has the Data Subject provided explicit consent for this data transfer and have they been informed of all the possible associated risks?

Yes

No, Contact DPO.

Formally record details of the transfer (including justification) and proceed with data transfer ensuring application of all necessary technical protection measures

Replace with URLs linking to Organisational procedures for:

• Recording details of data transfers

• Recording justification of data transfers

• Secure transfer of data

Data Recipient Location

Countries that make up the European Economic Area (EEA):

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom, Iceland, Liechtenstein, Norway

Is the intended data recipient located in one of the European Economic Area countries listed above?

Yes

No


Activity L: Report and manage Personal Data Breach incidents

The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed” [8]. The GDPR also specifically sets out that each event must be documented “comprising the facts relating to the data breach, its effects and the remedial action taken” [8].

To satisfy the GDPR, organisations will likely need to update their data breach identification systems, notification procedures and response plans. The GDPR prescribes criteria regarding the need for notification, to whom notification should be provided, when notification should occur and what information should be included. A summary of the requirements is provided in the table below.

Given the complexities and sensitivities associated with Personal Data Breach identification and handling, it’s important that your front-line operational staff are familiar with your breach management procedures. Clear guidance for applying the procedure must be provided to allow staff to easily identify a breach, take prompt and appropriate action, and record all necessary information pertaining to the incident. The use of a decision tree in combination with an Incident Management tool would serve you well for identifying, reporting and managing data breach incidents.


[8] http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf


Breach notification requirements (columns: Determination for Notification; Risk Category Examples; Breach Notification Recipient; Timeline for Notification; Minimum Required Breach Information for Notification)

Row 1

Determination for Notification: Where the breach is likely to result in a risk to the rights and freedoms of individuals

Risk Category Examples:

• Individuals deprived of rights and freedoms

• Special Categories of Data

• Processing to create or use profiles

Breach Notification Recipient: Supervisory Authority

Timeline for Notification: 72 hours

Minimum Required Breach Information for Notification:

• Description, in clear and plain language, of the nature of the Personal Data Breach.

• Details of the categories of Personal Data involved and an approximate number of the Data Subjects concerned.

Row 2

Determination for Notification: Where a breach is likely to result in a high risk to the rights and freedoms of individuals

Risk Category Examples:

• High likelihood or severity of risks stated above

• Large-scale Processing of Special Categories of Data

• Systematic and/or extensive automated profiling

Breach Notification Recipient: Supervisory Authority; Affected Data Subject

Timeline for Notification: Without undue delay

Minimum Required Breach Information for Notification:

• Description, in clear and plain language, of the nature of the Personal Data Breach.

• Details of the categories of Personal Data involved and an approximate number of the Data Subjects concerned.

• Name and contact details of the Data Protection Officer or other contact from which more information can be obtained.

• Details of the likely consequences of the Personal Data Breach.

• Information as to the measures taken or proposed to be taken to address the Personal Data Breach.

PHASE III: Maintain

This final phase of the life cycle incorporates a series of recurring activities that address the need to evidence accountability with GDPR on an ongoing basis.

As mentioned earlier, the European Data Protection Supervisor (EDPS) has stated that accountability involves assessing your organisation’s implementation of GDPR and demonstrating, to external stakeholders and Data Protection Authorities, the quality of that implementation. The ability to demonstrate the quality of your GDPR implementation requires forward planning regarding the areas that need to be assessed and the performance metrics that will be used to measure and evidence effectiveness.

Activity M: Evidence understanding of Data Protection policies

Having the ability to demonstrate a quality implementation with regard to your Data Protection policies requires that you evidence:

• The dissemination of up-to-date Data Protection policies that have been approved by senior management.

• Effective staff awareness and training for all people in the organisation on how to comply with the policies.

Prior to GDPR, showing that you had disseminated policies to staff and obtained basic confirmation from them that they had read those policies was widely accepted as best practice. This will no longer be the case. You will need to show that you have targeted relevant training material to the correct audience in a way that fits your organisational culture.

Metrics are a good way to measure the success of your awareness and training program. The table below shows examples of how you could demonstrate that the GDPR requirements have been met.


Training and awareness metrics (columns: GDPR Requirement; Target Audience; Related Training and Awareness Content; Metrics)

Target Audience column values: Management; Personal Data Handlers; External Data Processors; Procurement

Row 1

GDPR Requirement: Maintain a policy that addresses Data Protection for all staff

Related Training and Awareness Content: Data Protection policy

Metrics: Improving results for policy related knowledge assessments

Row 2

GDPR Requirement: Implement a formal awareness program to make all personnel aware of Personal Data Breach handling procedures

Related Training and Awareness Content:

• Personal Data Breach notification procedures

• Personal Data Breach management policy

• Personal Data Breach response plan

Metrics:

• Increase in reporting of Personal Data related issues

• Decrease in Personal Data Breach incidents and near-misses

Row 3

GDPR Requirement: Maintain and implement policies and procedures to manage Third Parties with whom Personal Data is shared, or that could affect the security of Personal Data

Related Training and Awareness Content:

• Third Party management and monitoring policy

• Third Party risk assessment procedures

Metrics: Decrease in the number and severity of audit findings associated with Third Party Processing


Activity N: Ensure the ongoing integrity and quality of the Personal Data Processing register

The GDPR requires that Personal Data is “limited to what is necessary in relation to the purposes for which they are Processed” [8]. In other words, organisations should collect only the Personal Data they really need and should keep it only for as long as is absolutely necessary.

It is estimated that the data quality (i.e. completeness, validity and accuracy) of Personal Data deteriorates, on average, at a rate of 15% per year [9]. Compounding this issue is the fact that most organisations store far more Personal Data than they actually require, in the form of duplicate and out-of-date data. As such, there is an obvious need for organisations to regularly review, update and purge their Personal Data register. Focussing efforts on the identification of Personal Data that can be disposed of has the added benefit of vastly reducing the storage costs associated with retaining data unnecessarily.

There are several existing data mining vendors who are evolving their product offerings to allow for the automated discovery of Personal Data. Whilst beneficial for some organisations in identifying previously unknown repositories of Personal Data, such products should not be regarded as a panacea. Engaging the front-line staff who perform the Personal Data related operational tasks will always yield the most insight. This can be effectively accomplished through the distribution of intuitive questionnaires to a carefully selected audience of business process owners, Personal Data Handlers and Third Party Data Processors. The feedback from these questionnaires can then be used to directly update the related data elements in your Personal Data register.


[9] http://www.bloorresearch.com/research/spotlight/the-data-management-implications-of-gdpr/


Activity O: Trigger impact assessments for business change events

The GDPR mandates that organisations have procedures in place that define when Data Protection Impact Assessments (DPIAs) need to be initiated in relation to business change events. Examples of business change events include:

• Development projects relating to new business systems or processes.

• Operational unit changes to existing business systems or processes.

• Procurement that involves Third Party access to, or Processing of, Personal Data.

Trigger points (or thresholds) are a good way of capturing any new project or process re-design activities involving Personal Data. They can be built into existing project management methodologies or introduced as part of legal, procurement and finance review procedures.

The DPIA process must allow the Data Controller to assess the impact of the new or altered Processing operations on the protection of Personal Data. As a minimum, the DPIA process should deliver:

• A systematic description of the Processing and its purposes.

• An assessment of the necessity and proportionality of the Processing.

• An assessment of the risks to the rights and freedoms of Data Subjects.

• The measures envisaged to address the risks.

The Data Protection risks that are identified as part of a DPIA process must be prioritised and then have remediation plans agreed which are tracked through to completion. To facilitate continuous improvement, it is also beneficial for organisations to identify and treat similar Data Protection risks consistently, which in turn allows for the remediation approach to be applied to subsequent DPIAs.


Activity P: Verify compliance of Third Party Personal Data Processing activities

Organisations need to establish an ongoing due diligence process to verify that the operational behaviours of Third Parties, such as suppliers and service providers, are in line with contractual agreements. To streamline this process, organisations should establish a risk threshold that drives the ongoing compliance monitoring efforts from a timing, frequency and scope perspective. The level of compliance monitoring applied is then based on the risk rating assigned.

For ‘low’ and ‘medium’ risks that are identified, a desktop audit will likely suffice. A practical and efficient approach to take here is the redistribution of the initial Third Party Processing assessment, requesting that the Third Party make updates:

• Highlighting any changes to their Personal Data Processing activities.

• Providing evidence of the operational effectiveness of the controls in place to meet contractual requirements.

• Highlighting any known compliance gaps in reference to the contractual requirements.

For ‘high’ risks that are identified, you will likely want to perform an in-person audit or have an external body do it on your behalf. It is important to ensure that the auditor is well trained and understands how the requirements of GDPR apply to the specific Third Party relationship being audited.

Irrespective of the risk rating and the approach taken, a review of the contract should also be included to ensure:

• It remains fit-for-purpose from an organisational perspective, taking into account any new or changed business requirements.

• It is amended to address any issues you may have uncovered when soliciting feedback from internal stakeholders.


Activity Q: Demonstrate effectiveness of Personal Data handling practices

Evaluating the effectiveness of Personal Data related operational practices is very important as a means of evidencing accountability with GDPR. In addition to demonstrating effectiveness, it shows a commitment to ongoing improvement. A layered evaluation approach is considered best practice as it provides multiple tiers of defence. As an example, an evaluation may consist of the following layers:

• Business process owner self-assessment.

• Internal audit review of business unit compliance.

• External party audit of organisation compliance.

Benchmarking is an excellent means of visualising the effectiveness of your operational practices. As an example, your benchmarking could:

• Compare the results against previous assessments and audits.

• Make comparisons of operational compliance across business units.

• Measure the organisation’s operational performance against peer organisations.

Performance metrics can also prove valuable for demonstrating the continued improvement of your Personal Data related operational practices. For example, you could develop specific performance targets for the metrics listed below.

• Satisfactory resolution of Data Protection complaints.

• Timely handling of Data Subject requests.

• Personal Data Breaches managed in line with documented procedures.

By carrying out regular evaluations and collating benchmarks and performance metrics, you stand ready to evidence accountability to your senior management team, Data Protection Authorities and other external stakeholders.


List of Definitions


Definition Meaning

Data Protection The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.

Data Controller A natural or legal person, Public Authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Data Processor A natural or legal person, Public Authority, agency or other body who Process Personal Data on behalf of the Data Controller.

Personal Data Any information (including opinions and intentions) which relates to an identified or identifiable natural person.

Personal Data Handlers Staff of the Data Controller who have been given responsibility for handling Personal Data as part of their operational activities.

Third Party Any outside organisation with which your organisation has either previously, or currently conducts business. Such organisations can include business partners, vendors, suppliers and service providers.

Special Categories of Data Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Privacy Notice A statement or document that discloses the ways an organisation gathers, uses, discloses, and manages a customer or client’s Personal Data.

Data Subject The identified or identifiable natural person to which the data refers. Examples of Data Subjects include customers and web users, individuals on e-mailing lists or marketing databases, employees, contractors and suppliers.

Legitimate Interests A lawful means for organisations to Process Personal Data without obtaining consent from the Data Subject. However, the interests of the Data Controller must be balanced with the interests and fundamental rights and freedoms of the Data Subject.

Third Country Any country not recognised by the European Commission as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.


Process, Processing, Processed Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.