Organisations are very much aware of the deadline of 25 May 2018 to become GDPR compliant. But let us not forget that 25 May is not just the end of the period to become compliant. Even more, it is the start of an era where organisations are to be GDPR compliant continuously.
So, as organisations are working to update their privacy statements, improve consent (e.g. opt-in vs opt-out), document records of processing, determine retention schedules and remove old personal data, determine which data subject rights are to be adhered to, and more, organisations should consider two perspectives:
- Manage the complete life cycle of personal data in the organisation
- Demonstrate GDPR compliance continuously
Manage the complete life cycle of personal data
A good starting point to understand an organisation’s handling of personal data is to consider the ‘types’ of persons about whom data is being collected. For instance, in a B2C organisation, these consist at least of Customers and Staff. But let us not forget data related to the various types of Business Partners; this could also concern personal data.
For each ‘type’ of personal data, e.g. Customers and Staff, you can follow the related data flow in the organisation, which from a privacy perspective is to be managed continuously, from the entry of personal data into the organisation until the moment of removal of such data.
Demonstrate GDPR compliance continuously
As mentioned, GDPR compliance is to be managed continuously, including the accompanying accountability. An organisation is to be able to demonstrate that it protects personal data, just as organisations are to be demonstrably in control of financial reporting to be compliant with SOx.
To support both business and compliance, it would be very useful if privacy controls are designed based on the following:
- actions are triggered spontaneously in the flow of regular business activities, i.e. as part of third party contracting, adequate on-boarding questionnaires and template documents are available
- activities are well understood; for regular activities you should not need a lawyer to interpret requirements. Otherwise, errors and omissions are likely to occur, resulting in non-compliance
- tasks are performed in a scalable way, e.g. self service for data subject requests
- privacy knowledge is provided based on need, so that staff actually reach out to read and understand it, e.g. data retention schedules for relevant HR staff
The privacy controls consist of the components People, Processes and Technology. Using these components, an organisation needs to set up its Privacy Management Framework. This framework consists of Governance, Policy, Guidelines, Processes and Controls, Registries, and Training.
The detailed elements of the framework need to be identified, made fit for the organisation and fit for purpose, designed, and rolled out. Below, each of these framework elements is highlighted, and an example framework is provided.
To remain GDPR compliant over time, the people in the organisation who handle personal data need to take on their role. And as a foundation, an organisation is to carry a culture, from leadership to operational staff, that drives both privacy and being demonstrably in control.
Consequently, specific individuals need to own accountability for specific personal data, guidelines, processes, controls and registries. Privacy is not something for the DPO alone, but for all people in the organisation, especially leadership, who set the tone.
Where process and control owners need supporting information, e.g. retention schedules, such information is to be made available in privacy guidelines. Guidelines should not exist just because they are nice to have; their purpose is that specific persons receive the guidance they need.
Processes and Controls
To ensure effectiveness and support efficiency, privacy processes and controls should be aligned with business needs, e.g. processes and controls should not be designed based on clauses of the GDPR, but on the data sets to be managed, and considering the normal workflows in the organisation. This also supports privacy tasks being triggered ‘spontaneously’.
So, for various processes there is no specific privacy process, but rather privacy adjustments to current processes, e.g. user access control and third party services management.
From a privacy management framework perspective, the processes and controls are the basis. Guidelines, registries, and training support them.
Processes include various controls. An organisation can define which controls are key to demonstrate GDPR compliance and require explicit compliance monitoring.
Also, one should consider which controls need automation, e.g.
- data subject requests could be implemented based on self service, to ensure scalability
- encryption of data (personal data in databases, personal data in emails)
- an inventory of personal data, especially non-transactional data
As mentioned, GDPR is about being demonstrably in control of privacy. Therefore, an organisation needs to determine which registries are needed to be able to demonstrate compliance. For instance, such registries concern the records of processing, and the third party services being used as processors.
Training is a continuous effort, to be recurring for new staff and staff in changed roles, and also as refreshers, since awareness degrades over time.
Example privacy management framework
Using the above-mentioned concepts, a partial overview of a practical privacy management framework is presented below:
So, do you have all privacy-supporting processes in place, and are they triggered ‘spontaneously’? Are you ready to continuously demonstrate being GDPR compliant? The effort to remain GDPR compliant starts on 25 May 2018.