A warm welcome to our second blog of the series 10 steps to GDPR compliance. In each post, we cover two steps on the road to GDPR compliance (we’ll use ‘GDPR’ for both the EU and UK GDPRs). By following along and completing these 10 steps, you’ll be building out the privacy framework that will power your ongoing privacy governance.
In our last post, we looked at the first two steps: finding your key people and establishing your Benchmark. Today we’re covering the next two steps:
- Step 3: Your personal data inventory
- Step 4: Remediation & risk management
By the end of this post you’ll know how to establish your personal data inventory and why it matters: it is the foundation for the steps that follow, starting with remediation and risk management. Let’s get started!
Your personal data inventory
Your personal data inventory, or ‘Data Map’, sets out the lifecycle of the personal data your organisation processes: what you collect, why and on what legal basis, where it is stored, who it is shared with and how long you keep it. It’s the single most important step in your privacy governance. You can’t manage what you can’t measure, and your Data Map, together with your Benchmark, is what drives your program.
Building your data map
In this Step 3, you’re going to plan your detailed personal data inventory against your Benchmark and applicable laws, so that the questions you ask:
- fully reflect your obligations under applicable laws,
- are at the right level of detail so that the inventory is complete for your purposes, and
- will easily highlight the gaps for you to remediate.
In these posts, we’re assuming you’re going to benchmark yourself against GDPR (UK and/or EU) and applicable e-Privacy rules. We’ve created a handy infographic for you here, summarising the areas your Data Map will cover:
Why your data map is so fundamental!
Gap analysis & remediation
You won’t be able to spot the gaps to remedy without a good Data Map. And you’ll want to ensure it’s simple to maintain, as you’ll rely on it for your ongoing compliance as we’ll see below. This is another area where GDPR compliance software has a part to play.
Article 30 records
GDPR’s Article 30 requires controllers and processors to keep a record of their processing activities containing the information specified in that article (so they’re called ‘Article 30 Records’). Article 30(5) exempts organisations with fewer than 250 employees, but only where the processing is occasional, is unlikely to result in a risk to individuals and involves no special category or criminal offence data, so in practice most organisations need them. You have to keep them current, because a regulator can ask for them at any time, and for the same reason they’re one of the first things customers and investors ask for in due diligence.
Your Article 30 Records won’t be accurate unless you’ve done a good job on your Data Map. Think of the Article 30 Records as the executive summary you complete after you’ve written the body of the business plan, which is your full Data Map. GDPR compliance software can help here too, as most solutions generate these records automatically from the Data Map.
GDPR Reports & KPIs
So many other reports fall out of a good Data Map, such as your Risk Map, your Processor Register, Sub-processor Register, Transfers Register and more.
When you have a personal data breach, your Data Map tells you what personal data the affected systems hold, what it’s used for, which data subjects are affected and who it’s shared with, which is exactly what you need to assess the breach and meet the 72-hour notification deadline to your regulator under Article 33.
Data subject rights
When a data subject asks what data you have on them, why you use it, who you share it with and more, your Data Map has the answers.
Before we go into firming up your Privacy Framework with all this knowledge (Step 5), you’ll be keen to get started on some remediation and risk management.
Remediation & risk management
Thanks to your Benchmark and Data Map, you’ve everything you need to start on your systematic remediation and risk management.
With this knowledge, you’ll want to firm up exactly who you need to have on your team to help the Key People deliver the project. This is likely to involve external data protection consultants to make sense of it all and help your organisation acquire the skill-set to maintain ongoing compliance.
And after people and process, comes technology. We recommend you start with Privacy Tech from the beginning: not only does using the right GDPR compliance software mean you avoid having to transition from spreadsheets later, the right solution accelerates the whole process, making collaboration with your internal and external team, and reporting, super simple.
‘Low hanging fruit’
Don’t underestimate this category – obvious gaps that you can quickly and cost-effectively remediate for quick wins. Some of the simplest steps can deliver massive results. As examples, you might need to:
- make sure everyone uses a password manager and multi-factor authentication (MFA). This is quick and often free, and you probably already have both available in your organisation or bundled with your productivity software. Microsoft states that MFA can block over 99.9% of account compromise attacks. Not all MFA is equal, though: SMS codes can be intercepted or phished, so prefer authenticator apps and, for administrators and other privileged accounts, phishing-resistant methods such as FIDO2 security keys or passkeys.
Appropriate technical & organisational measures
You’ll also have a good idea of the sort of measures you’ll need to create or iterate to comply with GDPR. GDPR calls these ‘technical and organisational measures’, and they will be a combination of:
- technical measures, for example the password managers and MFA mentioned above, cookie consent tools, encryption and access controls, and
- organisational measures, such as ensuring you have the right training in place, your contracts with processors are compliant and you’re confident you can demonstrate your compliance.
GDPR says that the technical and organisational measures you put in place must be ‘appropriate’, but what does that really mean?
The European Data Protection Board (the EDPB, made up of the EEA’s data protection regulators) notes, in its Guidelines on Data Protection by Design and by Default, that appropriate means the measures you put in place are ‘suited to achieve the intended purpose, i.e. they must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects’.
In plain language, ‘appropriate’ is relative to the risk to individuals from your processing of their personal data. Article 32 spells out the factors: the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risk to individuals. The higher the risk, the stronger the measures you’ll need, and you should be able to document why you judged them sufficient.
Privacy impact assessments
You’re also now in a position to start your risk assessments, called ‘impact assessments’ in Privacy, and again your Data Map will be invaluable here.
While it’s recommended you always consider carrying out ‘Privacy impact assessments’ (or PIAs), there is only one type of PIA that’s mandatory under GDPR: the Data Protection Impact Assessment (or DPIA).
You must carry out a DPIA when your processing of personal data is likely to result in a high risk to individuals.
GDPR sets out three cases in Article 35(3) where a DPIA is required: systematic and extensive profiling or automated evaluation that produces legal or similarly significant effects on individuals; large-scale processing of special category data or criminal offence data; and systematic monitoring of a publicly accessible area on a large scale. The European Data Protection Board (made up of the data protection regulators of the EEA) has set out more in the DPIA Guidelines it has endorsed from its predecessor, the Article 29 Working Party, and in its Opinions on the national regulators’ lists of processing that requires a DPIA under Article 35(4). The UK ICO also has some great advice on DPIAs, and PIAs in general.
The recommendation, and the intention of Article 35, is to carry out your impact assessment at the start of your project, before the processing begins, as it will inform how you might need to change your process to reduce the risk to individuals. You should then review it at least when there’s a change in the risk to individuals. And if the residual risk remains high after the measures you’ve identified, Article 36 requires you to consult your supervisory authority before you start processing.
How many DPIAs do you need?
You can look at this a few ways:
- if your processing is likely to result in a high risk to the data subjects then you have to do a DPIA,
- a single DPIA can cover a set of similar processing operations that present similar high risks – in other words, one DPIA can cover more than one activity,
- regulators see DPIAs as good proof that you’re considering data protection in the right way and implementing ‘Data Protection by Design’ and ‘Data Protection by Default’, so it’s worth doing them as tactical proof of your compliance, and
- they’re not hard to do for most organisations so there’s a lot to be said for doing more so that your customers, partners, auditors and investors can see you’re taking GDPR seriously.
What goes into a DPIA?
GDPR does not specify a particular form to use, although the UK ICO and other regulators have templates you can use and Privacy professionals will have their favourite. However, your DPIA has to cover four defined areas, set out in GDPR:
- a systematic description of the processing – and the purpose(s) – including, where applicable, your legitimate interest if you’re relying on that legal basis,
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes – necessity and proportionality are common themes in Privacy,
- an assessment of the risks to the rights and freedoms of the data subjects – note the risk is to the individuals whose personal data you’re processing, not the risk to your organisation, and
- the measures you’ll use to address those risks – the technical and organisational measures we started to discuss above and we’ll discuss in more detail in later Steps, taking into account the rights and legitimate interests of the data subjects and others concerned.
We’re here to help!
Contact us to see why Keepabl’s been named to the RegTech100 for 2021 as one of the world’s most innovative RegTech companies that every financial institution needs to know about in 2021, and see how we can make implementing your Privacy Framework for GDPR super intuitive.
Next week – Steps 5 & 6!
Congratulations – you’ve got the Key People in place, you’ve got your Benchmark and Data Map and you’ve started on Remediation and Risk Management! Next time, we’ll be covering Step 5 – Implementing your Privacy Framework and Step 6 – Security and Review Preparation.