A warm welcome to Keepabl’s third blog in the series on 10 Steps to GDPR Compliance. In each post, Keepabl cover two Steps to become GDPR compliant. By following along and completing these 10 Steps, you’ll be building out the Privacy Framework that will power your ongoing Privacy Governance.
Today’s two Steps really start bringing it all together:
- Step 5: Implementing your Privacy Framework and
- Step 6: Security and Review Preparation
By the end of this post you will know how to implement your privacy framework and ensure that your organisation is adopting Data Protection by Design and by Default. We’ll also cover some measures your organisation should consider to increase security, and how to prepare for potential data breaches.
Step 5: Implementing your Privacy Framework
You’ll now bring all the previous Steps together into your Privacy Framework – this is everything you do to create your Privacy Governance and maintain it as a living thing.
What is a Privacy Framework?
At its core, your Privacy Framework is the set of policies and procedures you decide on, and follow, to ensure that your organisation acts as you want it to when processing personal data. But it covers all areas of your Privacy Governance, as you can see in our handy infographic:
In practice, your Privacy Framework will be about the people, processes and technology you’ll deploy to ensure you meet:
- your obligations under applicable data protection laws (here, we’re looking at the UK and EU GDPRs, but you’ll have other obligations for example under the UK’s PECR on electronic marketing),
- other external data protection obligations on you (for example from Finance, Credit or Insurance industry regulations),
- your contractual obligations to customers or partners, and
- your values and standards of behaviour related to personal data.
We like to think of your Privacy Framework as everything you deliberately do to ensure you have good Privacy Governance on an ongoing basis so that you meet obligations, manage risk and can capture and accelerate rewards.
Just as you did with your Benchmark and Data Map, your Privacy Framework needs to be targeted at the obligations your organisation is subject to.
Data Protection by Design & by Default
Your Privacy Framework also ensures that you implement these key ongoing GDPR obligations. (They’re often called Privacy by Design and Privacy by Default – don’t worry about that too much, people mean the same thing.)
Data Protection by Design
As the name suggests, this means that you consider and implement data protection principles at the outset of every project and during the processing.
Data Protection by Default
Again as the name suggests, this means that implementing those data protection principles is your default position.
Completing your Framework
The good work you did in Steps 1 and 2, with your Key People in place and your Benchmark showing you strategic gaps, and Steps 3 and 4, with your Data Map looking good and an early view on Remediation & Risk Management, mean you’ve a clear idea on the scope of your Privacy Framework.
- you’re now aware of the different checklists and the audits you’re going to follow to make ongoing compliance easier,
- you know the levels of training and awareness you’ll do for different colleagues to make that cultural change,
- you’re in a position to start finalising those Data Protection Impact Assessments,
- you’re able to decide if you need a Data Protection Officer (or DPO), an EU or UK Representative, and appoint them, and
- you’ll have a great perspective to evaluate the right technologies to help you. We’ve created the Privacy Stack to help you visualise and identify what support and solutions you should consider. You probably have a number in-house already.
Rewards of a Good Framework
Cisco’s 2021 Data Privacy Benchmark Study confirms the continuing benefits from GDPR compliance and the return on Privacy spend. And with 93% of organisations reporting to the board on Privacy metrics, a good privacy Framework will help you with your reporting too.
Horses for courses
The UK ICO notes that the extent of the Privacy Framework will depend on various factors including the size of your organisation. For large organisations, their ‘framework should include:
- robust program controls informed by the requirements of the UK GDPR;
- appropriate reporting structures; and
- assessment and evaluation procedures.’
Whereas smaller organisations may ‘benefit from a smaller scale approach to accountability’ including to:
- ensure a good level of understanding and awareness of data protection amongst your staff;
- implement comprehensive but proportionate policies and procedures for handling personal data; and
- keep records of what you do and why.’
Step 6: Security Review & Preparation
You simply cannot have data protection without good Security. It’s so important, it’s one of GDPR’s 7 Principles and the obligation applies to both controllers AND processors.
So, we’ll first consider what GDPR has to say about Security and then the easy actions your organisation can take to improve its Security maturity.
GDPR & Security
GDPR requires controllers and processors implement ‘appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.
We looked at the meaning of ‘appropriate technical and organisational measures’ (or TOMs) in Step 4. And, as this is GDPR, we’re talking about the risk to the individuals, not your organisation.
When looking at your TOMs, you should take into account:
- the state of the art,
- the costs of implementation,
- the nature, scope, context and purposes of processing, and
- the risk of varying likelihood and severity for the rights and freedoms of individuals.
However, this doesn’t mean you can stop short because the solution is too expensive or difficult. Risk to individuals is GDPR’s key concern. And, while GDPR is a risk-based law and recognises that risk is hardly ever zero, if you can’t put in measures to reduce the risk to acceptable levels – at least below a likely high risk – then you may not be able to carry out the processing. This is where your Privacy Impact Assessments and DPIAs come in – more on those next time.
Security has been around as a recognised practice area for longer than Privacy, so you’re likely to be well-versed in this already and possibly have colleagues dedicated to maintaining your Security Governance. Although Privacy and Security are different, there’s a lot of crossover and Security best practice on its own will address a lot of your Privacy risk.
So let’s have a quick run through the top Security technical and organisational measures.
GDPR specifically mentions encryption as an appropriate technical measure (depending on the nature and risk of your data processing). Although it falls short of saying you must use encryption, if you don’t encrypt personal data, both ‘at rest’ and ‘in transit’, then regulators are likely to see that as a Security failure and breach of your duties under GDPR.
A recent study by NordPass suggests that the average person has to remember 100 passwords! This presents a real vulnerability because remembering that many passwords is completely unsustainable and many people use similar or the same passwords across solutions.
We’ve two simple and often free recommendations to address this threat (and you can see more in our Privacy Kitchen roundtable on Identity).
We highly recommend using a password manager. These apps allow you to create unique passwords for all of the applications and services that you use and then promptly forget about them! You just remember one master password, and the password manager app does the rest.
2FA & MFA
Alongside a password manager, we strongly recommend Two-Factor Authentication (2FA) and, if you’re really keen, Multi-Factor Authentication (MFA).
Because a large number of data breaches result from weak or stolen passwords, by implementing a two or multi step process to authenticate a user Microsoft reports that MFA can block over 99.9 percent of account compromise attacks.
2FA is the simplest – and still very effective – solution and may be as simple as using one of the many free authenticator apps out there, from Microsoft, Google and others, as well as your password.
And don’t forget Physical Security
We live in an increasingly digitised world, and it’s easy to be dazzled by cybersecurity, but don’t forget about the physical measures of information security, such as:
- physical security at your offices, including locks on doors and windows and an alarm,
- access and visitor control, and
- implementing a ‘clear desk, clear screen’ policy so people don’t leave laptops open, papers lying around and are aware of ‘shoulder surfing’ when working from remote locations.
Preparing for personal data breaches
Unfortunately, personal data breaches will happen, so you need to prepare for them. We’ve another helpful Privacy Kitchen video on Personal Data Breaches with lots of examples so we won’t go into lots of detail here.
It’s worth stressing that, while you are required to record all of your data breaches, you do not need to notify all of your data breaches. As the ICO states:
‘If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report.’
This highlights how important it is to have a risk assessment procedure in place. When you become aware that a breach has occurred, you must act quickly as, if you need to notify your supervisory authority about the data breach, you only have 72 hours to do so!
So, it is critical that you have a response plan in place and a team ready to handle any breaches that may occur. We’ve prepared a great Privacy Kitchen video for you on Seven Steps to Prepare for a Personal Data Breach.
Here to help!
For example, Keepabl’s Instant Breach Management tool enables you to easily record breaches, have instant email alerts, efficiently manage breaches, and simplifies breach reporting.
Next week – Steps 7 and 8!
You now know about implementing your Privacy framework and Security Review & Preparation! Next week, we’ll look at Step 7: Data Subject Rights and Step 8: Reviewing Processors.