The General Data Protection Regulation (GDPR) is just around the corner, and we’re sharing with you the things we’re doing to make sure we’re ready. As the GDPR will be taking effect on May 25th, 2018, we’ve spent the past few months, along with organizations all over the world, preparing to ensure we comply with the expectations highlighted within the regulation. For details on our initial phases of preparation and research, read How to Achieve GDPR Compliance: Documenting Our Experience (I).
In case you didn’t know, the GDPR is a new regulation for the processing of personal data of data subjects residing in European Union countries. Essentially, it is meant to protect the rights of residents in EU countries with regard to the fair and lawful processing of their personal information. One very important concept outlined in the Regulation is “Privacy and the Protection of Personal Data as a Fundamental Right”. This can be interpreted in various ways, but essentially it means that data subjects have a fundamental right to protect, and to the protection of, their privacy and the personal data being processed by companies, organizations, or third parties. These data subjects have the final say as to whether or not they consent to the processing of their personal data, and if there are errors, they have the right to request corrections or deletion.
Like thousands of other businesses, the new regulation impacts us directly, and so we thought this would be a good opportunity to share with our readers and others what we are doing to prepare for the GDPR.
Action Items Checklist
In our previous blog on GDPR, we covered many of the action items below. At this stage, our action items look something like this:
- Assign designated Data Protection Officers
- Identify core compliance team
- Identify appropriate EU Supervisory authority and contact
- Identify internal legal agreements (for employees & contractors)
- Hold initial GDPR Introductory meeting
- Assemble a Data Storage Inventory
- Perform and document an existing privacy and security analysis
- Carry out data protection impact assessment for high-risk activities
- Data Processor and Controller Agreements
- Create operational & technical roadmap
- Identify certifications and compliance recognition
Notes on Data Inventory
One of the first things to do, after getting the GDPR team together and identifying action items for GDPR compliance, was to begin a data inventory. We began with identifying the “what, where, how, and why” for all of our data processing activities, with the help of a knowledgeable representative from each department within the company. Then it was time to generate a comprehensive data inventory. We were sure to add a column for third parties and partners who might act as either data controllers or data processors on our behalf. And we were careful to be overinclusive at this stage to avoid letting anything slip through the cracks. The data inventory served as the foundation for many of our action items moving forward, like performing a privacy and security analysis and identifying high-risk activities, and it will guide the creation of our operational and technical roadmap.
Privacy and Security Analysis
The goal of the privacy and security analysis is twofold: One, to identify potential high-risk activities we may be performing; and two, to document all company-wide processing activities to the best of our abilities (this will come into play later, when creating our operational and technical roadmap).
As for determining which activities we deem to be “high-risk”, we first needed to come to an understanding, as a team, of the definition of “high-risk”. With the help of examples described in the GDPR documentation, we were able to agree that high-risk processing activities are any of the following:
- Processing activities that are likely to result in “a risk for the rights and freedom” of the individual.
- Where there is potential for “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
- Where data processing activities involve “new technologies, or are of a new kind and where no data protection impact assessment has been carried out.”
We then used these definitions in conjunction with our data inventory to identify which of our activities (if any) met any of these definitions of high-risk.
DPIAs for High-Risk Activities
The GDPR states that for any high-risk processing activities a company must perform a Data Protection Impact Assessment (DPIA). Therefore, a templated DPIA document was in order, should any high-risk activity be identified or later discovered. This ensured a standardized way of reporting on processing activities and gave our departmental GDPR committee members easy access to the necessary tools when the time comes to perform a DPIA.
The regulation identifies some of the necessary items to be addressed in each DPIA, including purpose of processing, necessity of processing (how much of the specific processing is done in the name of the described purpose), potential risk, and measures to address risk. Keep in mind that each DPIA we would perform would be done for a very specific processing activity, keeping all potentially “high-risk” processing activities clearly documented and accurately assessed.
Create Data Processor and Controller Agreements
Another component described in the regulation is to ensure that any controller or processor of personal data is aware of and in compliance with the GDPR. Therefore, we took some time to develop agreements for data processors and controllers to both recognize our compliance with the GDPR and to ensure their understanding of compliance with the regulation and how we expect any processing on our behalf to be handled by them. We found no ready-made templates for these agreements, so we made some addendums to existing agreements. If you are a company that may not have access to relevant legal services, you may want to consider the same. (Disclaimer: not official legal advice.)
At this stage in our GDPR journey we discovered a few obstacles worth noting. For one, while we work with many enterprise companies, we run as a rather lean organization. There are benefits for companies like us outlined in the regulation, like seemingly lesser expectations from a documentation standpoint. However, we still wanted to make sure we have everything in place to keep enterprise clients satisfied with our privacy policies and operation. That said, rather than taking the easy route and forgoing some of the documentation steps, we decided to proceed with our due diligence and assess our processing activities just like the big players.
Secondly, there is a vagueness surrounding a fundamental component of the GDPR, in that it highlights processing activities with the “potential of risk to the rights and freedoms” of an individual as high-risk activities. Additionally, it describes a fundamental truth, that privacy and the protection of privacy is a fundamental right. So I was left with the question: is the processing of all personal data then considered high-risk? After all, there is potential of risk in all processing of data, is there not? In any case, we decided to be over-vigilant in cases where the question arose, to be sure that any risk is properly addressed, without overdoing it of course.
Next steps in our GDPR journey will be to create and document our operational and technical roadmap, identify certifications and compliance recognition, and come May 25th we will have everything in place to be in compliance with the General Data Protection Regulation. Stay tuned in the coming weeks for our third and final blog on our GDPR journey.
Data Controller – the entity that determines the purposes, conditions and means of the processing of personal data
Data Processor – the entity that processes data on behalf of the Data Controller