
Jump-Starting your GDPR Compliance Efforts

By Michael Johnson posted 03-30-2018 08:37


With GDPR’s May 25th deadline rapidly approaching, here are ten high-impact moves you can make now to jump-start your GDPR compliance efforts.

1. Controller vs. Processor (Article 4):
  • Identify when and where your organization serves as a controller, a joint controller and a processor.
  • At a high level, this hinges on whether or not your organization is determining “the purposes and means” of the processing of personal data.
    • If you’re making those determinations, then you’re acting as a controller.
    • If you’re processing personal data on the explicit instructions of another entity that is making those determinations, then you’re acting as a processor.
  • This is a question for which you’ll want to seek legal counsel.

2. Data Protection Officer (Article 37):
  • Determine if you need to designate a DPO and if so, who would have those responsibilities for your organization.
  • The regulation is vague on this requirement – for example, do your organization’s “core” activities require “regular and systematic monitoring” of data subjects “on a large scale”?
  • Again, this is a question for counsel.
  • Then, if a DPO is required, you need to determine who it should be – it can be internal or external to your organization, and the individual must have sufficient expertise, independence and access to upper management.

3. Designation of a Representative (Recital 80):
  • Determine if you need to designate a representative in the EU.
  • This is yet another question for counsel. For example:
    • Do you process personal data of data subjects in the EU in relation to offering goods or services, whether or not payment is received? Or do you monitor their behavior?
    • Conversely, is the processing only occasional? Does it exclude large-scale processing of special categories of data? Is it unlikely to result in a risk to the rights and freedoms of natural persons?

4. Processing Personal Data (Article 4):
  • Ensure stakeholders understand GDPR’s definition of processing, as it’s very broad – it can be automated or manual; it includes collection; it includes erasure and destruction.
  • Similarly, the definition of Personal Data is broader than many expect – it includes “any information relating to an identified or identifiable natural person…such as a name, an identification number, location data, an online identifier…”
  • Perform a Data Mapping to record all processing activities of personal data.

5. Lawfulness of Processing (Article 6):
  • Obtain legal counsel to determine the legal basis for your various processing activities.
  • There are six options to choose from – don’t assume that it can only be consent:
    • Consent
    • Performance of a contract entered into by the data subject
    • Legal obligation of the controller
    • Vital interests (life or death)
    • Task in the public interest
    • Legitimate interests

6. Main Establishment (Recital 36):
  • Seek legal counsel to designate the organization’s main establishment within the EU.
  • This “should be the place of [your] central administration in the Union.”
  • It will define which EU Member State Supervisory Authority will be designated the “Lead Supervisory Authority” for your organization within the EU.

7. Data Protection by Design and Default (Article 25):
  • Utilize an “approved certification mechanism” to demonstrate Data Protection by Design and Default by mapping your ISO 27001 processes and controls to it.
  • DPDD refers to implementing “appropriate technical and organizational measures … designed to implement data-protection principles” such as:
    • Minimizing the amount of personal data collected
    • Limiting the extent of processing
    • Limiting retention periods
    • Limiting access

8. Security of Processing (Article 32):
  • Inventory your ISO 27001 and ISO 22301 processes, plans and controls to ensure security of processing, such as:
    • Pseudonymization and encryption of personal data
    • Ensuring confidentiality, integrity, availability and resilience of processing systems and services
    • Restoring availability and access to personal data in a timely manner
    • Regularly testing, assessing and evaluating the effectiveness of technical and organizational measures

9. Notification of a Personal Data Breach to the Supervisory Authority (Article 33):
  • Align your breach notification procedures to meet the 72-hour reporting requirement to the Lead Supervisory Authority.

10. Communication of a Personal Data Breach to the Data Subject (Article 34):
  • Encrypt EU data subjects’ personal data whenever possible during processing operations to eliminate or reduce the need to notify data subjects of a data breach.
