With GDPR’s May 25th deadline rapidly approaching, here are ten high-impact moves you can make now to jump-start your GDPR compliance efforts.
1. Controller vs. Processor (Article 4):
- Identify when and where your organization serves as a controller, a joint controller and a processor.
- At a high level, this hinges on whether or not your organization is determining “the purposes and means” of the processing of personal data.
- If you’re making those determinations, then you’re acting as a controller.
- If you’re processing personal data on the explicit instructions of another entity that is making those determinations, then you’re acting as a processor.
- This is a question for which you’ll want to seek legal counsel.
2. Data Protection Officer (Article 37):
- Determine if you need to designate a DPO and if so, who would have those responsibilities for your organization.
- The regulation is vague on this requirement – for example, do your organization’s “core” activities require “regular and systematic monitoring” of data subjects “on a large scale”?
- Again, this is a question for counsel.
- Then, if a DPO is required, you need to determine who it should be – it can be internal or external to your organization, and the individual must have sufficient expertise, independence and access to upper management.
3. Designation of a Representative (Article 27, Recital 80):
- Determine if you need to designate a representative in the EU. This applies to controllers and processors not established in the EU that fall under Article 3(2).
- This is yet another question for counsel. For example:
- Do you process personal data of data subjects in the EU in relation to offering them goods or services, whether or not payment is required? Or do you monitor their behaviour within the EU?
- If so, check whether the Article 27(2) exemption applies. It requires all of the following, not just one of them: the processing is occasional, it does not involve large-scale processing of special categories of data (or of data relating to criminal convictions and offences), and it is unlikely to result in a risk to the rights and freedoms of natural persons.
4. Processing Personal Data (Article 4):
- Ensure stakeholders understand GDPR’s definition of processing, as it’s very broad – it can be automated or manual; it includes collection; it includes erasure and destruction.
- Similarly, the definition of Personal Data is broader than many expect – it includes “any information relating to an identified or identifiable natural person…such as a name, an identification number, location data, an online identifier…”
- Perform a data mapping to record all processing activities of personal data; this is also the basis for the record of processing activities that Article 30 requires you to maintain.
5. Lawfulness of Processing (Article 6):
- Obtain legal counsel to determine the legal basis for your various processing activities.
- There are six options to choose from – don’t assume that it can only be consent:
- Consent
- Performance of a contract to which the data subject is party (or pre-contractual steps taken at the data subject’s request)
- Legal obligation of the controller
- Vital interests (life or death)
- Task in the public interest
- Legitimate interests
6. Main Establishment (Recital 36):
- Seek legal counsel to designate the organization’s main establishment within the EU.
- This “should be the place of [your] central administration in the Union.”
- It will define which EU Member State Supervisory Authority will be designated the “Lead Supervisory Authority” for your organization within the EU.
7. Data Protection by Design and Default (Article 25):
- Article 25(3) allows an “approved certification mechanism” (per Article 42) to be used as an element to demonstrate compliance. Map your existing ISO 27001 processes and controls to the Article 25 requirements now, so the evidence is ready for whichever certification scheme is approved; ISO 27001 certification is not by itself an Article 42 mechanism.
- DPDD refers to implementing “appropriate technical and organisational measures … designed to implement data-protection principles”, with pseudonymisation given as the example in the text, such as:
- Minimizing the amount of personal data collected
- Limiting the extent of processing
- Limiting retention periods
- Limiting access
8. Security of Processing (Article 32):
- Inventory your ISO 27001 and ISO 22301 processes, plans and controls to ensure security of processing, such as:
- Pseudonymization and encryption of personal data
- Ensuring confidentiality, integrity, availability and resilience of processing systems and services
- Restoring availability and access to personal data in a timely manner
- Regularly testing, assessing and evaluating the effectiveness of technical and organizational measures
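The first Article 32(1)(a) measure, pseudonymisation, is easy to get wrong: an unkeyed hash of an e-mail address is not a pseudonym, because anyone holding the dataset can recompute hashes from a list of guessed addresses. The following is an added example, not code from the original post or from any of the standards it cites. It pseudonymises a constructed set of records with HMAC-SHA256 under a secret key, keeps the re-identification table separate from the dataset (the “additional information” that Article 4(5) says must be kept separately), domain-separates tokens per purpose so two datasets cannot be joined without the key, and shows the dictionary attack that succeeds against plain SHA-256 and fails against the keyed version. The records, key, and `context` labels are assumptions for illustration.

```python
"""Pseudonymisation with a keyed hash (HMAC-SHA256).

Added example; not from the original post. All records are constructed
and do not describe real people. The key shown in demo() is generated
at run time; in production it lives in a key store, separate from both
the pseudonymised dataset and the re-identification table.
"""
import hashlib
import hmac
import secrets

# Constructed sample input: one duplicate of Alice with different casing,
# to show that canonicalisation gives the same person the same token.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.org", "name": "Alice Smith", "plan": "pro", "logins": 12},
    {"email": "bob@example.org", "name": "Bob Jones", "plan": "free", "logins": 3},
    {"email": "alice@example.org", "name": "Alice Smith", "plan": "pro", "logins": 5},
]

# Fields that directly identify a person and must not reach the dataset.
DIRECT_IDENTIFIERS = ("email", "name")


def _normalise(value: str) -> str:
    """Canonicalise the identifier so equal people yield equal tokens."""
    return value.strip().lower()


def pseudonym(value: str, key: bytes, context: str) -> str:
    """Deterministic keyed pseudonym.

    `context` (e.g. "analytics", "support") is mixed into the message so
    tokens issued for one purpose cannot be linked to another purpose's
    tokens, even under the same key.
    """
    msg = context.encode() + b"\x00" + _normalise(value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, context: str):
    """Return (dataset, lookup).

    `dataset` carries the token plus non-identifying fields only.
    `lookup` maps token -> e-mail and is the separately stored additional
    information needed to re-identify (e.g. to answer an access request).
    """
    dataset, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key, context)
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"subject_id": token, **row})
        lookup[token] = _normalise(rec["email"])
    return dataset, lookup


def reidentify(token: str, lookup: dict):
    """Resolve a token back to the person; only possible with the lookup."""
    return lookup.get(token)


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a plain hash anyone can recompute."""
    return hashlib.sha256(_normalise(value).encode()).hexdigest()


def dictionary_attack(tokens, candidates, hasher):
    """What an attacker holding the dataset but not the key can do:
    hash a guess list with the same function and match the tokens.
    Returns {token: recovered_email} for every hit."""
    table = {hasher(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


def demo():
    key = secrets.token_bytes(32)  # assumed to come from a key store in practice
    dataset, lookup = pseudonymise(SAMPLE_RECORDS, key, "analytics")
    guesses = ["alice@example.org", "bob@example.org", "carol@example.org"]
    weak_tokens = [unkeyed_hash(r["email"]) for r in SAMPLE_RECORDS]
    strong_tokens = [r["subject_id"] for r in dataset]
    print("dataset rows:", dataset)
    print("unkeyed tokens recovered:", dictionary_attack(weak_tokens, guesses, unkeyed_hash))
    print("keyed tokens recovered:  ", dictionary_attack(strong_tokens, guesses, unkeyed_hash))
    print("re-identified via lookup:", reidentify(strong_tokens[1], lookup))


if __name__ == "__main__":
    demo()
```

Two design points matter for the Article 32 conversation with auditors: the dataset alone must be useless to a thief, which is why the key and the lookup table live elsewhere and under tighter access control; and the per-purpose `context` is what stops an analytics extract and a support extract from being joined into a fuller profile without authorisation.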
9. Notification of a Personal Data Breach to the Supervisory Authority (Article 33):
- Align your breach notification procedures to the 72-hour requirement: notify the lead supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The clock starts at awareness, so define in advance who decides that a security incident is a personal data breach and when.
- If you notify after 72 hours, the notification must be accompanied by the reasons for the delay.
- Processors must notify the controller without undue delay after becoming aware of a breach (Article 33(2)); build that into your processor contracts and runbooks.
- Keep an internal record of every personal data breach, including those you decide not to notify, as Article 33(5) requires.
10. Communication of a Personal Data Breach to the Data Subject (Article 34):
- Encrypt EU data subject personal data whenever possible during processing operations. Under Article 34(3)(a), communication to data subjects is not required where the breached data was rendered unintelligible to unauthorised persons, for example by encryption.
- This only holds if the keys were not exposed in the same incident, so keep encryption keys separate from the data they protect and log key access.
- The exemption concerns communication to data subjects; assess the Article 33 notification to the supervisory authority on its own terms.