Defining a Winning GDPR Strategy Part 2 - 7 Steps for GDPR Compliance
By Sagara Gunathunga
- 21 Dec, 2017
About this series
This series of articles consists of four parts and aims to provide comprehensive insights on GDPR and practical guidelines for business organizations to plan, define and execute a successful GDPR compliance strategy.
GDPR is a great challenge for any business organization that processes personal data of individuals living in the EU. Those who understand the GDPR regulations well and are early adopters have a much better chance of not just meeting the compliance date but also creating new opportunities and expanding their business horizon. This article outlines a 7-step plan on how to execute a GDPR compliance strategy for any business organization.
1. Build awareness around GDPR
Awareness is the key factor and starting point of any organization’s journey towards GDPR compliance. It’s not a one-time task or something a single company within a group can execute. It’s a continuous process, hence organizations must ensure deep and proper understanding from and contribution of every employee. You need to build in-house expertise on all aspects of GDPR, which includes the correct understanding of definitions, scope, territorial applicability, objectives, main privacy principles, consumer rights, and processes required to liaise with supervisory bodies. Awareness is not just helpful to win the GDPR compliance battle but also helps organizations move beyond GDPR compliance by creating new business opportunities.
One of the best initial approaches is to appoint a study group or similar within the existing staff, this group should consist of people who are responsible for various aspects of the business such as marketing, HR, business developments, software development and maintenance, network and system administration, etc. This set of people can propose a high-level approach that the organization should follow in terms of GDPR compliance. In addition to a set of books, there is a large collection GDPR-related material that is already available on the Internet.
There are also a few consultancy firms and law firms that offer GDPR consultancy. Engaging with such a firm is another time-effective approach.
Additionally, if the business uses specialized systems, such as content management systems (CMS), API management systems or identity and access management (IAM) system, those vendors can provide GDPR expertise specific to their domain.
2. Understand whether your business is affected
Following a thorough understanding of all aspects of GDPR, an organization would need to ascertain whether their business is affected. A business may be impacted depending on the nature of the business and establishment. Following are some of the criteria that can be used to determine whether a business is impacted by the GDPR.
If an organization processes data categorized as personal data (more correctly ‘personally identifiable information’ - PII) from individuals living in the EU or if an organization monitors the behavior of individuals living in the EU, then the business is impacted and GDPR compliance is mandatory. For example, consider a business that sells retail goods online and delivers them to EU addresses through a website created and hosted in the US. They will need to be in compliance with the GDPR because they collect, store and use data categorized as personal data from individuals that live in the EU.
Some businesses may not directly provide goods or services to the EU but rather indirectly process personal data from EU. In such cases, GDPR compliance is required too. For example, consider a cloud storage service established and hosted outside the EU. In order for a business established in the EU to consume this cloud storage service to back up their customer details, the cloud storage service should fulfill the safeguard requirements mentioned in the GDPR.
Additionally, businesses established outside the EU who process personal data belonging to individuals living in the EU must appoint a representative within the EU to represent and cooperate with individuals and supervisory bodies related to privacy.
3. Review the impact on your current data
GDPR does not require an organization to erase existing personal data, however, you need to properly evaluate whether the data collection has been carried out with proper consent and if you’re in a position to demonstrate proof of consent for processing purposes. It’s possible to further break down this exercise into several stages as discussed below.
Identify and map sources with the data
At the initial stage, it’s required to analyze and identify all the sources of existing personal data. The data may be directly collected from the customer with their consent, received as a result of a business partnership or acquisition or bought from a marketing list selling company. Once the sources have identified it’s easy to assess what portion of data needs to be erased in the first round and what portion of data needs to be kept for further analysis. For example, if some data was bought from a marketing list and the approach used during the data collection can’t be validated, such data can be easily marked for deletion.
Determine the data has legitimate grounds
Consent from an individual is the most common and most popular lawful data processing basis but there are five other lawful processing means as well. You are required to evaluate whether the existing data belongs to any of these six lawful processing means. Here is a general overview what each of them means:
- Consent from an individual — An individual has given consent to process their personal data for one or more purposes.
- Contract with the individual — Processing is necessary to execute a contract with an individual. For example, to supply goods or services they have requested, or to fulfill your obligations under an employment agreement.
- Compliance with a legal obligation — Processing is necessary for compliance with a legal obligation to which the processing organization (controller) is subject.
- Vital interests — Processing is necessary in order to protect someone’s life.
- A public task — Processing is necessary to carry out your official functions or a task in the public interest and you have a legal basis for the processing under the law.
- Legitimate interests — To provide legitimate consent an individual should be at least 16 years old. In case an individual is less than 16 years old the consent needs to be authorized by the holder of parental responsibility (it is possible for the member state to reduce this age limit up to 13 years).
Apply privacy principles
At this stage, it’s possible to apply some of the principles such as purpose limitation, data minimization, and accuracy of existing data.
- Purpose limitation — With the evolution of the business the original purpose of collecting personal data may no longer be valid. In such cases, the organization needs to erase that data. Also, there can be new purposes introduced after data collection. In such cases, the organization should erase that data or plan to get fresh consent from individuals.
- Data minimization — As per this principle businesses should process only required personal data to carry out the business offering. Any other additional data needs to be removed from the system. The business can apply this same principle to existing data as well.
- Data accuracy — A business should take every possible approach to evaluate the accuracy of existing data. For example, an online shopping application can plan to bring a feature to prompt existing users and ask to validate their profile.
4. Review your systems and processes
This is a very critical and time-consuming planning step. A business needs to mainly focus on business operations related to personal data processing, but should not limit to just that. Areas such as data processing/storing infrastructures, network infrastructures, and staff members who access personal data would need to be evaluated as well. You need to specifically check whether a data processing impact assessment (DPIA) must be carried out.
Here are some general guidelines but this process differs from one business to another. It’s highly effective to get a professional expert’s opinion at this stage.
- Evaluate whether the personal data processing activities carried out by your business organizations belong to any one of above lawful processing means, if not evaluate and plan for necessary business and strategic level adjustment to be based on one of these lawful processing means:
- Consent from an individual
- A contract with the individual
- Compliance with a legal obligation
- Vital interests
- A public task
- Legitimate interests
- Evaluate privacy principles mandated in the GDPR such as transparency, purpose limitation, data minimization and accuracy related to the current business process, identify possible gaps and plan to mitigate them.
- Evaluate current mechanisms used to fulfill customer rights with the set of individual rights mentioned in the GDPR. Based on the result of the above evaluation a business can identify gaps and plan to implement those missing features.
- Evaluate whether the organization need to carry out a data protection impact analysis (DPIA) mentioned in the GDPR. If that is the case plan to conduct the DPIA as early as possible.
- Evaluate current policies and contract with the HR and operation teams related to see whether employees are supportive to GDPR compliance specifically to achieve the required level of personal data access protection and to support privacy principles such as confidentiality and accountability.
- Evaluate whether all the software systems are in compliance with the expected safeguard and security standard. Most of the time those software vendors can help out the GDPR compliance.
- Evaluate whether hardware systems and network systems can support safeguard requirements expected by the GDPR.
- The GDPR very clearly defines a set of guidelines on how to behave during a data breach. Organizations should update supervisory bodies within the first 72 hours after a data breach and continue to cooperate as well. If required the organization should update each affected individual as well. For most of the organization, this is a very challenging requirement. It may require modification to the organization's internal structure as well as system levels such as by introducing new tools and processes, staff training and recruiting required skills.
- Professional bodies on each specific industry area can define certification and code-of-conduct practices. A business should evaluate the existence of such certification and code-of-conduct practices and plan for them.
5. Implement necessary safeguards
At this stage, based on the detailed plan derived from Step 4, you need to implement the required safeguards. Adjusting your business process, upgrading software, network, and storage systems, introducing internal staff training and proper auditing/monitoring systems are some of the important aspects you would need to consider.
This looks like a short phase but in reality is the most time consuming and costly phase. A business should take strategy level decisions to cut down the time and cost at this stage. For example, instead of building a consent management system one can evaluate to bring a ready-to-use tool with support for consent lifecycle management. Today many identity and access management (IAM) tools support full-scale consent lifecycle management. A business can also bring a self-care user portal system to support the execution of individual rights by the customers.
6. Appoint EU representatives and/or a DPO
If the business is not established in but offer service/goods to the EU, you need to appoint a representative within the EU in order to address GDPR related matters.
According to the GDPR, appointing of a DPO is required in following cases:
- Processing is carried out by a public authority expect courts.
- The nature of data processing requires regular monitoring from individuals.
- Data processing involves large amounts of data categorized as special or proceeding data related to criminal convictions.
- Some other conditions according to the EU/Member state laws.
GDPR text itself does not provide quantitative interpretation about the phrase “ large amount of data “ but according to Gartner businesses that process more than 5000 individuals data within 12 months fall into this category. Source: http://www.gartner.com/smarterwithgartner/top-five-priorities-to-prepare-for-eu-gdpr/.
GDPR also lists out the following basic responsibilities for the DPO:
- Inform and advise staff members on data protection regulations and procedures.
- Monitor the compliance with the regulations.
- Give advice on data protection impact assessments.
- Cooperate with supervisory authorities and act as the point of contact for supervisory authorities.
- Act as the point of contact for individuals related to any data protection related matters.
7. Revise your documents and policies
Implementation of those safeguard measures internally is not sufficient. You need to revise your public material as well, such as websites, social channels, terms and conditions, and privacy policies in accordance with GDPR requirements. Individuals and supervisory bodies too should be able to access and evaluate this material.
Business should ensure whether the business can clearly demonstrate the GDPR compliance through the publicly available documents such as privacy notices, terms and conditions, user consent pages and more.
Meeting the GDPR deadline is vital for all affected organization. To help get there on time, this article (the second of a series) presents you with a pragmatic 7-step approach to planning and defining a GDPR compliance strategy for your business organization. Each step provides you both conceptual and practical ideas in a comprehensive manner without using legal jargon.
7 steps to become GDPR compliant!
Table of content
- 1. Build awareness around GDPR
- 2. Understand whether your business is affected
- 3. Review the impact on your current data
- 4. Review your systems and processes
- 5. Implement necessary safeguards
- 6. Appoint EU representatives and/or a DPO
- 7. Revise your documents and policies
- Sagara Gunathunga
- WSO2 Inc