All good things come to an end, also our GDPR articles… But we would not close without a happy ending! In this last article, we describe our framework for managing GDPR compliance, which can be used across different industries and different levels of data privacy maturity. After reading, we hope you will be able to continue (… or to start) building your own GDPR roadmap within your organization.
We promise not to overwhelm you with a revolutionary and complicated framework. Because we like to keep things clear and simple, we focus on a 4-step approach: (1) define your data protection strategy and describe your data processing activities; (2) assess your level of compliance; (3) set your priorities; and (4) define the project plan towards GDPR compliance.
Step 1: Set up your data protection team and describe your data processing activities
We admit GDPR can look complex and overwhelming at first sight. Therefore, it is crucial to take a step back and start with defining your overall data privacy strategy.
Remember that the GDPR is a regulation that impacts the entire company. The GDPR impacts your IT, your legal & compliance, your operations, your marketing and your HR department. A cross-departmental data protection team will facilitate the creation of GDPR awareness (across all levels in the organization), the overall data protection strategy and the governance model to monitor compliance during as well as after the GDPR implementation project.
Once your GDPR team is in place, it’s time to analyze your “as is” situation. Again, we can’t stress enough the need to involve all concerned departments in this exercise. We have seen too often that this analysis is either done only by IT or driven only by the legal department. If you analyze your entire business from the beginning, you will reduce the workload of the following steps.
How do you start?
- Identify the processes in the company regarding personal data (i.e. data processing activities) and visualize them.
- Understand which data you collect and where you store it by mapping the data flows onto your different business processes.
- As a rule of thumb, you should be able to identify the 5W’s (Who/Where/What/When/Why) of personal data in each data processing activity.
- Use this information as the basis to complete your register of data processing activities (Article 30, GDPR) and to make an inventory of your processors.
Step 2: Assess your current level of compliance
Once your data processing activities have been described and documented, you can determine whether they comply with the legal obligations under the GDPR. In our previous articles, we took a deep dive into some GDPR concepts. Here we give you a summary of the most important legal obligations.
Do you process personal data taking into account the following principles? (Article 5, GDPR)
To be compliant, you must ensure that the personal data are:
- processed lawfully (see next chapter), fairly and in a transparent manner;
- accurate and up-to-date (accuracy);
- limited to the purpose for which you collected that data (purpose limitation);
- stored for no longer than necessary for the purposes for which the personal data is processed (storage limitation);
- processed in a manner that ensures appropriate security (information security);
- only collected when necessary for the purpose for which the data is processed (data minimization).
Furthermore, the controller is responsible for demonstrating compliance with the above. That’s why you keep hearing that the accountability concept is so important for controllers.
How can I lawfully process personal data? (Article 6, GDPR)
To guarantee the lawfulness of data processing, it is necessary to identify the legal basis for every data processing activity.
We can hear you thinking: “To be sure, let’s just ask everybody for consent and put tick boxes everywhere!” But be aware, consent is not the only option for processing data, and bombarding your clients with tick boxes won’t do the trick. If you do ask for consent, do it correctly and know that unresponsiveness, pre-ticked boxes and inactivity do not mean consent!
Exploring the legal ground of processing is fundamental, because this impacts the way you handle data. To recap, you can only process personal data if one of the following six legal grounds applies:
- Data subject has given consent
- Processing is necessary for the performance of a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of the data subject or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Processing is necessary for the purposes of legitimate interests pursued by the controller
What are the rights of the data subjects? (Articles 12 – 22, GDPR)
Here we go again with the data subject’s rights! We know you have probably already heard something about those different rights, but let’s refresh your memory.
- Automated decision-making, including profiling: The data subject has the right to object to a decision based solely on automated processing, including profiling. (Article 22, GDPR)
- Right to object: The data subject has the right to object at any time to processing of his or her personal data. (Article 21, GDPR)
- Right to data portability: Individuals have the right to receive the personal data they provided to the controller in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller. (Article 20, GDPR) (Read the guidelines on the right to data portability here.)
- Right to be notified: Communicate any rectification, erasure of personal data or restriction of processing to each recipient of his or her personal data, including when it has been made public. (Article 19, GDPR)
- Right to restriction of processing: Data subject has the right to restrict the use of his or her personal data where one of the cases, described in Article 18, applies.
- Right to erasure: You must erase all personal data when requested by the data subject or if one of the other grounds described in Article 17 applies.
- Right to rectification: The data subject has the right to rectify inaccurate or incomplete personal data. (Article 16, GDPR)
- Right to access: The data subject has the right to access the personal data as well as some extra information like the purposes of the processing and the storage period. (Article 15, GDPR)
- Right to be informed: You must provide the data subject with the necessary information on the processing procedure and be transparent about how you use personal data. The necessary information to be provided differs when data is collected directly (Article 13, GDPR) or indirectly (Article 14, GDPR).
What are your other most important obligations as controller and/or processor?
- Data breach management: In case of a data breach, notify the supervisory authority within 72 hours and communicate to the data subject. (Articles 33 and 34, GDPR)
- Data Protection Impact Assessment (DPIA): A procedure that has been designed to help organizations identify, assess and mitigate (or minimize) data privacy risks. Want to know more? Read our article and WP29 guidelines on this topic. (Articles 35 and 36, GDPR)
- Data Protection Officer (DPO): We recommend always designating a DPO and formalizing his/her role during as well as after the GDPR implementation project. (Articles 37, 38 and 39, GDPR)
- Data transfers outside the EU: Some countries, such as the US, Switzerland and Canada, offer adequate protection and nothing has to be done. For other countries, and for transfers outside your corporate group, you should conclude standard data protection clauses or rely on another legal ground that makes the transfer possible. (Chapter V, GDPR)
- Consent management: Define policies for (parental) consent, adapt all touchpoints where consent is or should be obtained and develop procedures for ongoing consent compliance. We recommend reading the draft guidelines on consent and transparency.
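To make Steps 1 and 2 concrete, here is an added example (our illustration, not part of the original article or any official template) of a minimal register of processing activities with a first-pass automated check. Each record carries the 5W’s from Step 1; the checks mirror the obligations summarized above: a valid Article 6 legal basis, a stated purpose, a retention period (storage limitation), and a safeguard for transfers to countries not named as adequate. The field names, the country codes, the accepted safeguards and the two sample activities are constructed assumptions; the check is a triage aid for building your action list, not a legal assessment.

```python
"""Register of processing activities with an automated first-pass check.
Added example: field names, sample records and country/safeguard lists are
constructed assumptions, not a legal template."""
from dataclasses import dataclass, field
from typing import List, Optional

# The six legal grounds of Article 6(1) GDPR, as listed in the article.
LEGAL_GROUNDS = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}

# Assumption: the countries the article names as offering adequate protection,
# plus the EU/EEA itself. Adequacy decisions change; maintain this list yourself.
ADEQUATE_COUNTRIES = {"EU", "EEA", "US", "CH", "CA"}

# Assumption: safeguards accepted for transfers elsewhere (Chapter V).
TRANSFER_SAFEGUARDS = {"standard_contractual_clauses", "binding_corporate_rules"}


@dataclass
class ProcessingActivity:
    name: str
    who: str                                  # responsible department (Who)
    where: str                                # storage location / system (Where)
    what: List[str]                           # categories of personal data (What)
    when: str                                 # moment of collection (When)
    why: str                                  # purpose of processing (Why)
    legal_basis: Optional[str] = None         # one of LEGAL_GROUNDS
    retention_days: Optional[int] = None      # storage limitation
    processors: List[str] = field(default_factory=list)
    transfer_country: str = "EU"
    transfer_safeguard: Optional[str] = None


def assess(activity: ProcessingActivity) -> List[str]:
    """Return findings for one activity; an empty list means nothing was flagged."""
    findings = []
    for fld in ("who", "where", "when", "why"):
        if not getattr(activity, fld).strip():
            findings.append(f"{activity.name}: missing '{fld}' in the 5W description")
    if not activity.what:
        findings.append(f"{activity.name}: no data categories listed (What)")
    if activity.legal_basis not in LEGAL_GROUNDS:
        findings.append(f"{activity.name}: no valid Article 6 legal basis "
                        f"({activity.legal_basis!r})")
    if activity.retention_days is None:
        findings.append(f"{activity.name}: no retention period (storage limitation)")
    if (activity.transfer_country not in ADEQUATE_COUNTRIES
            and activity.transfer_safeguard not in TRANSFER_SAFEGUARDS):
        findings.append(f"{activity.name}: transfer to {activity.transfer_country} "
                        "without a Chapter V safeguard")
    return findings


def assess_register(register: List[ProcessingActivity]) -> List[str]:
    """Findings across the whole register, in register order."""
    findings = []
    for activity in register:
        findings.extend(assess(activity))
    return findings


# Constructed sample register: one well-documented activity, one that is not.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="newsletter", who="Marketing", where="CRM (EU region)",
        what=["email", "name"], when="at sign-up",
        why="send product newsletter", legal_basis="consent",
        retention_days=730, processors=["mailing-provider (placeholder)"],
    ),
    ProcessingActivity(
        name="payroll_archive", who="HR", where="file share",
        what=["name", "bank account", "salary"], when="monthly",
        why="", legal_basis="because we always did",
        retention_days=None, transfer_country="IN",
    ),
]

if __name__ == "__main__":
    for line in assess_register(SAMPLE_REGISTER):
        print(line)
```

Running it prints four findings, all for the `payroll_archive` record: the missing purpose, the invalid legal basis, the absent retention period and the unsafeguarded transfer. Each finding is a candidate entry for the action list you build in Step 3.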
Step 3: Set priorities in non-compliance issues
Congrats! You managed to cross-reference your business processes and data maps with the legal obligations under the GDPR! You are now able to identify risks and to establish an effective action list with non-compliant issues.
The next step consists of prioritizing the non-compliance issues considering the possible risks.
- Ask yourself which points you can already remove from your action list.
- Analyze the material that exists today in the different departments and check whether it could be reused in the context of GDPR. Maybe there are existing procedures you can adhere to?
- Finally, for the open action points that are left, set your priorities by weighing the non-compliance risk against the business impact of resolving them.
Step 4: Define your project plan to improve internal processes
The final step consists of building a GDPR project plan for implementation. Determine the timeline of the project by considering the set priorities and the dependencies between the different action points. We recommend translating the general project plan into a plan for each department, so that each has a clear overview of its deliverables and the deadlines of its specific tasks. The project manager, preferably someone with appropriate GDPR knowledge, needs to keep a finger on the pulse by providing guidance and support to the business.
Hopefully we have managed to clarify how you could set up a GDPR project plan within your organization. However, if you still feel lost after reading this (and all our other) articles, don’t hesitate to reach out!
Are you interested in more content regarding the GDPR?
Download our booklet with 7 in-depth articles on the impact of GDPR on marketing.