09 Jan BUILDING A GDPR IMPLEMENTATION PLAN IN 10 STEPS
Get ready for more transparency, more informed consent and more rights for data subjects.
In 2012 the European Commission argued for the GDPR draft: "The Regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens". So let us make an opportunity out of this legal framework.
Step 1 – Assess readiness
Step 1 is to audit the organisation's core activities against the data protection requirements and establish where it stands on compliance. This broad overview of operations should cover the data protection principles already recognised under Directive 95/46/EC and reinforced by the GDPR:
- Transparency of data collection
- Purpose limitation and further processing
- Personal data quality
- Privacy culture
- Security of data, considering both internal and external threats
- Data breach response plan
- Effective exercise of data subjects' rights, with defined remedies
Step 2 – Define a plan and map personal data flows
Following the readiness assessment, develop a gap analysis and define a plan that addresses the issues found, prioritised by the risk involved against the level of effort and the resources available.
Based on the gap assessment, break the work into projects and prioritise them on a timeline.
Build the GDPR implementation plan accordingly, for each department of your organisation. Management must be informed and must support the project, especially when several departments are involved or are located in different Member States.
At this stage data flow mapping (distinguishing ordinary personal data from special categories of personal data) is required to define the priority projects and the data protection policies that go with them.
To be sure you have uncovered all the risks and prioritised the plan correctly, you need a solid understanding of your organisation's complete data lifecycle. Documenting this lifecycle is called data mapping. It requires talking to the colleagues who know where data sits at each stage, across the organisation and at third parties, and it covers the entire lifecycle: collection, saving, use, transfer, processing, storage and archiving, and deletion. Ongoing monitoring of the data flows afterwards is also a must.
The timeline will need flexibility, as inter-departmental collaboration often requires additional input. It must be approved by management with strong backing, and be updated and tracked regularly. The objective of the implementation plan is to comply with the requirements and thereby manage risk; the solutions it provides should not disrupt the business.
Step 3 – Build the plan and strike a consensus
Building consensus up front is critical to the success of any GDPR project within an organisation, especially given its complexity. It has to be rehearsed from the CEO or managing director downwards, because the company's image and reputation are at stake.
Formalise the GDPR project kick-off with all the stakeholders: management, HR, operations, IT, marketing, accounting and so on.
The GDPR implementation team should be presented formally in an organisation chart listing roles, responsibilities and reporting lines. This chart also serves as evidence of accountability and compliance towards the data protection authority (DPA). The project is an acknowledged 2017 top priority, with milestones clearly communicated internally and requiring strong support. Agree on regular progress updates to the entire workforce to secure full backing.
Leadership principles and organisational decision-making must come into play. With the expanded scope of the GDPR and the significant budget required to implement it, building consensus is critical to securing funding.
Set out the pros and cons and match the case to the business requirements that justify approving the investment.
Key messages that help make the case for the GDPR project:
The change of attitude that the GDPR requires from employees towards data protection is obtained through an awareness campaign held throughout the organisation ("our data" versus "the data subject's personal data"), with training in the Data Protection Impact Assessment (DPIA) methodology where required.
List the risks and opportunities:
- Administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher (Art 83), are a very strong argument, together with the DPAs' new panel of penalties and powers of control. Data breaches are treated in a way comparable to stringent competition law.
- Accounting loss through goodwill depreciation and damage to image and brand (cite current examples such as Yahoo).
- Investment in data protection is not a one-off but adds value in the short, medium and long term.
- Report on organisations that use a strong data protection culture as a competitive advantage.
List the gaps found in the initial assessment that require remediation:
- The findings and their associated risks.
- Where relevant, the history of privacy breaches and of possible inquiries by the authorities; IT will be a natural source for past data recovery requests from employees.
Achieving full compliance will require additional budget:
- List the initiatives of competitors and the actions of public bodies in support of GDPR implementation.
- Compliance will be on media front pages by May 2018, when the regulation starts to apply.
- Submit the implementation project with a timeline and metrics to track delivery.
- List the gaps, the DPIAs to complete and the policies to update.
Step 4 – Implement the GDPR
Appointing or assigning a Data Protection Officer (DPO) (Art 37) kick-starts the implementation in your organisation. The DPO may be an employee or a third-party service provider (for example a consulting or law firm), but should report directly to the board or managing director and must enjoy significant independence in monitoring compliance (Art 38).
As highlighted above, this is a high-priority project, and the DPO must be supported with adequate resources. The GDPR will require amending current practices or introducing new tools to manage compliance. Whether the DPO is in-house or external, it is advisable to set up a GDPR project team to deal with the complexity and technicality. The DPO acts as an orchestra conductor: leveraging resources, prioritising the closing of compliance gaps, and providing recommendations and solutions during implementation and for ongoing compliance.
The roll-out is defined on a risk-based approach and varies with the business activity of your organisation. As a data controller or data processor, do you hold special ("sensitive") categories of data such as health data or biometric information? Are you processing personal data such as family names, phone numbers, payment or financial information? Does your web page publish employees' pictures or phone numbers?
Develop a data classification schema, for example:
* Special categories of personal data (Art 9(1); the full list also covers racial or ethnic origin, trade union membership and sex life or sexual orientation), plus children's data, which is not an Art 9 category but calls for specific safeguards (Art 8)
- Data concerning the health of a natural person
- Political opinions; religious or philosophical beliefs
- Biometric or genetic data
- Children's personal data (Art 8)
* Personal data
- Criminal convictions and offences, including tax offences (Art 10)
- HR data (personal details, appraisals)
* Personal data whose disclosure is considered appropriate
- Employees' e-mail addresses
- Employees' phone numbers, etc.
- Pictures of management acting in that capacity
- Signed financial statements
Effective data protection management requires four elements, whatever the domain covered: (1) procedures and policies giving operating guidance, (2) supervision to implement these internal rules, (3) monitoring to ensure that the audit and reporting tools and the controls operate effectively throughout the data lifecycle, and (4) governance to maintain the adherence and effectiveness of points 1 to 3 and ensure all gaps are closed.
Step 5 – Address sub-contracting and personal data transfers
Monitoring sub-contractors will be an integral part of compliance and accountability practice. It starts with reviewing and updating existing contracts (data processors, storage and cloud services, etc.) to assess and confirm that the counterparties comply with the GDPR too. Contracts will have to reflect the new requirements (Art 28), for example timely incident response and management. Adherence to a code of conduct (Art 40 and 41) or a certification mechanism (Art 42) will be supporting tools for proving compliance.
Codes of conduct and certification seals are also useful for organisations transferring personal data across borders. If you transfer personal data to a controller or processor outside the scope of the GDPR, i.e. not established in the EU, the regulation lists the safeguards available to demonstrate compliance.
Transfer based on an adequacy decision (Art 45): see the European Commission's list of countries deemed to provide an adequate level of data protection, including the Privacy Shield decision.
The EU-US Privacy Shield mechanism has been widely discussed. At the time of writing, 1,238 organisations have declared their adherence. This self-certification scheme is probably less rigid than Standard Contractual Clauses (Art 46). The GDPR also allows transfers to non-EU countries under Binding Corporate Rules (Art 47 and Art 4(20)).
On a case-by-case basis, depending on your organisation's business model, you will select the most appropriate way of demonstrating compliance, knowing that each mechanism has its pros and cons.
By complying with the EU-US Privacy Shield mechanism you can use that framework to demonstrate GDPR accountability and thereby lower administrative costs.
Step 6 – Data inventory
Identifying and listing the personal data held by the controller and the processors (and possible sub-processors) is essential for effective GDPR compliance. Organisations are better equipped to secure and manage personal data when they list which data are collected, where they are stored, who they are shared with and how long they are retained. Moreover, the loss of protected and sensitive data is a serious threat to business operations. The vast majority (around 70%) of data leaks or losses result from poorly understood procedures, with the remaining 30% caused by theft or hacking; the biggest single source of breaches is user error combined with the lack of an effective policy architecture. In information security, Data Loss Prevention (DLP) is the comprehensive approach, covering users, processes and systems, that identifies, monitors and protects personal data in use (the work environment), in transit (network and e-mail) and at rest (storage), safeguarded through deep content inspection. See also the data flow mapping section above.
Step 7 – Security and data breach plan
Data Loss Prevention tools are available on the information security market to detect suspicious activity and attempted data exfiltration. The system must be robust and able to identify sensitive data being transferred outside the organisation's systems, whether by network file transfer or portable media. Although you may develop and implement the Data Breach Response Plan (DBRP) only after the Data Protection Impact Assessment (DPIA) of the data already held and flagged as personal data, we consider that the DBRP should be integrated into the information security programme. Proper data governance (from inventory to storage and erasure) will help meet your security obligations and manage data breach risks. The same good practice will help set up a procedure for timely responses to data subject access requests or objections to processing.
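As an added example of the detection logic such a tool applies, and not code from the original article or from any vendor product, the following Python script checks outbound messages against the Step 4 classification before they leave the organisation. It inspects only traffic addressed outside the company's own mail domain, validates IBAN-looking strings with the ISO 13616 mod-97 check so that random letter and digit runs are not flagged as payment data, and blocks anything carrying special-category (Art 9) or financial data while merely alerting on ordinary personal data. The internal domain name, the health keyword list and the three sample messages are constructed for illustration.

```python
# Added example (not from the original article): a minimal outbound DLP check
# that applies the Step 4 classification to message content before it leaves
# the organisation. The internal domain, the keyword list and the sample
# messages are constructed for illustration.
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example-corp.internal"}   # assumption: the controller's own mail domains

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# IBAN candidates: country code, 2 check digits, then groups of 4 (spaces optional)
IBAN_CANDIDATE_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,3})?\b")
# Indicators of Art 9 health data; a real deployment uses a curated dictionary
HEALTH_TERMS_RE = re.compile(r"\b(diagnosis|prescription|blood test|patient|hiv|chemotherapy)\b",
                             re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str   # "special" (Art 9), "financial", "personal"
    value: str


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check, so that random letter/digit runs are not flagged as IBANs."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]                                 # country code + check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)    # A=10 ... Z=35
    return int(digits) % 97 == 1


def scan_text(text: str) -> list:
    """Run every detector over the text and return the classified findings."""
    findings = []
    for m in IBAN_CANDIDATE_RE.finditer(text):
        if iban_is_valid(m.group()):
            findings.append(Finding("financial", m.group()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("personal", m.group()))
    for m in HEALTH_TERMS_RE.finditer(text):
        findings.append(Finding("special", m.group()))
    return findings


def is_external(recipient: str) -> bool:
    return recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def decide(message: dict) -> tuple:
    """Return (verdict, findings); verdict is "allow", "alert" or "block".

    Only traffic leaving the organisation is inspected. Special-category or
    financial data going to an external domain is blocked; other personal
    data raises an alert for review.
    """
    if not any(is_external(r) for r in message["to"]):
        return "allow", []
    findings = scan_text(message["body"])
    categories = {f.category for f in findings}
    if categories & {"special", "financial"}:
        return "block", findings
    if findings:
        return "alert", findings
    return "allow", findings


# Constructed sample messages (the first IBAN is the standard example value and
# passes the check; the second differs in its last digit and fails it)
SAMPLE_MESSAGES = [
    {"to": ["partner@example-outside.test"],
     "body": "Please refund to GB82 WEST 1234 5698 7654 32 and confirm the patient diagnosis."},
    {"to": ["partner@example-outside.test"],
     "body": "Reference GB82 WEST 1234 5698 7654 33 is not an account; contact j.doe@example-corp.internal."},
    {"to": ["colleague@example-corp.internal"],
     "body": "Internal note: the patient file is attached."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, found = decide(msg)
        print(verdict, [(f.category, f.value) for f in found])
```

The point of the checksum step is precision: a DLP rule that blocks every 20-character alphanumeric string will be switched off by the business within a week, whereas one that only fires on structurally valid identifiers can be enforced.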
Vendors are adapting rapidly, delivering technologies that were once reserved for large enterprises to small and medium-sized businesses, so compliance tooling decisions are getting a little easier.
Under the GDPR, the new mandatory breach notification will certainly receive the DPAs' scrutiny. A breach must be notified to the DPA without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to data subjects (Art 33); where the breach is likely to result in a high risk to data subjects, they too must be informed without undue delay (Art 34). This will probably require revising policies. The DBRP needs a clear assignment of responsibilities between the stakeholders, training and practice: without practice the short response time will not be met, and the organisation is exposed to sanctions and fines by the DPA.
Step 8 – Develop an accountability framework: DPIA and consent mechanisms
• Data Protection Impact Assessment
Recital 90 of the GDPR states: "That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation."
Conducting a DPIA pursues two objectives: to evaluate and mitigate the possible negative effects of a data processing operation, and to establish its compliance. It can be done voluntarily, to demonstrate compliance, or be mandatory (Art 35). The DPO will centralise the gap findings and the remedies applied in a report, for effective accountability and a fast response in case of a DPA inquiry. This implementation dashboard, listing the actions taken, will be communicated to all stakeholders for regular updates.
The DPO plays a central role as orchestra conductor in developing DPIAs. Although DPIAs will be required in different areas of the organisation (marketing, HR, accounting, profiling activities, etc.), it is vital to use one single template covering all of the organisation's personal data processing. The DPO then presents this standardised questionnaire and obtains management sign-off.
Organisations conducting DPIAs report a typical duration of up to one week. Delays are typically due to obtaining the required project details from subject matter experts. DPIAs are conducted at the project or product launch stage, or when a project or product changes.
The DPO must sit where the personal data are processed throughout their lifecycle. The goals of the privacy programme should be aligned with the goals of the business, and its outcomes stated in business terms. Data protection should not be regarded solely as a compliance exercise but as a cultural change in a growing digital world.
A DPIA rests on three aspects:
• People: the persons designated to conduct the DPIA. As mentioned above, they will be trained in conducting one. It is essential that colleagues from operations, HR, sales and so on provide input to the DPIA questionnaire; their inside knowledge is a prerequisite for a comprehensive assessment.
• Mapping: data mapping and the personal data collection points within the processing activity under consideration, to identify possible risks to data subjects' rights.
• Process: the DPIA can be based on an online workflow or a management platform with built-in templates, depending on the available resources, with the aim of reinforcing collaboration. Ongoing training is required to gain support and maintain effectiveness. The DPIA process will evolve over time as privacy culture is instilled in the organisation. As mentioned above, the DPO supports the DPIA as facilitator and central repository of compliance monitoring, but the process is driven by the employees involved in the processing. A DPIA may be repeated to reflect business changes.
Once the processing operations and their purposes have been thoroughly described and the compliance gaps identified, the possible remedies to the risks are elaborated, together with an assessment of necessity and proportionality against those risks. On completion you will need to implement the proposed safeguards, for example data minimisation at the collection point or information security decisions such as access restrictions. When assessing risks it is important to tackle the specific risks listed in Art 35, among others the security of the data, large-scale processing and employee data. The requirements also cover new products or processes, database changes and upgrades, high-risk processing of sensitive data and data processor activities. A DPIA must be completed before processing starts and, for existing processing, before May 2018. The DPO is central in documenting these steps and following up on implementation, in order to report progress to management and demonstrate accountability in case of a DPA audit.
• Data subject's consent logs
This has been widely debated within the privacy community. As with the transparency requirement, the GDPR sets more stringent rules for obtaining the data subject's consent, empowering the data subject, who takes the decision to consent and is entitled to withdraw it.
Requirements regarding consent under the GDPR are significantly more demanding than under the 1995 Directive. This is, however, an evolution: current practices and technical tools must be amended, and data protection technical controls and solutions have been on the market for years.
For example, privacy notices and obtaining the data subject's electronic acknowledgement of their content are nothing new. Tracking the opt-in and opt-out choices of data subjects is routinely done electronically in customer relationship management and e-marketing tools. The GDPR sets specific conditions for consent and places the burden of proving it on the controller (Art 7(1)). See the separate paper "Profiling and Consent GDPR requirements".
• Affirmative consent to data processing. Art 4(11) defines consent as "a statement or a clear affirmative action" by the data subject, which must be "freely given, specific, informed and unambiguous", and Art 7 sets the conditions for obtaining it. It is generally agreed that only opt-in consent is valid, such as the data subject ticking a box; per Recital 32, "silence, pre-ticked boxes or inactivity" do not constitute consent. The data controller must be able to demonstrate consent for each data processing operation.
• Special categories of data and profiling. Art 9 requires the stricter level of explicit consent, with proof: a "proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing". These special categories include, among others, trade union membership, genetic data, biometric data and data concerning sexual orientation. The stricter explicit-consent requirement also applies to automated decision-making based on profiling (Art 22).
• Parental consent for children's data (Art 8). For information society services offered to a child under 16, consent must be given or authorised by the holder of parental responsibility; Member States may lower this age to not below 13. Art 8(2) requires that "reasonable efforts" be made to verify that the holder of parental responsibility has given or authorised the consent. There is no particular challenge here: tools to verify identity and age electronically have been on the market for years.
However, like the GDPR, the European Commission's draft e-Privacy Regulation will set demanding requirements on cookies, which are becoming considerably stricter. While there is a new limited exemption for first-party analytics, the draft law proposes that consent must be obtained before cookies are served, and it explicitly extends the cookie consent rules to device fingerprinting. It also proposes that device manufacturers and browser or software providers block third-party cookies by default. This draft regulation is still subject to amendment.
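The consent points above (affirmative action only, purpose-specific consent, withdrawal, parental authorisation, and the controller's burden of proof) can be turned into a concrete record. As an added example that is not part of the original article or of any CRM or e-marketing product, the following Python ledger refuses to record a grant unless it came from a clear affirmative action, refuses a child's grant without parental authorisation, keeps a hash chain over the events so that a tampered log is detectable when handed to a DPA, and answers the question every processing job has to ask: is this purpose covered by consent for this subject at this moment? The method names, purposes, notice versions and age threshold default are assumptions.

```python
# Added example (not from the original article): an append-only consent ledger
# that records only clear affirmative actions (Art 4(11), Art 7, Recital 32),
# enforces parental authorisation for children (Art 8), keeps a hash chain as
# evidence for the burden of proof in Art 7(1), and answers "is processing for
# this purpose covered by consent at time T?". Purposes, methods and the age
# threshold below are assumptions.
import hashlib
import json
from datetime import datetime, timezone

# Methods that count as a clear affirmative action (assumed list)
AFFIRMATIVE_METHODS = {"checkbox_ticked", "button_clicked", "signed_form", "verbal_recorded"}
DIGITAL_CONSENT_AGE = 16   # Art 8(1); Member States may lower it, but not below 13


class ConsentError(ValueError):
    """Raised when an event cannot be recorded as valid consent."""


class ConsentLedger:
    def __init__(self):
        self._entries = []   # append-only; every entry carries the hash of its predecessor

    @staticmethod
    def _digest(entry: dict) -> str:
        payload = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def _append(self, entry: dict) -> dict:
        entry["prev_hash"] = self._entries[-1]["hash"] if self._entries else "0" * 64
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    def record_grant(self, subject_id, purpose, method, notice_version, at,
                     subject_age=None, parental_authorisation=None):
        # Recital 32: silence, pre-ticked boxes or inactivity are not consent
        if method not in AFFIRMATIVE_METHODS:
            raise ConsentError(f"{method!r} is not a clear affirmative action")
        if subject_age is not None and subject_age < DIGITAL_CONSENT_AGE and not parental_authorisation:
            raise ConsentError("Art 8: a child's consent must be given or authorised "
                               "by the holder of parental responsibility")
        return self._append({"subject": subject_id, "purpose": purpose, "action": "grant",
                             "method": method, "notice_version": notice_version,
                             "parental_authorisation": parental_authorisation,
                             "at": at.isoformat()})

    def record_withdrawal(self, subject_id, purpose, at):
        # Art 7(3): withdrawing must be as easy as consenting, so it is never refused
        return self._append({"subject": subject_id, "purpose": purpose, "action": "withdraw",
                             "at": at.isoformat()})

    def has_consent(self, subject_id, purpose, at) -> bool:
        """Consent is purpose-specific: the latest grant/withdrawal for (subject, purpose) wins."""
        relevant = [e for e in self._entries
                    if e["subject"] == subject_id and e["purpose"] == purpose
                    and datetime.fromisoformat(e["at"]) <= at]
        if not relevant:
            return False
        latest = max(relevant, key=lambda e: datetime.fromisoformat(e["at"]))
        return latest["action"] == "grant"

    def evidence(self, subject_id, purpose) -> list:
        """What is handed to a DPA: the full event history for this subject and purpose."""
        return [e for e in self._entries
                if e["subject"] == subject_id and e["purpose"] == purpose]

    def verify_chain(self) -> bool:
        """False if any entry was altered or removed after being appended."""
        prev = "0" * 64
        for e in self._entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger.record_grant("ds-001", "newsletter", "checkbox_ticked", "notice-v3", t0)
    print(ledger.has_consent("ds-001", "newsletter", t0))   # True
    print(ledger.has_consent("ds-001", "profiling", t0))    # False: consent is per purpose
    print(ledger.verify_chain())                            # True
```

Storing the notice version alongside the grant matters as much as the timestamp: when the privacy notice changes, the ledger shows exactly which wording each subject agreed to, which is what "informed" consent has to be proved against.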
Step 9 – Address the "right to be forgotten" and data portability rights
Next to the breach notification obligation, the GDPR introduces new features such as the rights to erasure and to data portability. Profiling restrictions have been dealt with above. The concept of data protection by design and by default (Art 25) must be built by controllers and processors into their business model, and a data protection culture must obtain the support and adherence of every organisation processing personal data.
The lack of effectiveness in privacy management is a real deficiency that needs articulating before we delve into its root cause and possible solutions. Any programme, regardless of discipline, requires four elements to be managed effectively: (1) policies, to articulate its do's and don'ts, (2) controls, to implement those policies, (3) monitoring, to ensure the controls operate effectively over time, and (4) governance, to maintain elements 1 to 3.
• Right to be forgotten
This right, codified in Art 17 of the GDPR as the right to erasure, is a logical consequence of the lawfulness and data minimisation principles.
There are specific circumstances in which the right to erasure does not apply and the controller can refuse a data subject's request. The right to be forgotten is not absolute, but your organisation must respond without undue delay, especially when the request is made by a child.
The ICO's guidance on the right to erasure gives an example of balancing rights: a search engine notifies a media publisher that it is delisting search results linking to a news report following an erasure request from an individual. If the publication of the article is protected by the freedom of expression exemption, the publisher is not required to erase the article.
• Data portability right
Art 20 and Recital 68 introduce the concept of data portability. It empowers data subjects to obtain and reuse the personal data they have provided to a controller "in a structured, commonly used and machine-readable format", and to copy or transfer those data to another safe IT environment. The right only applies where the data were provided by the data subject, the processing is based on the individual's consent or on a contract, and the processing is carried out by automated means. See the ICO guidance on the right to data portability.
Many questions surround this new concept (does "provided to the controller" include web browsing history, social media posts with comments from other data subjects, e-mail chains, etc.?). We are expecting the WP29 opinion/guidance on this topic.
Building on the subject access request (SAR) procedure, you will have to set up new processes and new technical capabilities in your organisation to meet this obligation. With a response time of without undue delay and at most one month (extendable by two further months for complex requests, Art 12(3)), an effective data portability process must be developed and practised.
Step 10 – Data storage limitation and solutions
According to techUK, around 90% of the data available globally today was generated in the last two years, and the amount is predicted to grow year on year over the next decade. We are all exposed to big data. Under the storage limitation principle (Art 5(1)(e)), the controller should keep personal data in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they were obtained.
It is important that the controller:
- establishes, at the collection point, the retention periods and access rights that apply to the data processed for each purpose;
- implements appropriate retention policies starting from data collection, using the data classification schema (see Step 4 above) as a helpful tool;
- complies with the defined retention policies and monitors adherence.
Data minimisation must be combined with data mapping: from the collection point, understand where the data come from and where they flow to, apply the right level of technology to store only the appropriate data, erase or dispose of data securely, and encrypt the data you need to work with.
The best way to do this is to keep only the data required for the processing as communicated to the data subject. If data are not needed for the processing, do not store them. That will make your storage and backup requirements far easier to deal with in 2018 and beyond, and it is wise advice considering the subject access requests you would otherwise have to answer. This is particularly true for clinical trials, where around 1 terabyte of data per data subject is shared between numerous controllers.
However, the proper erasure of information is not something often seen in software; outdated banking systems, for example, will demand a lot of programming work. Alternatively, Quincy Larson, founder of Free Code Camp (open-source code), said the best way to destroy data is not to delete it, since it can potentially be resurrected from a hard drive, but to encode it in "a secure form of cryptography". In practice this means keeping the data encrypted and destroying the key when the retention period ends, after which every copy of the ciphertext, including those in backups, becomes unreadable. In future, all software, banking systems included, will be expected to be capable of completely erasing data. And remember: the retention limitation does not apply to personal data that have been anonymised and cannot be re-associated with a particular data subject (Recital 26).
As an organisation subject to the GDPR you need to develop technical solutions to comply with the regulation's principles: storage limitation (Art 5(1)(e)), with storage periods that Member States may further specify (Art 6(2) and (3)); the right of access (Art 15); and data minimisation (Art 5(1)(c)), implemented through data protection by design and by default (Art 25), under which "only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility." These obligations extend to processors (Art 28), who must commit to deleting or returning personal data upon completion of the processing service (Art 28(3)(g)).
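The retention policy per purpose and the crypto-shredding idea above can be put together in a small store. As an added example, not from the original article and not the approach of any product it names, the following Python code fixes a retention period per purpose at the collection point, encrypts every record under a per-subject key, and enforces retention by dropping expired records and destroying the key of any subject with nothing live left. A backup taken before the retention run still holds the ciphertext, and the example shows that it can no longer be decrypted. The purposes, periods and sample records are assumptions; to keep the example dependency-free the cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC rather than AES-GCM from a vetted library, which is what a production system should use.

```python
# Added example (not from the original article): retention enforcement with
# crypto-shredding. Each data subject's records are encrypted under a
# per-subject key; "erasure" destroys the key, which also makes every copy of
# the ciphertext in backups unreadable. Purposes, retention periods and sample
# records are assumptions. Stdlib only: the cipher is HMAC-SHA256 in counter
# mode with encrypt-then-MAC so the example runs without dependencies; in
# production use AES-GCM from a vetted library instead.
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

RETENTION = {   # assumed retention periods, fixed per purpose at the collection point
    "order_fulfilment": timedelta(days=365 * 10),   # e.g. accounting obligations
    "newsletter": timedelta(days=365 * 2),
}


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the subject's master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with a fresh random nonce per record."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PersonalDataStore:
    def __init__(self):
        self.keys = {}       # subject_id -> data-encryption key: the only thing erasure must destroy
        self.records = []    # ciphertext records; backups are assumed to copy this list verbatim

    def collect(self, subject_id, purpose, data: bytes, collected_at):
        if purpose not in RETENTION:
            raise KeyError(f"no retention period defined for purpose {purpose!r}")
        key = self.keys.setdefault(subject_id, os.urandom(32))
        self.records.append({"subject": subject_id, "purpose": purpose,
                             "collected_at": collected_at, "ct": encrypt(key, data)})

    def read(self, subject_id, purpose) -> list:
        key = self.keys.get(subject_id)
        if key is None:
            raise LookupError(f"data for {subject_id!r} has been erased")
        return [decrypt(key, r["ct"]) for r in self.records
                if r["subject"] == subject_id and r["purpose"] == purpose]

    def enforce_retention(self, now) -> list:
        """Drop records past their retention period and shred the key of any subject
        with no live record left. Returns the subject ids whose keys were destroyed."""
        self.records = [r for r in self.records
                        if r["collected_at"] + RETENTION[r["purpose"]] > now]
        live = {r["subject"] for r in self.records}
        shredded = [s for s in self.keys if s not in live]
        for s in shredded:
            del self.keys[s]
        return shredded

    def erase_subject(self, subject_id):
        """Art 17 request. Check the Art 17(3) exemptions (e.g. a legal obligation to
        retain) before calling this; it removes everything for the subject."""
        self.records = [r for r in self.records if r["subject"] != subject_id]
        self.keys.pop(subject_id, None)


if __name__ == "__main__":
    store = PersonalDataStore()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.collect("ds-1", "newsletter", b"alice@example.test", t0)         # constructed sample
    store.collect("ds-1", "order_fulfilment", b"invoice 42", t0)
    store.collect("ds-2", "newsletter", b"bob@example.test", t0)
    print(store.enforce_retention(t0 + timedelta(days=365 * 2 + 1)))      # ['ds-2']
```

Two design points carry the security argument. Keys live in their own store, so a backup of the record store never contains the means to read it, and the retention check runs against the purpose recorded at collection time rather than against whatever purpose the data later acquired, which is the storage limitation principle applied literally.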
In this respect Luxembourg enacted a legal framework for electronic archiving in 2015: Loi et Règlement sur l'archivage électronique (Luxembourg).
Key advice can be obtained from the ICO in the UK (ICO retention periods guidance) or from the French DPA, the CNIL ("Limiter la conservation des données dans le temps").
We expect the WP29 to publish guidance on the data minimisation principle at the beginning of 2017.
By starting in January 2017 and taking the time to step diligently through the 10 activities highlighted in this implementation plan, your organisation and its DPO will have secured GDPR compliance, protected the company's reputation and image, and gained the data subjects' trust in your processing.
Written by Christophe Baur, CIPP / E, Associate at Assured Privacy, looking for a new challenge