Nasdaq: Global Data Protection Regulation: Record of Processing Activities
Posted: 1 February 2018 | Author: Bram den Boer | Source: NASDAQ OMX BWise
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. Organizations will need to review their ability to comply with GDPR, and many are feeling the urge to get things done. To help navigate this process with meaningful information, our subject matter experts will write blogs addressing important steps that your organization may want to take.
It is good to understand the pivotal role that Governance, Risk Management and Compliance (GRC) solutions can play in assisting companies with GDPR compliance. The blog series will focus on how GRC solutions help form a holistic approach that amplifies, among other things, practice efficiencies, as many organizations are facing other regulatory obligations as well. We hope you will find this blog series helpful. Moreover, we are happy to answer any questions you may have about our GRC solutions.
The first step is having a summary visual that provides the foundation for the various aspects of GDPR obligations. This visual will be used as a guideline for our blog posts. The first blog post addresses the record of processing activities; the second blog will follow the cycle steps, starting with the Initial Assessment and the Data Protection Impact Assessment (DPIA). Below is a summary outline of the blog topics:
- Record of processing activities (Article 30)
- Initial Assessment & Data Protection Impact Assessment (DPIA) (Article 35)
- Risk Treatment & Data breach management (Articles 33-34)
- Action Management & Reporting
- Role of the DPO (Articles 37-39)
Record of processing activities (Article 30)
The way European citizen data is processed (collected, accessed, transferred, or shared), and how data privacy and data protection are safeguarded in these assets, is the core of GDPR and is described in Article 30. GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. GDPR does not only apply to organizations located within the European Union (EU); it also applies to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
Data, data subjects, personal data… what do these terms constitute? Personal data is any information related to a natural person, or ‘data subject’, that can be used to identify that person directly or indirectly. For example, it can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information, to a computer’s IP address.
The first steps towards GDPR compliance
One of the first things an organization will need to do to comply with GDPR is to create awareness internally and document what personal data it holds, where it came from, and who it is shared with. You may need to organize an information audit across the organization, or within a particular business area.
Secondly, you need to inform the other organizations your company is working with. For example, if the organization holds inaccurate personal data and has shared it with another organization, you will have to tell the other organization about the inaccuracy so it can correct its records. You won’t be able to do this unless you know what personal data you hold, where it came from, and who you share it with. An organization is required to document this. Doing so will also help you comply with the GDPR’s accountability principle, which requires organizations to be able to show how they comply with the data protection principles.
Third, the organization must document the legal basis for each of its various types of data processing activities. Under GDPR, this has many practical implications, because some individuals’ rights will be modified depending on the organization’s legal basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. This legal basis is also used to explain why you are processing personal data in your privacy notice and when you answer a data subject request.
Finally, as illustrated above, organizations will need to adopt internal policies and measures that meet the principles of data protection by design (data subject transparency and access), so that you can show that you are data protection compliant. This can be done by implementing technical and organizational measures that:
- Ensure that only the personal data necessary for each specific processing activity is used (in relation to the amount of data collected, the extent of its processing, the period of its storage, and its accessibility)
- Ensure that personal data is not made accessible to more individuals than necessary for the purpose of using applications or processes
- Allow controls to be implemented to demonstrate and report on GDPR compliance
According to the GDPR, organizations should appoint a Data Protection Officer (DPO) to implement, streamline, and continuously monitor GDPR processes. Structurally, the DPO should report to the highest management level of the controller or processor, depending on how the organization structure is set up. A DPO should have the support needed to carry out these activities, including the necessary resources.
The first steps towards GDPR compliance are not merely a check-the-box exercise. GDPR has a significant impact on the organization’s data processes, and non-conformance can have serious implications: fines of up to 4% of global annual revenue or €20,000,000 (whichever is greater), and the fierce reputational damage that can come with the publicity of data breaches. Therefore, the role of the DPO should not be underestimated. Since the DPO position is a new job role for many organizations, we will address the role of the DPO in an upcoming blog. As the second step, we will address the initial assessment and the data protection impact assessment (DPIA) in our next blog post.
Nasdaq BWise enables organizations to map the landscape of where personal data is processed within the organization’s processes and supporting IT environment, and to produce consolidated reporting in support of GDPR compliance:
- Efficiently collect, access, transfer, or share data assets
- Safeguard data privacy and data protection
- Determine the privacy risk level in the organization, based on a predefined set of questions involving answers on the use, disclosure, purpose, and evaluation of personal data resulting in a high, medium or low risk level
- Determine with a Data Protection Impact Assessment (DPIA) if compliance with ‘privacy by design’ and ‘privacy by default’ is met for new assets or projects in the company
- Establish an estimate of the risk of impacting rights and freedom of the data subject and the support for risk acceptance or treatment.
- Determine which set of baseline requirements are already implemented or planned and where additional requirements need to be implemented to accept the residual risk.
- Powerful process workflows to ensure that policies to comply with GDPR are developed, approved, applied, and consistently improved.
- Integrated data feed management to allow integrations with Configuration Management Databases (CMDBs)
- Allows for the recording and notification of any incident to all relevant internal stakeholders within established thresholds
- Reports and dashboards that provide different analyses of GDPR conformance, including a statement of GDPR compliance
- Central view on compliance data for easy tracking and monitoring of activities and actions to assure GDPR compliance
GDPR is evidence that the topic of data privacy will continue to garner interest, especially as both the business and consumer environments are changing rapidly. Topics such as the Internet of Things, disruptive technologies, new and non-traditional market entrants, and technological use will force businesses to adapt their risk management practices in a way that not only protects companies’ current data but is also predictive. Although GRC software solutions won’t be able to stop all data breaches and attacks, they can provide the means to substantiate that data privacy is effectively managed, and managed well.