Organisations had two years to prepare for GDPR compliance in the run-up to May 25, 2018. Now that the GDPR is in force, what will Regulators want to see? The question is no longer theoretical. The Dutch DPA recently announced an investigation into 30 large organisations regarding their GDPR compliance and at the outset will ask to see their records of processing activities. Many regulators prefer voluntary compliance, but are prepared to back that up with tough action when required. This is why your reporting must be ‘regulator ready’. Accountability is the cornerstone of Regulatory Ready reporting, and it means effectively operationalising the use of appropriate technical and organisational measures to allow for reporting at the enterprise and project level.
What is Regulator Ready reporting and why do you need it?
Regulator Ready reporting means organisations have the capacity to efficiently produce reports that clearly tell a story reflecting GDPR compliance and accountability and align with legal requirements. To understand the growing need for Regulator Ready reporting, consider the following scenarios:
1. Your organisation experiences a breach. Within a short period of time, and reactively, the Regulator is on your doorstep.
2. Your organisation has not had a breach or any other public privacy incident, but the Regulator shows up expecting to assess your organisation’s GDPR2
3. Your organisation is launching a new product that has privacy implications. You initiate a meeting with the Regulator to provide assurance that your product is not only GDPR compliant but that you have considered privacy by design in the product itself and embedded it throughout your organisation.
In any of these scenarios, you want to be able to deliver Regulator Ready reporting. It means effectively operationalising the use of appropriate technical and organisational measures to allow for reporting at the enterprise and project level.
- Demonstrating compliance and putting in place the appropriate technical and organisational measures (Articles 5(2) and 24)
Leveraging existing measures and accountability mechanisms and embedding them into projects to meet additional compliance requirements:
- Records of processing (Article 30)
- Data Protection Impact Assessments (Article 35)
- Data Protection by Design (Article 25)
- Using Legitimate Interest as a lawful basis for processing (Article 6(1)(f)
The cornerstone of Regulator Ready reporting is accountability. In this blog, part one of a two-part series, we will discuss demonstrating accountability and compliance at the enterprise level: GDPR Articles 5(2) and 24.
Articles 5(2) and 24: Regulator Ready reporting on enterprise level technical and organisational measures:
If a Regulator comes to your door, they will want to see evidence of key requirements at the enterprise level. The need to be accountable and to demonstrate compliance is codified in the GDPR in Article 24, which closely links to Article 5 on the data protection principles. At a minimum, Regulators require a demonstration of the appropriate technical and organisational measures that have been put in place at an enterprise level.
- As referenced above, Article 5(2) of the GDPR contains an explicit provision regarding demoisntrating compliance with all the principles related to the processing of personal data (e.g.lawfulness, fariness, transparency, data minimization, data accuracy, security.
The measures and associated documentation in place for your compliance program must be regularly re-examined and updated to ensure continued data protection. There is no specific guidance concerning how to report on your enterprise level compliance. However, being Regulator Ready to report at an enterprise level means that you have a good understanding of which obligations under the GDPR apply to you, that you have addressed compliance respecting those obligations throughout the organisation and that you have evidence of this compliance.
To assist organisations in being able to report on GDPR compliance, Nymity Research™ identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance. We have mapped those to the free Nymity Privacy Management Accountability Framework™. Nymity provides a host of free resources to assist organisations in understanding their GDPR obligations and prioritising compliance. To learn more about Regulator Ready reporting, read our white paper.
Project Level Regulator Ready Reporting
Once you are able to demonstrate compliance and have put in place the appropriate technical and organisational measures under Articles 5(2) and 24 you can scale those measure and leverage them to embed into projects to meet additional compliance requirements.
Required Reporting: Articles 30 and 35
When a Regulator pays a visit, they will want to see evidence of key requirements.1 The following Articles under the GDPR specifically indicate that documentation of some type must be made available to supervisory authorities:
Article 30 – Records of Processing Activities: Requires that controllers and processors must maintain a record of processing activities and make the record available to the supervisory authority on request. At a minimum, Regulators will want to see a record of processing for all processing occurring prior to May 25, 2018 and records for any new processing that occurred after that date.
Article 35 – Data Protection Impact Assessment (DPIA)3: Requires that controllers carry out DPIAs in high risk processing scenarios. At a minimum, the Regulator will want to see a DPIA report for any new processing or major changes to current processing post May 25th.
Additional Reporting: Article 25 and Article 6
From an accountability standpoint, it may also be advantageous to report on compliance with other key GDPR provisions:
Article 25 – Data Protection by Design/Default: Where applicable, it may be beneficial to show how the appropriate technical and organisational measures are applied at a processing level.
Article 6(1)(f) – Legitimate Interest as lawful basis for processing: The GDPR sets practical and clear criteria for organisations that seek to rely on legitimate interest as a lawful ground for processing personal data, but organisations must document their decision making and be able to report on it to a supervisory authority.
Organisations that prepare for Regulatory Ready reporting leverage the technical and organisational measures that are currently in place to embed accountability into projects, allowing them to efficiently generate reports for multiple compliance requirements (Records of Processing, DPIAs, Legitimate Interests assessments and more). For example, when new projects are initiated, the privacy office often requires that the operational unit complete a ‘threshold PIA’. A threshold PIA pre-emptively detects an organisation’s use of personal data, which, if identified, would require subsequent PIAs. If done correctly, the threshold PIA can collect all the data necessary for Article 30 records of processing reports.
In addition, a threshold PIA can identify if the processing is likely to be high risk and require a data protection impact assessment as required under Article 35. In a Regulator Ready reporting approach, organisations that are processing high risk data will use their data protection impact assessment method to embed appropriate technical and organisational measures directly into the project and require evidence that the business or operational unit is applying the measures. Thus, the technical and organisational measures become the cornerstone of the DPIA report. The measures are applied prior to processing the data which reduces risk.
Next, because the organisation has embedded appropriate technical and organisational measures directly into the DPIA, the project itself is now designed with privacy and data protection in mind, so the organisation can easily generate a DPbD (Data Protection by Default) or PbD (Privacy by Design) report.
Finally, this Regulator Ready approach can also help with producing the necessary information when an organisation chooses to rely on legitimate interests as a lawful basis for processing. An assessment for use of legitimate interests requires a balancing test between the interests of the controller and the potential harms to the rights and freedoms of data subjects. Courts and Regulators have indicated that, the more safeguards that are in place (technical and organisational measures), the more likely the balance will tip in favour of the controller.4
Learn more about Regulator Ready reporting, in this Whitepaper.
By Teresa Troester-Falk, Chief Global Privacy Strategist, Nymity
The inaugural Data Protection World Forum (DPWF) will be held on November 20th & 21st 2018 at the ExCeL London which will provide a broader focus across the data protection and privacy space amidst the progressive tightening of global data protection laws.
Ahead of the end of year event, DPWF has launched a series of intensive workshops.
Further information on the DPWF and workshop details are available at: https://www.dataprotectionworldforum.com/