The EU General Data Protection Regulation is getting closer every day. For many privacy offices, this equates to an overwhelming workload and anxiety about where to begin and a view of the GDPR as nothing more than a list of projects to complete and items to check off in an effort to be compliant.
However, the GDPR is actually quite flexible, and compliance with its requirements is intended to be an ongoing exercise rather than a means to an end. It takes a risk-based approach to privacy and data protection that is full of requirements for conducting analyses, balancing tests and assessments, and the overlap between these requirements often gets overlooked. As a result, the work done to address one article of the GDPR can be leveraged when addressing others. This is a proposal to simplify GDPR compliance efforts by combining and conquering.
Article 5 of the GDPR addresses the principles related to the processing of personal data, but these principles are not new. For example, they can be found in the FTC’s Fair Information Practice Principles and the OECD Guidelines on the Protection of Privacy and Trans-border Flows, which have served as foundational principles for many privacy and data protection laws around the world. As a result, it can be wise to begin by addressing these principles, as they represent what is common across privacy and data protection frameworks. For example, ask about fairness, transparency, purpose specification, purpose limitation, data minimization, data quality, storage limitation and notice — all of which require some level of documentation in order to demonstrate compliance in accordance with Article 5.
Next, you may want to consider any specific jurisdictional requirements that may be triggered by the processing activity. For example, the GDPR may apply if the activity either (1) is in the context of an establishment in the European Economic Area (EEA); (2) includes the offering of goods or services to individuals located in the EEA; or (3) includes the monitoring of the behavior of individuals in the EEA. If the GDPR applies, then you will want to get into more specifics about the activity.
Many organizations view the building of an Article 30 records of processing (or “data map”) as the first step in GDPR compliance efforts, as doing so can serve as a foundation for tackling other GDPR obligations. However, this is not the only approach. Another way could be to integrate this within your overall questionnaire in order to increase efficiency (there’s no need to ask about “purpose of processing” more than once) and ensure a more holistic assessment of processing activities, their risks and benefits. The GDPR does take a risk-based approach, after all.
Data subject rights
The GDPR provides data subjects with a variety of rights that they may enforce against data controllers, and under Articles 12–22, controllers have specific obligations regarding these rights. These obligations include providing information to data subjects and facilitating the exercise of data subject rights. Therefore, perhaps you also want to ask how data subjects will be made aware of the activity and how you will enable the exercise of their rights — e.g., if the processing activity is a new product offering for your customers, will you build functionalities that allow data subjects to access their personal data or request its rectification?
The GDPR requires controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” In other words, conduct an assessment. Again, we see the GDPR’s risk-based approach at play here, and what better way to determine (and document) what is appropriate than to use the same questionnaire that we have used up until this point.
The same can be said for vendor management. Again, the GDPR requires an assessment, but this time, an assessment of another organization (i.e., the proposed processor) and whether they provide “sufficient guarantees to implement appropriate technical and organizational measures.” Here, you may want to branch off into a vendor assessment, if necessary, and ensure that GDPR-compliant contracts are in place. Additionally, if data will be transferred out of the EEA to this third party, this is the time to ensure that an appropriate safeguard is in place to provide for a lawful transfer.
Think also about breach-notification requirements. After a breach, controllers have only 72 hours to notify supervisory authorities. Thankfully, if you have already asked the necessary questions to learn about the data you are processing and understand where and how it is being processed, you will already be one step ahead in the event of the “inevitable” breach. Moreover, having already identified your high-risk activities (i.e., those requiring a DPIA) can assist you in determining whether a personal data breach is likely to result in a high risk and therefore necessitates notification of affected data subjects under Article 34(1).
Under the GDPR, processing is lawful only if one of several legal bases applies. One of those is “legitimate interests,” and it is expected to be one of the most widely used legal bases, if not the most widely used, due to the high level of flexibility given to organizations in explaining and documenting their rationale for conducting a given processing activity. To rely on legitimate interests, controllers must assess the benefits of a particular activity (to individuals, society, business, etcetera) against the interests or fundamental rights and freedoms of data subjects. In other words, there must be an assessment of harms versus benefits, and a case must be made as to why the legitimate interests of the organization are not “overridden” by those of data subjects — a quintessential example of the GDPR’s flexibility at work.
Data protection impact assessments (DPIAs)
Under Article 35(1), a DPIA is required when processing “is likely to result in a high risk to the rights and freedoms of natural persons.” Therefore, one of the first things to do for every processing activity is to identify the different risks and benefits associated with it. Second, these risks need to be evaluated in terms of their severity (or “impact”) and the likelihood of occurrence. The results of your legitimate interests assessment (if applicable) can also be useful in determining whether the activity is likely to result in a high risk to individuals and therefore requires a DPIA, and if so, in carrying out the DPIA itself.
At the end of the day, and regardless of DPIA requirements, using the methods described above helps ensure that you are carrying out your general obligation under the GDPR and other frameworks to implement measures that manage risks to data subjects, and that you are acting as a good steward of personal data.
GDPR compliance is a massive undertaking, no doubt, and the stakes are high, but with a little creativity and the right tools, it can be the catalyst behind growing your program to meet its true potential as the advocate for privacy in your organization.