This is the eighth post in a series on privacy by Andrew Pery. You might also be interested in:
- Mitigate Data Privacy and Security Risks with Machine Learning
- The Privacy and Security Dichotomy
- GDPR and Cross Border Data Flows between the EU and the US: Current State of the Law
- Privacy by Design: The Intersection of Law and Technology
- What Do the GDPR and new Privacy Laws Mean for U.S. Companies?
- Balancing Privacy Rights with Social Utility in the Age of the Internet of Things.
- GDPR Compliance Starts with Data Discovery
Compliance with GDPR is just a short five months away. While there may be many dimensions to consider from a GDPR readiness perspective, there are three steps that are particularly important in order to manage risk and ensure compliance.
Step 1: Data Discovery
Step 2: Record of Processing Activities
Article 30 of the GDPR requires data controllers and processors to maintain a record of processing activities. In order to adhere to this requirement, organizations should undertake a data mapping exercise to identify the following:
- Description of data subjects;
- Categories of personal data collected from data subjects;
- Purposes for which personally identifiable information is collected;
- Business processes and applications which handle personally identifiable information;
- Categories of the recipients of personally identifiable information;
- Location of personally identifiable information, access rights and security measures;
- Duration for processing and retention of personally identifiable information; and
- Data transfer to third party processors and contractual provisions for lawful processing.
The data mapping process ought to identify all relevant process workflows and applications which may present privacy risks. Business processes should document:
- Compliance with Article 7 of the GDPR, demonstrating the conditions under which data subject consent is obtained and, when requested, the process for withdrawal of consent;
- Business processes that protect data subject rights, in particular, right of access, rectification, erasure, right to object and data portability;
- Security measures that safeguard privacy rights;
- Processes relating to transfer of personal data to 3rd parties; and
- Notification processes in the event of personal data breach.
Subject to specific circumstances, data controllers and processors may be required to conduct a privacy impact assessment. There is some uncertainty as to the conditions that necessitate a privacy impact assessment. Article 25 of GDPR stipulates that a privacy impact assessment is necessitated when processing, "taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons". The Article 29 Data Protection Working Party issued guidelines intended to govern the circumstances under which privacy impact assessments are required. They stipulate nine use cases:
- Predictive analytics, such as screening customers against credit reference databases, or building marketing profiles from buying preferences, consumer profiles and location information;
- Automated decision making that may impact the legal rights of data subjects;
- Systematic monitoring such as bulk data collection or monitoring of publicly accessible areas;
- Collection of sensitive personal data such as financial and health records;
- Collection of large volumes of personal data;
- Combining various datasets that may in combination expose personally identifiable information such as GPS location information combined with internet search history;
- Data collection relating to vulnerable data subjects such as children, elderly patients and those with physical and mental challenges;
- Application of new and innovative technologies that may result in novel forms of data collection, processing and analysis such as finger print and facial recognition technologies; and
- When data subjects are prevented from exercising a right or service such as when a bank refuses a loan based on an automated screening process against a credit reference database.
The Article 29 Working Party also provides very useful criteria for an acceptable data privacy impact assessment.
Step 3: Breach Response
GDPR mandates a rigorous breach notification standard which requires data controllers and processors to report data breaches within a 72-hour deadline. In order to comply, organizations need to institute breach response processes that:
- Identify and implement risk mitigation processes;
- Monitor system and network vulnerabilities and apply patches in a proactive fashion (e.g. the Equifax breach was due to a failure to proactively apply a patch);
- Continuously test breach response readiness; and
- Evaluate 3rd party processor breach response strategies and protect against potential legal liabilities under the GDPR.
A particularly useful resource to assist your organization’s GDPR compliance readiness may be found here.
About the author: Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector focusing on content management and business process automation. Andrew holds a Master of Laws degree with Distinction from Northwestern University and is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).