The AIIM Blog - Overcoming Information Chaos

Three Critical Steps for GDPR Compliance

Written by Andrew Pery | Jan 17, 2018 4:04:00 PM

Compliance with GDPR is just a short five months away.  While there may be many dimensions to consider from a GDPR readiness perspective, there are three steps that are particularly important in order to manage risk and ensure compliance.

Step 1: Data Discovery

In our previous blog, data discovery was identified as the first step organizations ought to undertake in order to begin the process of compliance with the GDPR principles.

Step 2: Record of Processing Activities

Article 30 of the GDPR requires data controllers and processors to maintain a record of processing activities. In order to adhere to this requirement, organizations should undertake a data mapping exercise to identify the following:

  • Description of data subjects;
  • Categories of personal data collected from data subjects;
  • Purposes for which personally identifiable information is collected;
  • Business processes and applications which handle personally identifiable information;
  • Categories of the recipients of personally identifiable information;
  • Location of personally identifiable information, access rights, and security measures;
  • Duration for processing and retention of personally identifiable information; and
  • Data transfer to third party processors and contractual provisions for lawful processing.

The data mapping process ought to identify all relevant process workflows and applications which may present privacy risks.  Business processes should document:

  • Compliance with Article 7 of the GDPR, demonstrating the conditions under which data subject consent is obtained and, when requested, the processes for withdrawal of consent;
  • Business processes that protect data subject rights, in particular, right of access, rectification, erasure, right to object and data portability;
  • Security measures that safeguard privacy rights;
  • Processes relating to the transfer of personal data to 3rd parties; and
  • Notification processes in the event of a personal data breach.

Subject to specific circumstances, data controllers and processors may be required to conduct a privacy impact assessment. There is some uncertainty as to the conditions that require a privacy impact assessment. Article 25 of GDPR stipulates that a privacy impact assessment is required when processing, "taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons". The Article 29 Data Protection Working Party issued guidelines intended to govern the circumstances under which privacy impact assessments are required. They stipulate nine use cases:

  • Predictive analytics, such as screening customers against credit reference databases, or building marketing profiles from buying preferences, consumer profiles, and location information;
  • Automated decision making that may impact the legal rights of data subjects;
  • Systematic monitoring such as bulk data collection or monitoring of publicly accessible areas;
  • Collection of sensitive personal data such as financial and health records;
  • Collection of large volumes of personal data;
  • Combining various datasets that may in combination expose personally identifiable information such as GPS location information combined with internet search history;
  • Data collection relating to vulnerable data subjects such as children, elderly patients and those with physical and mental challenges;
  • Application of new and innovative technologies that may result in novel forms of data collection, processing and analysis such as fingerprint and facial recognition technologies; and
  • When data subjects are prevented from exercising a right or service such as when a bank refuses a loan based on an automated screening process against a credit reference database.

The Article 29 Working Party provides very useful criteria for an acceptable data privacy impact assessment.

Step 3: Breach Response

GDPR mandates a rigorous breach notification standard that requires data controllers and processors to report data breaches within a 72-hour deadline.  In order to comply, organizations need to institute breach response processes that:

  • Identify and implement risk mitigation processes;
  • Monitor system and network vulnerabilities and apply patches in a proactive fashion (e.g., the Equifax breach was due to a failure to proactively apply a patch);
  • Continuously test breach response readiness; and
  • Evaluate 3rd party processor breach response strategies and protect against potential legal liabilities under the GDPR.