
Guest Post - Three Critical Steps for GDPR Compliance

Jan 17, 2018 11:04:00 AM by Andrew Pery


This is the eighth post in a series on privacy by Andrew Pery.

Compliance with GDPR is just a short five months away. While there are many dimensions to consider from a GDPR readiness perspective, three steps are particularly important in order to manage risk and ensure compliance.

Step 1: Data Discovery

In our previous blog, data discovery was identified as the first step organizations ought to undertake in order to begin the process of compliance with the GDPR principles.

Step 2: Record of Processing Activities

Article 30 of the GDPR requires data controllers and processors to maintain a record of processing activities. In order to adhere to this requirement organizations should undertake a data mapping exercise to identify the following:

  • Description of data subjects;
  • Categories of personal data collected from data subjects;
  • Purposes for which personally identifiable information is collected;
  • Business processes and applications which handle personally identifiable information;
  • Categories of the recipients of personally identifiable information;
  • Location of personally identifiable information, access rights and security measures;
  • Duration for processing and retention of personally identifiable information; and
  • Data transfer to third party processors and contractual provisions for lawful processing.

The data mapping process ought to identify all relevant process workflows and applications which may present privacy risks. Business processes should document:

Subject to specific circumstances, data controllers and processors may be required to conduct a privacy impact assessment. There is some uncertainty as to the conditions that necessitate a privacy impact assessment. Article 25 of GDPR stipulates that a privacy impact assessment is required when processing, “taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons”. The Article 29 Data Protection Working Party issued guidelines intended to govern the circumstances under which privacy impact assessments are required. They stipulate nine use cases:

  • Predictive Analytics such as screening customers against credit reference databases, buying sentiments that build marketing profiles based on buying preferences, consumer profiles and location information;
  • Automated decision making that may impact the legal rights of data subjects;
  • Systematic monitoring such as bulk data collection or monitoring of publicly accessible areas;
  • Collection of sensitive personal data such as financial and health records;
  • Collection of large volumes of personal data;
  • Combining various datasets that may in combination expose personally identifiable information such as GPS location information combined with internet search history;
  • Data collection relating to vulnerable data subjects such as children, elderly patients and those with physical and mental challenges;
  • Application of new and innovative technologies that may result in novel forms of data collection, processing and analysis such as finger print and facial recognition technologies; and
  • When data subjects are prevented from exercising a right or service such as when a bank refuses a loan based on an automated screening process against a credit reference database.

The Article 29 Working Party also provides very useful criteria for an acceptable data privacy impact assessment.

Step 3: Breach Response

GDPR mandates a rigorous breach notification standard which requires data controllers and processors to report data breaches within a 72-hour deadline. In order to comply, organizations need to institute breach response processes that:

  • Identify and implement risk mitigation processes;
  • Monitor system and network vulnerabilities and apply patches in a proactive fashion (e.g. the Equifax breach was due to a failure to proactively apply a patch);
  • Continuously test breach response readiness; and
  • Evaluate third-party processor breach response strategies and protect against potential legal liabilities under the GDPR.


A particularly useful resource to assist your organization’s GDPR compliance readiness may be found here.

About the author: Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector, focusing on content management and business process automation. Andrew holds a Masters of Law degree with Distinction from Northwestern University, is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).

Topics: information governance, electronic records management, privacy, information security, gdpr
