GDPR Best Practices

Implementation Guide

Transforming GDPR Requirements into

Compliant Operational Behaviours
01
 02

Introduction

The General Data Protection Regulation (GDPR) is a revolutionary change in

Data Protection and will in all likelihood become the de-facto gold standard
for Data Protection regulation globally. The two areas most influential in this
regard relate to Accountability and Enforcement.

1. Accountability: Organisations must embrace the new accountability

principle introduced by the GDPR and move from ‘theory to practice’
in terms of their Data Protection efforts.

2. Enforcement: The member state Data Protection Authorities (DPAs)

must rigorously enforce the Regulation by issuing substantive
penalties where organisations cannot adequately evidence
compliance with the GDPR accountability principle.

One of the biggest challenges for organisations that fall within the broad
extra-territorial scope of GDPR, is transforming the legal requirements of
GDPR into compliant and sustainable operational behaviours. Whilst there
will be many organisations, such as those in the financial services and
healthcare sectors, who are used to dealing with regulatory requirements,
there are many others who will be experiencing the challenge of
implementing strict regulatory requirements for the first time. Experienced or
not, the May 28 deadline in 2018 is fast approaching and action needs to be
taken now by all organisations within the scope of GDPR.
 03

The GDPR Accountability Principle

Recognition of the need for accountability in terms of data privacy

is not new and can be seen in the privacy guidelines issued by the
Economic Cooperation and Development (OECD) back in 1980. The
OECD describes accountability as “showing how responsibility is
exercised and making it verifiable”1 .

The intent of the new GDPR Accountability Principle, as defined in

Article 5(2) of the GDPR text, is similar to that of the OECD privacy
guidelines. It is seeking to reaffirm and strengthen the responsibility
of Data Controllers and Data Processors, in relation to Processing of
Personal Data, and requiring them to demonstrate compliance with
measures which give effect to the other six GDPR principles (listed
below).

GDPR Principle Description

Lawfulness, fairness and Processed lawfully, fairly and in a transparent manner.
transparency
Purpose limitation Collected for specified, explicit and legitimate purposes and not further
Processed in an incompatible manner.
Data minimisation Adequate, relevant and limited to what is necessary.

Accuracy Kept accurate and up-to-date.

Storage limitation Not kept, any longer than necessary, in a form which permits identification
of a Data Subject.

Integrity and confidentiality Appropriate security ensuring protection against unauthorised or unlawful
Processing and against accidental loss, destruction or damage.

1
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173_en.pdf
 04

The European Data Protection Supervisor (EDPS) has stated2 , in reference

to accountability, that “EU institutions and bodies should, at the most senior
level, endorse and take responsibility for Personal Data Processing inside their
organisations which occurs as part of the tasks of their institution”.
Although accountability is undoubtedly a core tenet of the GDPR, it doesn’t
offer a specific definition. The EDPS, in their Accountability Fact Sheet3 , do
provide some insight in this regard by stating that accountability in Personal
Data Processing requires:

• Transparent internal Data Protection policies, approved and

endorsed by the highest level of the organisation’s management.

• Informing and training all people in the organisation on how to

implement the policies.

• Responsibility at the highest level for monitoring the policy

implementation, assessing and demonstrating to external
stakeholders and Data Protection Authorities the quality of the
implementation.

• Procedures for redressing poor compliance and data breaches.

2
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/
Accountability/16-06-07_Accountability_factsheet_EN.pdf
3
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/
Accountability/16-06-07_Accountability_factsheet_EN.pdf
 05

The GDPR Accountability Life Cycle

This GDPR Best Practices Guide puts forward a GDPR implementation

methodology designed to:

• Engage stakeholders to ensure timely and efficient

organisational readiness for GDPR.

• Implement effective procedures that embed GDPR-compliant

operational behaviours.

• Establish assurance criterion that will sustain and

evidence GDPR accountability.

The methodology consists of a three phases (Prepare, Operate,

Maintain), with each incorporating a number of supporting activities.
The objective defined for each phase is attained once all of the
activities for that phase have been successfully executed. The ultimate
goal of the methodology is sustaining and evidencing compliance with
the GDPR Accountability Principle.

Phase I: Phase II: Phase III:

Prepare Operate Maintain

Ensures Implements Delivers

stakeholder effective procedures assurance and
engagement and that embed evidence of
organisational GDPR-compliant ongoing GDPR
readiness for GDPR operational accountability
behaviours
 06

Accountability Life Cycle Activities

The table below lists the phased activities that support the
Accountability Life Cycle.

Phase Activity

PHASE I: Prepare Activity A: Obtain the buy-in of key business stakeholders

Activity B: Establish your GDPR readiness program team
Activity C: Identify and assess relevant business functions
Activity D: Identify and assess in-scope Third Party Processing activities
Activity E: Establish a central Personal Data register
Activity F: Distribute updated Data Protection policies and Privacy Notices
Activity G: Educate internal Personal Data Handlers and external Data Processors

PHASE II: Operate Activity H: Disseminate and maintain external Privacy Notices
Activity I: Justify and record lawful Processing mechanisms
Activity J: Process and record Data Subject rights requests
Activity K: Validate and record Third Country data transfers
Activity L: Report and manage Personal Data Breach incidents

PHASE III: Maintain Activity M: Evidence understanding of Data Protection policies

Activity N: Ensure the ongoing integrity and quality of the Personal
Data Processing register
Activity O: Trigger impact assessments for business change events
Activity P: Verify compliance of Third Party Personal Data Processing activities
Activity Q: Demonstrate effectiveness of Personal Data handling practices
 07

PHASE I: Prepare

This initial phase considers the activities necessary to ensure GDPR

readiness for your organisation. It is very important that you engage key
business at the outset to inform and educate them. If done effectively,
you will obtain their buy-in and support, a fundamental success factor
for achieving your GDPR readiness goals. Following on from this you will
need to appoint your GDPR program team, identify and assess relevant
Personal Data Processing activities, prioritise a set of remediation actions,
establish a centralised Personal Data register, educate Personal Data
Handlers and Data Processors and update your Data Protection policies
and Privacy Notices. Each of these activities are explained in more detail
below.

Activity A: Obtain the buy-in of key business stakeholders

The importance of obtaining buy-in from your Senior Management and

Executive teams should not be underestimated when embarking on any
organisation-wide initiative. In a GDPR context, the ongoing cooperation
of key business stakeholders is fundamental to the overall success of the
GDPR program.

The substantial financial sanctions4 associated with GDPR non-

compliance, should assist in getting the attention of your Senior
Management and Executive teams. It is in their best interest to ensure that
the risk of GDPR non-compliance features prominently on your Corporate
risk register.

It is encouraging that several Data Protection Authorities have already

reinforced the importance of making senior business stakeholders aware
of the requirements of GDPR. In their GDPR guidance, the UK, Belgium and
Hungry5 are all recommending a focus on stakeholder awareness as the
first step on your journey towards GDPR compliance.
.

4
https://united-kingdom.taylorwessing.com/globaldatahub/article-enforcement-sanctions-under-gdpr.html
5
http://advocatus.dlapiper.hu/?p=1898
 08

It is important to look broadly across your organisation to ensure that you

identify and educate all relevant stakeholder groups. Stakeholders from
Customer Relations, Human Resources, Marketing, Procurement, Systems
Development, IT, Information Security, Legal, Risk and Compliance are
obvious candidates for inclusion. In addition, you should consider other
business functions specific to your industry, such as Engineering, Research &
Development and Manufacturing.

There are various approaches that can be taken to achieve stakeholder

awareness, education and buy-in. The one chosen will depend various factors
such as your organisation size, company culture, local or global reach and the
number of Data Protection personnel your organisation has at
its disposal.

If you are a local or regionally focussed company with a relatively small number
of staff, you might prefer to engage in-person with your Senior Managers and
Executives regarding GDPR. If, on the other hand, you are a large multinational
organisation with thousands of globally distributed staff you may choose to
leverage web-based GDPR awareness and educational content that is now
available from some eLearning vendors.

Activity B: Establish your GDPR readiness program team

Before you embark on your GDPR compliance program it is critical that you
clearly define the roles and responsibilities of the personnel tasked with its
delivery. The appointment of a Board level program sponsor, a high-ranking
Data Protection Officer (DPO) and an experienced compliance program
manager would be an ideal way to get the ball rolling.

There are circumstances in which organisations must appoint a Data

Protection Officer (DPO). This is the case if your organisation is a Public
Authority, carries out online behavioural tracking or conducts large scale
Processing of Special Categories of Data. Even if your organisation is not
obligated to appoint a DPO, you must still ensure that you have deployed
sufficient staff with the appropriate skills to meet all requirements of the GDPR.

Only once you have a formal GDPR program team in place, clear goals
outlined, key milestones defined, measurable objectives set, key milestones
defined, adequate budget assigned and resources are fully engaged, are you
truly ready to embark on your GDPR journey.
 09

PHASE I: Prepare

Activity C: Identify and assess relevant business functions

Expecting to successfully deliver any project, compliance related or

otherwise, without identifying all the in-scope business functions or
consulting the people who perform the operational tasks involved, is
a mistake common to many organisations. This is typically a result of
incorrect assumptions made by those in charge of managing the project
or business managers assigning inexperienced operational personnel to
work on the project. Regardless of the reason, failure in this regard makes it
impossible to deliver a successful GDPR compliance program.

To successfully identify all the relevant key business processes and

understand the information life cycle (collection, Processing, storage
and transfer) of the Personal Data associated with those processes,
organisations must be prepared to commit the time of experienced
personnel. Assigned personnel will need to participate in an assessment of
the privacy risks related to the Personal Data Processing activities that have
been identified. Establishing a risk threshold is an important step in the
assessment process as it allows you to quickly focus on and further assess
at an appropriate level, the areas of greatest risk.

Having identified and assessed the key risk areas across your business
functions, you are now in a position to define and prioritise a set of
remediation actions based on the compliance gaps uncovered. Each of
these remediation actions must be well defined, have a specific deadline,
be adequately resourced, have clear ownership and be tracked through to
completion.
 10

Activity D: Identify and assess in-scope Third Party Processing activities

The process described here for identifying and assessing the Personal Data
Processing activities of your Third Party Data Processors, such as business
partners and service providers, is similar to Activity C. However, there are
number of considerations, specific to engaging with and managing Third
Parties, that do not apply to internal business functions.

Identifying the relevant stakeholders within the organisational structure of your

Third Parties is the first step. Depending on the type of relationship you have
with them, this may or may not be a straight-forward exercise. If you are not
getting adequate engagement from your Third Parties, it is important that you
initiate the agreed contractual escalation process sooner rather than later. This
is to ensure that any associated delays don’t leave insufficient time to identify
and assess the Third Party Processing activities and carry out any remediation
activities necessary to meet your GDPR readiness deadlines.

One of the key changes that GDPR brings for all Data Processors is a level
of direct accountability and liability which does not apply under the current
EU Data Protection Directive. In addition, the GDPR imposes significant new
requirements6 that must be included by Data Controllers in all Personal
Data Processing agreements (including existing agreements that extend
beyond May 2018). This will lead to the negotiation of Processing agreements
becoming more complex and Data Processors being more careful about
agreement terms and the scope of the Data Controller’s instructions. The end
result being a high likelihood that you will need to re-negotiate at least some of
your existing Personal Data Processing contracts.

Having identified and assessed the in-scope Third Party Processing activities,
you are now in a position to define and prioritise a set of remediation actions
based on any identified compliance gaps.

6
http://www.whitecase.com/publications/article/chapter-11-obligations-processors-unlocking-eu-
general-data-protection
 11

PHASE I: Prepare

Activity E: Establish a central Personal Data register

The assessments carried out for the key business processes of the relevant
business functions and Third Party Processing activities will have established
answers to the following list of information gathering questions.

• What data is being collected?

• From whom is data collected?
• Why is the data being collected?
• How is the data being processed?
• What is the legal basis for each processing operation?
• Where is the data being stored?
• How long is the data retained?
• Who has access to the data?
• To where and to whom is the data being transferred?

The answers gathered need to be collated to form a comprehensive Personal

Data register. The register becomes your centralised ‘single source of truth’
detailing the characteristics and Processing activities for all Personal Data
which your organisation is ultimately accountable. The register must be
regularly checked and updated to ensure its integrity over time. It would also
be beneficial to build a data flow map based on the register contents to
provide a visual representation of the various flows of Personal Data both
internal and external to your organisation.
 12

Activity F: Distribute updated Data Protection policies and Privacy Notices

The GDPR states that all organisations must implement appropriate Data
Protection policies outlining the technical and organisational measures
needed to ensure that Personal Data Processing is performed in accordance
with the Regulation. In addition, you must provide Privacy Notices as a
means of being transparent, with your customers, ensuring that they know
how their information will be used.

It is important that updates to your Data Protection policies and Privacy

Notices are made after identifying and assessing the Personal Data
Processing activities of your business functions (Activity C) and Third Party
Data Processors (Activity D). Without doing so, it will prove very difficult to
obtain a complete view of the content requiring inclusion in your policies
and Notices. The example scenarios below are provided to further illustrate
this point.

Example 1:

In this example we focus on the information collected from assessments that

relating to the purpose of data collection. Purposes of collection may include
provision of goods or services, direct marketing activities, legal obligations,
etc. Without knowing the reason behind collection you cannot establish
a definitive legal basis justifying that Processing. This then means you are
unable to ensure all appropriate information is included in the Privacy Notice
you provide to your customers.

Example 2:

In this example we are looking at the information collected from

assessments that relates to data transfer. Without knowing the details of
what data is being sent to and Processed by Third Parties, you cannot
ascertain the extent of Third Party Processing being performed on your
behalf. Without this information, you cannot be sure that your Data
Protection policy adequately defines the rules to be followed when
interacting with your Third Party Data Processors.
 13

PHASE I: Prepare

Activity G: Educate internal Personal Data Handlers and external Data Processors

Providing meaningful education to Personal Data Handlers across your organisation

is critical to ensure that they fully understand their role in achieving and maintaining
GDPR compliance. The training offered needs to enable them to:

• Identify the Personal Data under their control.

• Understand how and why Personal Data Processing is taking place.

• Protect the Personal Data from an Information Security perspective.

• Deal appropriately with Data Subject requests.

• Respond promptly to any suspected Personal Data Breaches.

As discussed in Activity A, it may be feasible to engage and educate a limited

audience such as key business stakeholders on a face-to-face basis. However, doing
so for Personal Data Handlers and Data Processors, who represent a much broader
user population is unlikely to be practical. Organisations may be better placed looking
to vendors who can deliver web-based GDPR training courses to a decentralised
global audience.

The approach you take with regard to education of your Third Party Data Processors
requires additional consideration. Given that the GDPR now clearly imposes legal
obligations directly on Data Processors and liability exists where a Data Processor has
acted outside or contrary to the lawful instructions of the Data Controller, the Data
Controller could take the view that all responsibility for GDPR compliance (including
education) lies solely with the Third Party. While this approach may be considered
prudent from a legal point of view, Data Controllers need to think carefully about this
as they could easily come to regret taking a such a stance. At the end of the day, it is
the Data Controller’s reputation, arguably its greatest asset, that is ultimately at stake.
 14

At a minimum, Data Controllers should offer the following list of basic training
elements to any Third Party Data Processor who is Processing Personal Data on
its behalf:

• The need to act solely on the Data Controller’s documented instructions.

• The confidentiality obligations applicable to Data Processor staff

charged with Processing Personal Data.

• The security practices necessary for protecting (in an equivalent manner

to that of the Data Controller), thePersonal Data being processed.

• The rules to be followed regarding appointment of sub-processors.

• The provision of assistance to the Data Controller in complying with

the rights of Data Subjects.

• The return or destruction of Personal Data at the end of the relationship.

• The provision of any information needed by the Data Controller, to assist

them in demonstrating compliance with the GDPR.
 15

PHASE II: Operate

This phase of the life cycle addresses the need to define and embed
procedures that enable staff who handle Personal Data to carry out
their duties in an efficient and compliant manner. The GDPR requires not
just that your Personal Data Handlers perform their duties in alignment
with GDPR obligations, but that there is also a record maintained of their
decisions and actions in relation to carrying out those duties.

Given the substantial GDPR obligations (e.g. Data Subject rights, data
transfer rules, lawful Processing) that relate to the operational handling of
Personal Data, it is critical that front-line staff are provided with targeted
and specific procedural guidance for Personal Data Processing.

Activity H: Disseminate and maintain external Privacy Notices

The GDPR emphasises the need for transparency in relation to the use
of Personal Data by organisations. An individual’s right to be informed
requires that organisations provide ‘fair processing’ information to their
customers and employees via a Privacy Notice.

The ‘fair processing’ information that must be provided is extensive and

includes items not currently mandatory under the EU Data Protection
Directive. Examples include:

• The legal basis for Processing.

• The categories of Personal Data being Processed.

• Details of any Third Party recipients.

• The intended retention period.

• The logic associated with any automated decision-making

being undertaken.
 16

The information supplied and when to supply it can also vary based on whether
you have obtained the Personal Data via direct (i.e. from the Data Subject) or
indirect means.

Responses received from the Business Functions and Third Party Processing
assessments completed during the Preparation phase will assist in supplying
the correct information in Privacy Notices. Such Notices must remain accurate
and up-to-date to reflect any new or amended Processing activities. A revision
history is also required to clearly establish which version of a Privacy Notice was
in operation at any point in time. This can prove very useful when determining
how best to deal with Data Subject requests.

Integrating the external publication of your Privacy Notices with your internal
Policy Management system is a very effective method of managing your Privacy
Notice revision process. There are vendors emerging who plan to offer this type
of functionality.

Activity I: Justify and record lawful Processing mechanisms

One of the fundamental requirements of GDPR is the need to establish, justify

and document the legal basis for the Processing of Personal Data. The legal
basis will vary based on the nature of the Personal Data being Processed. As
an example, the Processing of Special Categories of data requires explicit Data
Subject consent to be obtained.

It is also important to note that the legal basis chosen for Processing can
have an effect on Data Subject rights. For instance, if you rely on obtaining an
individual’s consent to Process their Personal Data, they will then have the ‘right
to erasure’ available to them.

Determining the legal basis by which your organisation will Process Personal
Data is typically something undertaken by the legal team in partnership with
key GDPR business stakeholders. Such decisions must have clear justification
and are well documented. An example of this is where Legitimate Interests is
used to justify the Personal Data Processing. In this case, a record needs to be
maintained describing the assessment carried out to balance of the Legitimate
Interests of the Data Controller and the rights of the individual.
 17

PHASE II: Operate

Although a lot of the initial work will be carried out by the legal team, there are
also situations pertaining to lawful Processing where your front-line Personal
Data handling staff have a role to play. For example, the further Processing
of Personal Data for new purposes requires that front-line staff be trained to
identify scenarios where further Processing may be incompatible with the
original lawful Processing mechanism. Ideally, they will also be given clear
guidance that allows them to establish whether or not the proposed further
Processing is legitimate, removing the need to refer to your legal personnel.

Activity J: Process and record Data Subject rights requests

The GDPR significantly increases the rights of individuals and as a result,

organisations will see an increase in requests and complaints from Data
Subjects. Organisations are obliged to respond to such requests within one
month, unless they are manifestly unfounded, excessive or a National legislative
measure has been introduced allowing the access to be refused.

Under the current EU Data Protection Directive, requests from Data Subjects
have been focused on the ‘right of access’ and are commonly referred to as
Subject Access Requests or SARs. The GDPR expands the access rights of Data
Subjects and introduces an array of new and enhanced rights as described in
the table below. Under GDPR, referring to the broad array of requests that may
come from Data Subjects as Data Subject Requests or DSRs rather than SARs
would seem more appropriate.

Data Subject Right Changes under GDPR

The right of access The GDPR expands the mandatory categories of information which
must be supplied in connection with a Data Subject access request
including information about a Data Subjects right to complain to the
Data Protection Authority (DPA).

The right to erasure The GDPR creates a broader right to erasure such as where the
Personal Data is no longer needed for its original purpose or where
the lawful basis for the Personal Data Processing is the Data
Subject’s consent.
 18

The right to restrict Processing Under the GDPR, there are a much broader range of circumstances
in which Data Subjects can require that the Processing of their
Personal Data be restricted. Examples include the accuracy of the
Personal Data being contested or the Personal Data is no longer
needed for its original purpose.

The right to data portability A new right under GDPR which provides Data Subjects the right to
receive a copy of their Personal Data in a commonly used machine-
readable format, and have their Personal Data transferred from one
Data Controller to another.

The right to object The GDPR now puts the obligation on the Data Controller as it
requires the Data Controller to cease Processing unless it can
demonstrate that it either has compelling grounds for continuing
the Processing, or that the Processing is necessary in connection
with its legal rights.

The right to rectification As per the current EU Data Protection Directive, Data Subjects
have the right to rectification where their Personal Data is shown to
be incorrect.

Organisations should ensure all staff who Process Personal Data

are appropriately trained, allowing them to quickly recognise, and
appropriately respond to, rights requests from Data Subjects. The use of
decision trees7 can aid the provision of guidance to front-line operational
staff. They are an effective decision support tool because they are simple
to understand and therefore require minimal training. An example of a
decision tree is provided in Activity K below.

7
https://en.wikipedia.org/wiki/Decision_tree
 19

PHASE II: Operate

Activity K: Validate and record Third Country data transfers

The GDPR restricts the transfer of Personal Data to recipients located outside
the European Economic Area (EEA). These locations are referred to as Third
Countries. Unless one of the following conditions can be met, the transfer of
Personal Data to Third Countries is prohibited:

• The European Commission has deemed the Third Country

jurisdiction adequate.

• The organisation transferring the Personal Data puts in place

appropriate safeguards (e.g. model clause contracts).

• A derogation or exemption applies (e.g. consent, vital publ interests).

The GDPR retains the current EU Data Protection Directive transfer

mechanisms pertaining to the above conditions, but it also provides
additional mechanisms, including DPA clauses, codes of conduct,
certifications and a new derogation for the purposes of Legitimate Interests.

Understanding the appropriate use of the available lawful Personal Data

transfer mechanisms is essential for all organisations that wish to carry out
transfers of Personal Data to Third Countries. These can prove tricky for
your front-line operational staff to navigate, particularly in relation to ad-
hoc data transfers. As with the handling of Data Subject requests discussed
in Activity J, decision trees are also suitable in the case of Personal Data
transfer decisions. Provided below are screen shots that illustrate how a
decision tree approach could work in practice.
 20

Data Recipient Location Personal Data Test

Countries that make up the European Economic Area (EEA): Personal data is any information by which a living individual is identifiable, either
directly or indirectly. An individual is identifiable if you have distinguished that
Austria Finland Lithuania Slovenia individual from other members of a group. This can be done in a ‘direct’ or ‘indirect’
Belgium France Luxembourg Spain manner. In some cases there is no question that an individual can be ‘directly’
Bulgaria Germany Malta Sweden identified. A government issued ID, for example, is explicitly and uniquely personal
Croatia Greece Netherlands United Kingdom and would always be considered personal data. In other cases, a combination of
Republic of Cyprus Hungary Poland Iceland data is required for the data to be deemed personal data. Importantly, the data
Czech Republic Ireland Portugal Liechtenstein does not need to be already combined, there just needs to be a possibilty for it to
Denmark Italy Romania Norway become combined at some point in the future.
Estonia Latvia Slovakia
Watch this video:

Is the intended data recipient located in one of the European

Economic Area counties listed above?

Yes

No

Special Categories of Data (Sensitive Data)

Based on the information provided above, do you believe the
Special Categories of Data (Sensitive Data) as defined in the General Data Pro- data you intend to transfer to be personal data?
tection Regulation (GDPR) includes:

• Racial or ethnic origin Yes

• Political Opinions
• Religious or philosophical beliefs No
• Trade union membership
• Data concerning health or sex life and sexual orientation
• Genetic data
• Biometric data where processed to uniquely identify a person

Explicit Consent and Possible Risks Notification

IMPORTANT NOTE:
Check to see if any relevant National (Member State) variances are currently in
force pertaining to the transfer of Special Categories of Data (Sensitive Data).

Has the Data Subject provided explicit consent for this data
transfer and have they been informed of all the possible
associated risks?
Does the data that you intend to transfer contain any of the
Special Categories of Data (also known as sensitive data) Yes
listed above?
No, Contact DPO.
Yes

No
Formally record details of the transfer (including justification) and
proceed with data transfer ensuring application of all necessary
technical protection measures

· Replace with URLs linking to Organisational procedures for:

· Regarding details of data transfers
· Recording justification of data transfers
· Secure transfer of data.
 21

PHASE II: Operate

Activity L: Report and manage Personal Data Breach incidents

The GDPR defines a data breach as “a breach of security leading to the

accidental or unlawful destruction, loss, alteration, unauthorised disclosure
of, or access to, Personal Data transmitted, stored or otherwise Processed”8.
The GDPR also specifically sets out that each event must be documented
“comprising the facts relating to the data breach, its effects and the
remedial action taken”8.

To satisfy the GDPR, organisations will likely need to update their data
breach identification systems, notification procedures and response plans.
The GDPR prescribes criteria regarding the need for notification, to whom
notification should be provided, when notification should occur and
what information should be included. A summary of the requirements is
provided in the table below.

Given the complexities and sensitivities associated with Personal Data

Breach identification and handling, it’s important that your front-line
operational staff are familiar with your breach management procedures.
Clear guidance for applying the procedure must be provided to allow
staff to easily identify a breach, take prompt and appropriate action, and
record all necessary information pertaining to the incident. The use of a
decision tree in combination with a Incident Management tool would serve
you well for identifying, reporting and managing data breach incidents.

8
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
 22

Determination for Risk Category Breach Notification Timeline for Minimum Required
Notification Examples Recipient Notification Breach Information for
Notification
Where the breach is likely • Individuals Supervisory 72 hours • Description, in clear
to result in a risk to the deprived of Authority and plain language,
rights and freedoms of rights and of the nature of the
individuals freedoms; Personal Data Breach.

• Special • Details of the categories

Categories of of Personal Data involved
Data and an approximate
number of the Data
• Processing to Subjects concerned
create or use
profiles

Where a breach is likely • High likelihood Supervisory Without • Description, in clear

to result in a high risk to or severity of Authority undue delay and plain language,
the rights and freedoms risks stated of the nature of the
of individuals above Affected Data Personal Data Breach
Subject
• Large-scale • Details of the categories
Processing of Personal Data involved
of Special and an approximate
Categories of number of the Data
Data Subjects concerned
•
• Systematic • Name and contact
and/or details of the Data
extensive Protection Officer or
automated other contact from which
profiling more information can be
obtained

• Details of the likely

consequences of the
Personal Data Breach

• Information as to
the measures taken or
proposed to be taken
to address the Personal
Data Breach
 23

PHASE III: Maintain

This final phase of the life cycle incorporates a series of recurring activities that
address the need to evidence accountability with GDPR on an ongoing basis.

As mentioned earlier, the European Data Protection Supervisor (EDPS)

has stated that accountability involves assessing your organisation’s
implementation of GDPR and demonstrating, to external stakeholders and
Data Protection Authorities, the quality of that implementation. The ability
to demonstrate the quality of your GDPR implementation requires forward
planning regarding the areas that need to be assessed and the performance
metrics that will be used to measure and evidence effectiveness.

Activity M: Evidence understanding of Data Protection policies

Having the ability to demonstrate a quality implementation with regard to

your Data Protection policies requires that you evidence:

• The dissemination of up-to-date Data Protection policies that have

been approved by senior management.

• Effective staff awareness and training for all people in the organisation
on how to comply with the policies.

Previous to GDPR, showing that you have disseminated policies to staff and
obtained basic confirmation from them that they have read those policies was
once widely accepted as best practice. This will no longer be the case. You will
need to show that you have targeted relevant training material to the correct
audience in a way that fits your organisational culture.

Metrics are a good way to measure the success of your awareness and
training program. The table below shows examples of how you could
demonstrate that the GDPR requirements have been met.
 24

GDPR Requirement Target Audience Related Training and Metrics

Awareness Content

Personal Data
Management

External Data

Procurement
Processors
Handlers

Maintain a policy that Data Protection policy Improving results

addresses Data Protection for policy related
for all staff knowledge assessments

Implement a formal Personal Data Breach Increase in reporting

awareness program to notification procedures of Personal Data
make all personnel aware related issues
of Personal Data Breach Personal Data Breach
handling procedures management policy Decrease in Personal
Data Breach incidents
Personal Data Breach and near-misses
response plan

Maintain and implement Third Party management Decrease the number

policies and procedures and monitoring policy and severity of audit
to manage Third Parties findings associated with
with whom Personal Data Third Party risk assessment Third Party Processing
is shared, or that could procedures
affect the security of
Personal Data
 25

PHASE III: Maintain

Activity N: Ensure the ongoing integrity and quality of the Personal Data
Processing register

The GDPR requires that Personal Data is “limited to what is necessary in

relation to the purposes for which they are Processed”8. In other words,
organisations should collect only the Personal Data they really need and
should keep it only for as long as is absolutely necessary.

It is estimated that data quality (i.e.completeness, validity, and accuracy)

of Personal Data deteriorates, on average, at a rate of 15% per year9.
Compounding this issue is the fact that most organisations store far more
Personal Data than they actually require in the form of duplicate and
out-of-date data. As such, there is an obvious need for organisations to
regularly review, update and purge their Personal Data register. Focussing
efforts on the identification of Personal Data that can be disposed of, has
the added benefit of vastly reducing the storage costs associated with
retaining data unnecessarily.

There are several existing data mining vendors who are evolving their
product offerings to allow for the automated discovery of the Personal
Data. Whilst beneficial for some organisations in identifying previously
unknown repositories of Personal Data, such products should not be
regarded as a panacea. Engaging the front-line staff who perform the
Personal Data related operational tasks will always yield the most insight.
This can be effectively accomplished through the distribution of intuitive
questionnaires to a carefully selected audience of business process
owners, Personal Data Handlers and Third Party Data Processors.
The feedback from these questionnairescan then be used to directly
update the related data elements in your Personal Data register.

9
http://www.bloorresearch.com/research/spotlight/the-data-management-implications-of-gdpr/
 26

Activity O: Trigger impact assessments for business change events

The GDPR mandates that organisations have procedures in place that define
when Data Protection Impact Assessments (DPIAs) need to be initiated in relation
to business change events. Examples of business change events include:

• Development projects relating to new business systems or processes.

• Operational unit changes to existing business systems or processes.
• Procurement that involves, Third Party access to or Processing of,
Personal Data.

Trigger points (or thresholds) are a good way of capturing any new project
or process re-design activities involving Personal Data. They can be built into
existing project management methodologies or introduced as part of legal,
procurement and finance review procedures.

The DPIA process must allow the Data Controller to assess the impact of, the
new or altered Processing operations, on the protection of Personal Data. As a
minimum the DPIA process should deliver:

• A systematic description of the Processing and its purposes.

• An assessment of the necessity and proportionality of the Processing.
• An assessment of the risks to the rights and freedoms of Data Subjects.
• The measures envisaged to address the risks.

The Data Protection risks that are identified as part of a DPIA process must be
prioritised and then have remediation plans agreed which are tracked through
to completion. To facilitate continuous improvement, it is also beneficial for
organisations to identify and treat similar Data Protection risks consistently, which
in turn allows for the remediation approach to be applied to subsequent DPIAs.
 27

PHASE III: Maintain

Activity P: Verify compliance of Third Party Personal Data Processing activities

Organisations need to establish an ongoing due diligence process to verify

that the operational behaviours of Third Parties, such as suppliers and
service providers, are in line with contractual agreements. To streamline
this process, organisations should establish a risk threshold that drives the
ongoing compliance monitoring efforts from a timing, frequency and scope
perspective. The level of compliance monitoring applied is then based on the
risk rating assigned.

For ‘low’ and ‘medium’ risks that are identified, a desktop audit will likely suffice.
A practical and efficient approach to take here, is the redistribution of the
initial Third Party Processing assessment requesting that the Third Party
make updates:

• Highlighting any changes to their Personal Data Processing activities.

• Providing evidence of the operational effectiveness of the controls in

place to meet contractual requirements.

• Highlighting any known compliance gaps in reference to the

contractual requirements.

For ‘high’ risks that are identified, you will likely want to perform an in-person
audit or have an external body do it on your behalf. It is important to ensure
that the auditor is well trained and understands how the requirements of GDPR
apply to the specific Third Party relationship being audited.

Irrespective of the risk rating and the approach taken, a review of the contract
should also be included to ensure:

• It remains fit-for-purpose from an organisational perspective, taking into

account any new or changed business requirements.

• It is amended to address any issues you may have uncovered when

soliciting feedback from internal stakeholders.
 28

Activity Q: Demonstrate effectiveness of Personal Data handling practices

Evaluating the effectiveness of Personal Data related operational practices is very

important as a means of evidencing accountability with GDPR. In addition to
demonstrating effectiveness, it shows a commitment to ongoing improvement.
A layered evaluation approach is considered best practice as it provides multiple
tiers of defence. As an example, an evaluation may consist of the following layers:

• Business process owner self-assessment.

• Internal audit review of business unit compliance.
• External party audit of organisation compliance.

Benchmarking is an excellent means of visualising the effectiveness of your

operational practices. As an example, your benchmarking could:

• Compare the results against previous assessments and audits.

• Make comparisons of operational compliance across business units.
• Measure the organisation’s operational performance against peer
organisations.

Performance metrics can also prove valuable for demonstrating the continued
improvement of your Personal Data related operational practices. For example,
you could develop specific performance targets for the metrics listed below.

• Satisfactory resolution of Data Protection complaints.

• Timely handling of Data Subject requests.
• Personal Data Breaches managed in line with document procedures.

By carrying out regular evaluations and collating benchmarks and performance

metrics, you stand ready to evidence accountability to your senior management
team, Data Protection Authorities and other external stakeholders.
 29

List of Definitions

Definition Meaning

Data Protection The process of safeguarding Personal Data from unauthorised

or unlawful disclosure, access, alteration, Processing, transfer
or destruction.

Data Controller A natural or legal person, Public Authority, agency or other body
which, alone or jointly with others, determines the purposes and
means of the Processing of Personal Data.

Data Processor A natural or legal person, Public Authority, agency or other body who
Process Personal Data on behalf of the Data Controller.

Personal Data Any information (including opinions and intentions) which relates to
an identified or identifiable natural person.

Personal Data Handlers Staff of the Data Controller who have been given responsibility for
handling Personal Data as part of their operational activities.

Third Party Any outside organisation with which your organisation has either
previously, or currently conducts business. Such organisations can
include business partners, vendors, suppliers and service providers.

Special Categories of Data Personal Data pertaining to or revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, trade-union membership;
data concerning health or sex life and sexual orientation; genetic data
or biometric data.
Privacy Notice A statement or document that discloses the ways an organisation
gathers, uses, discloses, and manages a customer or client’s
Personal Data.

Data Subject The identified or identifiable natural person to which the data
refers. Examples of Data Subjects include customers and web users,
individuals on e-mailing lists or marketing databases, employees,
contractors and suppliers.
Legitimate Interests A lawful means for organisations to Process Personal Data without
obtaining consent from the Data Subject. However, the interests of the
Data Controller must be balanced with the interests and fundamental
rights and freedoms of the Data Subject.
Third Country Any country not recognised by the European Commission as having
an adequate level of legal protection for the rights and freedoms of
Data Subjects in relation to the Processing of Personal Data.
 30

Definition Meaning

Process, Processing, Processed Any operation or set of operations performed on Personal Data
or on sets of Personal Data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment
or combination, restriction, erasure or destruction.
Contact Information
MetaCompliance
The City Arc
89 Worship Street
London
EC2A 2BF

T: 0207 917 9527

E: info@metacompliance.com
W: www.metacompliance.com