The General Data Protection Regulation (GDPR) hasn’t been a stranger to news headlines lately, and rightfully so. It’s reshaping the way businesses manage their data, and though it is currently an EU law, it affects any business that deals with data coming from its European-based customers. So, as you can imagine, it’s a pretty big deal for many of today’s organizations, and with the May 25 deadline in clear view, it’s officially crunch time.
The 4-step Plan
Step 1: Define reference data for DPIA and record of processing activity
This process includes identifying and defining reference data and a valid list of values for critical GDPR elements such as data categories, data subjects, and legal basis, which will be used by every step in the compliance process.
a.) Catalog and classify data categories- Create a glossary of your data categories and elements. Classify the items in this glossary according to their high-level GDPR category (i.e. special, sensitive, personal, etc.) with the help of your legal and compliance team.
b.) Identify data subject categories- Designate the categories of individuals whose data is processed within your organization. Example: employee, customer, student, consultant, etc.
c.) Legal and compliance approvals- Define and gain approval of the valid values for legal basis, ranges of information volume, processing category, risk level, criticality level, and type of consent from your legal and compliance teams.
There are additional tasks you can complete either prior to or following the three items above. These include the collection of legal entities, agreements with third parties, and software platforms, databases, and applications which process personal data within the organization.
Step 2: Prepare record of processing activities
The second portion of this process is the most time-consuming for most organizations; however, it’s crucial to follow these steps to build a foundation for the rest of your GDPR project and mitigate issues closer to the deadline.
a.) Document your enterprise business process- Create a comprehensive list of all your business processes that have any kind of relationship with personal data and collect the information required for prioritization. This will serve as a base for this project.
b.) Document your purpose of processing- Identify and document your purpose of processing activity.
c.) Assessment of risk elements- Identify the risk elements and the level of risk (check guidelines and policies on when a DPIA is required) to determine whether a data protection impact assessment (DPIA) is required. This will also be useful in determining prioritization.
d.) Capture DPIA requirements- Document the process steps to outline how to conduct impact assessments for programs, processes, and systems.
e.) Demonstrate how to complete the DPIA- Arrange workshops and trainings to demonstrate the DPIA process to the individuals who will be responsible for completing one.
f.) Demonstrate how to complete the processing activity template- Schedule these workshops to demonstrate how to use and populate the personal record inventory.
g.) Conduct DPIA for high-risk business processes- Initiate DPIAs for the high-risk processes, which are prioritized based on their determined classification, criticality, and business value.
h.) Send processing activity templates to business process owners- Share these templates to be completed by the business owners and stewards as part of DPIA.
i.) Capture high-level data flows for processing activities- This includes determining which data is processed and consumed by the processing activity.
Step 3: Assess external risk
This step focuses on assessing risk with your third parties. Collect their data and business processes so they can be cataloged and documented clearly.
a.) Determine if external information systems and end-user tools are catalogued.
b.) Catalog the third parties with and without agreements- Identify and catalog the third parties that were not available in the initial inventory and notify the respective parties to collect the required attributes.
c.) Assign a legal basis to each of the business processes- The legal basis will differ depending on whether you are processing special categories of data or sensitive personal data.
d.) Identify operational impact based on legal basis- Each lawful basis will have a different operational impact because it affects which data subject rights can be fulfilled and which cannot.
e.) Conduct software security assessment- Identify and document asset vulnerabilities, threats (both internal and external), etc. These factors are used to assess risk. The risk responses should then be captured and documented.
f.) Third-party risk assessment- Send a risk assessment questionnaire to the relevant third parties and collect the results.
Step 4: Document
The final step in this checklist is all about documentation. Having your policies, subjects’ rights, and remediation plans in place is a key element of GDPR compliance and establishing trust in your data, and it makes communicating this information a more seamless process, as well.
a.) Document the remediation plan for identified risks- Document the remediation plan for each of the identified risks and third parties, as well as out-of-country data transfers. Risk management processes should be established, managed, and shared with stakeholders.
b.) Identify data subject rights that apply to your business- Determine the data subject rights that apply to your business, which can be done by examining the lawful bases for processing on which you rely and listing the data subject rights that align with them.
c.) Document policies and standards- Document the processes for data subject rights, code of conduct, consent management, processing notices, procurement privacy, information security, data quality, data masking, data encryption, and retention policies.
d.) Refine the data breach management framework- This is done to accommodate the timeline (notifications are expected without undue delay and, where feasible, within 72 hours) for reporting breaches (to regulators, credit agencies, law enforcement, etc.), tracking them, and notifying affected individuals, and so that you can establish a process for breach management and the channels through which breaches are reported. This is a very important step in building a breach response infrastructure that facilitates compliance, supports quick assessment of privacy breaches, and designates the individuals responsible for coordinating reporting and notification.
GDPR is a sizable undertaking for organizations of all sizes and industries. Establishing and following a clearly defined, comprehensive plan will help you meet the compliance standards by the deadline and achieve trustworthy, scalable results.
*This document is intended for general informational and educational purposes. The above plan only applies to Articles 5, 6, 30, 32, 33, 34, 35, and 36. The actual sequence of activities and the number of days can vary based on organizational readiness, resource availability, and GDPR expertise. It is not offered as and does not constitute legal advice or legal opinions. Use of any Collibra product or solution does not provide or ensure any legal or other compliance certification and does not ensure that the user will be in compliance with any laws, including GDPR or any other privacy laws.