
Five Phases to Manage EU General Data Protection Regulation Compliance

This guide distills the 200+ page EU GDPR[1] into five discrete phases to help a business achieve and maintain its GDPR compliance. It is designed for professionals across a wide range of functions who will be impacted by the GDPR. You can find a copy of the full GDPR text at: https://gdpr.eu/tag/gdpr/ As with all regulatory matters, please consult with your legal team to ensure your plans are consistent with internal guidelines and requirements.

Building or enhancing a privacy or data protection program requires a lot of work, strategically and tactically. You need to plan for more than the state of the laws today, but also the unexpected. Invest time up-front to perform the proper analysis and planning, so that you can be confident your company's GDPR Compliance Program will efficiently and effectively mitigate risk while meeting business objectives.

GDPR Compliance Roadmap - 5 Phases (figure; only the labels are recoverable)

Phases: BUILD, ASSESS, IMPLEMENT, MANAGE, DEMONSTRATE

Activities shown on the roadmap:

• Identify Stakeholders
• Conduct Data Inventory & Data Flow Analysis
• Level Risk Assessment
• Identify Privacy Lead & Appoint DPO if Needed
• Develop Policies, Procedures & Processes
• Obtain & Manage Consent
• Data Transfers & 3rd Party Management
• Data Necessity, Retention & Disposal
• Conduct PIAs (DPIAs) for Business Processes & Systems
• Internal & External Reporting
• Individual Data Protection Rights
• Data Integrity & Quality
• Evaluate & Audit Control Effectiveness
• Define Program Mission & Goals
• Allocate Resources & Budget
• Communicate Expectations & Conduct Training
• Conduct Organizational
• Physical, Technical & Administrative Safeguards
• Privacy Notice & Dispute Resolution Mechanism
• Data Breach Incident Response Plan
• Certification

[1] In large part the EU GDPR is replicated in the United Kingdom, with most differences at this time being in references to Member States, etc. However, the decisions adopted before the UK exited the European Union (finalized June 30, 2021) and unchanged still apply, as the UK was part of the body that adopted them.

Practical Steps to Manage the EU GDPR
© 2022 TrustArc Inc | US 888.878.7830 | EU +44 (0)203.078.6495 | www.trustarc.com
Table of Contents

Chapter I: Introduction to the EU General Data Protection Regulation (EU GDPR) ... 4
  Who does it apply to? ... 4
  Non-Compliance Implications ... 5
Chapter II: How to Comply ... 6
  Overview – People, Process, and Technology ... 7
  Phase 1 – Build Consensus and a Team ... 7
  Phase 2 – Assess Risks and Create Awareness ... 9
  Phase 3 – Design and Implement Operational Controls ... 14
  Phase 4 – Enhance Controls ... 17
Chapter III: Maintain Compliance ... 19
  Maintaining Records of Processing ... 19
  DPIA/PIA and DPIA/PIA Program ... 23
  Consent ... 27
  Individual Rights ... 30
Chapter IV: Ongoing Compliance ... 33
  Phase 5 – Demonstrate Ongoing Compliance ... 33
Chapter V: TrustArc GDPR Compliance Solutions ... 34
  Phase 1-5 Solutions ... 34
  TrustArc GDPR Compliance Platform ... 38

Chapter I: Introduction to the EU General Data Protection Regulation (EU GDPR)

The EU GDPR is a law designed to enhance data protection for EU residents, people in the EU, and individuals whose data is processed by companies in the EU. It provides a consolidated framework to guide business usage of personal data across the EU, replacing the patchwork of existing regulations and frameworks. The 200+ page GDPR replaced the 20-year-old Directive (95/46/EC). Since it entered into force, there have been innumerable guidance documents, official statements, and court decisions, all of which impact what companies need to do under the GDPR.

Who does it apply to?

The reach of the GDPR extends quite broadly and extends outside the EU depending on certain factors.

Answering these four questions can help determine whether your company is impacted by the GDPR:

• Does my company offer goods and services to people in the EU?
• Does my company monitor the behavior of individuals in the EU (including via technology such as website trackers)?
• Does my company have employees in the EU?
• Does my company have a physical building in the EU?

If the answer is "yes" to any of these questions, the GDPR may apply to your company.

Gaining a comprehensive view on whether your company is involved in any of these activities requires input from different departments within your company. Think broadly – conduct a review with key contacts across departments:

• Engineering
• Human resources
• Information security
• Legal
• Marketing
• Procurement
• Product management
• Website development
• Sales
• IT
• Customer Service
• Compliance

If a department deals with personal data of any kind (employee, contractor, vendor, consumer, or customer), then you need to research further to see if the GDPR applies. In particular, keep in mind that personal data includes business contact information and publicly available information and does not need to have a person's name attached to it. Also, media photos, videos, and biometrics are all personal data under the GDPR.

Some Things to Keep in Mind

• The GDPR protects the personal data of Individuals, which includes anyone physically residing in the EU, even if they are not EU citizens.
• By defining the scope of the GDPR to include monitoring the behavior of Individuals, the applicability is broad and encompassing. Practically every website and app tracks digital activities of its visitors in some fashion.
• The GDPR now extends due diligence obligations and potential liability to Data Processors, not just Data Controllers.
• The GDPR defines personal data fairly broadly. For example, business contact information, such as an individual's work email address, is typically covered by the GDPR.

GDPR Data Controller vs. Data Processor

Who is responsible and for what?

Data Controller – Key Accountabilities

● Implement appropriate and effective measures for compliance
● Demonstrate compliance
● Provide notice to data subjects about processing: who, where, why
● Communicate with regulators about a data breach
● Vet processors
● Approve sub-processors
● Pay fines (if necessary)

Data Processor – Key Accountabilities

● Implement appropriate and effective measures for compliance
● Demonstrate compliance
● Conducts processing on documented instructions
● Person(s) processing committed to confidentiality
● Support controller with breach notification
● Returns or deletes data at request of controller
● Vet sub-processors
● Pay fines (if necessary)

Am I a Data Processor or Controller?

A Data Processor is the entity that processes data on behalf of the Data Controller. For example, a company providing a SaaS-based CRM platform that stores data for its Client, a large bank, would be a Data Processor.

The company that collects the data is the Data Controller. In the example above, the Bank would be the Data Controller.

Non-Compliance Implications

The GDPR comes with significant penalties for non-compliance: fines up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher).

Enforcement examples (callouts):

• Amazon has been fined $877 million
• WhatsApp was charged $255 million
• $102 million for violating consent articles of the GDPR

These penalties do not include any loss of business, loss of brand trust, loss of goodwill that may come along with non-compliance violations, or legal fees associated with responding to an inquiry.

Aside from financial penalties, many businesses will require their vendors to be fully compliant with the GDPR as a condition to doing business. These requirements will typically be part of the RFP process and/or privacy and security audits. Non-compliance could lead to significant loss of business to competitors who are able to demonstrate their GDPR compliance.

Chapter II: How to Comply

For many companies, GDPR was their first foray into privacy compliance; even if the prior directive applied, it was not as extensive and absolute as the GDPR. Despite its complexity and new requirements, complying with the GDPR can be accomplished by following the roadmap outlined below.

Overview – People, Process, and Technology

For all five phases, use a combination of your team, a defined process, and technology tools.

People – Identify the team members who will be responsible for conducting the tasks and whose informational inputs are necessary for a comprehensive assessment. Ensure that everyone involved is trained on the process and technology. Ideally, team members will be well versed in data privacy management requirements and best practices.

Process – Design the workflow of information gathering and identify gaps against the requirements. Leveraging best practices and templates in questionnaire form instead of manual checklists will build efficiency. A business will likely need multiple templates to address different types of risk; however, a single template may be effectively used to address a set of processing operations that present similar high risks.

Technology – Data privacy management technology platforms with built-in digital data discovery, data inventory, DPIA/PIA and assessment templates, cookie consent, workflows, and reporting will enable a team to collaborate, guide the workflow process, serve as the central repository of compliance evidence, and facilitate ongoing periodic audits that reflect business changes.

PHASE 1 – Build Consensus and a Team

Begin by going back to the stakeholders you first spoke to when determining whether the GDPR applies to your company. Key stakeholders may reside in these departments:

• Engineering
• Human resources
• Information security
• Legal
• Marketing
• Procurement
• Product management
• Website development

With help from these stakeholders, you can gain a high-level understanding of your current compliance posture. You need to compare your current practices against a comprehensive list of the requirements, including the following areas:

Collection and Purpose Limitation – Does your company have the right to collect the information it collects, and does it use the information only for those limited purposes?

Does the company have a legal reason defining why the data on or from individuals is processed in any way? The GDPR restricts processing data unless there is a legal basis for doing so.


GDPR Lawfulness of Personal Data Processing

Legal grounds and lawful basis – processing is lawful if at least one of the legal bases below applies:

Consent – The consent of a data subject to the processing of his/her personal data.

Legitimate Interests – There is a weighted and balanced legitimate interest where processing is needed and the interest is not overridden by others.

Public Interest – Public authorities and organizations in the scope of public duties and interest.

Contractual Necessity – Processing is needed in order to enter into or perform a contract.

Legal Obligations – The controller is obliged to process personal data for a legal obligation.

Vital Interests – It is vital that specific data are processed for matters of life and death.

One of the most problematic bases has been "legitimate interests". Relying on this basis means that the company has a legitimate interest in processing the data and its reasons and interests in doing so do not impinge (have a negative impact) on the fundamental rights and privileges of the individuals.

Consent – Does your company obtain the right consent for its data processing activities? Consent is not the ideal basis for processing, as there are additional responsibilities surrounding fully informed consent (and any consent must be fully informed).

Data Breach Readiness and Response – Is your company ready to handle data breaches according to the GDPR's requirements? Breaches must be reported to the data protection authorities within 72 hours.

● Twitter International Company was fined 450,000 Euros for insufficient fulfillment of data breach notifications.

Data Quality – What measures does your company take to help ensure the relevance, timeliness, accuracy, and completeness of the personal information it holds? This includes measures in place to ensure the data is not altered in transmission or at rest without authorization, and even then it should be logged.

Individual Rights and Remedies – A key element under the GDPR is the expansive individual rights comprising the Right to Information, Right to Access, Right to Rectification, Right to Restrict Processing, Right to Object, Right to Erasure, and Right to Data Portability. You should review your company's existing policies, processes, and procedures. In some cases technological changes will need to be made. In others, if granting certain rights would break the underlying database or compromise someone else's rights, you need to document those restrictions. You also need to address the technological infeasibility within the database and see if there is a way to accommodate the request at some level, and see if there is a way to modify the technology to accommodate such requests in the future.[2]

Privacy Program Management – How does your company build, oversee, and demonstrate sound privacy practices?

Security in the Context of Privacy – What technical and procedural measures are in place and designed to protect your company's personal data?

Transparency – How does your company disclose its data handling practices to data subjects?

Identify the Designated DPO

See Article 37

A Data Protection Officer (DPO) must be appointed where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale" or where the entity conducts large-scale processing of "special categories of personal data" (e.g., race/ethnicity, political beliefs, defined in Article 9).

In 2022, 9 out of 10 respondents reported their company has a dedicated privacy office.
2022 TrustArc Global Privacy Benchmark Report: https://trustarc.com/global-privacy-benchmarks-report/

The DPO may be an employee or a third-party service provider (e.g., consulting or law firm), but should be a direct report "to the highest management level" and shall operate with significant independence (i.e., the GDPR expressly prevents dismissal or penalty of the DPO for performance of duties and imposes no limitation on length of tenure). Given the rights and responsibilities assigned to the role, the proper selection of the individual is crucial.

PHASE 2 – Assess Risks and Create Awareness

Conduct a Comprehensive Data Mapping Analysis

See Articles 15; 24; 30; 32

To help ensure you have uncovered all of the risks and appropriately prioritize your plan, you must have a solid understanding of your organization's complete data lifecycle. The process of documenting this lifecycle is referred to as a data inventory analysis or data mapping. This process generally involves:

● Gathering information from key contacts across the company about what information they collect and use, how it's used, where it's stored, how it flows through and out of the company, who has access to it, and what protections are in place at each point; in other words, gather details about data collection, storage, usage, transfer, processing, and disposal
● Documenting this information in the form of inventories of data and visual "maps" of the data movement
● Analyzing risk points and triggers for various GDPR or other requirements

[2] It is widely accepted that backups may not be changed or deleted. Where that is the case, you must account for the technological infeasibility and, if a backup is used to restore the data, delete or change the individual's data once again in the restoration.

Companies surveyed indicated their data discovery and classification initiatives are only 30% complete.
2022 TrustArc Global Privacy Benchmark Report: https://trustarc.com/global-privacy-benchmarks-report/

Conducting a proper data inventory is quite complex even in its simplicity. There is no magic button. Using technology to identify structured data or even unstructured data is a wonderful option, but is not a full data inventory. You need to understand why such data is there, why it was collected and how. So you need to combine the business knowledge and context with the technology. Using the technology to discover data is not required and many companies have succeeded without it. You need to find the option that works for your processes and people.

However, where you capture and store your data inventory is critical. You need to identify your business processes, data elements, and what systems populate or speak to other systems. Where does the data go internally, or rather, who can access that data? Whether the person actually accesses the data is immaterial when they have the ability to do so. You need to identify third parties who are involved in any way with the data, whether vendors, partners, affiliates, government reporting entities, or a parent company. Storing this information and organizing it in a way that is useful to you and facilitates ongoing compliance is one aspect of your privacy program that deserves careful attention.

North American organizations reported using an average of 400+ different data sources in 2019 to feed their business intelligence and analytics. Over 20% of organizations surveyed reported using 1,000 or more data sources.
CIO & Matillion (2019), Optimizing Business Analytics by Transforming Data in the Cloud: https://pages.matillion.com/rs/992-UIW-731/images/Optimize%20Analytics%20-%20Matillion Final.pdf

Getting Buy-In

Winning support requires you to speak the language of the department you are trying to engage. Here are some examples:

● Information Technology: identifying storage redundancies can reduce IT complexity and save IT dollars
● Information Security: understanding what data resides in which systems can help Security prioritize their protection efforts and establish appropriate access controls
● Operations: visualizing flows and uses of data throughout the company can help Operations identify redundancies and improve efficiencies
● Procurement: identifying points at which the company shares information with third-party vendors and understanding the sensitivity of the data being shared can help Procurement approach third-party management and contracts in a risk-based, efficient way

Below is an example of a common data classification schema:

Public (Public) – Risk Level: Low Risk
Definition: Data that has been expressly made public through reporting, disclosures required by law or regulation, or as expressly authorized by the individual or organization to whom those data relate, and the individual has not stated the data shouldn't be used.
Examples: Blogs, address, leadership, open jobs.
Sharing: Publicly okay.

Internal (Non-Public) – Risk Level: Moderate Risk
Definition: Business information that is not generally released to the public but that does not rise to the level of Confidential or Sensitive Data. This information shouldn't be shared without valid reasons.
Examples: Employee handbook, memos, plans for employee event.
Sharing: Internally okay; externally only with Operations approval.

Confidential (Non-Public) – Risk Level: Moderate-High Risk
Definition: Any data that is protected by laws, a contract, or other form of agreement with a third party that protects the data, and for which the loss, misuse, or unauthorized access, disclosure, alteration or destruction is likely to result in less than a high risk for the individuals to whom those data relate, to the party that disclosed the information, and/or to the organizations that process those data. Confidential data also includes corporate information that, if shared outside of the business, could damage the company.
Examples: Policies and procedures, strategic plans, projects, code, and partner development.
Sharing: Internally where required; externally only with NDA and Department approval.

Sensitive (Non-Public) – Risk Level: High Risk
Definition: Any data that is either subject to additional protection or obligations under laws or under a contract or other form of agreement with a third party that protects the data, and for which the loss, misuse, or unauthorized access, disclosure, alteration, or destruction is likely to result in a high risk for the individuals to whom those data relate and to the organizations that process those data. This category includes data on or from children, and special categories of data as designated by certain laws.
Examples: All data on children, account information, government ID numbers, credit card or financial numbers, health information, and race or ethnicity.
Sharing: Internally where absolutely necessary; externally only with NDA and approval by Legal/Privacy or CISO.

Conduct Gap Assessment and Assign a Level of Effort

With the results from your Data Inventory you can now conduct a Gap Assessment and develop a Level of Effort (LOE) Matrix to help prioritize what needs to get done first. The table below illustrates sample Level of Effort (LOE) estimates – Low, Medium, and High – which will help visualize your plan's priorities.

Develop Policies, Procedures, and Processes

Armed with the results of the Gap Assessment and an understanding of the Level of Effort required to address these gaps, assign tasks to each functional area, including a timeline for completion. The risk and level of effort associated with each gap can inform task scheduling, with high-risk items prioritized first and tasks requiring significant levels of effort beginning in advance of easier ones. However, the "low-hanging fruit" can be accomplished quickly and also help the team feel accomplishment and progress.

Most companies will find that policies, procedures, and training are critical components of filling in GDPR compliance gaps. Documenting expectations for employees and vendors, carefully describing how individuals should apply those expectations in their daily work lives, and training individuals to the standards of those expectations are essential to compliance with the GDPR. Remember also that it is not enough to conform to data handling requirements under the GDPR – your company also must be able to demonstrate that it conforms.

High Risk Processing

See Articles 9; 10; 35

EU regulators have identified categories of criteria that are likely to result in high-risk processing that would trigger the need for a DPIA. The table below provides the categories:

● Evaluation or Scoring
● Data Concerning Vulnerable Subjects
● Automated Decision Making with Legal or Similar Significant Effect
● Innovative Use or New Technology
● Interference with Rights or Systematic Monitoring Opportunities
● Sensitive data
● Fundamental Rights or Freedoms of Data Processed on a Large Scale
● Individuals' Datasets that have been Matched or Combined
● Other Likely High Risks to the Personal Nature

Risk Level vs. Level of Effort (matrix figure; axes: Risk Level HIGH / MODERATE / LOW against Level of Effort HIGH / LOW; only the labels are recoverable). Items plotted: Data Lifecycle Management Process; Privacy Audit Program; Vendor Review; Framework Employee Training; Privacy Team; Data Flow Monitoring; Privacy Breach Preparedness; Contract Language for Vendors; Privacy Ownership across Organization; Data Governance Committee; Privacy Team Training.

Communicate Expectations

See Article 39

Building consensus up-front is critical to the success of any privacy program within an organization, especially a program addressing the complexity of the GDPR. Fundamental leadership principles and organizational decision-making must come into play. Given the scope of the GDPR and the high investments likely required to comply, building consensus will be critical to secure funding.

Some companies have hired project managers to drive the privacy projects, which adds a level of dependencies and visual progress against identified metrics.

Make the Case

Approach this process like building any business requirements case, by developing a narrative that shows the pros and cons of making the investment. You should use these key communication strategies to establish a compelling story for your GDPR compliance efforts:

Develop the Pitch

The GDPR Impacts our Company… Posing Threats and Opportunities

● Lost business due to inability to meet customer and partner privacy/security standards
● Loss of goodwill and damage to brand
● Lost business versus companies using strong privacy posture as a competitive advantage
● Fines and/or expenses from responding to regulatory inquiries

Our Company Has Compliance Gaps That Require Remediation

● Initial GDPR Assessment Questionnaire results identified multiple gaps and risks
● Cite any internal history of privacy breaches, regulatory inquiries, or enforcement actions

Our GDPR Compliance Program Will Require New Investments

● Proposed project overview with timeline, methodology, and metrics
● Outline the personnel, tools, training, and new processes required
● Benchmark reports depicting GDPR actions by competitors

Share the Pitch with Key Stakeholders

Facilitate an internal kickoff and ongoing planning sessions with relevant stakeholders across the organization. Include representatives throughout the company, including colleagues at executive and board levels. Build and deliver an engaging presentation leveraging all of the evidence you gathered to tell the story. Involve any department that touches customer or employee data, whether they are on the collection end or simply have access to the data.


At the outset, it will be important to clearly state the goals of the kick-off session. If possible, set goals to establish the following items:

● Formalize the GDPR program team structure, roles, and responsibilities
● Establish the GDPR program as a priority initiative
● Agree on short, medium, and long-term goals of the GDPR program
● Set measurable objectives with success criteria and key milestones
● Secure budget and resources based on Level of Effort estimates

If you are not able to achieve them all, prioritize which ones are most important to get started, then set a date for the others. They are all important.

If your company already has a Privacy Working Group, this campaign would be an add-on to that existing process. If your company does not have a working group, building one now will provide ongoing value for years to come. Schedule ongoing planning meetings with a regular cadence to develop the full plan, implement all required operational changes, and provide a dashboard report on the GDPR program's progress.

If you are new to the formal privacy office realm, you may need to establish a Privacy (or data protection) Steering Committee to organize for the GDPR compliance needs. You need the executives, managers, and key stakeholders to be committed to this effort.

Once everyone understands the urgency, conduct training to help personnel understand what is required and the types of changes your company will be making. It may be easier to start with educating the key stakeholders (which include the executives and managers). They need to understand that GDPR will generally impact the company as a whole, unless you have already done the work to eliminate some areas from the effort. In most cases, however, you want everyone in the company to understand at least the basics at this point.

Sample Training Agenda

• Overview of the GDPR – why it is important and what it requires
• Describe how the GDPR impacts your company
• Discuss the company's GDPR activities and timelines
• Explain how each stakeholder will participate in these activities

After you have completed your plan and achieved organizational support, you can begin to implement the various components required to operationalize your compliance. These will include a range of initiatives, from hiring new personnel and training existing personnel to establishing new processes and implementing new technology.

Many of these items can be completed in parallel, depending on your organization's resources and risk status as outlined in the planning cycle. The time to complete this phase will vary greatly by company size, budget, and compliance gaps.


PHASE 3 – Design and Implement Operational Controls

Mechanisms to Obtain and Manage Consent

See Article 7

Requirements regarding Consent under the GDPR are significantly more robust and are delineated for specific circumstances. The GDPR uses the term "data subject" to refer to the individual whom the GDPR protects. No single group of individuals has an exception: employees are data subjects, contacts with customers or vendors are data subjects.

Informed/Affirmative Consent to Data Processing.
"A statement or a clear affirmative action" from the data subject must be "freely given, specific, informed and unambiguous". While the data subject can affirmatively tick a box, "silence, pre-ticked boxes or inactivity" would be insufficient. Consent must be specific to each data processing operation and the data subject can withdraw consent at any time.

Explicit Consent to Process Special Categories of Data.
Explicit consent is required for "special categories" of data, such as genetic data, biometric data, and data concerning sexual orientation. Make sure you are familiar with special categories of data, because different regions or cultures define sensitive data in various ways.

Explicit Parental Consent for Children's Personal Data.
Affirmative parental consent is required for data belonging to children under the age of consent (16 years). Member states may set a lower age that is not below 13 years. "Reasonable efforts" must be made to verify that the parent or guardian provided proper consent.
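The three consent conditions above can be turned into checks that a consent store runs before a record is treated as a lawful basis. The following is an added illustration, not code from the guide or from TrustArc; the data model, the capture-mechanism names and the list of special categories are assumptions drawn from the text.

```python
"""Consent-record validation: a clear affirmative action (no pre-ticked boxes,
silence or inactivity), one record per processing purpose, consent linked to
the notice that informed it, explicit consent for special categories, verified
parental consent under the age of consent, and withdrawal at any time.
Hypothetical data model; not any product's API."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

# Article 9 special categories; the text names genetic, biometric and
# sexual-orientation data among them (assumed list).
SPECIAL_CATEGORIES = {"genetic", "biometric", "health", "sexual_orientation",
                      "race_ethnicity", "political_opinions"}

# Age of consent for online services is 16; Member States may lower it to 13.
GDPR_DEFAULT_AGE = 16
GDPR_MINIMUM_AGE = 13

# Capture mechanisms that count as a "clear affirmative action" versus the ones
# the text calls insufficient ("silence, pre-ticked boxes or inactivity").
AFFIRMATIVE = {"ticked_box", "button_click", "signed_form", "recorded_statement"}
NOT_CONSENT = {"pre_ticked_box", "silence", "inactivity", "scrolling"}


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: Tuple[str, ...]             # must be exactly one purpose
    data_categories: Set[str]
    mechanism: str
    notice_version: Optional[str] = None  # the notice that made consent "informed"
    given_at: Optional[datetime] = None
    explicit: bool = False                # separate explicit statement recorded?
    subject_age: Optional[int] = None
    parental_consent_verified: bool = False
    withdrawn_at: Optional[datetime] = None


def age_of_consent(member_state_age: int = GDPR_DEFAULT_AGE) -> int:
    """Clamp a Member State's chosen age into the 13..16 range Article 8 allows."""
    return max(GDPR_MINIMUM_AGE, min(GDPR_DEFAULT_AGE, member_state_age))


def validate(rec: ConsentRecord, member_state_age: int = GDPR_DEFAULT_AGE) -> List[str]:
    """Return the reasons this record is NOT a usable basis (empty list = usable)."""
    problems: List[str] = []
    if rec.mechanism in NOT_CONSENT:
        problems.append(f"insufficient: {rec.mechanism} is not a clear affirmative action")
    elif rec.mechanism not in AFFIRMATIVE:
        problems.append(f"unknown capture mechanism {rec.mechanism!r}")
    if len(rec.purposes) != 1:
        problems.append("consent must be specific to a single processing operation")
    if not rec.notice_version:
        problems.append("not informed: no privacy notice version linked")
    if rec.given_at is None:
        problems.append("cannot demonstrate consent: no timestamp")
    if rec.data_categories & SPECIAL_CATEGORIES and not rec.explicit:
        problems.append("special-category data requires explicit consent")
    threshold = age_of_consent(member_state_age)
    if (rec.subject_age is not None and rec.subject_age < threshold
            and not rec.parental_consent_verified):
        problems.append(f"subject under {threshold}: verified parental consent required")
    if rec.withdrawn_at is not None:
        problems.append(f"withdrawn at {rec.withdrawn_at.isoformat()}")
    return problems


def withdraw(rec: ConsentRecord, when: Optional[datetime] = None) -> ConsentRecord:
    """Withdrawal is possible at any time; afterwards the record no longer validates."""
    rec.withdrawn_at = when or datetime.now(timezone.utc)
    return rec


def demo() -> dict:
    """Constructed sample records, one per rule (sample data, not real subjects)."""
    when = datetime(2022, 6, 1, tzinfo=timezone.utc)
    ok = ConsentRecord("s1", ("newsletter",), {"email"}, "ticked_box", "notice-v3", when)
    bundled = ConsentRecord("s2", ("newsletter", "profiling"), {"email"},
                            "pre_ticked_box", "notice-v3", when)
    special = ConsentRecord("s3", ("wellness_app",), {"health"}, "button_click",
                            "notice-v3", when)
    child = ConsentRecord("s4", ("game_account",), {"email"}, "button_click",
                          "notice-v3", when, subject_age=14)
    return {
        "ok": validate(ok),
        "bundled": validate(bundled),
        "special": validate(special),
        "child_default": validate(child),
        "child_state13": validate(child, member_state_age=13),
        "withdrawn": validate(withdraw(ok, when)),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'usable' if not problems else problems}")
```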

Some of the operational aspects that arise with consent include cookie and tracker consent and dark patterns.

Cookies and Trackers

Cookie and tracker consent are not specifically addressed in the GDPR, other than the general requirements for data collection and consent. In fact, the GDPR only mentions cookies once, in Recital 30 (Online Identifiers for Profiling and Identification), which states:

"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

Recital 30 is mapped to Article 4, which contains the definitions.

Cookies

There are common misunderstandings about cookies and the GDPR. One is that the GDPR includes cookie requirements and the other is that the GDPR does not apply to cookies. Neither is true. Cookies are governed under the ePrivacy Directive, which has been undergoing revisions for years to become the ePrivacy Regulation. Cookie and tracker management is becoming increasingly complex, with regulators trying to make it simpler for data subjects (including in the US, not just under GDPR).[3]

Dark Patterns

"Dark patterns" have become a sensitive topic, being the phrase du jour for consent processes where the website has design elements that are intended to manipulate the user (consumer, data subject) into making the choice that the company wishes to be made. Examples include cookie consent banners where the "Accept All" is a big green button and the "Decline All" is in a tiny font, the same color as the general font. Also, using wording that encourages people to agree, such as "Cookies are great, would you share yours with us?" In this one, sharing is a socially encouraged action, thus people are conditioned to share. There are a lot of dark patterns and not just related to cookies.

Start building trust with your consumers by protecting their privacy.

Address International Data Transfer

See Articles 44-50

The GDPR allows for data transfers to non-EU countries by way of mechanisms that provide appropriate safeguards. Under Article 46, appropriate safeguards include: Binding Corporate Rules (BCRs), Model Contract Clauses (MCCs), also known as Standard Contractual Clauses (SCCs), certifications, and legally binding documents and enforceable instruments between public authorities or bodies.

On July 16th, 2020, the European Court of Justice (CJEU) released its highly anticipated decision in Case C-311/18, otherwise known as Schrems II. The CJEU ruled that the EU-US Privacy Shield is to be invalidated. In turn, the Court ruled that the system of Standard Contractual Clauses (SCCs), which allows for data transfers from the EU to third countries, is valid. While the Court ruled that existing SCCs remain valid, supervisory authorities and data controllers must now assess the situation in the destination country on a transfer-by-transfer basis. Companies must also now assess any country to which they send data, especially assessing government surveillance and guaranteed rights and redress for data subjects.

TrustArc can assist you in determining what route is best for you and assist in Privacy Shield Verification for those remaining part of the program, even though it is no longer a data transfer mechanism. GDPR-approved transfer mechanisms include SCCs (which have undergone significant revision, and businesses must have transitioned to the new versions by December 27, 2022), Binding Corporate Rules, codes of conduct, certifications, and derogations.

Depending upon your organization and its goals, there can be benefits and drawbacks of each mechanism. For example, BCRs are often considered the gold standard, but the cost and effort required is prohibitive for some companies. However, the EU has implemented processes that make BCRs not quite as expensive or lengthy as they have been in the past. BCRs are available for both controllers and processors (actually Binding Safe Processing Rules for processors). You can check requirements and companies who are approved here, but there are not very many companies who have chosen to take this direction.

[3] For more information on Cookie Guidance, please see our resources at https://trustarc.com/international-data-transfers/

IndividualDataProtectionRights

SeeChapterIII;Articles12-23

TheGDPRprovidesthefollowingprotectionsforindividualrights,forexample,RighttoInformation,RighttoAccess,Rightto Rectification,RighttoRestrictProcessing,RighttoObject,RighttoErasureandRighttoDataPortability Newprocessesand technologicalcapabilitiesmayhavetobecreatedwithinyourorganizationtoreceive,escalate,andaccommodaterequests pertainingtotheserights

Inordertoprovideindividualrights,youmustknowwherethedataisinyoursystems.Thisrequiresalevelofdatainventoryto identifyrepositoriesandtodetermineifgrantingcertainrightsaretechnologicallyfeasible.Forexample,ifadatasubjectrequests rectification,willchangingthedatabecapturedbyanyAPIstoprocessthechangedownstream?Canthedatabeexportedtodata subjectsforaccessinacommonlyused,machinereadableformat?Willdeletingdatabreakthedatabase?Theseactionsmustbe consideredasawholealongwithpermissibleexceptionsidentifiedandappropriateresponsestodatasubjectsprovided.

Data deletion may have broader implications, especially when considering the data that is in your backup systems. It is usually technologically infeasible to delete personal data from backups. The data protection authorities in the EU have generally recognized this as a legitimate complication. One way to address this appropriately, other than figuring out if the data can be deleted from backup, is to inform the data subject upon a request for deletion that their data has been deleted other than what is in the backup systems. Reassure them that should the data ever be restored from the backup systems, you will "re-delete" their data.

Physical, Technical, and Administrative Safeguards

See Article 32

The GDPR recognizes that sound privacy is not possible without good security. With this in mind, companies must take physical, technical, and administrative measures to keep personal data safe. Though the GDPR does not refer to a specific security standard or certification, as part of its compliance efforts, your company should carefully review security protections and address gaps.

PHASE 4 Enhance Controls

Develop DPIA Program

See Article 35

Conduct a Data Privacy Impact Assessment for any data processing that may result in "high risk".

Each DPIA shall contain:

● A systematic description of the processing operations and their purposes

● An assessment of the necessity and proportionality

● An assessment of the risks

● The measures needed to address the risks


Research conducted by TrustArc showed that the majority of organizations use a risk assessment tool to indicate their privacy program performance.

51% of organizations use Privacy Impact Assessment (PIA) completion rates as a key performance indicator of their privacy program.

2022 TrustArc Global Privacy Benchmark Report: https://trustarc.com/global-privacy-benchmarks-report/

With the increased requirement to do more DPIAs, and be able to produce records on demand, ensure you have an efficient process and a centralized system designed specifically for DPIAs.

If you don't already have a DPIA process in place at your organization, it's critical to start building one so that you can conduct the initial DPIAs and additional DPIAs to cover ongoing changes to the business.

Only 28% of organizations reported having a completed privacy assessment process throughout their supply chain in 2022.

2022 TrustArc Global Privacy Benchmark Report: https://trustarc.com/global-privacy-benchmarks-report/

As you work through the DPIAs and identify compliance gaps and the measures needed to remediate, the next step is to remediate. It's important to document remediation activities and track gap closure in one central place so you'll have accountability-on-demand in the event of an inquiry.

Data Necessity, Retention, and Disposal

See Article 25

Process only the data that you need. Companies should practice data minimization and consider anonymization and pseudonymization techniques after it is no longer necessary to retain or store information in an identifiable form.

Data Integrity and Quality

See Article 32

Maintain assurance that data are not changed without authorization; and take measures to help ensure that data are accurate, relevant, timely and complete.

Build Security and Data Breach Response Plans

See Articles 33-34

Revise information security policies, breach incident response plans and deploy training so that your company can comply with the new 72 hour notification (which applies to notification of the DPA), "without undue delay", for breaches with potential for serious harm.


Chapter III: Maintain Compliance

After your company has taken the time to diligently work through all of the activities in the plan, you will have started to secure GDPR compliance and protect the company's hard-earned brand reputation, goodwill, and business valuation.

Now it's time to maintain compliance by maintaining these activities going forward.

This che[…]ng for your Data Protection Officer (if applicable), and establishing a calendar for review of compliance activities. Third party management should include auditing third parties your company works with and spot checking on-boarding and off-boarding procedures. Additional maintenance can include checking opt-ins, opt-outs, and database quality.

This guide will provide tips on how to maintain the following components of a GDPR compliance plan: maintaining records of processing, conducting DPIAs/PIAs, consent management, and individual rights management.

Maintaining Records of Processing

Article 30 requires companies to produce "records of processing activities", which will allow regulators to see that companies are adhering to GDPR. With this goal in mind, the records should show why and how the data is being processed.

Although May 25th has passed, companies still need to be compliant every day after. A fundamental key to staying compliant is introducing a process.

A process that focuses on how data is collected and why it is collected will help you adhere to GDPR requirements. Strictly focusing on the data elements themselves may cause a company to overlook important elements. For example, if an online clothing retailer collected a customer's national identification number, asking why they need this information would likely tell the retailer it is not necessary to collect that information. Having a process in place helps team members to keep these things in mind.

Follow the Data

Your process should "follow the data" at a high level. Decision trees aren't needed - look at what data is being collected, who is accessing it, and how long it is stored. If you use an IT system oriented architecture map as a starting point, make sure decision trees aren't included. Assume that data will move to the next step because you need to see how the data flows through the organization in order to assess risk.

Tie in Data Inventory Upkeep to Your DPIA/PIA Process

Each time there is a new process or a process change with an organization, vendor, or system, you should update your data inventory. Additionally, changes in practices as reflected in your data inventory may indicate a new high risk processing activity. The key is keeping records up to date and treating them as living documents because this will help in managing data privacy risk profiles. It will also help in identifying changes in processing activities that may trigger high risk, requiring further assessment.

Sample data flow map in TrustArc Data Inventory Hub

TrustArc Data Inventory Hub and Assessment Manager are connected

By creating this process you will be going beyond just checking off checkboxes, you will be implementing a privacy risk program.

Once you have conducted initial required DPIAs, consider touch points in your processes in which the PIA/DPIA process should begin. Some organizations use a business process being classified as "high risk" to trigger a DPIA, but there may be other points at which a risk assessment is useful.

For example, Procurement may trigger a risk assessment whenever a new vendor is being considered. Product Managers may trigger a risk assessment whenever a user story is being considered that impacts personal data.

Best Practice Tip

Don't choose to implement this process at the finish of the project because at that point it will be too late to make changes.

The privacy office should work with the owners of key business processes to determine the factors for when a privacy risk assessment needs to be conducted. Ensure that the risk assessment is being conducted early in the data lifecycle, especially if the organization is collecting or creating new data.

For example, if your company offers a SaaS technology platform for privacy compliance and the product team thinks of a new feature that will be incorporated in a new version of the product, the privacy by design concept that your company follows will make sure that privacy considerations are incorporated into the development.

Technology Can Help

Train your organization's privacy stakeholders on the assessment process. Provide training, technology, and tools needed to implement the processes. Some organizations use data stewards at the business unit or product line level to help ingrain the assessment process throughout all levels of the organization. Data stewards help drive the assessment process by creating the assessment kickoff, updating responses, or responding to gaps identified during the assessment process. Like the stakeholders, the data stewards also need to be trained, have access to tools, and have visibility into the organization to drive these activities.


Test Your Process

After developing a new process, such as tying in data inventory upkeep with your DPIA/PIA process as described above, test that process to ensure it is working. A great way to test your process is by conducting a simulated data breach, with each team member running through his or her role. To respond to the simulated breach the team will have to identify the data that was breached, which will require finding where it was residing and which processes were affected.

These requirements will force the team to see whether information is being kept up to date. For example, would the team be able to identify every vendor that had access to that data? Similarly, many companies find processes that use a particular vendor that may not have been documented. Or, even if processes have been documented properly, a company may realize it requires a more granular level of detail. These simulations should be conducted with a regular cadence.

Best Practice Tip

Simulating a data breach will allow you to test your new program to see whether it's working.

Accountability on Demand

See Article 30

Having up to date business process information will be key to meeting Article 30 compliance report requirements because the company must produce the reports upon request from a Data Supervisory Authority. Maintaining up-to-date and accurate information on your organization's processing will also help to demonstrate accountability that the processing activities are compliant with GDPR. Using an automated solution that can help keep records of these business processes updated and produce on-demand reporting can be helpful.

Meeting Article 30 requirements may require some companies to shift the way they approach looking at how data exists in their organization. Instead of creating static lists of IT applications, mapping business processes can help explain "the how and why" of a company's data processing, thereby making Article 30 reporting easier. Recording information necessary for an Article 30 report while building visual maps of how the data moves throughout the organization is an efficient way to keep track of a company's data flows and better address risk.

In addition, if you are using a technical solution to identify data flows, make sure you incorporate the business knowledge into the process and mapping. A technical solution cannot provide the context in a process. But also, do verify data elements being shared by requiring an actual upload, download, or API form because business owners may think they know what is being shared because they know the data elements that are needed. However, the actual sharing may be quite different. Remember, GDPR doesn't care if a processor or employee doesn't use the data they have access to, only if they have the ability to access it.


Sample Article 30 report in TrustArc Data Inventory Hub

DPIA/PIA and DPIA/PIA Program

Privacy Impact Assessment (PIA)

A PIA is a tool that can be used to identify and mitigate risk associated with a product, service, business process, or other organizational change. PIAs are typically conducted before:

● a new product launches;

● a new business process is implemented;

● new companies are acquired;

● existing products, processes or systems are changed; or

● a company expands the countries in which it conducts business.

Depending upon the level of risk involved, an organization may choose to conduct a more or less comprehensive PIA.

A DPIA is designed to help an organization assess the risk associated with data processing activities that may pose a high risk to the rights and freedoms of individuals.1 The GDPR does not specifically list the types of processing that are likely to result in such risk, however, it does indicate examples of adverse outcomes to individuals that may result from such processing, such as identity theft or fraud, discrimination and financial loss, which are similar to the types of harms recognized under some security breach notification laws in the US.2

The EU Article 29 Working Party (A29) has, however, defined nine criteria for high risk processing which can serve as guidance. The categories include: evaluation or scoring, automated-decision making that has legal effects, systematic monitoring, the processing of sensitive data, data about vulnerable subjects, data on a large scale, datasets that have been matched or combined, development of new technology or innovative use of existing technology, and processing that prevents individuals from exercising a right or using a service or contract.3

1 GDPR Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4).

2 See GDPR Recital 75; Fla. Stat. Ann. § 501.171; Ind. Code § 24-4.9;

3 Article 29 Data Protection Working Party (2017). WP248 rev.01: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purpose of Regulation 2016/679. Retrieved from http://ec.europa.eu/newsroom/document.cfm?doc_id=47711

The GDPR provides only a general description about how DPIAs are to be conducted. Article 35 does, though, set forth four elements that a DPIA assessment must contain:4

1. a systematic description of the processing operations and their purposes;

2. an assessment of the necessity and proportionality;

3. an assessment of the risks; and

4. the measures needed to address the risks.

TrustArc Assessment Manager Dashboard

An organization seeking more information on conducting a compliant DPIA should look to the A29 Guidance.5 The A29 Guidance suggests, for example, that a compliant DPIA will include a systematic description of the processing, how necessity and proportionality are assessed, how the risks and freedoms of data subjects are managed, and how interested parties such as the advice of the DPO are involved.6

1 Article 29 Data Protection Working Party (2017). WP248: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purpose of Regulation 2016/679. Annex 2. Retrieved from http://ec.europa.eu/newsroom/document.cfm?doc_id=47711

2 Article 29 Data Protection Working Party (2017). WP248: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purpose of Regulation 2016/679. Annex 2. Retrieved from http://ec.europa.eu/newsroom/document.cfm?doc_id=47711

3 Article 29 Data Protection Working Party (2017). WP248: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purpose of Regulation 2016/679. Annex 2. Retrieved from http://ec.europa.eu/newsroom/document.cfm?doc_id=47711

Building and Embedding a DPIA Process

While most companies will have a DPIA process in place by now, it is worth reiterating that DPIAs need to be conducted according to a documented process to ensure consistency. Many organizations lack a defined process, or conduct assessments on an ad hoc basis, using spreadsheets and email. This is time consuming and costly. Maintaining documentation to demonstrate accountability, and to manage data processing changes across business processes and system lifecycles is also difficult when information is stored in various systems across multiple stakeholders.

Organizations should develop and follow a process that makes sense for their size, type of processing, and resources. The following sample process is one that can be adapted to suit the size and complexity of an organization.

Relying on a consistent and well-documented DPIA process will make identifying issues and risks requiring remediation easier and more efficient.

BUILD the PIA/DPIA process through documented methodology, including any supporting systems.

IMPLEMENT the PIA/DPIA process by providing awareness of the process and engaging stakeholders to participate in the process.

ASSESS business activities by following the PIA/DPIA process methodology.

MANAGE completion of any remediation and any changes to those business activities by following the PIA/DPIA process methodology.

DEMONSTRATE compliance and effective risk management through reliable evidence of the PIA/DPIA process and outcomes.

For example, an assessment process could alert your company's privacy team or data steward of a potential change. In turn, those changes will drive updates to the data inventory or an initial threshold assessment to see whether a DPIA is needed. If no DPIA is needed, then the reasons should be documented. If a DPIA is needed, then the ongoing DPIA process will be triggered. In most cases the DPIA results in reports that describe potential risks and potential action items that the company needs to address or complete for those risks. Leveraging a technology platform with built-in DPIA templates and other solutions that help with GDPR compliance will enable organizations to implement an effective and robust DPIA assessment process.

Best Practice Tips

· Compare changes to the data inventory to identify possible needs for additional DPIAs.

· Train data stewards in key areas - like Procurement, IT/Security, Product Development, Marketing/Sales, HR - to help identify and escalate new DPIA needs.

· Establish a way to track remediation efforts identified in the DPIA.

· Establish a clear workflow for DPIA identification, creation, review/approval, and remediation handling/tracking. Make sure that at least one individual is responsible for each step and provide any necessary training.

Accountability on Demand

See Article 35

Track remediation action items identified during the DPIA process.

For example, some companies use ticket tracking systems to ensure that these items get reviewed and done. Regardless of the technology, companies should make sure that someone is regularly reviewing and monitoring progress on those items.

While that person is often someone on the privacy team this role can belong to someone on the legal and compliance team, and some companies split out the action items according to job function. Depending upon a company's priorities, procedural fixes, or technology fixes, remediation items can sometimes take anywhere from a few hours to over six months.


Consent

Consent as a Lawful Basis for Processing

The GDPR requires that EU personal data be "processed lawfully, fairly and in a transparent manner". The law sets forth six possible legal bases for processing, including a data subject's consent to processing personal data for "one or more specific purposes" per Article 6. Of note, the GDPR further obligates data controllers to inform data subjects of the legal basis for any proposed processing of personal data, for transparency purposes (such as via a company's privacy notice or other just-in-time methods). And, consent must be made as easy to withdraw as it is to give.

For companies seeking to rely on consent as their legal basis for a proposed processing, per its definition in Article 4, consent must be a "freely given, specific, informed and unambiguous" indication of a data subject's agreement to processing, and thus provided by a clear affirmative action. GDPR Recital 32 adds further explanatory context by noting that the "affirmative" act establishing a data subject's agreement to processing may not be based on silence/inactivity, pre-checked boxes, or bundled together with other terms and conditions.

Instead, consent could include -- but is not limited to -- ticking a box when visiting a website, choosing technical settings, or other written/oral statements that clearly indicate the data subject's acceptance to the proposed processing. In other words, consent may no longer be presumed, implied, or viewed as "opt-out" by default -- companies must be able to demonstrate when and how it was obtained.

Best Practice Tip

Keep your DPIA records indefinitely, showing a history of changes and reviews - the evolution of the process over time. If not, keeping them for at least seven (7) years should be sufficient documentation for authorities. DPIAs may contain some personal information, e.g., the business owner or the approver. Where possible avoid personal information in the documentation.

Special Use Cases for Consent

The GDPR requires a higher level of consent -- explicit consent -- for the processing of particularly sensitive "special categories" of personal data set forth in GDPR Article 9, which added genetic data, biometric data, data concerning health, or data regarding a person's sex life or sexual orientation to the existing list of "special categories" under EU law.

Explicit consent cannot be combined with other consents. For example, an individual cannot be asked to consent to a single statement that they consent to using their email address to send a newsletter and to using their race for tracking purposes. Keep in mind that withdrawing consent must be as easy as providing consent. Companies are not permitted to use complex and multistep processes for someone to withdraw consent.

Processing of special categories of personal data

See Article 9

"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."


GDPR Article 8 also sets 16 years as the default age of consent without parent authorization, but allows EU Member States to set the age as low as 13 years old.

How to Operationalize Consent

As a prerequisite to any data processing activities, an organization should be sure to map all its data flows across each business process. See above, Maintaining Records of Processing, which describes the steps and clarity that come from undertaking data inventories that can then be used in service of GDPR Article 30 record-keeping obligations, whether in the organization's capacity as a data controller or a data processor.

When this data flow mapping has been completed or updated for the key business processes, and the geographical origin, collection/receipt date, type, sharing, sensitivity, and scale of personal data is understood by the organization across all possible data touchpoints, then the organization may identify and document the legal bases for processing any and all information.

Where it becomes apparent that EU personal data was collected or received on the basis of consent that does not meet the GDPR's standard for consent, the company should consider with legal counsel whether another legal processing basis applies, or whether data subject consent should be newly requested that meets the GDPR's level.

Using TrustArc's Consent and Preference Manager is one way companies can easily track their various consents.

Best Practices and Tips -- Accountability on Demand

Companies must be prepared to provide records of data subject consent for various possible reasons: per request from the board of directors; to respond to inquiries from regulators; to know what processing purpose was offered at the time consent was given; to confirm whether a request to withdraw consent is valid; to provide to a data subject upon request; and to be able to show a business partner that request was duly obtained to information that an organization seeks to permissively sell to third parties. These are just a few possible use cases for where consent may need to be evidenced, if it is going to be relied upon as a legal processing basis.

TrustArc Consent & Preference Manager

Accordingly, and in keeping with Article 25's Data Protection by Design and by Default requirements, companies should seek to build data subject-respecting consent mechanisms from the idea stage through to the deployment (and ongoing monitoring) stages of any product, service, or form of data collection.

Embedding within digital properties and web forms a mechanism for providing notice, setting forth processing purposes, and then capturing consent, is one scalable way of creating a record of consent for both the data subject and the organization. This consent could then be tied to overall individual rights management for data subjects. For instance, whether requesting permission to drop cookies and other tracking technologies, or asking for consent in the direct marketing context while someone wishes to purchase a product, describing the processing purpose and capturing consent is both respectful of consumers and business-enabling by furthering accountability on demand.
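The consent record described in the last few sections (affirmative act, specific purpose, explicit and unbundled for special categories, withdrawal as easy as giving, and evidence of when and how consent was obtained) can be implemented as an append-only ledger. The following is an added example written for this guide, not TrustArc code; the capture-method names, the subject identifier, the notice version and the timestamps are constructed sample values.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# Capture methods that count as a "clear affirmative action" (Article 4, Recital 32
# as summarised above). Silence, inactivity and pre-checked boxes are deliberately absent.
AFFIRMATIVE_METHODS = {"checkbox_ticked", "settings_chosen", "written_statement", "oral_statement"}


@dataclass(frozen=True)
class ConsentRecord:
    """One consent statement as shown to, and accepted by, a data subject."""
    subject_id: str
    purposes: tuple                      # the specific purpose(s) this single statement covered
    captured_at: datetime
    method: str                          # how the affirmative act was captured (assumed vocabulary)
    notice_version: str                  # which privacy notice / just-in-time text was shown
    explicit: bool = False               # explicit consent, required for Article 9 special categories
    special_categories: frozenset = frozenset()
    withdrawn_at: Optional[datetime] = None


def validity_problems(rec: ConsentRecord) -> list:
    """Reasons this record cannot be relied on as a GDPR-grade consent (empty list = usable)."""
    problems = []
    if rec.method not in AFFIRMATIVE_METHODS:
        problems.append(f"not a clear affirmative action: {rec.method}")
    if not rec.purposes:
        problems.append("no specific purpose stated")
    if rec.special_categories:
        if not rec.explicit:
            problems.append("special-category data requires explicit consent")
        if len(rec.purposes) > 1:
            problems.append("explicit consent bundled with other purposes")
    return problems


class ConsentLedger:
    """Append-only store of consent records, queryable for accountability on demand."""

    def __init__(self):
        self._records = []

    def record(self, rec: ConsentRecord) -> list:
        """Store the record even if defective, so the organisation can later show what was
        collected and why it is not being relied on; returns the validity problems."""
        self._records.append(rec)
        return validity_problems(rec)

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """A single call withdraws every live consent covering `purpose`: as easy as giving it."""
        count = 0
        for i, rec in enumerate(self._records):
            if rec.subject_id == subject_id and purpose in rec.purposes and rec.withdrawn_at is None:
                self._records[i] = replace(rec, withdrawn_at=at)
                count += 1
        return count

    def basis_for(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentRecord]:
        """The valid consent in force at `at` for `purpose`, or None if there was no consent basis then."""
        for rec in self._records:
            if rec.subject_id != subject_id or purpose not in rec.purposes or validity_problems(rec):
                continue
            if rec.captured_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
                return rec
        return None

    def evidence(self, subject_id: str) -> list:
        """What a regulator, partner or data subject would be shown: when, how and for what."""
        return [{"purposes": r.purposes, "captured_at": r.captured_at.isoformat(), "method": r.method,
                 "notice_version": r.notice_version,
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None,
                 "problems": validity_problems(r)}
                for r in self._records if r.subject_id == subject_id]


# Constructed sample data for a walk-through (not real records)
T_SIGNUP = datetime(2022, 6, 1, 9, 0, tzinfo=timezone.utc)
T_WITHDRAW = datetime(2022, 9, 15, 12, 0, tzinfo=timezone.utc)


def build_sample_ledger():
    """Three records for one subject: a valid one, a pre-checked box, and a bundled special-category one."""
    ledger = ConsentLedger()
    problems = {
        "newsletter": ledger.record(ConsentRecord("subj-42", ("newsletter",), T_SIGNUP, "checkbox_ticked", "notice-v3")),
        "prechecked": ledger.record(ConsentRecord("subj-42", ("analytics_cookies",), T_SIGNUP, "pre_checked_box", "notice-v3")),
        "bundled": ledger.record(ConsentRecord("subj-42", ("newsletter", "ethnicity_tracking"), T_SIGNUP,
                                               "checkbox_ticked", "notice-v3", explicit=True,
                                               special_categories=frozenset({"race"}))),
    }
    return ledger, problems
```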

TrustArc Cookie Consent Manager implemented on sample website

Best Practice Tip

● Respond to people without making promises of how you're handling the request by letting them know you've received their request and are working on it. Take the time to understand and work out the processes and document them so that multiple resources are trained to manage requests.

● Take time for each request so that you can understand what jurisdictions are impacted, and what rules apply.

● Don't be afraid to reach out to that individual directly so that you can better understand and authenticate them, or to better understand the nature of their request if it's not clear.


Individual Rights Management

While Chapter III of the GDPR has multiple requirements, many companies will already have controls in place which address some of these articles. However, the GDPR expands upon some of the existing individual rights, creating what may seem like "new" requirements. Three Articles that will seem like new requirements for many companies are:

● the right to erasure ('right to be forgotten'), Article 17

● the right to restriction of processing, Article 18

● the right to data portability, Article 20

While most companies will have a process in place, we are providing two case study examples of what companies can do if they have not operationalized a process yet.

CASE STUDY

GlobalCorp. received over 500 data subject access requests on May 26th, but they do not have a data subject access request/individual rights management process in place yet.

One of the major challenges that GlobalCorp. faces is authenticating the data subject while also understanding the nature of the request to get some assurance that the need of that person is being fulfilled. Authentication is a responsibility that has to be handled delicately because of the conflicting pressure of ensuring that the individual is authenticated while not feeling like their privacy is violated.

To meet this challenge, GlobalCorp. should have a process documented that lists which kinds of authentication are required in common situations.

GlobalCorp. can implement ways to authenticate the individual that don't involve that person providing more information, but rather validating information the company has already obtained. GlobalCorp. also needs to document a process for keeping or disposing of that new information after the individual's identity is validated.

Best Practice Tip

Think through how diligent you need to be, given the nature of the request, and the risk to the data subject if you get it wrong.


CASE STUDY

RegionalCorp. has a technology solution in place, but no process to address individual rights requests. Last week RegionalCorp. was bombarded with requests and was not prepared.

To fulfill these requests RegionalCorp. will need to do some triage first, then make some initial decisions whether they will honor requests if they are not legally required to. Answering these questions will help them make that determination:

1) are we going to handle all of these in the same way?

2) how many requests do we have from "required countries" (EU and Canada)?

After answering those questions, RegionalCorp. should use the first one as a test case, and document the process. Once that documentation is in place, RegionalCorp. should be able to follow that process.

TrustArc Individual Rights Manager

One of the more difficult rights to manage is the right to erasure. This, however, is becoming a more prominent right globally, so it is important to make sure your processes for addressing these requests and honoring them are correct. There are exceptions to the right to delete data in Art. 17 p. 3:

● for exercising the right of freedom of expression and information;

● for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

● for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

● for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

● for the establishment, exercise or defense of legal claims.

In addition, there is a common technical problem - backups. It is infeasible for most companies to be able to delete data from backups, and this complication is known to the regulators. Although the European Data Protection Board has not issued broad guidance, several of the data protection authorities in some of the individual countries have addressed it.4

What companies often fail to do is to explain that the data requested to be deleted still exists in backups. Should there be a need to restore from backups, their data will be re-deleted, but after [timeframe], the backups will be overwritten and their data will no longer exist.

4 Please see guidance (or at least acknowledgement) from the Danish, French, and the UK authorities, respectively located at:

Danish - https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/sikkerhed-/sletning/sletning-emne

French - https://www.cnil.fr/en/sheet-ndeg13-prepare-exercise-peoples-rights

UK - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/#ib5
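The "re-delete on restore" approach described above (delete from live systems, keep a record of the erasure outside the backup set, re-apply it to anything restored, and tell the data subject when backup copies age out) is shown here as an added example written for this guide, not TrustArc code or any regulator's own procedure. The exception codes are short labels for the Art. 17(3) exceptions listed above; the 90-day backup retention stands in for the page's "[timeframe]" and, like the subject identifiers and records, is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The Article 17(3) exceptions listed above, keyed by a short code (codes are this example's own)
ART17_3_EXCEPTIONS = {
    "freedom_of_expression": "exercising the right of freedom of expression and information",
    "legal_obligation_or_public_task": "legal obligation, public interest task or official authority",
    "public_health": "public interest in the area of public health (Art. 9(2)(h), (i) and 9(3))",
    "archiving_research_statistics": "archiving, research or statistical purposes under Art. 89(1)",
    "legal_claims": "establishment, exercise or defense of legal claims",
}


@dataclass(frozen=True)
class ErasureEntry:
    subject_id: str
    requested_at: datetime
    refused_under: Optional[str] = None   # exception code if the request was refused


class ErasureLedger:
    """Record of erasure requests, kept outside the backup set so that any restore can be re-filtered.

    backup_retention (assumed) is the period after which backups taken before an erasure
    have been overwritten, i.e. the page's "[timeframe]"."""

    def __init__(self, backup_retention: timedelta):
        self.retention = backup_retention
        self.entries = {}

    def request_erasure(self, live_records: dict, subject_id: str, requested_at: datetime,
                        exception: Optional[str] = None) -> ErasureEntry:
        """Delete from live systems now, or record the Art. 17(3) exception relied on for a refusal."""
        if exception is not None:
            if exception not in ART17_3_EXCEPTIONS:
                raise ValueError(f"unknown Article 17(3) exception: {exception}")
            entry = ErasureEntry(subject_id, requested_at, refused_under=exception)
        else:
            live_records.pop(subject_id, None)
            entry = ErasureEntry(subject_id, requested_at)
        self.entries[subject_id] = entry
        return entry

    def re_delete(self, restored_records: dict) -> set:
        """Apply the ledger to data restored from backup before it is put back into use;
        returns the subject ids removed again."""
        erased = {sid for sid, e in self.entries.items() if e.refused_under is None}
        removed = erased & set(restored_records)
        for sid in removed:
            del restored_records[sid]
        return removed

    def backup_copies_gone_after(self, subject_id: str) -> datetime:
        return self.entries[subject_id].requested_at + self.retention

    def response_to_subject(self, subject_id: str) -> dict:
        """The explanation the guide recommends giving the data subject."""
        e = self.entries[subject_id]
        if e.refused_under:
            return {"deleted": False, "reason": ART17_3_EXCEPTIONS[e.refused_under]}
        return {"deleted": True,
                "backup_copies_until": self.backup_copies_gone_after(subject_id).isoformat(),
                "on_restore": "re-deleted before restored data is used"}

    def closable(self, now: datetime) -> set:
        """Erasures whose pre-erasure backups have all aged out: nothing left to re-delete."""
        return {sid for sid, e in self.entries.items()
                if e.refused_under is None and now >= e.requested_at + self.retention}


# Constructed sample walk-through: two requests, then a restore from an older backup
T_REQUEST = datetime(2022, 7, 1, tzinfo=timezone.utc)
RETENTION = timedelta(days=90)


def run_sample():
    live = {"subj-1": {"email": "a@example.invalid"},
            "subj-2": {"email": "b@example.invalid"},
            "subj-3": {"email": "c@example.invalid"}}
    ledger = ErasureLedger(backup_retention=RETENTION)
    ledger.request_erasure(live, "subj-1", T_REQUEST)
    ledger.request_erasure(live, "subj-2", T_REQUEST, exception="legal_claims")
    # A backup taken before the request still holds subj-1; the ledger is replayed on restore.
    restored = {"subj-1": {"email": "a@example.invalid"},
                "subj-2": {"email": "b@example.invalid"},
                "subj-3": {"email": "c@example.invalid"}}
    removed = ledger.re_delete(restored)
    return ledger, live, restored, removed
```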


Meeting the requirements for providing the protections for individual rights (data subject rights) may require new processes and technological capabilities within your company to receive, escalate, and accommodate requests pertaining to these rights. The key to having a successful process will be communicating it throughout the company, documenting it, and incorporating it into your overall privacy program.

Vendor/Processor Management

One of the most important facets of a GDPR compliance program is managing a thorough process for cross-border transfers of personal data. Companies must now assess any country to which they send data, especially assessing govern

Chapter III Summary

Maintaining compliance requires diligent planning and training for teams on their roles in helping to sustain GDPR compliance. Technology can help teams automate some of the otherwise manual processes, which will save time and help promote consistency. Technology can also assist teams to keep careful records - both for implementing programs that pertain to requirements such as responding to data subject access requests; and, for demonstrating compliance.


Chapter IV: Ongoing Compliance

PHASE 5 Demonstrating Ongoing Compliance

See Articles 30-31

The final steps on your roadmap should include ways to demonstrate ongoing compliance. Set up methods to regularly review your compliance activities, and keep records that can be used for both internal and external reporting. As you build out your privacy program, identify the way or ways you can prove to internal stakeholders and external regulators your company's compliance with each GDPR requirement. Remember that documentation of privacy notices and records of privacy-related escalation handling activities form an important part of this "demonstrable compliance".

Maintain Ongoing Reporting/Audit Trail

Once all components are implemented, circle back to the GDPR Readiness Assessment and ensure all gaps are closed. In order to ensure a solid audit trail, take the following steps:

● Keep detailed records of any processing performed on personal data.

● Schedule periodic audits and ongoing DPIAs, ensuring they reflect any evolving requirements.

● Have a Findings Report ready that shows that all GDPR requirements have been met and that you have accountability-on-demand in the event of an inquiry.

● House all DPIAs with supporting documentation in a central repository.

Maintain Overall Compliance

The GDPR is a complex regulatory regime. Some companies may feel comfortable with their resources available in-house to maintain their GDPR program, whereas others may want to consult an expert or work with a team of professionals to help with certain pieces of the ongoing assessment plan, implementation, and maintenance. Law firms and consulting firms can be hired to provide recommendations.

Full service privacy companies have the staff needed to provide recommendations and the technology needed to leave your company with the tools to manage ongoing compliance. Regardless of how you choose to approach your GDPR assessment, implementation, and maintenance, take the time to assess the nature of your current program status. You should have an annual (at least annually, shorter if needed) routine to:

● identify high risk processes and validate the DPIAs are still accurate,

● identify processors who have your high risk or volume data and re-assess those processors no less than annually,

● make sure you have the proper data transfer mechanism in place where you need it,

● re-assess countries to which you are transferring data,

● train employees including new developments,

● perform a mock data breach, including disaster recovery,

● consider certifications or assessments by third parties to validate controls in place,

● make sure contracts have the appropriate language for the scope of data, and

● review all policies and revise as needed (note reviewed even if no changes).

Chapter V: TrustArc GDPR Compliance Solutions

TrustArc has a comprehensive set of privacy management solutions to help you manage all phases of GDPR compliance. Our solutions are powered by the TrustArc Platform along with our team of privacy experts and proven methodology. A summary of our solutions mapped into the five implementation phases is provided below. Note that many of these activities can be conducted in parallel depending on your organization's requirements and resources.

GDPR Compliance Roadmap - 5 Phases

[Diagram: the five-phase roadmap (Build, Assess, Implement, Manage, Demonstrate) shown earlier in this guide.]

PHASE 1 Solutions: Build Program and Team

Identifying the right people, aligning everyone on a common set of goals, and providing them with the right tools and resources to accomplish those goals are the first critical steps in developing your GDPR compliance program.

PHASE 2 Solutions: Assess Risks and Create Awareness

GDPR Readiness Assessment

Comprehensive solution which includes a GDPR readiness assessment, detailed implementation plan, and communications program to build internal awareness and help secure resources and funding. The GDPR Readiness Assessment is merely one of multiple laws included in Privacy Central.

Data Inventory and Business Process Mapping

Comprehensive inventory of your data, classification by risk and type, and data flows. Our Data Inventory Hub can help meet Article 30 requirements while mapping business processes. Our consulting team is available to help if needed.

Privacy Risk Assessments

Detailed review of privacy risks across your organization and a findings report summarizing gaps and remediation recommendations.

GDPR Policies and Procedures

Develop customized privacy policies and procedures that address GDPR requirements.

Privacy Governance Committee and Employee Training

Develop the policies, procedures, and processes necessary to execute your GDPR roadmap. This can also include customized employee training to address a wide variety of subjects.

PHASE 3 Solutions: Design and Implement Operational Controls

Cookie Consent Compliance

Manage user consent regarding the use of cookies, as discussed above in this guide.

Direct Marketing Consent Compliance

Comply with GDPR consent requirements for activities such as promoting products and services, surveys, newsletter subscriptions and other marketing activities.

Online and Offline Notice and Consent

Create Fair Processing Statements for employees, vendors, and customers.

Ads Compliance

Manage user preferences regarding interest-based advertising to meet the DAA, EDAA, and DAAC self-regulatory programs.

Cross-Border Transfer Reviews

Assess mechanisms appropriate for your circumstances and evaluate country-by-country transfer risk in Risk Profile using country pages with pre-assessed scores. You can also maintain your Privacy Shield Verification, required for those who participate, even if it is not a transfer mechanism.

Third Party Management

Manage third party vendor risk by creating policies and procedures along with training, technology implementation and ongoing management.

PHASE 4 Solutions: Maintain and Enhance Controls

DPIA Program Development

Define the assessment processes, create customized assessment templates, train personnel, and implement the technology required to manage a sustainable DPIA program.

DPIA Management

Automate the management of DPIAs via a secure, centrally accessible solution that will enable you to assess privacy risk across your company.

Data Breach Incident Response Plan

Develop a customized incident response process flow, retention schedule, and record keeping procedures along with the tools required to manage them on an ongoing basis.

PHASE 5 Solutions: Demonstrate Ongoing Compliance

Certifications

Comprehensive certifications and verification program, encompassing standards including FIPPs, OECD, Privacy Shield, and APEC.

Reporting

Generate a variety of reports to help you meet GDPR compliance requirements, including Article 30, and other audit requirements.

GDPR Validation

Demonstrate GDPR compliance efforts and status, using intelligent technology-powered assessments, TrustArc managed services and an independent TRUSTe GDPR compliance validation. GDPR Validation is offered at Practices and Program levels.

Training

Train your teams with either computer-based training or customized computer-based training packages and workshops that can be delivered to certain groups within the Company.

Individual Rights Management

Respond to individual requests with a proven methodology and streamlined workflow.

Build and Manage Your GDPR Compliance Platform

TrustArc can help with all phases of GDPR compliance – from building a plan to implementing processes and controls to demonstrating and managing ongoing compliance.

● Build a data inventory, data flow maps, and compliance reports to manage risk

● Conduct and manage privacy assessments, including PIAs, DPIAs and vendor risk

● Manage consent preferences to meet GDPR and other regulations

● Manage Data Subject Requests (DSR) for GDPR, CCPA, and other regulations

Take Control with TrustArc GDPR Compliance Platform. Schedule a Tailored Consultation.

About TrustArc

As the leader in data privacy, TrustArc automates and simplifies the creation of end-to-end privacy management programs for global organizations. TrustArc is the only company to deliver the depth of privacy intelligence, coupled with the complete platform automation, that is essential for the growing number of privacy regulations in an ever-changing digital world. Headquartered in San Francisco, and backed by a global team across the Americas, Europe, and Asia, TrustArc helps customers worldwide demonstrate compliance, minimize risk, and build trust.

For additional information visit www.trustarc.com
