1 GDPR introduces a new, risk-based approach to data protection compliance
2 The data subject is at the heart of the Regulation and benefits from new and enhanced rights. Data subjects are entitled to additional information about the processing of their personal data. There is a higher standard for consent and there are special rules for processing children's data.
3 The security net tightens with mandatory breach reporting, controls on outsourcing to processors and greater penalties for non-compliance. Data protection regulation comes of age with fines of up to twenty million euros or four per cent of annual worldwide turnover, whichever is higher, together with increased regulator powers such as the right to audit.
What to do towards compliance
Part one – Managing data protection risk
New record keeping requirements
The Information Commissioner says that if you do not know what personal data you process, then you cannot be sure that you are complying with data protection standards. So, an initial step is to identify the personal datasets the organisation processes, for example a marketing dataset, an HR and payroll dataset, a customer accounts dataset and a health and safety dataset. Identify a business owner for each and gather details of why the processing takes place, what data is involved and who the data subjects are, together with the compliance attributes: how long the dataset is held, the lawful basis being relied on, whether the processing is outsourced to a processor and whether the data is transferred outside the European Economic Area (the EU Member States plus Iceland, Liechtenstein and Norway).
This inventory also starts to meet the enhanced record keeping requirement under Article 30 of GDPR (records of processing activities).
New Principle of Accountability means organisations must demonstrate compliance with GDPR
The next step is to identify the risk around processing each dataset (storage alone counts as processing). Document the risk assessments to meet the new GDPR Principle of Accountability. Manage the risk, and document any activity undertaken to avoid or mitigate it, so that compliance can be demonstrated on request.
Some organisations must designate a Data Protection Officer with prescribed duties
Accountability reaches its ultimate expression in the new requirement to designate a DPO in certain circumstances. The DPO advises the organisation on its GDPR obligations, monitors compliance, reports to the highest level of management, and acts as the point of contact for the supervisory authority (the ICO in the UK) and for data subjects.
Mandatory DPIA risk assessments for higher risk processing and Privacy by Design principles
To pick up risks in new projects, developments and initiatives, use Data Protection Impact Assessments to identify the inherent risk in the project before processing begins. Under GDPR a DPIA is mandatory where the processing is likely to result in a high risk to individuals, for example large-scale processing of special category data or systematic monitoring of a public area, and it is good practice for other new processing. Failure to show that a DPIA was carried out before high-risk processing started is itself a breach, and the regulator can take the absence of such risk management into account when setting the level of any fine.
This is the outline of a risk management framework.