Top 10 Tips from the Nymity GDPR Compliance Webinar Series: Part 2
Dec 28, 2017 GDPR Webinar Series
Blog / Top 10 Tips from the Nymity GDPR Compliance Webinar Series: Part 2
As we approach the 2018 enforcement date of the GDPR, organisations are swiftly progressing in their compliance preparations. Over the last several months, the team at Nymity drew several subject matter experts together to present key ideas and guidance for GDPR compliance in a series of webinars.
In Part 1 of this blog series, we shared the top 5 tips for GDPR compliance gleaned from our GDPR webinars. In today’s conclusion, we will share the final 5 best tips for use as organisations continue to build their privacy management infrastructure.
6) Prove Your Organisation has the Capacity to Comply
Webinar: Demonstrating Compliance to Regulators
Nymity believes that there will be three groups of organisations at the time of the GDPR deadline:
- Non-Compliant: Organisations that are either not aware of the new laws, or have not invested the resources to implement a compliant privacy program.
- Compliant: Organisations that are aware of the new laws and have taken the necessary precaution to update privacy programs for GDPR compliance.
- Capacity to Comply: Organisations that are aware of the GDPR, are compliant, and have all the processes in place to comply on an ongoing basis. These companies are able to provide evidence of the processes in the form of documentation. These organisations are “accountable organisations.”
To show how an organisation can demonstrate the capacity to comply, Nymity has developed a Compliance Capacity Report template. The report assists our clients by:
- Linking the technical and organisational measures to the relevant provisions of the GDPR
- Showcases the organisation’s structured approach to recording appropriate technical and organisational measures (collected evidence, questions, and owners)
- Scaling up or down to report on a single department, multiple departments, an entire organisation, or an entire geographical territory
- Generating new reports as needed
It is relatively easy to create your own Compliance Capacity Report. You can start with the GDPR Accountability Handbook that you can find in our GDPR Compliance Toolkit, which links the provisions of the GDPR to relevant technical and organisational measures and suggests accountability mechanisms and evidence to demonstrate compliance.
7) How to Address BCR’s
Webinar: Leverage Your GDPR Compliance Efforts to Support BCR’s
Article 47(2) of the GDPR provides an overview of all necessary inclusions in BCRs. A great deal of this information will overlap with documentation your organisation is compiling for GDPR readiness, and in particular, much of the same information will be captured in your Article 30 Records of Processing Activities (RPA). This includes, but is not limited to:
- The data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected, and the identification of the third country or countries in question
- The application of the GDPR principles
- Rights of data subjects, complaint procedures, compliance verification and reporting structures
- Mandatory cooperation with the lead DPA
Nymity has identified 39 Privacy Management Activities (PMAs) that should be maintained to deal with BCRs within an organisation. Out of these 39 PMAs, 28 overlap with the PMAs that organisations are maintaining for GDPR compliance. Some of these PMAs include:
- Conducting self-assessments of privacy programs
- Maintaining documentation as evidence to demonstrate compliance
- Conducting privacy training
Therefore, it is easy to see how an organisation already well on its way to GDPR readiness will be able to use some of those existing measures to also satisfy BCR requirements.
8) Follow Worldwide Privacy News
Webinar: Lessons Learned from International DPA Conference in Hong Kong
This year, the Nymity team had the pleasure of attending and presenting at the ICDPPC in Hong Kong. The conference brings together over 80 DPA from across the globe, providing a forum for discussion, and the sharing of techniques and ideas regarding various approaches to privacy and compliance.
There were four main themes from the conference, all of which are helpful to keep in mind when crafting an effective privacy management program:
1) Data Privacy in Asia: Legislation in Asia is rapidly changing to support ethical processing practices. Though the right to privacy has been inspired by the West, it will continue to be implemented in Asia in accordance with Eastern traditions.
2) Notice and Consent in Latin America: The Standards of Personal Data Protection in Latin America was recently released and made available to the public. Historically, privacy legislation in Latin nations has been heavily consent-based. This new legislative document, however, makes many suggestions for revisions, and presents itself as an important way forward, modelling the drafting of legislation for nations new to privacy protection.
3) Cross-Border Data Transfer: In many countries that have enacted data localization laws, research is proving that the data is far safer when kept inside their borders. Experts at the conference stated that security is best protected when law enforcement retains access to the data.
4) Challenges of New Technology: Looking forward into the future of data processing, there is a high likelihood that we will increasingly need to rely on Artificial Intelligence (AI) for cyber security efforts. Legislation needs to ensure that people will come first, and enhance the accountability and transparency of data stewardship.
9) Certify Your Privacy Program
Webinar: Certify Your Privacy Program: Why and How?
The certification of products, services, and privacy programs under GDPR is detailed in article 42 and 43. There are two different types of certification: Self-certification, and certification by a third party. While self-certification is not an official certification required by, or provided for in, the GDPR, it can be a very valuable tool in demonstrating compliance, and reporting to the DPA should they have questions.
The largest reason to seek third party certification is international data transfers. An organisation in a non-adequate third country, for instance, can apply to an EU accredited certification service provider to verify their organisation’s compliance. The certification received is then sufficient to allow personal data to be transferred from an EU organisation to a the organisation in the non-adequate third country. This negates the need for negotiations, contracts, binding corporate rules (BCR), and other transfer instruments.
Another advantage to certification is in dealing with regulators. Having the certification proves that your organisation has prioritized compliance and worked hard towards building organisational and technical measures to support the legislation. Similarly, third party certification prepares the path to obtaining an official seal or trust mark.
There is also the possibility that certification will provide a monetary advantage by reducing insurance fees.
10) Conduct These Activities with Vendors for GDPR Compliance
Webinar: GDPR and Vendor Management
Many organisations are currently struggling with vendor management under the GDPR. One thing is clear: A more detailed and continued scrutiny of your vendors is now required from a data protection perspective.
Some of the key activities that organisations must now conduct with their vendors include:
- Appropriate technical and organizational measures to protect data according to its sensitivity must be communicated during initial engagement with vendors (such as requests for proposal);
- Data controllers must create screening questions for potential vendors/data processors to assess their capacity for supporting GDPR compliance;
- Data controllers need to implement contractual language imposing GDPR requirements in all contracts; and,
- Data protection by design and by default must be required from vendors to build in appropriate technical and organisational measures designed to implement data protection principles.
It is worth noting that Articles 30, 32, and 35 apply even when using a vendor! This means that Records of Processing, Security of Processing, and DPIA must be conducted and maintained by your vendor, in addition to your own organisation.
The positive feedback from the 2017 GDPR Webinar Series was overwhelming. We’ll continue to share insights on the GDPR and other compliance requirements in 2018. Stay tuned for our new webinar details to be announced early in the new year.
View the Full Webinars Today!
To learn more about each of the topics discussed in our two-part blog series, view the full webinars today, or contact a Nymity team member and request a free trial.