“Demonstrating Compliance” to Regulators: What does it mean?
The GDPR is very clear on one thing: Organisations need to be able to demonstrate compliance with all requirements of the law. Out of 99 articles in the GDPR, we have identified 39 that require evidence of compliance, and this evidence will need to be provided at both the project and enterprise levels.
The enterprise level is the core of your privacy program and is based on Article 24 of the GDPR: the requirement to put in place appropriate technical and organisational measures to demonstrate compliance. This means you will need to ensure that all your privacy procedures are in place to address your requirements under the GDPR (e.g. data breaches, consents, processing agreements, etc.). Since this is generally coordinated by the data protection officer or central privacy office team, it is a top-down approach.
The project level is based on two key documentation requirements of the GDPR:
- Record of Processing Activities Register, as required by Article 30, and
- Data Protection Impact Assessment (DPIA), as required by Article 35 for “high risk” operations
Since the responsibility here is spread throughout the organisation, we call this approach “bottom up”. This level will help you to assess the purpose of each processing operation, understand what type of data is being processed and how long you have retained the data elements, and link this to the policies and procedures you have put in place to protect personal data. For each data processing operation (a “project”) you will be able to explain how the data is protected.
What does it mean to “demonstrate compliance” to a regulator?
It is important to keep in mind here that demonstrating compliance is more than just a snapshot of your operations during a moment in time. It’s an ongoing awareness and understanding of how your organisation processes data. This is what we call the capacity to comply.
Article 24 requires the implementation of appropriate technical and organisational measures. What counts as “appropriate” depends on each organisation. To demonstrate compliance, you will need to develop a data management process, and be able to show how you use that process to protect the data, what safeguards you have in place, and how often these procedures are reviewed and brought up to date.
Preparing for 2018
Nymity believes that there will be three groups of organisations at the time of the GDPR deadline:
1. Organisations that are either not aware of the new laws, or have not invested the resources to implement a compliant privacy program.
2. Organisations that are aware of the new laws and have taken the necessary precautions to update privacy programs for GDPR compliance.
3. Capacity to comply: Organisations that are aware of the GDPR, are compliant, and have all the processes in place to comply on an ongoing basis. These companies are able to provide evidence of the processes in the form of documentation. These organisations are “accountable organisations.”
The goal for any company should be to qualify under number three. An accountable organisation:
- Invests in compliance with structured privacy management
- Embeds privacy throughout the organisation
- Ensures data protection is not only the responsibility of the privacy office
- Has one “lead” individual per department reporting back to the privacy office
- Tailors appropriate technical and organisational measures to the characteristics of the department and organisation
The Compliance Capacity Report
To show how an organisation can demonstrate the capacity to comply, Nymity has developed a Compliance Capacity Report template. The report assists our clients by:
- Linking the technical and organisational measures to the relevant provisions of the GDPR
- Showcasing the organisation’s structured approach to recording appropriate technical and organisational measures (collected evidence, questions, and owners)
- Scaling up or down to report on a single department, multiple departments, an entire organisation, or an entire geographical territory
- Generating new reports as needed
It is relatively easy to create your own Compliance Capacity Report. You can start with the GDPR Accountability Handbook that you can find in our GDPR Compliance Toolkit, which links the provisions of the GDPR to relevant technical and organisational measures and suggests accountability mechanisms and evidence to demonstrate compliance. We also have sample pages of a Compliance Capacity Report published as part of our recent Demonstrating Compliance to Regulators research paper.
There are several potential uses of a Compliance Capacity Report:
During an investigation or audit by supervisory authorities, this report can demonstrate how the privacy program was built, how it is run and maintained, the current state, and what documents are available as evidence. This allows the DPA to determine what documents they wish to see, or which parts of the organisation they wish to take a closer look at.
- Internal Reporting
The Compliance Capacity Report can be used by the Data Protection Officer to inform management of the state of the privacy program, and to flag any departments or countries that are behind the others.
- Audit Reporting
The internal audit department or external auditor could use the report as part of a regular audit.
Records of Processing: Demonstrating Compliance at the Project Level
The project level of compliance is important because it ensures that the appropriate technical and organisational measures that have been developed at the enterprise level are being applied to day-to-day operations. The core of this component of your privacy program is the Records of Processing Activities Register (the Register), where you document every data processing operation in the organisation.
In the Register you’ll show:
- What the process is
- What the grounds for processing are
- Whether there is a contract
- Consent (where required)
- How the data is maintained
This information will also help to determine whether your operation is “high risk” and will need a DPIA. A thorough DPIA will provide information on the operation’s risk assessment, and help you develop risk mitigation measures. Nymity recommends taking an “Accountability Approach” to the DPIA, using our Accountability PIA. In this process, you’ll develop reporting that demonstrates to the DPA what risks you have, and which processes you have developed to mitigate those risks moving forward. You therefore have documented evidence of your accountability.
Bottom Up and Top Down: Working Together
To fully demonstrate compliance, your organisation will need to coordinate activities happening at both the enterprise and business levels, ensuring that processes developed are implemented each day.
The methodology explained in this blog post was developed as part of Nymity’s ongoing Regulator Projects. Since the spring of 2016, we have been examining how organisations can demonstrate compliance under the GDPR, starting with self-reporting. In addition, we are looking into ways self-reporting can be verified and certified by a third-party monitor. During these Regulator Projects, we are working closely with industry partners and data protection authorities to test our thinking. The intermediate results of the Projects are now available in our most recent Demonstrating Compliance to Regulators research paper.
Supporting the privacy office and privacy professionals around the world, Nymity has embarked on an ongoing effort to research and benchmark the state of GDPR compliance, offering insights into how regulators and organisations can benchmark and measure GDPR compliance.
Our latest study: GDPR Compliance Benchmarking: Measuring Accountability is also now available for download.