GDPR Compliance: Only Four Months to Go. How Will You Prioritize Your Efforts?

Written by Nymity
on February 22, 2018

By examining our most popular references on Nymity Research™, the status of GDPR compliance using Nymity Benchmarks™ and the most downloaded GDPR resources in Nymity Templates™, we are able to gain a bird's-eye view of the issues that are currently top of mind for organisations facing GDPR implementation. This is particularly interesting in light of recent insights and comments from data protection authorities.

Last month, the European Commission raised concerns that many organisations, and even member states, may not be ready to comply with the GDPR by the implementation date. In the Netherlands, the business lobby is even calling for an extension of the deadline by an additional year. This call was quickly rejected: no further grace periods for GDPR compliance will be granted.

Most Popular References:
The most popular downloaded References from Nymity Research™ in the final quarter of 2017 centered around the following three areas:

1. Member State Implementing Legislation

Within the GDPR, some exceptions and exemptions are foreseen that can be imposed by national law. These may include the processing of public sector data. The enforcement of the regulation needs to be arranged at a national level, because the EU has no authority to legislate administrative procedural law. So, in practice, all EU members will still have a data protection law. These laws will work alongside the GDPR, and (re)create the national data protection authority. In this sense, keeping track of these individual national laws will remain key for organisations operating within EU member states.

Nymity Research™ provides up-to-date information on national implementing legislation, allowing you to easily see how to deal with your organisation’s specific requirements within each region.

2. Article 29 Working Party Guidance

Guidance from the data protection authorities may help organisations better understand compliance requirements. A new EU-wide law requires consistent interpretation, and that consistency is what the guidelines are trying to achieve. Naturally, these guidelines are very helpful for data controllers and data processors around the world, providing a little bit more legal certainty for everyone.

However, the guidelines, however extensive they may be, are not conclusive in every situation. There may be situations where neither the GDPR nor the guidelines provide the answer you are looking for in a specific case. Or you may conclude that in your situation, the guidance provided is really not helpful. That is not immediately a problem: the GDPR first and foremost puts the responsibility for compliance on the data controller. If you believe a solution you have designed is compliant, make sure you thoroughly document it.

Nymity has consistently advocated that documentation is key to demonstrate compliance, so make sure all your decisions can be reconstructed with the necessary underlying evidence.

Currently the WP29 has issued final guidance on the following topics:

  1. Lead Authority
  2. DPOs
  3. Data Portability
  4. Profiling
  5. Breaches
  6. DPIAs
  7. Fines
  8. BCRs
  9. Adequacy

3. Post-Brexit

By now, it is fairly certain that the UK will leave the European Union by 29 March 2019, with all of its consequences. What these are is still being negotiated. What is clear, however, is that the GDPR will nevertheless apply as of 25 May. Post-Brexit, or possibly after the transition period ends at the end of 2020, the GDPR will no longer apply formally in the UK, but as things stand now, the material provisions will continue to apply nevertheless.

All the content of the GDPR is likely to be converted into the new UK Data Protection Act 2018, which is currently being discussed in the UK Parliament. The UK government has made clear they wish to ensure an adequate level of data protection, in order to obtain an adequacy decision.

4. DPA Priorities
When looking at the prioritization of your privacy program, it is helpful to take a look at the websites of the DPAs in the regions and countries where you are active. The following is a list of priorities gleaned from those DPA websites:

1) Awareness
Make sure that your teams are aware that the legislation is changing, that the requirements are changing, and that there may be new obligations for you and them to follow.

2) Inventory
Your Article 30 register of processing activities is very important. Make sure that you have at least started by the 25th of May, ensuring that your most important, high risk operations are recorded.

3) Impact Assessments for Key Projects
Make sure that you undertake your impact assessments for key projects, particularly if they are high risk.

4) Procedures for Data Subject Rights and Breaches
Ensure that these procedures are in place prior to May 25th.

5) Notice/Communication
All your privacy notices and general communication about data protection need to be compliant with the treaty. The legislation spells out which elements should be part of the notice.

6) Consent & Other Legal Grounds
For consent to remain valid if it was obtained prior to the GDPR, you must ensure that it meets all the requirements now given under the current legislation. You will need to be able to illustrate that consent was legally obtained.

7) Children
Look at national legislation if data is being collected from children online, because depending on the country, the age could vary from 13 to 16. If it is mandatory in your situation, appoint a DPO to handle this concern.

Nymity Benchmarking Research
It is important for you to know that your organisation is not the only one struggling to attain compliance in anticipation of the May 25th implementation date. To give you an idea of what companies are currently working on, we analyzed and studied the aggregate data of 250 companies, 46 of whom are specifically EU-based, or global organisations. A variety of industries were represented, from finance to manufacturing to healthcare.

Each organisation benchmarked their program based on our Nymity Framework™, which is mapped to 55 GDPR measures. They ranked each measure as either “implemented”, “in progress”, or “desired”.

The top 10 “implemented” activities were as follows:


Of the companies that were part of this research study, the most heavily focused areas were data subject rights, privacy training, breach management, cross-border transfer mechanisms, and privacy notices. These align quite well with what we consider to be the DPA priorities. If you have gaps in your program, we recommend that you too focus on these areas first.

The top 5 “in progress” activities were as follows:


Three of the top 5 “in progress” activities relate to monitoring operational practices. We identified seven different measures that relate to this category, and all of them mapped to obligations of the GDPR: Privacy by design, requirement activities around DPIA, conducting DPIA for new programs, conducting changes to existing programs, tracking issues, and reporting on these issues to external stakeholders.

Nymity Templates
Nymity Templates™ is a product that contains over 900 downloadable, practical templates. These include sample privacy notices, workbooks, spreadsheets, and checklists of guidelines that can be used to create your privacy program, based on policies and procedures. To give you an idea of what your peers are currently utilizing from Nymity Templates™, the following are the top downloaded GDPR resources overall:


Moving Towards Compliance
One of the “must do’s” for organisations that may not attain full compliance by May is to refer back to the DPA priority list. Raise awareness within your organisation of the need to focus on those tasks specifically. Ensure that you update your internal policies and procedures on how your organisation deals with data subject rights, and make sure that you are transparent about your data processing operations in your privacy notice.

In the event of a DPA investigation, the first thing they will ask for is to see your processing activity register. The further ahead you are in documenting your processing operations that are ongoing, the better off you will be.
