Nymity Privacy Management Accountability Framework™ at a Glance, Part 2

Written by Nymity
on January 25, 2018

As your organisation continues to implement technical and organisational measures for the purpose of providing evidence of GDPR compliance, the Nymity Privacy Management Accountability Framework™ can serve as a helpful tool. This free resource was developed through years of research, and has been mapped to hundreds of laws and privacy frameworks, including the GDPR.

The team at Nymity identified 39 GDPR articles that create obligations to put in place technical or organisational measures to demonstrate compliance, and those articles map to 55 measures within the Framework™.

In Part 1 of our blog series, we looked at the first 7 categories of the Framework™, and in particular, which measures directly applied to the GDPR. Today, in Part 2, we will examine the remaining 6 categories, and their GDPR-relevant activities.

8) Maintain Notices
Your organisation will need to maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance.

Privacy Management Activities include:

  • Maintain a data privacy notice that details the organisation’s personal data handling practices
  • Provide data privacy notice at all points where personal data is collected

9) Respond to Requests and Complaints from Individuals
Ensure that you maintain procedures for interactions with individuals about their personal data.

Privacy Management Activities include:

Maintain procedures to respond to requests for:

  • Access to personal data
  • Updates or corrections to personal data
  • Opt-out of, restrict, or object to processing
  • Data portability
  • Being forgotten or for erasure of data

10) Monitor for New Operational Practices
It is important for your organisation to monitor practices to identify new processes or material changes to existing processes and ensure the implementation of Privacy by Design principles.

Privacy Management Activities include:

  • Integrate Privacy by Design into system and product development
  • Maintain PIA/DPIA guidelines and templates
  • Conduct PIAs/DPIAs for changes to existing programs, systems, or processes
  • Engage external stakeholders (e.g. individuals, privacy advocates) as part of the PIA/DPIA process
  • Track and address data protection issues identified during PIAs/DPIAs
  • Report PIA/DPIA analysis and results to regulators (where required) and external stakeholders (if appropriate)

11) Maintain Data Privacy Breach Management Program
An effective data privacy incident and breach management program will need to be maintained for compliance.

Privacy Management Activities include:

Maintain policies/procedures for:

  • Maintain a data privacy incident/breach response plan
  • Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol
  • Maintain a log to track data privacy incidents/breaches

12) Monitor Data Handling Practices
Verification will be required to prove that your operational practices comply with the data privacy policy and the operational policies and procedures. You will also need to measure and report their effectiveness.

Privacy Management Activities include:

  • Conduct self-assessments of privacy management
  • Maintain documentation as evidence to demonstrate compliance and/or accountability

13) Track External Criteria
Your organisation will need to continually track new compliance requirements, expectations, and best practices.

Privacy Management Activities include:

  • Identify ongoing privacy compliance requirements (e.g. law, case law, codes, etc.)

The Nymity Privacy Management Accountability Framework™ is a free resource available on our website. For more information, or to view the Framework™ in full, click here.
