Top 10 Tips from the Nymity GDPR Compliance Webinar Series: Part 1

Written by Nymity
on December 21, 2017

Nymity’s GDPR Compliance webinar series has drawn to a close as we reach the end of 2017. As we head into the New Year, and approach the official enforcement date of May 25th, 2018, compliance will surely be front of mind for many organisations as preparations are finalised.

If you missed our GDPR Compliance webinar series, you can still view the full recordings to receive in-depth information on a variety of topics. Today is the first post in a two-part series, in which we will share the Top 10 most valuable tips for GDPR compliance gleaned from the webinars.

1) A New Approach to DPIA
Webinar: Does the GDPR Require PIA’s? Answer: Only Sometimes

At Nymity, our research has shown that companies can leverage investments they have made in accountability by operationalizing existing “accountability mechanisms” at the project level. This new approach to DPIA saves resources by combining the DPIA and the Article 30 Record of Processing Activities requirements.

The Accountability DPIA has three parts:

  1. Identify the benefits of data use to individuals
  2. Mitigate risks with accountability mechanisms
  3. Assess effectiveness of the process

Nymity’s ExpertPIA™ software solution takes a privacy by design approach, mitigating risk prior to conducting assessments. Not only do organisations satisfy DPIA requirements, the ExpertPIA™ also produces their Record of Processing Reports, making GDPR compliance easily demonstrated.

2) Save Time with Structured Privacy Management
Webinar: A Time Saving Method to Prioritize your GDPR Compliance

Our research has shown that one of the most efficient ways to achieve GDPR compliance is to embed ongoing technical and organizational measures throughout an organisation, resulting in the ability to demonstrate accountability and compliance with evidence. At Nymity, we refer to this technique as Structured Privacy Management. It has three essential components:

  1. Responsibility: Demonstrate on an ongoing basis that you have consistently maintained accountability mechanisms in place.
  2. Ownership: One or more persons in the organisation take the lead in maintaining certain technical and organisational measures.
  3. Evidence: Evidence is created as the result of existing accountability measures. It could be in the form of policies and procedures, decisions taken in the organisation, or log files. The structured approach:
    • works for any organisation, regardless of size, sector, or industry
    • embeds privacy management accountability throughout the organisation
    • works with available resources
    • enables the demonstration of GDPR compliance, and
    • documents the justification for resources to enhance GDPR compliance efforts

3) Privacy Management is an Ongoing Process
Webinar: GDPR and the Nymity Accountability Framework Advisory Forum

Responsible organisations do not view privacy management as a one-time “project”; instead they allocate resources to privacy management accountability and continually assess efficacy and needs to ensure that the activities are aligned. It’s an ongoing process that does not result in a “finished project”. Changes inside and outside the organization, including technology, business models, and best practices, will all require privacy management activities to be updated accordingly.

In this respect, privacy management activities can be characterized as either Periodic or Continuous.

Periodic Activities are performed on a set frequency, e.g. quarterly or annually. These activities are treated as discrete projects or tasks with a defined start and end. Continuous Activities are embedded into day-to-day operations. These activities often take a repetitive approach, wherein adjustments are made continuously toward the desired outcome.

Whether the activity should be performed periodically or continuously depends on a number of factors. Periodic activities may encourage structure, whereas continuous activities may provide more thorough coverage and risk prevention.

4) How to Use Consent as a Legal Basis
Webinar: Consent and the GDPR

The GDPR now clearly states that opt-out consent is no longer allowed. According to the GDPR, consent must be:

  • A clear affirmative act
  • Freely given
  • Specific
  • Informed
  • Unambiguous

When using consent as a legal basis for data processing, organisations will need to perform a number of additional tasks, including:

  • Demonstrating consent was legally obtained from the individual
  • Keeping transactional records so that consent can be traced and verified
  • Ensuring that consent is obtained using language the data subject is able to understand
  • Ensuring terms and conditions are specific enough to meet the requirements
  • Ensuring that the proper “age-related” protocol is followed for children and teens (this varies between countries in the EU between 13 and 16)

5) Stay Up-to-Date with Compliance Trends
Webinar: Less than a Year Until GDPR Compliance – Trends and Analysis from Real-world Activity

At the International Conference of Data Protection and Privacy Commissioners in Hong Kong, Nymity released the study, “GDPR Compliance Benchmarking: Measuring Accountability”. The study spans multiple industries, including 46 organisations that completed a GDPR benchmark.

To gather this information, we leveraged the Nymity Privacy Management Accountability Framework™ and Nymity Benchmarks™ (an automated solution for baselining and benchmarking organisational privacy management). When we mapped the GDPR to the framework, we identified 39 GDPR articles that create obligations to put in place a technical or organisational measure to demonstrate compliance, and those 55 measures were used to gather data from the 46 participating organisations in our research.

The 46 organisations engaged in the research were asked to rank the 55 measures as either:

  • Implemented: The activity is already in place, and has sufficient resources to be maintained
  • In progress: The decision has already been made, resources allocated, and action may be underway to implementing the activity
  • Desired: The activity is applicable or relevant to the privacy program, but is not currently implemented or resourced (planned)
  • N/A: Not applicable or relevant to the organisation

The results of the study can be incredibly helpful as organisations consider the next steps in their compliance journey.

Join us for Part 2
In Part 2 of this blog series, we will share the remaining 5 most valuable tips for GDPR compliance gleaned from our webinars. To view any of the recordings in full, visit

You may also like:

Top 10 Tips from the Nymity GDPR Compliance Webinar Series: Part 2

As we approach the 2018 enforcement date of the GDPR, organisations are swiftly progressing in their compliance preparat...