Anyone managing personal data within the EU or across EU boundaries
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Parliament, the Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).
It also addresses export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The data protection reform package includes the General Data Protection Regulation ("Regulation") and the Data Protection Directive ("Directive") for the police and criminal justice sector.
General Data Protection Regulation (GDPR)
The GDPR will replace the Data Protection Directive (Directive 95/46/EC). It was adopted on 27 April 2016 and enters into application on 25 May 2018. It does not require any enabling legislation to be passed by national governments.
The Regulation updates and modernizes the principles from the 1995 Data Protection Directive to guarantee privacy rights. It focuses on: reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards. The new rules include:
- Stronger enforcement of the rules: data protection authorities will be able to fine organizations who breach the rules up to 4% of their annual global turnover or €20 Million (whichever is greater) for the most serious infringements.
- Extended jurisdiction: GDPR applies to all companies processing the personal data of data subjects residing in the European Union, regardless of where the processing takes place, where those companies offer goods or services to EU citizens (paid or free) or monitor behaviour within the EU. Non-EU businesses processing the data of EU citizens have to appoint a representative in the EU.
- Consent: Consent must stand out, use clear language, and include the reason the data is being gathered. It must be simple to both give and withdraw consent.
- A "right to be forgotten": If a person no longer wants their data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
- Easier access to one's data: Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.
- The right to know when one's data has been hacked: Companies and organisations must notify the national supervisory authority within 72 hours of data breaches which put individuals at risk, and communicate all high-risk breaches to the data subject as soon as reasonably possible so that users can take appropriate measures.
- Privacy by design: ‘Data protection by design’ means that data protection is included at the start of the design stage for a new system. Controllers can only hold and process data that is absolutely necessary and restrict data access to those who need to process it.
- Data Protection Officers (DPO): A DPO is mandatory if there is regular and systematic monitoring of people on a large scale, or processing related to criminal convictions and offences. There are internal record-keeping requirements for all organizations. The DPO is appointed on the basis of their skill set, may be a member of staff or an external service provider, reports directly to the highest level of management, and cannot carry out any other task that could result in a conflict of interest. The organization must provide them with the resources and training needed to execute their tasks successfully. Their contact details must be provided to the relevant Data Protection Authority (DPA).
The data protection reform package helps business to realise potential through:
- One continent, one law: a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
- One-stop-shop: a 'one-stop-shop' for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.
- Technological neutrality: the Regulation enables innovation to continue to thrive under the new rules.
The new rules will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Any company - regardless of whether it is established in the EU or not - will have to apply EU data protection law should they wish to offer their services in the EU.
Data Protection Directive (DPD)
The DPD will replace Framework Decision 2008/977/JHA, which previously governed data processing by police and judicial authorities. It enters into force on 5 May 2016, and EU Member States have to transpose it into their national law by 6 May 2018.
The Directive ensures the protection of personal data of individuals involved in criminal proceedings: witnesses, victims, or suspects. Personal data should be processed lawfully, fairly, and only for a specific purpose. It facilitates a smoother exchange of information between authorities, improving cooperation to prevent crime. The directive provides robust rules on personal data exchanges at national, European and international level.
Data Protection Impact Assessments (DPIA)
Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA). A DPIA is a process for reviewing and demonstrating compliance. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms” of a Data Subject.
A DPIA must be carried out prior to the data being processed, and may need to be updated once processing has begun. It contains the organisational and technical measures to secure the personal data and reduce the risk to an acceptable level. Regular reviews should be scheduled, and these are compulsory when something material changes.
The Data Controller is responsible for the DPIA, with assistance from the Data processor as needed. They must seek the advice of the Data Protection Officer (DPO) if one has been appointed under the GDPR.
The GDPR sets out the minimum features of a DPIA (Article 35(7), and recitals 84 and 90):
- “a description of the envisaged processing operations and the purposes of the processing”;
- “an assessment of the necessity and proportionality of the processing”;
- “an assessment of the risks to the rights and freedoms of data subjects”;
- “the measures envisaged to:
  - “address the risks”;
  - “demonstrate compliance with this Regulation”.
However, there is no specific process or methodology to follow.
Here are the key benefits of the RequirementONE GDPR Solution.
Improved Data Protection
Reduce the time and expense of implementing the new data protection regulation before GDPR enters into law. Reduce risk within current programs by identifying areas for improvement.
The Framework creates a common language for the discussion of data protection issues that can facilitate internal and external collaboration.
Mapping Controls and Policies
Individual controls and policies may apply to numerous frameworks. These can be maintained as an interlinked set of procedures to avoid duplication of effort.
A Single Point of Truth
Each compliance element is stored as a record and can be updated, commented, controlled and audited individually. Data is accessible to all stakeholders with no version control issues.
All links and interfaces can be defined and maintained showing dependencies between various policies.
Track the progress of data protection projects. In-line analytics highlight gaps in data protection, traceability of changes and status of data protection efforts.
Internal and External audit teams benefit from a specialized interface with full visibility to review and evaluate procedures.
Typical Use Cases
Here is a typical, but not exhaustive, list of roles and associated use cases that would interact with this solution.
- Data protection team
- Data protection officer
These apps and templates are used for the solution.
Implementing the General Data Protection Regulation (GDPR): A plan to help businesses implement the GDPR regulation, which can be used to ensure that all policies, controls and procedures are updated before the GDPR becomes law.
1) Download the Implementing the General Data Protection Regulation (GDPR) specification from the Solution Store.
2) Assign each task to a member of the team.
3) Follow each step of the plan according to the plan instructions.
General Data Protection Regulation (GDPR): A specification containing the GDPR regulation, which can be used to ensure that all policies, controls and procedures are updated before the GDPR becomes law.
1) Download the Implementing the General Data Protection Regulation (GDPR) specification from the Solution Store.
2) Mark each record to show whether it is applicable to your organization.
3) Link each applicable record to the corresponding policy / control / procedure record.
4) As the linked records are updated, mark the status of the work.
5) Use filters to identify work still to be done.
6) If there are people in the organization who need to be informed but do not have access to RequirementONE, export the completed document to Word.
Data Protection Impact Assessment (DPIA) Checklist: A checklist to determine whether a DPIA is necessary or not.
1) For every operation, create a new record in which you give the data operation a name and describe it in sufficient detail that you will be able to identify it during an audit. Answer all the questions fully.
2) Depending on your organization's appetite for risk, you may decide that a single "Yes" is enough to mean that a DPIA is required. Other organizations set the bar at two.
3) Log your decision in the Outcome field, and add an explanation of how you reached your decision to the Reasons field. This means that, should your decision ever be scrutinized, you will be able to show the decision process.
4) If a DPIA is required, add a hyperlink to the DPIA document.
Data Protection Impact Assessment (DPIA): Sample Data Protection Impact Assessment (DPIA) which can be adapted to meet your business and legislative needs.
1) Rename the specification to 'Data Protection Impact Assessment (DPIA) for [Name of Processing]'.
2) Work your way through each of the records, answering the questions fully.
3) Use the custom fields to keep track of the record status.
4) Create User fields and assign Owners, Reviewers and Approvers to each record.
5) Set up a Review and Training Schedule to ensure your DPIAs are kept up to date and everyone is aware of them.
Sample GDPR Risk Register: Sample GDPR Risk Register which can be adapted to meet your business and legislative needs.
1) Create a new record for each risk, filling in all the custom fields.
2) Add user fields for Assigned to, Reviewer and Approver to ensure that the appropriate oversight is maintained.
3) Use the status field to manage the progress of the work.
- Select an existing project, or create a new one.
- Click on the Solution Store and select the GDPR Templates.
- Once you have the templates, add your custom data and work through the plan.
Combine GDPR with other compliance frameworks to provide a holistic Compliance solution for your organization.
Questions or Comments?
Respond to this post if you want to comment on the template or ask the author a question.