The Importance Of This DPO GDPR Compliance Guide
Do you or your organization process personal data? Do your website(s), application(s) or peripheral assets store data? Is this your first exposure to the letters GDPR? Or DPO?
If you answered ‘Yes’ to any of the previous questions, continue reading. You may now be exposed to catastrophic financial liability. You may need a DPO. Fast! They may need this guide.
Reading this means your organization may be in need of vital GDPR guidance. The GDPR regulation became a law of the Internet land on May 25, 2018. Those of you late to GDPR compliance have good news. This comprehensive guide is loaded with checklist gems not found in other guides.
You can right your ship and put yourself ahead of others with peace of mind. We advise you to save a copy of the GDPR and read it. Neither this checklist nor any part of this guide should be construed as legal advice.
Let’s get started.
To best understand the value of this GDPR Compliance Guide, let’s establish a clear understanding of the GDPR. Enacted by the European Union (EU), the GDPR is a complex 11-chapter regulation designed to be the most comprehensive personal data privacy regulation in the world.
Think of the GDPR as a set of enforceable digital rights over your personal information, such as your name, your home address and the geographic location recorded by a device or network you happened to access.
GDPR Purpose & Scope
The GDPR is designed to protect the personal data of EU citizens (data subjects). It applies to EU residents and to those inside EU borders. Example: a U.S. citizen (subject) would be protected during a hotel stay in Spain or any other EU country.
Subjects now have the power to control their private data within the EU and the European Economic Area (EEA). In effect, the GDPR extends that requirement worldwide. Every business and organization must be in compliance. Non-compliance and/or violations can result in penalties of up to $10,000,000 and more.
On May 25, 2018, the EU implemented the final alignment of the General Data Protection Regulation. It is groundbreaking legal enforcement that covers the globe. This governing standard was enacted to cover the 28 EU member states. Keyword: standard.
The GDPR is a living document and subject to change by legislators influenced by outside forces such as ordinary citizens.
Six Guiding Principles
In collecting, processing and managing data, businesses and organizations must follow these six privacy guiding principles.
Data Protection Officer (DPO)
Article 37: A Data Protection Officer is an impartial party, not (or at least in theory should not be) an officer of the company, as the name might imply. A DPO is more of an ombudsman than an officer of the company. The DPO is tasked with leading the initiative of ensuring that processed subject data is in compliance with the GDPR.
Your business or organization may appoint a Data Protection Officer (DPO); however, once appointed they can be difficult to remove. As they are expected to be an impartial figure, it may be prudent to initially outsource this task and evaluate the long-term need over time.
Criteria of Necessity
- Public Authority (EU only)
- Special Personal Data
- Regular & Systematic Monitoring of Subjects
- Large Scale Personal Data
The ICO has a more exhaustive rundown in determining if your business or organization is required to appoint a DPO.
Upon assignment, the DPO would subsequently manage the remaining portions of this guide. The DPO should have expert knowledge of data protection law.
Your organization has one of three choices in establishing a DPO:
DPO tasks may be carried out by an internal or external officer. If you are a data center, your liability risk will be great enough to require an in-house DPO, whereas a blogger will self-assign. Adding a form to their website may quickly place that blogger in the position of needing to outsource the role.
Begin by appointing a GDPR Compliance Manager in your business or organization to oversee GDPR compliance. The Compliance Manager role will most often be fulfilled by a DPO operating as a project manager during initial deployment.
As DPO you must provide your contact details to the relevant Data Protection Authority (DPA).
Organization Awareness of Compliance Accountability
Staff training should include all members of your business or organization. Educate and inform every team member, client, and stakeholder of the consequences of non-compliance.
GDPR Awareness Training Resources
Article 30: Your data inventory is your core document. You can’t have a truly GDPR compliant program without it. This task, your first course of action, relates to Article 30, which requires data discovery and classification. Roadmap a checklist of data collection points to audit.
Your business or organization may hold subject data in three forms.
- Structured Data
- Unstructured Data
- Web Data
Analyses indicate that unstructured data and web data, such as subjects’ social media posts, are being orphaned in siloed databases and applications, exposing businesses and organizations to penalties for non-compliance.
Conduct interviews with all process owners, from business owners to IT managers. The integrity of all work ahead relies on this stage of work.
Note: ISO 27001 certification is not by itself GDPR compliance. Whether ISO 27001 equals GDPR compliance is a question debated in periodicals, with the consistent answer of no.
Personally Identifiable Information (PII) Audit
Establish all Personally Identifiable Information (PII) data details, including anonymous identifiable data. Examples:
Fair Use Policy
Clarify and document your business or organization’s purpose in holding data.
- Possession of subject data must be justified in its use or face penalties
- Possession of the subject data must be permitted or face penalties
With heavy fines in the balance, destroying non-compliant subject data must be executed with extreme attention to detail.
Establishing and documenting a fair use policy will provide a standardized measurement for data possession. It will further assist in determining if current data should be purged to meet GDPR compliance regulations.
- Where is the subject’s personal data stored?
- How is the subject’s personal data stored?
- How long is the subject’s data being stored?
- Whose personal data is being stored?
- Why is the subject’s personal data stored?
- Is the data relevant?
- Identify and purge redundant subject data
- Was the subject’s PII collected through an affirmative action?
In the absence of a Fair Use Policy guide, deleting questionable data can only mitigate risk.
Audit third-party data-sharing technology partners.
Identify all EU subject datasets.
A business account will not require country validation. All subject data should include country validation; add a form field for Country of Residence.
Has your business or organization met the requirements to define your data as being obtained legally according to the GDPR?
Consider established audit programs which evaluate if your GDPR compliance is being effectively governed, monitored and managed.
Articles 12 – 13 – 14; Articles 7 – 8: With a completed PII Audit, your organization has taken a huge first step in lowering your risk and confirming full compliance with the GDPR. Use your organized PII audit data to complete your consent audit. Keyword: Documentation
- Notice content – consent mechanism.
- Notice availability – place an affirmative action confirmation (e.g. a checkbox) at every point where you collect information (not at the bottom of the website). The notice should include a link at every point where you collect that data.
- Review data inventory – provides answers in advance to where notices of consent will be placed.
You must verify whether an affirmative action of consent was secured to collect the subject’s personal data. This may require re-establishing consent from every subject across every platform of managed data in your organization.
Consent to hold data must be explicit. Encrypted data is not in compliance if it is not held with consent. Create, test and maintain a cookie consent notice.
Determine where every area of data collection occurs. Send a double opt-in email to re-verify consent for all previously collected subject data used for push notifications, email, mobile in-app and direct mail contact.
Make permission part of every initiative. Permission, permission, permission. Always get permission; requests to collect data through double opt-ins should be voluntary.
Can subjects withdraw consent at any time?
Consent Age Disparity
Article 8: Parental consent. Unlike adult subjects, children are identified as vulnerable individuals and therefore deserve special protection. The only exception in Article 8 is preventative or counseling services offered directly to a child.
The GDPR does not define a child’s age. Observe all laws in the jurisdictions you operate in, with attention to policies such as COPPA in the U.S. and GDPR-K in some European states, where the age of consent varies between 13 and 16. Legal counsel on age restrictions is highly recommended.
Observe current standards and changing dynamics in the process of appropriating parent consent mechanisms and verification.
Keep abreast of legislation directed towards children of offline data processing.
Back up all data on legitimate interests.
Article 25: Risk management is the name of the game. The information security principle of fail-safe applies equally to PII data protection. With a proper risk management process established, a well-trained IT security project manager will understand the required framework, conduct a gap analysis, and execute an optimization plan.
Network Ability and Strength
Determine your IT system’s ability and strength to manage and support GDPR compliance.
Due in part to the GDPR, high-value data is no longer merely standard high-risk data. Any breach can result in catastrophic costs to your business under the authority of the EU. Pressure test all data against the Data Protection Impact Assessment (DPIA) standard (Article 35) to meet compliance.
Is there an audit trail on each subject record? If not, the data is not in compliance and must be re-verified with an affirmative action of consent through a means such as double opt-in.
Confirm current levels and means of redundancy are in GDPR compliance.
No Data Trading
One area of concern is marketing. A no data trading policy must be enacted and enforced. While managers will enforce this in part, the policy’s ultimate enforcer is the DPO.
Data Breach Report Response System
Article 33: Incident response under the GDPR is a challenge upper management must take seriously. Any breach or loss must be reported through a proactive process within a 72-hour time frame. Specifically, 72 clock hours, not 72 business hours.
The good news is that the incident response challenge is more easily met if you have established an organized data inventory across your company ecosystem. Your organized data will serve as the single source of truth for the DPA as you provide answers about the breach.
Plans to notify the affected parties and the controller should detail the risk to the subjects’ freedoms and rights and communicate the mitigation measures being deployed. Coordinate a response:
- Internal employee training
- Social Media Response Plan
- Deploy public relations to inform the public with clear details and instructions for assistance
- Prepared Customer Service Response Unit
Every member of the organization should have a pre-planned duty in response.
Mandate policy training. GDPR does not mandate policy training but without training, no one can be held accountable within the organization.
Policy notices should all be updated to reflect compliance with the GDPR. Conduct a comprehensive review and update of all your business or organization’s policies on data and privacy so that they meet the requirements of the GDPR.
Your notice should include how you are going to transfer subject data within your business or organization, or to third parties.
Include a notification of How To Revoke Consent if your processing is based on consent.
Include that, if dispute resolution with the data controller fails, the subject may turn to a DPA as an alternate final route.
Clear Terms & Conditions
Update all legal documents.
Do all your forms have checkboxes to confirm an affirmative action? (Unless they are under lawfulness of processing.) Forms must now always offer a means to confirm the subject is giving specific consent.
Remember that your business or organization’s terms must now conform to the GDPR.
Third Party Contracts
Article 28: Article 28 establishes the ground rules for processors, dictating the need to update third-party contracts. Having a clear understanding of what your third-party processors do with subject data is a critical part of your DPO duties. A compliant data processing agreement is your means of protection if it is legally constructed properly. TermsFeed.com has a great article citing a number of important legalities to understand. Here is a checklist to run down:
Any legal decisions you make based on this guide should be run by your own business or organization’s counsel. This is a guide, not legal advice.
Give Special Attention To Known Weaknesses
Phishing and social engineering will always be exploitable attack points if humans are not trained. This is a new area of security. Adjust.
Adopt a metadata removal tool to strip files of metadata before they are shared.
Anonymous identifiable data, including cross-referenceable anonymous data, can slip by less diligent DPOs.
Implement a confirmation-based deletion system. It is widely known that Windows PCs do not erase data immediately when a file is dragged to the Recycle Bin and the delete is confirmed. Instead, the data remains on the drive in space marked as free until it is overwritten. A DPO should fact-find similar weaknesses within their own network by consulting with the responsible Information Security Officer.
Digital Rights & Business Policy Alignment
- Terms & Conditions
- Terms of Service
- Return and Refund Policy
- Cookies Policy
- End User License Agreement (EULA)
GDPR Compliant Statement
It’s a proud moment when a business or organization can officially provide a statement of compliance to the public.
A GDPR Compliant Statement is now as ubiquitous as an FAQ or About page. Every website or app collecting subject data must have one.
A proper Compliance Statement is broad and complete. It will mirror every measure stated in this guide as completed or in compliance. Here is an excellent example of an exceptional Compliance Statement.
GDPR is now a fundamental part of business in the Internet era. In time, compliance guides will be streamlined for training every individual entering the job market.
Currently, the best comprehensive guide this writer has found in research is produced by i-scoop. The Online Guide to the EU GDPR