GDPR compliance in three stages
The General Data Protection Regulation (hereinafter “GDPR”) was adopted on the 14th of April 2016 to replace the Data Protection Directive from 1995. The GDPR became enforceable beginning from the 25th of May 2018. As the GDPR is a regulation, it is directly binding and applicable. The EU, i.e. the GDPR aims at regaining the people’s trust, as well as control over their personal data. To be GDPR-compliant many entities must go through a time and money consuming implementation process. Even when the implementation process is done, compliance with the GDPR must be under constant revision. Many existing entities are not appropriately compliant or are not compliant at all. Of course, all newly established entities must go through the implementation process.
This article gives a very basic overview of the GDPR implementation process under the assumption that reader is familiar with the GDPR (e.g. rules, terminology etc.).
The GDPR implementation process is very complex and individually adapted to each entity. Considering complexity of the process, it can be divided into three stages.
The first stage of implementation
The first stage of implementation is primarily based on detailed analysis of business processes. This step is the most challenging and time consuming. Practice has shown that entities are not completely familiar with all business processes they conduct. That is why the audit of these processes is important and useful for other purposes too.
Every business process involving personal data must be listed in Personal Data Register. For example, if you have a HR business process related to working hours of employees, it must be listed in the Personal Data Register. Besides the name of the business process, Personal Data Register contains other important information regarding the relevant business process, for example: processed personal data, source of personal data, purpose of personal data processing, lawfulness of personal data processing, transfer of personal data to third parties, purpose of personal data transfer to third parties, data retention period, data transfer outside of the EU and etc.
After listing all business processes involving personal data in Personal Data Register, Privacy Policies can be drafted based on collected data. Privacy Policy is a document which provides mandatory information to data subjects regarding processing of their personal data. Provided information must be concise, transparent, intelligible and easily accessible, while using clear and plain language. As mentioned, Privacy Policy has mandatory content as it follows: name and contact details of the entity, contact details of data protection officer (if applicable), categories of data subjects and their processed personal data, purpose of the processing, lawful basis for the processing, the recipients or categories of recipients of the personal data, data retention periods, information about the rights of data subjects, as well as other mandatory information. Privacy information must be provided to data subjects at the time of collection of their personal data. That moment is called a contact point and can be different for each data subject. For example, some data subjects can provide you their personal data via Email, which means that Email will be a contact point where you must provide privacy information to those data subjects. In order to increase the level of transparency of information for data subjects, the tool of layered Privacy Notices can be very useful. Privacy Notice provides only the key information to data subjects in very concise way, while more information is provided, usually via link to Privacy Policy, for those who want to be informed in more detail.
If you have employees, they are also your data subjects and you should provide them certain information regarding their personal data. In other words, you should have Privacy Policy for Employees. The content of the Privacy Policy for Employees is almost the same as the content of the Privacy Policy regarding other data subjects. Employees must be introduced with this document in an appropriate way (e.g. Email, meeting etc.).
The next very important goal in the first stage is to implement the self-regulation procedures that help entities reach full compliance. Personal Data Rulebook is a document that helps reach that goal by creating a framework of binding internal rules of conduct in order to specify the application of GDPR provisions. Another necessary step ensuring the attainment of the objective pursued is amendment of the Labor Rulebook.
The second stage of implementation
The second stage of implementation is focused on the transfer of personal data, i.e. recipients or categories of recipients of the personal data. Also, this stage is continuously being focused on the self-regulation procedures by creating special internal guidelines regarding specific business processes involving personal data.
If there is a transfer of personal data between the entity implementing GDPR and third parties / recipients of personal data (e.g. IT service providers, accountant advisors etc.), it is important to determine those with whom it is necessary to conclude a Data Protection Agreement. Of course, mandatory content of Data Protection Agreement is prescribed by GDPR, but there is also a possibility of adding additional safeguards.
Special internal guidelines refer to specific business processes including personal data. Special internal guidelines do not have a binding legal effect, but they will establish a certain level of data protection and will give a practical interpretation of the abstract protection requirements set by GDPR. For example, if entities organize events such as seminars, conferences, educations etc., guidelines on photographing / video-recording of such events should help with compliance.
The most important guideline regarding internal matters of the entity is Data Breach Procedure Guideline. This Guideline determines mandatory actions in case of a data breach, for example how to draft a data breach report, deadlines about notifying data subjects or supervisory authorities about the data breach etc.
The third stage of implementation
The last stage of implementation is focused on assessing business processes regarding determined risks, as well as lawfulness of processing the personal data. Data Protection Impact Assessment (DPIA) and Legitimate Interests Assessment (LIA) must be conducted in order to assess the business processes.
Data Protection Impact Assessment is a documented assessment helping to identify and minimize the data protection risks in certain business processes. Data Protection Impact Assessment helps to prove that risks to a certain processing were considered, as well as that the entity met their broader data protection obligations.
If using legitimate interest as lawful basis for processing personal data, Legitimate Interests Assessment must be conducted. Legitimate Interests Assessment consists of three parts (purpose test, necessity test and balancing test) and it is designed to help when deciding whether the legitimate interests’ basis is likely to apply to certain processing.
Additional advice
Do not use templates found online for the purpose of GDPR implementation. Instead, do a thorough analysis of your business processes and draft you GDPR documentation in accordance with your needs, respecting mandatory content of GDPR.