Auditor Insights: Where to Start with GDPR Compliance
As GDPR becomes a more and more prevalent data privacy law, we want to give organizations four actions to start with when working towards GDPR compliance. These areas should help organizations understand what kind of personal data of data subjects that they have, where it goes, and what role (data controller or data processor) they fit into under GDPR. I chose the areas of data mapping, contract management, documentation review, and security standards for a couple of reasons. First, because they are the most pressing areas upon an organization in terms of GDPR compliance and second, because they are the most universally applicable. No matter what role organizations fit into under GDPR, these areas will be useful places to start with for GDPR compliance.
I recommend that all organizations start with data mapping when beginning their journey towards GDPR compliance. It is a critical area for data privacy. I don’t see how it’s possible to determine whether an organization is a data controller or data processor without a full knowledge of the personal data it holds, where the personal data comes from, and how the organization processes that personal data. One of the benefits of data mapping, I believe, is that it provides the greatest value in terms of multiple areas under the law. It can cover multiple roles in the law, plus it fulfills other aspects of GDPR compliance. Data Protection Impact Assessments, records of processing, facilitating data subjects’ rights, required information that controllers must give to data subjects and supervisory authorities – these areas all require a documented understanding of what personal data of data subjects that organizations have and where it goes.
In the diagram below, you can see a very rudimentary data map to give you a sense of why data mapping is beneficial. In this case, the data map represents a data subject who is a candidate for employment. That data subject provides their personal data to a third-party staffing or recruiting firm for assistance in finding employment. That third-party staffing firm then submits that personal data to an organization’s Human Resources Department. From there, you can see that Human Resources sends the personal data to other parts of the organization, as well as a third-party background screening provider. If that data subject were to find out about a negative mark on their background screening, tests the accuracy, and requests that the data be rectified, both of the third parties and the organization considering hiring the candidate would need to know where the data is flowing in order to determine what kind of activities they should take if the data request is a valid one.
A data map may be where an organization first uncovers that they are both a data controller and data processor. Let’s take SaaS providers who perform support activities, for example. If the SaaS provider is involved with support activities (live or remote support) that directly involve receiving personal data from a data subject, they may move from thinking they are just a data processor to understanding they are both a data controller and data processor.
I believe data mapping is a critical area in terms of GDPR compliance efforts. On your GDPR compliance journey, has your organization considered starting with data mapping?
The second area to start with when working towards GDPR compliance is contract management. Whatever role you play, but especially if you have both controller and processor responsibilities, contract management includes a review of all vendor/partner contractual agreements to ensure they are GDPR compliant. This includes controller-processor contractual agreements, contractual agreements between processors and sub-processors, and creating a process for reviewing all new contractual agreements before signing.
You need to review the agreements you have between data controllers and data processors for a few different reasons:
- A written agreement is required to exist between data controllers and data processors in order to process personal data in a way that is GDPR compliant.
- There are elements of contractual agreements that are specifically outlined and required by GDPR.
- Processor discretion must be outlined.
Then, you must conduct a review of agreements between processors and sub-processors; these agreements must mirror the controller-processor contractual agreements. I recommend that your organization should conduct a one-time review of current contractual agreements with vendors and other partners to ensure that the agreements are appropriate for their role under GDPR. Going forward, you should create and implement a process for reviewing all new agreements before signing. This review should ensure that new agreements meet GDPR requirements.
What is your organization’s contract management process for GDPR compliance? With whom do you have contractual relationships and what kind of contractual relationship do you have? Do all vendors/partners have the appropriate contractual agreements for their role?
The third area that I would recommend when beginning GDPR compliance efforts is an internal documentation review. This documentation review should cover information that controllers must share with data subjects, records of processing, and policies and procedures.
- The law specifically requires documentation of information that data controllers must share with data subjects. Article 13 outlines when the personal data is directly received from the data subject and Article 14 outlines when the personal data is not directly received from the data subject.
- Article 30 references records of processing. Many data controllers and data processors will meet the threshold for this, although there are some different levels of requirements. The law lays out what elements of those records that controllers and processors should maintain. If data mapping is completed, I think you’ll have a much better ability to meet the requirements for records of processing.
- Policies and procedures must be reviewed and updated to address GDPR requirements. While some organizations may have to create new policies and procedures for things like data subject rights, most organizations should be able to just update current policies and procedures to include GDPR aspects.
How would your organization conduct a documentation review? Who would be involved? Who would update documentation to address GDPR requirements?
From my perspective, GDPR is a data protection law that is much more process-oriented and less technical in nature. The text of the law says both data controller and data processors have to have appropriate technical and organizational controls. The law does not specify what those technical and organization controls should be. In the future, supervisory authorities and other guidance from the EU may give us what those specifications are, but at this time, we don’t have it. Each organization must define what is “appropriate” based on the type of processing it’s engaged in and the type of data that it processes. Then, each organization must monitor that “appropriateness” going forward. If processing activities change, the controls that were once appropriate from a technical and organizational perspective may no longer be appropriate. If the processing changes but the type of data changes (like going into more sensitive categories of data), what was once appropriate may no longer be appropriate.
So, which security standards do you use? There are several ways to do this, your organization just needs to make a decision that defensible. You could use a third party to determine which security standards are appropriate for your organization, you could use a defined standard (like ISO 27000, NIST, or PCI), or you could develop an internal process.
Where to Start with GDPR Compliance
Data mapping, contract management, documentation review, and security standards are four key areas to start with for your GDPR compliance journey. We encourage you to follow the data, start the paper chase, perform thorough internal documentation review, and identify which security standards are appropriate for your organization. All of these activities will play off of one another and assist you in your GDPR compliance journey.
Want to take the next steps towards GDPR compliance? Contact us to speak with a data privacy expert.
About Mark Hinely
Mark Hinely, Esq., is a Regulatory Compliance Specialist with KirkpatrickPrice and a member of the Florida Bar, with 10 years of experience in data privacy, regulatory affairs, and internal regulatory compliance. His specific experiences include performing mock regulatory audits, creating vendor compliance programs and providing compliance consulting. He is also SANS certified in the Law of Data Security and Investigations.