The DPO GDPR Compliance Guide

The DPO GDPR Compliance Guide

Lars Hindsley's DPO GDPR Compliance Guide

The Importance Of This DPO GDPR Compliance Guide

Do you or your organization process personal data? Does your website(s), application(s) or peripheral assets store data? Is this your first exposure to the letters, GDPR? Or DPO?

If you answered ‘Yes’ to any of the previous questions, continue reading. You may now be vulnerable to catastrophic financial liability. You may need a DPO. Fast! They may need this guide.

You may now be exposed to catastrophic financial liability.

Reading this means your organization may be in need of vital GDPR guidance. The GDPR regulation became a law of the Internet land on May 25, 2018. Those of you late to GDPR compliance have good news. This comprehensive guide is loaded with checklist gems not found in other guides.

The General Data Protection Regulation (GDPR) regulation 2016/679 was adopted on April 14, 2016, and became enforceable on May 25, 2018. The European Union Parliament created the GDPR to protect individuals data privacy.
The General Data Protection Regulation (GDPR) regulation 2016/679 was adopted on April 14, 2016, and became enforceable on May 25, 2018. The European Union Parliament created the GDPR to protect individuals data privacy.

You can right your ship and put yourself ahead of others with peace-of-mind. We advise you to save a copy of the GDPR and read it. This checklist and no part of this guide should be construed as legal advice.

Let’s get started.

To best understand the value of this GDPR Compliance Guide, let’s establish a clear understanding of the GDPR. Enacted by the European Union (EU), The GDPR directive is a complex 11 chapter document designed to be the most comprehensive personal data privacy regulation in the world.

Think of the GDPR as empowered digital rights of your intimate intellectual property, such as your name, personal address and your geographic location set by a device or network you randomly accessed.

GDPR Purpose & Scope

On behalf of public privacy, the European Parliament and Council of the European Union (EU) enacted a regulation under EU Law named the General Data Protection Regulation 2016/679.

The GDPR is designed to protect EU citizens (subjects) personal data. It applies to EU residents and those inside EU borders. Example: A U.S. citizen (subject) would be protected on a hotel stay in Spain or any other EU country.

Subjects now have the power to control their private data within the EU the European Economic Area. GDPR has effectually enacted that requirement worldwide. Every business and organization must be in compliance. Non-compliance and/or violations can result in penalties of up to $10,000,000 million and more.

On May 25, 2018, the EU implemented the final alignment of the General Data Protection Regulation. It’s groundbreaking legal enforcement that has covers the globe. This governing standard was enacted to cover the 28 EU member states. Keyword: standard.

The GDPR is a living document and subject to change by legislators influenced by outside forces such as ordinary citizens.

Six Guiding Principles

In collecting, processing and managing data, businesses and organizations must follow these six privacy guiding principles.

    1. Lawfulness – Article 5 clause 1(a)  Article 6
    2. Purpose Limits – Article 5 clause 1(b)
    3. Data Minimisation – Article 5 clause 1(c,e)
    4. Accuracy – Article 5 clause 1(d)
    5. Storage Limits – Article 5 clause 1(e)
    6. Integrity and Confidentiality – Article 1(f) Article 30

1

Data Protection Officer (DPO)

Article 37: A Data Protection Officer is an impartial party, not (or in theory should not be) an officer of the company as the name implies. A DPO is more of an ombudsman than an officer of the company. The DPO is tasked with leading the initiative of ensuring processed subject data is in compliance with the GDPR.

Your business or organization may appoint a Data Protection Officer (DPO), however once appointed they can be difficult to remove. As they are expected to be an impartial figure, it may be prudent to initially outsource this task and evaluate the long term need over time.

Criteria of Necessity

    1. Public Authority (EU only)
    2. Special Personal Data
    3. Regular & Systematic Monitoring of Subjects
    4. Large Scale Personal Data

The ICO has a more exhaustive rundown in determining if your business or organization is required to appoint a DPO.

Upon assignment, the DPO would subsequently manage the remaining portions of this guide. The DPO should have expert knowledge of data protection law.

Your organization has one of three choices in establishing a DPO:

    1. Assign/Appoint
    2. Hire
    3. Outsource

DPO tasks may be facilitated by an internal or external officer. If you are a data center, your risk to liability will be great enough to require an in-house DPO whereas a blogger will self-assign. Adding a form to their website may quickly place them in the position of outsourcing.

Begin with appointing a GDPR Compliance Manager in your business or organization to oversee GDPR Compliance. The Compliance Manager role will most often be fulfilled by a DPO operating as a project manager in initial deployment.

As DPO you must provide your contact details to the relevant DPA.


2

Organization Awareness of Compliance Accountability

Staff training should include all member of your business or organization. Educate and inform every team member, client, and stakeholder of the consequences of non-compliance.

GDPR Awareness Training Resources


3

Data Inventory

Article 30: Your data inventory is your core document. You can’t have a truly GDPR compliant program without it. This task is your first course of action relates to Article 30, requiring data discovery & classification. Roadmap a checklist of data collection points to audit.

Data Classification

Your business or organization may hold subject data in three forms.

    1. Structured Data
    2. Unstructured Data
    3. Web Data

Analysis trends indicate unstructured data and web data such as subject social media posts are being orphaned in siloed databases and applications exposing businesses and organizations to penalties for non-compliance.

Conduct interviews with all process owners such as business owners to IT managers. The integrity of all work ahead relies on this stage of work.

Note: ISO 27001 certification is not by itself GDPR compliant. ISO 2701 is a question debated in periodicals, with the consistent answer of no.


4

Personal Identifiable Information (PII) Audit

Establish all Personal Identifiable Information (PII) data details including anonymous identifiable data. Examples:

  1. Metadata
  2. Selfies
  3. Click-Stream Data
  4. Profile Vital Stats
  5. Subject’s IP
  6. CRM Data
  7. Subject’s geographic access point
  8. Family
  9. Birthdate
  10. Passwords
  11. Personal Nude Images
  12. Satellite Images
  13. Credit Card Information
  14. Call Center Transcripts
  15. Malicious Personal Details
  16. Former Names
  17. Email Address
  18. Home Address
  19. Phone Number
  20. Disability Status
  21. Gender
  22. Ethnicity
  23. Loyalty Card Data
  1. Religion
  2. Weight
  3. Personal Description
  4. Websites Visited
  5. Materials Downloaded
  6. Drivers License or License Plates
  7. Social Security Number
  8. Medical Records
  9. Marital Status
  10. Biometric Data
  11. Salary
  12. Benefits
  13. Donor Information
  14. Passport Number
  15. DNA Profile
  16. Alias
  17. Maiden Name
  18. HIPPA data
  19. Audio Files
  20. Video Files
  21. Forum Posts
  22. Financial Records
  23. Trouble Ticket Information

Fair Use Policy

Clarify and document your business or organization’s purpose in holding data.

  • Possession of subject data must be justified in its use or face penalties
  • Possession of the subject data must be permitted or face penalties

With heavy fines in the balance, destroying non-compliant subject data must be executed with extreme attention to detail.

Establishing and documenting a fair use policy will provide a standardized measurement for data possession. It will further assist in determining if current data should be purged to meet GDPR compliance regulations.

  • Where is the subject’s personal data is stored
  • How is the subject’s personal data is stored
  • How long is the subject’s data being stored?
  • Who’s personal data is being stored
  • Why is the subject’s personal data is stored
  • Is the data relevant?
  • Identify and purge redundant subject data
  • Were subjects PII collected through an affirmative action

Establish Personal Identifiable Information

With heavy fines in the balance, destroying non-compliant subject data must be executed with extreme attention to detail. In the absence of a Fair Use Policy guide, deleting questionable data can only mitigate risk.

Audit third-party data-sharing technology partners.

Identify all EU subject datasets.

A business account will not require country validation. All subject data should include country validation adding forms fields: Country of Residence.

Has your business or organization met the requirements to define your data as being obtained legally according to the GDPR?

Consider established audit programs which evaluate if your GDPR compliance is being effectively governed, monitored and managed.


5

Consent Audit

Articles 121314; Articles: 78: With a completed a PII Audit, your organization has taken a huge first step in lowering your risk in confirming full compliance of the GDPR. Use your organized PPI audit data to complete your consent audit. Keyword: Documentation

Challenge
    1. Notice content – consent mechanism.
    2. Notice availability – placing an affirmative action confirmation (ex. checkbox) at every point you’re collecting information (not the bottom of the website). Notice to include a link at every point you are collecting that data.
Resolution
    1. Review data inventory – provides answers in advance to where notices of consent will be placed.

Verification

You must verify if an affirmative action of consent was secured to collect the subjects personal data. This may require re-establishing consent from every subject across every platform of managed data in your organization.

Consent to hold data must be explicit. Encrypted data is not in compliance if it is not held with consent. Create, test and maintain a cookie consent notice.

Determine where every area of data collection occurs. Send a double opt-in email to re-verify consent of all previous subject data in receiving push notifications, email, mobile in-app and direct mail contact.

Update your business or organization’s privacy policy to conform to the GDPR.

Make permission part of every initiative. Permission, permission, permission. Always get permission as requests to collect data through double opt-ins should be voluntary.

Can subjects withdraw consent at any time?


6

Consent Age Disparity

Article 8: Parental consent. Unlike adult subjects, children are identified as vulnerable individuals. Furthermore deserving of special protection. The only exception in Article 8 is preventative or counseling services offered directly to a child.

The GDPR does not define a child’s age. Observe all laws in jurisdictions you operate with attention to policies. i.e. COPPA in the U.S.. and GDPR-K in some European states with the age of consent varying between the ages of 13 and 16.  Legal counsel for age restriction is highly recommended.

Observe current standards and changing dynamics in the process of appropriating parent consent mechanisms and verification.

Keep abreast of legislation directed towards children of offline data processing.

Back up all data on legitimate interests.


7

Data Protection

Article 25: Risk management is the name of the game. The information security standard of fail to safe applies equally to PII data protection. With a proper risk management process established, a well trained IT security project manager who will understand the required framework, conduct a gap analysis, and execute an optimization plan.

Network Ability and Strength

Determine your IT system’s ability and strength to manage and support GDPR compliance.

Due in part to the GDPR high-value data is no longer standard high-risk data. Any breach can result in catastrophic costs to your business under the authority of the EU. Pressure test all data against the Data Protection Impact Assessments (DPIA) (Article 35) standard to meet compliance.

Audit Trail

Is there an audit trail on each subject record? If not the data is not in compliance and must be re-verified with an affirmative action of consent through a means such double opt-in.

Redundancy

Confirm current levels and means of redundancy are in GDPR compliance.

No Data Trading

One area of concern is marketing. A no data trading policy must be enacted and enforced. While managers will enforce this in part, the policy is ultimate enforcer is the DPO.


8

Data Breach Report Response System

Article 33: Incident response under the GDPR regulation is an upper management challenge to take seriously. Any breach or loss must be reported in a proactive process within a 72-hour time frame. Specifically 72 clock hours, not 72 business hours.

The good news is the incident response challenge is more easily met if you established organized data inventory your company ecosystem. Your organized data will serve as the single source of truth to the DPA as you provide answers for the breach.

Plans to notify the affected parties and controller should include detailing the risk of affecting the subjects freedoms and rights. They should communicate the mitigation measures being deployed. Coordinate a response:

  • Internal employee training
  • Social Media Response Plan
  • Deploy public relations to inform the public with clear details and instructions for assistance
  • Prepared Customer Service Response Unit

Every member of the organization should have a pre-planned duty in response.


9

Privacy Notice & Privacy Policy

Article 32: A Privacy Notice tells the public what you are doing with their personal data. A Privacy Policy is a guiding internal document stating the business or organization’s posture. The privacy policy establishes the scope of data being addressed, principles, and level of commitment to protecting subject data.

Mandate policy training. GDPR does not mandate policy training but without training, no one can be held accountable within the organization.

Policy notices should all be updated to reflect compliance of the GDPR. Conduct a comprehensive review and update of all your business or organization’s policies on data and privacy to meet the requirements of the GDPR. They must be modified and adhere to the GDPR.

The Generally Accepted Privacy Principles (GAPP) is a good source of transferable principles. The GAPP offers many good transparency elements in constructing a privacy notice.

Your notice should include how you are going to transfer subject data within your business or organization, or third parties.

Include a notification of How To Revoke Consent if your processing is based on consent.

Include that if a dispute resolution fails with the data controller a DPA is the subject is an alternate final route.

Privacy in US vs EU

Your legal department should incorporate all the mandatory documents required by the EU into your privacy policy. See: List of Mandatory Documents Required By EU GDPR


10

Clear Terms & Conditions

Update all legal documents.

Cookies: Ease privacy concerns over cookies with clear friendly positive requests: This site uses cookies to offer you a better browsing experience.

Do all your forms have checkboxes to confirm an affirmative action? (Unless they are under lawfulness of processing.) Forms must now always offer a means to confirm the subject is giving specific consent.

Remember your business or organizations terms must now conform to the GDPR.


11

Third Party Contracts

Article 28:  Article 28 establishes the ground rules for processors dictating the need to update third-party contracts. Having a clear understanding of what your 3rd party processors do with subject data is a critical part of your DPO duties. A compliant contract data processing agreement is your means of protection if legally constructed properly. TermsFeed.com has a great article citing a number of important legalities to understand. Here is a checklist to rundown:

Any legal decisions you make based on this guide should be run by your own business or organizations counsel. This is a guide, not legal advice.


12

Give Special Attention To Known Weaknesses

Phishing and social engineering will always be exploitable attack points if humans are not trained. This is a new area of security. Adjust.

Inventory a data removal tool to strip files of metadata before that same file is shared.

Confirm Delete for GDPR Guide

Anonymous identifiable data including cross-referenceable anonymous data can slip by less diligent DPO’s.

Implement a confirmation based deletion system. It’s widely known that Windows PC’s do not erase data immediately upon dragging a file to the trash and then executing the confirm delete command. Instead, the hard drive places the data in reserved space to be written over. It is similar vulnerabilities a DPO should fact find within their own network by consulting with the Information Security Officer responsible.


13

Digital Rights & Business Policy Alignment

  • Privacy Policy
  • Terms & Conditions
  • Terms of Service
  • Terms of Use
  • Return and Refund Policy
  • Cookies Policy
  • End User License Agreement (EULA)
  • Disclaimer

14

GDPR Compliant Statement

It’s a proud moment when a business or organization can officially provide a statement of compliance to the public.

A GDPR Compliant Statement is now as ubiquitous as an FAQ or About page. Every web site or app collecting subject data must have one.

A proper Compliance Statement is broad and complete. It will mirror every measure stated in this guide as completed or in compliance. Here is an excellent example of an exceptional Compliance Statement.

It’s required to inform users in a ‘clear and unambiguous way’ if you use cookies. You should also have a cookie policy statement in your privacy notice.

In Conclusion

EU Textured Flag

GDPR is now a fundamental part of business in the Internet era. In time, compliance guides will be streamlined for training every individual entering the job market.

Currently, the best comprehensive guide this writer has found in research is produced by i-scoop. The Online Guide to the EU GDPR

 


RESOURCES

GDPR Online

GDPR Pocket Edition

EU GDPR

0/5 (0 Reviews)