GDPR: Best practice Implementation Guide

Transforming GDPR Requirements into Compliant Operational Behaviours

Introduction

The General Data Protection Regulation (GDPR) is a revolutionary change in Data Protection and will
in all likelihood become the de-facto gold standard for Data Protection regulation globally. The two
areas most influential in this regard relate to Accountability and Enforcement.

1. Accountability: Organisations must embrace the new accountability principle introduced by the
GDPR and move from ‘theory to practice’ in terms of their Data Protection efforts.

2. Enforcement: The member state Data Protection Authorities (DPAs) must rigorously enforce the
Regulation by issuing substantive penalties where organisations cannot adequately evidence
compliance with the GDPR accountability principle.

One of the biggest challenges for organisations that fall within the broad extra-territorial scope of
GDPR, is transforming the legal requirements of GDPR into compliant and sustainable operational
behaviours. Whilst there will be many organisations, such as those in the financial services and

healthcare sectors, who are used to dealing with regulatory requirements, there are many others
who will be experiencing the challenge of implementing strict regulatory requirements for the first
time. Experienced or not, the May 25 deadline in 2018 is fast approaching and action needs to be
taken now by all organisations within the scope of GDPR.

The GDPR Accountability Principle

Recognition of the need for accountability in terms of data privacy is not new and can be seen in the
privacy guidelines issued by the Economic Cooperation and Development (OECD) back in 1980.

The OECD describes accountability as “showing how responsibility is exercised and making it
verifiable”

The intent of the new GDPR Accountability Principle, as defined in Article 5(2) of the GDPR text, is
similar to that of the OECD privacy guidelines. It is seeking to reaffirm and strengthen the
responsibility of Data Controllers and Data Processors, in relation to Processing of Personal Data,
and requiring them to demonstrate compliance with measures which give effect to the other six
GDPR principles (listed below).

GDPR Principle Description

Lawfulness, fairness and Processed lawfully, fairly and in a transparent manner
transparency
Purpose limitation Collected for specified, explicit and legitimate purposes and not further
Processed in an incompatible manner
Data minimisation Adequate, relevant and limited to what is necessary
Accuracy Kept accurate and up-to-date.
Storage limitation Not kept, any longer than necessary, in a form which permits
identification of a Data Subject.
Integrity and Appropriate security ensuring protection against unauthorised or
confidentiality unlawful Processing and against accidental loss, destruction or damage
The European Data Protection Supervisor (EDPS) has stated, in reference to accountability, that “EU
institutions and bodies should, at the most senior level, endorse and take responsibility for Personal
Data Processing inside their organisations which occurs as part of the tasks of their institution”.
Although accountability is undoubtedly a core tenet of the GDPR, it doesn’t offer a specific
definition. The EDPS, in their Accountability Fact Sheet, do provide some insight in this regard by
stating that accountability in Personal Data Processing requires:

• Transparent internal Data Protection policies, approved and endorsed by the highest level of the
organisation’s management.

• Informing and training all people in the organisation on how to implement the policies.

• Responsibility at the highest level for monitoring the policy implementation, assessing and
demonstrating to external stakeholders and Data Protection Authorities the quality of the
implementation.

• Procedures for redressing poor compliance and data breaches.

The GDPR Accountability Life Cycle

This GDPR Best Practices Guide puts forward a GDPR implementation methodology designed to:

• Engage stakeholders to ensure timely and efficient organisational readiness for GDPR.

• Implement effective procedures that embed GDPR-compliant operational behaviours.

• Establish assurance criterion that will sustain and evidence GDPR accountability.

The methodology consists of three phases (Prepare, Operate, Maintain), with each incorporating a
number of supporting activities. The objective defined for each phase is attained once all of the
activities for that phase have been successfully executed. The ultimate goal of the methodology is
sustaining and evidencing compliance with the GDPR Accountability Principle.

Phase I: Prepare Ensures stakeholder engagement and organisational readiness for GDPR
Phase II: Operate Implements effective procedures that embed GDPR-compliant operational
behaviours
Phase III: Maintain Delivers assurance and evidence of ongoing GDPR accountability

Accountability Life Cycle Activities

The table below lists the phased activities that support the Accountability Life Cycle.

Phase Activity
PHASE I: Prepare Activity A: Obtain the buy-in of key business stakeholders
Activity B: Establish your GDPR readiness program team
Activity C: Identify and assess relevant business functions
Activity D: Identify and assess in-scope Third Party Processing activities
Activity E: Establish a central Personal Data register
Activity F: Distribute updated Data Protection policies and Privacy Notices
Activity G: Educate internal Personal Data Handlers and external Data Processors
PHASE II: Operate Activity H: Disseminate and maintain external Privacy Notices
Activity I: Justify and record lawful Processing mechanisms
Activity J: Process and record Data Subject rights requests
 Activity K: Validate and record Third Country data transfers
Activity L: Report and manage Personal Data Breach incidents
PHASE III: Maintain Activity M: Evidence understanding of Data Protection policies
Activity N: Ensure the ongoing integrity and quality of the Personal Data Processing
register
Activity O: Trigger impact assessments for business change events
Activity P: Verify compliance of Third Party Personal Data Processing activities
Activity Q: Demonstrate effectiveness of Personal Data handling practices

PHASE I: Prepare

This initial phase considers the activities necessary to ensure GDPR readiness for your organisation.
It is very important that you engage key business at the outset to inform and educate them. If done
effectively, you will obtain their buy-in and support, a fundamental success factor for achieving your
GDPR readiness goals. Following on from this you will need to appoint your GDPR program team,
identify and assess relevant Personal Data Processing activities, prioritise a set of remediation
actions, establish a centralised Personal Data register, educate Personal Data Handlers and Data
Processors and update your Data Protection policies and Privacy Notices. Each of these activities are
explained in more detail below.

Activity A: Obtain the buy-in of key business stakeholders

The importance of obtaining buy-in from your Senior Management and Executive teams should not
be underestimated when embarking on any organisation-wide initiative. In a GDPR context, the
ongoing cooperation of key business stakeholders is fundamental to the overall success of the GDPR
program.

The substantial financial sanctions associated with GDPR noncompliance, should assist in getting the
attention of your Senior Management and Executive teams. It is in their best interest to ensure that
the risk of GDPR non-compliance features prominently on your Corporate risk register

It is encouraging that several Data Protection Authorities have already reinforced the importance of
making senior business stakeholders aware of the requirements of GDPR. In their GDPR guidance,
the UK, Belgium and Hungry are all recommending a focus on stakeholder awareness as the first step
on your journey towards GDPR compliance.

It is important to look broadly across your organisation to ensure that you identify and educate all
relevant stakeholder groups. Stakeholders from Customer Relations, Human Resources, Marketing,
Procurement, Systems Development, IT, Information Security, Legal, Risk and Compliance are
obvious candidates for inclusion. In addition, you should consider other business functions specific
to your industry, such as Engineering, Research & Development and Manufacturing.

There are various approaches that can be taken to achieve stakeholder awareness, education and
buy-in. The one chosen will depend various factors such as your organisation size, company culture,
local or global reach and the number of Data Protection personnel your organisation has at its
disposal.

If you are a local or regionally focussed company with a relatively small number of staff, you might
prefer to engage in-person with your Senior Managers and Executives regarding GDPR. If, on the
other hand, you are a large multinational organisation with thousands of globally distributed staff
you may choose to leverage web-based GDPR awareness and educational content that is now
available from some eLearning vendors.

Activity B: Establish your GDPR readiness program team

Before you embark on your GDPR compliance program it is critical that you clearly define the roles
and responsibilities of the personnel tasked with its delivery. The appointment of a Board level
program sponsor, a high-ranking Data Protection Officer (DPO) and an experienced compliance
program manager would be an ideal way to get the ball rolling.

There are circumstances in which organisations must appoint a Data Protection Officer (DPO). This is
the case if your organisation is a Public Authority, carries out online behavioural tracking or conducts
large scale Processing of Special Categories of Data. Even if your organisation is not obligated to
appoint a DPO, you must still ensure that you have deployed sufficient staff with the appropriate
skills to meet all requirements of the GDPR.

Only once you have a formal GDPR program team in place, clear goals outlined, key milestones
defined, measurable objectives set, key milestones defined, adequate budget assigned and
resources are fully engaged, are you truly ready to embark on your GDPR journey.

Activity C: Identify and assess relevant business functions

Expecting to successfully deliver any project, compliance related or otherwise, without identifying all
the in-scope business functions or consulting the people who perform the operational tasks
involved, is a mistake common to many organisations. This is typically a result of incorrect
assumptions made by those in charge of managing the project or business managers assigning
inexperienced operational personnel to work on the project. Regardless of the reason, failure in this
regard makes it impossible to deliver a successful GDPR compliance program.

To successfully identify all the relevant key business processes and understand the information life
cycle (collection, Processing, storage and transfer) of the Personal Data associated with those
processes, organisations must be prepared to commit the time of experienced personnel. Assigned
personnel will need to participate in an assessment of the privacy risks related to the Personal Data
Processing activities that have been identified. Establishing a risk threshold is an important step in
the assessment process as it allows you to quickly focus on and further assess at an appropriate
level, the areas of greatest risk.

Having identified and assessed the key risk areas across your business functions, you are now in a
position to define and prioritise a set of remediation actions based on the compliance gaps
uncovered. Each of these remediation actions must be well defined, have a specific deadline, be
adequately resourced, have clear ownership and be tracked through to completion.

Activity D: Identify and assess in-scope Third Party Processing activities

The process described here for identifying and assessing the Personal Data Processing activities of
your Third-Party Data Processors, such as business partners and service providers, is similar to
Activity C. However, there are number of considerations, specific to engaging with and managing
Third Parties, that do not apply to internal business functions.

Identifying the relevant stakeholders within the organisational structure of your Third Parties is the
first step. Depending on the type of relationship you have with them, this may or may not be a
straight-forward exercise. If you are not getting adequate engagement from your Third Parties, it is
important that you initiate the agreed contractual escalation process sooner rather than later. This is
to ensure that any associated delays don’t leave insufficient time to identify and assess the Third-
Party Processing activities and carry out any remediation activities necessary to meet your GDPR
readiness deadlines. One of the key changes that GDPR brings for all Data Processors is a level of
direct accountability and liability which does not apply under the current EU Data Protection
Directive. In addition, the GDPR imposes significant new requirements that must be included by Data
Controllers in all Personal Data Processing agreements (including existing agreements that extend
beyond May 2018). This will lead to the negotiation of Processing agreements becoming more
complex and Data Processors being more careful about agreement terms and the scope of the Data
Controller’s instructions. The end result being a high likelihood that you will need to re-negotiate at
least some of your existing Personal Data Processing contracts.

Having identified and assessed the in-scope Third Party Processing activities, you are now in a
position to define and prioritise a set of remediation actions based on any identified compliance
gaps.

Activity E: Establish a central Personal Data register

The assessments carried out for the key business processes of the relevant business functions and
Third Party Processing activities will have established answers to the following list of information
gathering questions.

• What data is being collected?

• From whom is data collected?

• Why is the data being collected?

• How is the data being processed?

• What is the legal basis for each processing operation?

• Where is the data being stored?

• How long is the data retained?

• Who has access to the data?

• To where and to whom is the data being transferred?

The answers gathered need to be collated to form a comprehensive Personal Data register. The
register becomes your centralised ‘single source of truth’ detailing the characteristics and Processing
activities for all Personal Data which your organisation is ultimately accountable. The register must
be regularly checked and updated to ensure its integrity over time. It would also be beneficial to
build a data flow map based on the register contents to provide a visual representation of the
various flows of Personal Data both internal and external to your organisation
Activity F: Distribute updated Data Protection policies and Privacy Notices

The GDPR states that all organisations must implement appropriate Data Protection policies
outlining the technical and organisational measures needed to ensure that Personal Data Processing
is performed in accordance with the Regulation. In addition, you must provide Privacy Notices as a
means of being transparent, with your customers, ensuring that they know how their information
will be used.

It is important that updates to your Data Protection policies and Privacy Notices are made after
identifying and assessing the Personal Data Processing activities of your business functions (Activity
C) and Third Party Data Processors (Activity D). Without doing so, it will prove very difficult to obtain
a complete view of the content requiring inclusion in your policies and Notices. The example
scenarios below are provided to further illustrate this point.

Example 1:

In this example we focus on the information collected from assessments that relating to the purpose
of data collection. Purposes of collection may include provision of goods or services, direct
marketing activities, legal obligations, etc. Without knowing the reason behind collection, you
cannot establish a definitive legal basis justifying that Processing. This then means you are unable to
ensure all appropriate information is included in the Privacy Notice you provide to your customers.

Example 2:

In this example we are looking at the information collected from assessments that relates to data
transfer. Without knowing the details of what data is being sent to and Processed by Third Parties,
you cannot ascertain the extent of Third Party Processing being performed on your behalf. Without
this information, you cannot be sure that your Data Protection policy adequately defines the rules to
be followed when interacting with your Third Party Data Processors.

Activity G: Educate internal Personal Data Handlers and external Data Processors

Providing meaningful education to Personal Data Handlers across your organisation is critical to
ensure that they fully understand their role in achieving and maintaining GDPR compliance. The
training offered needs to enable them to:

• Identify the Personal Data under their control.

• Understand how and why Personal Data Processing is taking place.

• Protect the Personal Data from an Information Security perspective.

• Deal appropriately with Data Subject requests.

• Respond promptly to any suspected Personal Data Breaches.

As discussed in Activity A, it may be feasible to engage and educate a limited audience such as key
business stakeholders on a face-to-face basis. However, doing so for Personal Data Handlers and
Data Processors, who represent a much broader user population is unlikely to be practical.
Organisations may be better placed looking to vendors who can deliver web-based GDPR training
courses to a decentralised global audience.
The approach you take with regard to education of your Third Party Data Processors requires
additional consideration. Given that the GDPR now clearly imposes legal obligations directly on Data
Processors and liability exists where a Data Processor has acted outside or contrary to the lawful
instructions of the Data Controller, the Data Controller could take the view that all responsibility for
GDPR compliance (including education) lies solely with the Third Party. While this approach may be
considered prudent from a legal point of view, Data Controllers need to think carefully about this as
they could easily come to regret taking a such a stance. At the end of the day, it is the Data
Controller’s reputation, arguably its greatest asset, that is ultimately at stake

At a minimum, Data Controllers should offer the following list of basic training elements to any Third
Party Data Processor who is Processing Personal Data on its behalf:

• The need to act solely on the Data Controller’s documented instructions.

• The confidentiality obligations applicable to Data Processor staff charged with Processing
Personal Data.

• The security practices necessary for protecting (in an equivalent manner to that of the Data
Controller), the Personal Data being processed.

• The rules to be followed regarding appointment of sub-processors.

• The provision of assistance to the Data Controller in complying with the rights of Data Subjects.

• The return or destruction of Personal Data at the end of the relationship.

• The provision of any information needed by the Data Controller, to assist them in demonstrating
compliance with the GDPR

PHASE II: Operate

This phase of the life cycle addresses the need to define and embed procedures that enable staff
who handle Personal Data to carry out their duties in an efficient and compliant manner. The GDPR
requires not just that your Personal Data Handlers perform their duties in alignment with GDPR
obligations, but that there is also a record maintained of their decisions and actions in relation to
carrying out those duties.

Given the substantial GDPR obligations (e.g. Data Subject rights, data transfer rules, lawful
Processing) that relate to the operational handling of Personal Data, it is critical that front-line staff
are provided with targeted and specific procedural guidance for Personal Data Processing

Activity H: Disseminate and maintain external Privacy Notices

The GDPR emphasises the need for transparency in relation to the use of Personal Data by
organisations. An individual’s right to be informed requires that organisations provide ‘fair
processing’ information to their customers and employees via a Privacy Notice.

The ‘fair processing’ information that must be provided is extensive and includes items not currently
mandatory under the EU Data Protection Directive. Examples include:

• The legal basis for Processing.

• The categories of Personal Data being Processed.

• Details of any Third-Party recipients.

• The intended retention periods.

• The logic associated with any automated decision-making being undertaken

The information supplied and when to supply it can also vary based on whether you have obtained
the Personal Data via direct (i.e. from the Data Subject) or indirect means.

Responses received from the Business Functions and Third-Party Processing assessments completed
during the Preparation phase will assist in supplying the correct information in Privacy Notices. Such
Notices must remain accurate and up-to-date to reflect any new or amended Processing activities. A
revision history is also required to clearly establish which version of a Privacy Notice was in
operation at any point in time. This can prove very useful when determining how best to deal with
Data Subject requests.

Integrating the external publication of your Privacy Notices with your internal Policy Management
system is a very effective method of managing your Privacy Notice revision process. There are
vendors emerging who plan to offer this type of functionality

Activity I: Justify and record lawful Processing mechanisms

One of the fundamental requirements of GDPR is the need to establish, justify and document the
legal basis for the Processing of Personal Data. The legal basis will vary based on the nature of the
Personal Data being Processed. As an example, the Processing of Special Categories of data requires
explicit Data Subject consent to be obtained.

It is also important to note that the legal basis chosen for Processing can have an effect on Data
Subject rights. For instance, if you rely on obtaining an individual’s consent to Process their Personal
Data, they will then have the ‘right to erasure’ available to them.

Determining the legal basis by which your organisation will Process Personal Data is typically
something undertaken by the legal team in partnership with key GDPR business stakeholders. Such
decisions must have clear justification and are well documented. An example of this is where
Legitimate Interests is used to justify the Personal Data Processing. In this case, a record needs to be
maintained describing the assessment carried out to balance of the Legitimate Interests of the Data
Controller and the rights of the individual.

Although a lot of the initial work will be carried out by the legal team, there are also situations
pertaining to lawful Processing where your front-line Personal Data handling staff have a role to
play. For example, the further Processing of Personal Data for new purposes requires that front-line
staff be trained to identify scenarios where further Processing may be incompatible with the original
lawful Processing mechanism. Ideally, they will also be given clear guidance that allows them to
establish whether or not the proposed further Processing is legitimate, removing the need to refer
to your legal personnel.
Activity J: Process and record Data Subject rights requests

The GDPR significantly increases the rights of individuals and as a result, organisations will see an
increase in requests and complaints from Data Subjects. Organisations are obliged to respond to
such requests within one month, unless they are manifestly unfounded, excessive or a National
legislative measure has been introduced allowing the access to be refused.

Under the current EU Data Protection Directive, requests from Data Subjects have been focused on
the ‘right of access’ and are commonly referred to as Subject Access Requests or SARs. The GDPR
expands the access rights of Data Subjects and introduces an array of new and enhanced rights as
described in the table below. Under GDPR, referring to the broad array of requests that may come
from Data Subjects as Data Subject Requests or DSRs rather than SARs would seem more
appropriate.

Data Subject Right Changes under GDPR

The right of access The GDPR expands the mandatory categories of information
which
must be supplied in connection with a Data Subject access
request
including information about a Data Subjects right to complain to
the
Data Protection Authority (DPA).
The right to erasure The GDPR creates a broader right to erasure such as where the
Personal Data is no longer needed for its original purpose or
where the lawful basis for the Personal Data Processing is the
Data Subject’s consent.
The right to restrict Processing Under the GDPR, there are a much broader range of
circumstances in which Data Subjects can require that the
Processing of their Personal Data be restricted. Examples include
the accuracy of the Personal Data being contested or the
Personal Data is no longer needed for its original purpose.
The right to data portability A new right under GDPR which provides Data Subjects the right
to receive a copy of their Personal Data in a commonly used
machine readable format, and have their Personal Data
transferred from one Data Controller to another.
The right to object The GDPR now puts the obligation on the Data Controller as it
requires the Data Controller to cease Processing unless it can
demonstrate that it either has compelling grounds for continuing
the Processing, or that the Processing is necessary in connection
with its legal rights.
The right to rectification As per the current EU Data Protection Directive, Data Subjects
have the right to rectification where their Personal Data is shown
to be incorrect

Organisations should ensure all staff who Process Personal Data are appropriately trained, allowing
them to quickly recognise, and appropriately respond to, rights requests from Data Subjects. The use
of decision trees can aid the provision of guidance to front-line operational staff. They are an
effective decision support tool because they are simple to understand and therefore require minimal
training. An example of a decision tree is provided in Activity K below

Activity K: Validate and record Third Country data transfers

The GDPR restricts the transfer of Personal Data to recipients located outside the European
Economic Area (EEA). These locations are referred to as Third Countries. Unless one of the following
conditions can be met, the transfer of Personal Data to Third Countries is prohibited:

• The European Commission has deemed the Third Country jurisdiction adequate.

• The organisation transferring the Personal Data puts in place appropriate safeguards (e.g. model
clause contracts).

• A derogation or exemption applies (e.g. consent, vital public interests).

The GDPR retains the current EU Data Protection Directive transfer mechanisms pertaining to the
above conditions, but it also provides additional mechanisms, including DPA clauses, codes of
conduct, certifications and a new derogation for the purposes of Legitimate Interests.

Understanding the appropriate use of the available lawful Personal Data transfer mechanisms is
essential for all organisations that wish to carry out transfers of Personal Data to Third Countries.
These can prove tricky for your front-line operational staff to navigate, particularly in relation to
adhoc data transfers. As with the handling of Data Subject requests discussed in Activity J, decision
trees are also suitable in the case of Personal Data transfer decisions. Provided below are screen
shots that illustrate how a decision tree approach could work in practice