EU Data Privacy Compliance Process Steps
The 25th of May 2018 is nearing, so compliance with the EU GDPR will be a must for organizations processing or controlling large volumes of customer privacy data. The scheme below shows the basic steps for complying with the EU GDPR. This process scheme is based on the ISO 27001 information security framework. Each step of the process is explained below the scheme.
The Organization Context describes the "what" of the organization: what the organization is about, which products and services it offers, which business processes are in place, what their context is, and which relations exist with customers, suppliers and third parties.
High Level Readiness Assessment
In the High Level Readiness Assessment, the organization's use of privacy data is described from a helicopter point of view. It also describes, at a high level, how compliant the current use of privacy data is with the basic principles of the GDPR. You could consider it a GDPR quick scan of your organization.
Privacy Data Asset Register
A data mapping of all the assets of the organization, and their owners, where data is processed, collected, mutated, altered, transferred or stored. These assets range from website forms where customers fill in their details to order a product, to contracts, customer surveys, customer databases, connections to third parties or privacy data storage, for example. Be aware that this is certainly not only IT related. The Privacy Data Asset Register is the basis of every assessment.
Data Privacy Impact Assessment (DPIA)
Based on the recitals and articles of the EU GDPR, an impact assessment should be carried out of the privacy data mapped to the assets and the resulting risks, in order to be able to demonstrate compliance with the EU GDPR. It is strongly advised that changes in an organization (Privacy by Design!) are subject to a Privacy Impact Assessment as well. Changes in this context could mean organizational changes, people changing functions, new services implemented, new or adjusted products, new business, or even new laws being introduced, for example.
Data Privacy Risk Register
From the DPIA, a risk register including risk owners is determined and kept up to date in the Data Privacy Risk Register.
Data Privacy Risk Treatment Plan
Based on the DPIA, a Risk Treatment Plan is written which describes all the necessary control measures to be implemented in the organization's processes and systems.
GDPR Implementation Plan
Based on the Risk Treatment Plan, implementation plans are needed to implement the GDPR risk control measures in the different parts of the organization's processes, systems, applications and departments in order to comply with the GDPR.
GDPR Pre-Audit
Before a compliance audit is carried out, a pre-audit is done to check whether the control measures implemented under the Risk Treatment Plan are still in place and operationally effective. If needed, corrective actions are taken to become or remain compliant.
A GDPR Audit is carried out after all measures from the previous steps have been completed, to ensure the organization's compliance with the GDPR.
GDPR Annual Surveillance Audit
Depending on the organization's life cycle, an annual surveillance audit can be carried out to check whether the organization is still compliant with the GDPR. Whether it is needed depends on the complexity, scale and rate of change within the organization. An annual management review should also be part of the surveillance audit, to guarantee management's commitment to the continuity of GDPR compliance.
Non-conformities found during the GDPR compliance audits will have to be followed up by implementing corrective actions that mitigate them.
Depending on the non-conformities and pre-audit findings, corrective actions must be carried out to ensure compliance with the GDPR. Corrective actions should be registered separately for verification purposes. Changes in risk levels or new risks should be registered and maintained in the Data Privacy Risk Register.