In Part 1 of How to Get Started with GDPR Compliance, we covered the first 4 steps of GDPR compliance. These are:
- Step 1: Documenting and Tracking All of Your Data Processing Activities
- Step 2: Doing Regular Processing Impact Assessments (PIAs)
- Step 3: Updating Privacy Notices & Identifying Product Changes
- Step 4: Streamlining Your Subject Access Request Process
In this follow-up post, we'll reveal the next 3 steps to help you achieve GDPR compliance.
Step 5: Develop a Third-Party Sub-Processor Vendor Management Process
Data controllers are required to ensure that third-party vendors (i.e., data processors) properly handle all personal data shared with them. As with data mapping, modern systems and processes create data processing chains in which data travels from one application to another and changes hands across SaaS and cloud service providers.
Almost every data controller should review how it handles data, its relationship with its providers, how those data processors manage their own vendors and sub-processors, and how GDPR data subject rights will be enforced across the entire data processing chain.
| Action: Develop a comprehensive approach to managing third-party vendors
- Review agreements with all vendors to cover all applicable GDPR articles
- Compile and maintain an inventory of vendors
- Implement a programmatic approach to managing the vendor data chain
- Implement technologies to support vendor audits and SAR fulfillment compliance
- Include vendor escalation processes and embed remediation plans
A note for data processors: if your company is not complying with GDPR requirements, you become a far less appealing vendor option. In other words, it’s in your business interest to make it as easy as possible for data controllers to work with you.
Step 6: Appoint a Data Protection Officer (DPO)
Under the GDPR, it’s mandatory to appoint a DPO if you are a public authority or if you carry out certain types of processing activities (i.e., any operations that require regular, systematic processing on a large scale). DPOs can help you demonstrate compliance to the authorities. But more than that, they should be part of your overall decision-making processes and help you keep accountability and the protection of your customers’ data a priority.
DPOs are responsible for the following tasks:
- monitoring internal compliance
- informing and advising on data protection obligations
- providing advice regarding Data Protection Impact Assessments (DPIAs)
- acting as a contact point for data subjects and the supervisory authority
The selected appointee can be an existing employee or an externally appointed person, and in some cases several organizations can share a single DPO between them. The key thing is that they must be independent and an expert in data protection, and they should report to the highest level of management.
Step 7: Ensure Due Diligence & Ongoing Maintenance
Due diligence is not only a staff and management responsibility; it goes all the way up to the board. In fact, board members can be personally liable if there is a data breach, so it’s very important to regularly update your board on data protection policies, product and service changes and, most importantly, how you plan to manage a data breach should one occur. John Beardwood, a world-renowned cybersecurity lawyer, recommends ten best practices for privacy and security compliance at the board level, one of which is to take notes at every board meeting to prove due diligence.
| Action: Inform your board regularly of privacy and security procedures and hire a Chief Privacy Officer or create a committee to stay on top of privacy changes & controls.
Another key to maintaining due diligence and privacy is ensuring alignment across your organization and staff.
Why is alignment so important? In many organizations, business, operations, legal, and IT tend to work in isolation. This is especially true of transformation, privacy, and IT-based projects, where the business quickly defines requirements, then throws them “over the wall” to operations or cross-functional teams. These teams implement the requirements, only to run into unanticipated roadblocks. This is one of the most common examples of a lack of alignment. For successful programs, the path to ROI is secured with a real partnership across all of the stakeholders, from business to legal, privacy, marketing, sales, HR, and IT departments working together towards a common goal. This goal and vision should be discussed, agreed upon, and clearly documented.
| Action: Build a vision for how you will manage and protect customers’ data, and get everyone on board with educational programs and training. Keep this up to date.
For more insight on how to achieve alignment for privacy across your entire organization, check out our PrivacyOps Framework.
Whether you are a data processor or a data controller, it’s essential to gain the trust of your clients. There is no better way to do this than to become GDPR compliant and implement Privacy by Design. This means making privacy a priority at the beginning of your product design process and thinking proactively about how you will manage and protect data in an ongoing way.
Because privacy is not a one-off action, you have to put a long-term strategy into practice. To do this, make sure to record any new technologies and third-party vendors in your data registry and keep all of your processing activities up to date. Root out any potential risks with regular PIAs and collaborate with your data controller or data processor to fulfill subject access requests. Finally, seek alignment across departments and keep your board and staff well informed of your data protection practices.
If you do all this, not only will you be compliant with existing laws like the GDPR and CCPA, you will also future-proof your organization against emerging privacy laws. Most importantly, you will gain the confidence of your customers, which puts you far ahead of your competitors. In other words, privacy is good for business.
About Feroot Privacy
Feroot is a Privacy Operations Platform that transforms your static data map into a dynamic data registry, so you can automatically manage data across all departments, track consent across third-party vendors centrally and quickly respond to Subject Access Requests.