As a consultant there’s nothing I like more than sitting around a table with a bunch of really smart people, simplifying complex issues and guiding them towards an appropriate and effective security program.
Then someone has to go spoil the ride by saying: “That sounds great David, when can we expect the report?” [sob]
‘Documentation’ really should be a 4-letter word.
But with the GDPR, you have no choice. Documentation is your evidence of compliance. Even if you’re lucky enough not to have to maintain ‘records of processing activities’ (see Article 30(5)), you still have to document everything else, even WHY you don’t think you have to maintain records.
The word “appropriate” appears 115 times in the GDPR final text, and “reasonable” a further 23 times. That’s 138 times in one regulation that YOU have to make a determination of whether or not what you’re doing meets the grade. Lawyers can turn to precedent to agree what’s reasonable, where can WE turn to agree not only what’s appropriate, but to justify it?!
Here’s where the concept of Risk Management comes in, because like it or not, you WILL be taking a risk-based approach to GDPR compliance. And the one thing that risk management demands: documentation.
Note: The following is at a very high level, not comprehensive, and not representative of every organisation’s needs.
First, you will need policies. Not just the information security policies that I usually focus on, but policies that cover all relevant aspects of data protection. You will need policies on things like:
- General Data Protection / Privacy
- Employee Privacy
- Third Party / Third Country Transfers
- Data Subject Rights
- Engagement of Processors
- …and so on.
There are [of course] a bunch of vendors out there promising to provide every document you’ll ever need for £XX+VAT. But NONE of these #gdprcharlatans can provide the appropriate context that only comes from working with a person who knows what the Hell they are doing. These cannot just be paperwork; they must reflect your commitment to data protection by design and default, and the way you do business.
Second, you’ll need a documented record of what data you have and what you’re doing with it, but you should have taken care of this in your data discovery and business process mappings performed in Parts 2 and 3 of this series.
Third, all of your lawful bases for processing and corresponding data subject rights determined at Part 4 should be clearly articulated. Each will have its own idiosyncrasies:
- Consent – corresponding privacy notices in clear and plain language, no ‘bundling’ of conditions etc;
- Contractual – employee contracts, client contracts, data transfer agreements and so on;
- Legal – [I’ll let a lawyer supply samples here];
- Vital Interest – If lives are at stake you’d BETTER have a lawyer helping you out!;
- Public Interest – Assuming you’re a public body, you should already have appropriate representation; and
- Legitimate Interest – you will need to be VERY clear on how your ‘commercial’ interests are not “overridden by the interests or fundamental rights and freedoms of the data subject”.
Fourth, you will need to document all of your security controls in place around the personal data, as well as the risk assessment results that show that the controls meet the defined risk(s). Do not even THINK about showing a supervisory authority your PCI Attestation of Compliance, but a properly scoped ISO 27001 certificate would likely go a long way.
Finally, and if applicable, you will need to document your ‘records of processing activities’. Article 30(5) states: “The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”
So most of us can probably avoid the ‘high risk’ and ‘special category’ caveats, but ‘not occasional’? While ‘occasional’ is hard to define (like reasonable and appropriate), if you are processing personal data as part of a defined business process, it is unlikely that you will get away with saying “it’s only once a month” (for example).
That said, the requirements for maintaining records are not THAT onerous, unless you have hundreds of separate processes. They should also be made very clear by your supervisory authority. The UK’s ICO, for example, has even provided two templates, one for controllers and one for processors (near the bottom of the page).
I know this sounds like a lot, but with the exception of the lawful bases and records, you should already have the rest of this. If you don’t, not only will next week’s GDPR Step-by-Step be impossible, so will GDPR compliance.