GDPR BEST PRACTICES ESSENTIAL PROCESSES TO MEET THREE KEY OBLIGATIONS

Transcription

1 GDPR BEST PRACTICES ESSENTIAL PROCESSES TO MEET THREE KEY OBLIGATIONS

2 1 The General Data Protection Regulation (GDPR) has 99 Articles and one clear intent: to protect the personal data of EEA/EU citizens. The GDPR applies to personal data processed manually, electronically and by third parties. Failure to identify, address and minimize risks, and meet obligations will results in fines, oversight burdens, litigation and settlement expenses. There are three primary requirements for GDPR compliance. DATA INVENTORY The first 50 GDPR Articles outline corporate obligations that cannot be met without a comprehensive data inventory and supporting data maps. Effective and defensible diligence requires at least two dozen reports. DATA MINIMIZATION GDPR Articles 5 and Article 25(2) mandate that personal data retention be limited to a strict minimum. Companies often retain 10 to 20 times more data than necessary, most of which contains sensitive content. VENDOR DILIGENCE GDPR Article 28 makes companies accountable for all third-party vendors that process personal data. Companies must know who their vendors are, and which vendors have access to systems or personal data.

3 2 Two pertinent articles within GDPR highlight the importance of compliance. Meeting these requirements requires assessment of both internal and external information practices. ARTICLE 77 FREEDOM TO COMPLAIN GDPR Article 77 provides data subjects the "right to lodge a complaint with a supervisory authority". Current or former employees can lodge a complaint with the Data Protection Authority (DPA) if they feel their rights have been infringed, which results in a mandatory investigation by the DPA. Could a demand for all documents pertaining to a specific person expose your over-retention of sensitive data? Is your company tightly controlling adherence to retention standards? Are your standards up-to-date? Can you demonstrate adequate compliance with your information governance, data retention and routine disposal directives? Article 77 poses great risk to companies lacking appropriate retention standards. ARTICLE 82 RIGHT TO COMPENSATION GDPR Article 82 provides data subjects the "right to compensation and liability". Under Article 82, "Any person who has suffered material or nonmaterial damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered." In other words, harmed individuals will be able to claim compensation for distress, even where they are not able to prove financial loss. The potential for a surge in private claims add to the already exponential cost of a data breach. Have you assessed the defensibility of your current compliance processes?

4 3 DATA INVENTORY REPORTING At a minimum, companies are responsible for developing and maintaining a specifically formatted data inventory and supporting data maps to demonstrate due diligence and enable regulatory compliance. These are a few of the essential reports and data maps: ARTICLE 30 RECORD OF PROCESSING ACTIVITIES Companies are required to have a clear understanding of all personal data processing, locations, usage and other factors. GDPR Article 30 reporting must be comprehensive, complete and cover sections 30-1(A) through 30-1(G). ARTICLE 9 PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA Companies must know where they store and how they process special categories of personal data as defined under the GDPR, which require more stringent conditions than other forms of personal data. Article 9 reporting must clearly identify where special categories of personal data exist, media types and storage locations, retention and other critical factors. ARTICLES 5, 7, 13 & 25 DATA MINIMIZATION OBLIGATIONS The most egregious GDPR violations will hit companies that over-retain records and information that containing personal data. Data Minimization reporting should highlight where personal data exists, identify associated record types, applications and processing activities, and define regulatory requirements and best practices for retention. ARTICLE 28 THIRD-PARTY PERSONAL DATA ACCESS & PROCESSING GDPR Article 28 makes your company responsible for the actions of your third-party vendors. Companies are required to identify and document all processing activities, including those conducted by third-party processors. Article 28 reporting must identify which third-party vendors access, store or process personal data, methods of transfer and departments providing access.

5 4 DATA MINIMIZATION Records and data must be eliminated as soon as they are eligible to reduce litigation risks and e- discovery costs. Data you don t have cannot be compromised. The GDPR Articles 5, 7, 13 and 25 require affected companies to dispose of any personal data once it has fulfilled its purpose, unless there is a legal regulatory obligation to retain the data longer. The most egregious GDPR violations will hit companies that over-retain records. An enforced retention and deletion program is no longer optional. STEPS TO DEFENSIBLE DELETION: 1. LEVERAGE PROVEN RETENTION & DELETION STANDARDS. Adopt retention standards that are industry-specific and processes that are effective and defensible. 2. DISPOSE OF OVER-RETAINED DATA. Appropriately and defensibly delete unnecessary records, s and other data. 3. COMMUNICATE PROGRAM EXPECTATIONS. Automate the process of distribution, tracking and assessing compliance levels with policies, training, and compliance notices with verified responses at the user level. 4. ESTABLISH ONGOING CONTROLS. Leverage proven experience, standards, and technology to streamline your program and ensure defensibility.

6 5 VENDOR DILIGENCE Full-scale vendor risk assessments are no longer optional. GDPR Article 28 clearly designates responsibility to companies for assessing all vendors that access or process personal data. This directive reaches beyond routine IT risk assessments targeted at vendors who are known to be high-risk. The greatest risks related to third-parties are likely found in the vendors that typically are not assessed law firms and presumed low-risk smaller vendors. The GDPR takes third-party diligence from helpful to essential. Every third-party that processes personal data or has direct access to corporate systems must be risk assessed routinely. Legal is responsible for ensuring that an effective diligence process is in place to demonstrate evidence of controls. A scalable, tightly-structured assessment is critical for maximum effectiveness and defensibility.

7 6 GDPR DATA INVENTORY IN LESS THAN 45 DAYS. Ongoing GDPR compliance requires keeping your data inventory and data maps up-to-date. A proven, efficient platform is critical to dial into risks, document reporting obligations and update and maintain accurate data maps. For over a decade, we ve been helping the world s leading companies develop the accurate data inventories and data maps needed to comply with legal obligations. Our Data Inventory Service leverages our world-class best practice standards, a powerful service delivery model and an experienced professional support staff. We help you rapidly develop and maintain a complete data inventory and supporting GDPR reports, so you can meet your obligations more effectively and defensibly. DATA MINIMIZATION IN LESS THAN 60 DAYS. Ongoing GDPR compliance requires keeping your data inventory and data maps up-to-date. A proven, efficient platform is critical to dial into risks, document reporting obligations and update and maintain For over 30 years, we ve been helping the world s leading companies develop effective and defensible information governance programs. Our Information Compliance Standards service includes: Renowned retention rules Data minimization workflows and documentation Program enforcement models We equip you with the best practices standards, tightly-structured processes and ongoing controls needed to meet your obligations and reduce risks. We provide deletion strategies for all media types so you can defensibly and systematically delete unnecessary records. You ll have clear documentation of your data minimization logic and initial cleanup efforts. VENDOR DILIGENCE IN LESS THAN 45 DAYS. The Vendor Risk Assessment service is built upon globally recognized frameworks and regulatory guidelines and delivered through our unique service delivery model. This powerful solution eliminates manual, resource-intensive processes, enabling you to broaden the scope of your third-party risk management program while documenting and automating the entire process.

8 7 ABOUT JORDAN LAWRENCE For more than 30 years, Jordan Lawrence has been helping companies manage their information compliantly and defensibly in line with the most pressing legal and regulatory requirements companies face today. We provide legal, compliance, privacy and IT executives with critical insights and defensible compliance solutions to meet their obligations while reducing risks and costs Jordan Lawrence offers comprehensive services designed to address your most pressing GDPR needs: GDPR DATA INVENTORY. Develop and maintain an accurate data inventory and data maps, and act on the insights gained. INFORMATION COMPLIANCE STANDARDS. Eliminate all eligible data especially personal data under an approved and enforced retention program. VENDOR RISK ASSESSMENT. Assess all third-parties including law firms and low-risk vendors to identify and correct insufficient processes. CONTACT US