Preparing to implement GDPR: administration

21/04/2018
Insights

The entire General Data Protection Regulation (GDPR) revolves around the protection of personal data, how personal data can be used and so forth. Below we discuss the administration you need to go through when preparing implementation to be GDPR compliant.

1. Legal items

The following items should be covered from a legal perspective:

Employee work rules

For most organisations, an extension to the employee work rules (arbeidsreglement/règlements de travail) is sufficient.

Employment/labour contract

When your organisation acts as a Data Processor for customers, or when you are in a B2C business, it is advised to add a privacy annex to your employment/labour contract.

Free-lancers and management contracts

Add a privacy annex to your existing and new contracts.

Privacy statement

A general privacy statement – for example on your website – is a good practice to demonstrate to your customers how you take care of the protection of private information.

Privacy Data Agreement

A PDA (Privacy Data Agreement) is a good practice to stipulate the details of the handling of Personal Data in the relation between Data Controller and Data Processor. It is advisable even when there is no intentional processing of privacy-related data:

  • in case you handle Personal Data for customers
  • in case you handle Personal Data in a supplier’s platform
  • in case you share Personal Data with partners

Corporate binding rules

Corporate binding rules are required for international organisations that transfer Personal Data about EU citizens outside the EU within the corporate group.

For the above, you can obtain examples from Knowliah.

2. Process/purpose documentation

The cover of a Register of Personal Data processes contains at least the following elements:

  • Company name
  • Official address
  • Legal form and company registration number
  • Name security officer or DPO
  • E-mail and telephone number of this person

For each of the Domains and processes (mentioned in Domains and processes), the following minimal process description is needed:

  • Name of the processing operation
  • Date last changed
  • Purpose(s) of the processing
  • Controller:
    • name
    • address
    • department concerned
    • contact person
  • Category of Data Subjects (1)
  • Category of Personal Data (2)
  • Legal basis of processing (3)
  • Recipients:
    • internal
    • external
    • processor
  • Retention period of the Personal Data (time limit for blocking and erasure)
  • Transfer to third countries or international organisations
  • Data collection based on profiling
  • Data containing sensitive information
  • Organisational protection measures (4)
  • Technical protection measures (5)
  • How the Data Subject is informed
  • How Data Subject Rights are delivered
  • Sources where Personal Data is stored

Whereby:

(1) Is one or more of the items mentioned in Categories of Data Subjects

(2) Is one or more of the items mentioned in Categories of (sensitive) Personal Data

(3) Is one or more of the items mentioned in Lawfulness of Processing

  • consent
  • performance of a contract
  • prior to entering into a contract
  • legal obligation
  • protection of vital interests
  • in the public interest
  • legitimate interests of the controller

(4)

  • security policy
  • risk analysis with regard to security
  • responsible DPO or Security Officer
  • physical security (room, closet, …)
  • organisational security procedures
  • supplier and processor agreement and procedures
  • compliance management:
    • security incident management
    • data breach management

(5)

  • automated Personal Information Identification
  • separation in a protected system (e.g. Knowliah Intelligent Repository):
    • with GDPR security rules
    • with Usage Register
  • (pseudo)anonymization of content
  • aggregation and summarization of content
  • encryption of content
  • compliance management:
    • DPO/Security Officer reporting tools

A complete example from Knowliah is available on request.

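To make the minimal process description checkable rather than a paper form, here is an added example in Python; it is not Knowliah's template or code. It takes the elements listed above and the enumerations in footnotes (3), (4) and (5) as rules and reports what a register entry still lacks. The dictionary keys, the constructed payroll sample, and the two "review" findings (a processor among the recipients points to the Privacy Data Agreement, a transfer outside the EU to the corporate binding rules, both from section 1) are this example's assumptions.

```python
"""Completeness check for one entry in a Register of Personal Data processes.

Added example, not Knowliah's template or code: the elements of the minimal
process description and the enumerations in footnotes (3), (4) and (5) become
rules, and check_entry() reports what an entry still lacks. The dictionary
keys and the sample entry are assumptions made for this example.
"""

# Footnote (3): lawful bases listed under "Lawfulness of Processing"
LEGAL_BASES = frozenset({
    "consent", "performance of a contract", "prior to entering into a contract",
    "legal obligation", "protection of vital interests", "in the public interest",
    "legitimate interests of the controller",
})

# Footnote (4): organisational protection measures (compliance items flattened)
ORGANISATIONAL_MEASURES = frozenset({
    "security policy", "risk analysis with regard to security",
    "responsible DPO or Security Officer", "physical security",
    "organisational security procedures",
    "supplier and processor agreement and procedures",
    "security incident management", "data breach management",
})

# Footnote (5): technical protection measures (compliance items flattened)
TECHNICAL_MEASURES = frozenset({
    "automated Personal Information Identification",
    "separation in a protected system", "(pseudo)anonymization of content",
    "aggregation and summarization of content", "encryption of content",
    "DPO/Security Officer reporting tools",
})

# Elements of the minimal process description that must be filled in
REQUIRED_FIELDS = (
    "name", "date_last_changed", "purposes", "data_subject_categories",
    "personal_data_categories", "retention_period", "data_subject_information",
    "data_subject_rights_delivery", "storage_sources",
)
CONTROLLER_FIELDS = ("name", "address", "department", "contact_person")


def _empty(value) -> bool:
    """True for None, blank strings and empty lists/dicts."""
    if value is None:
        return True
    if isinstance(value, str):
        return not value.strip()
    return hasattr(value, "__len__") and len(value) == 0


def check_entry(entry: dict) -> list[str]:
    """Return findings for one register entry; an empty list means complete."""
    findings = []
    for key in REQUIRED_FIELDS:
        if _empty(entry.get(key)):
            findings.append(f"missing: {key}")
    controller = entry.get("controller") or {}
    for key in CONTROLLER_FIELDS:
        if _empty(controller.get(key)):
            findings.append(f"missing: controller.{key}")

    # Footnote (3): one or more lawful bases, each taken from the list
    bases = set(entry.get("legal_basis") or [])
    if not bases:
        findings.append("missing: legal_basis")
    findings += [f"unknown legal basis: {b}" for b in sorted(bases - LEGAL_BASES)]

    # Footnotes (4) and (5): measures must come from the enumerated lists
    for label, allowed in (("organisational_measures", ORGANISATIONAL_MEASURES),
                           ("technical_measures", TECHNICAL_MEASURES)):
        chosen = set(entry.get(label) or [])
        if not chosen:
            findings.append(f"missing: {label}")
        findings += [f"unknown {label}: {m}" for m in sorted(chosen - allowed)]

    # Cross-references to the legal items of section 1, expressed as review findings
    # (the linkage to these two register fields is an assumption of this example)
    recipients = entry.get("recipients") or {}
    if not _empty(recipients.get("processor")):
        findings.append("review: processor involved, a Privacy Data Agreement is expected")
    if entry.get("third_country_transfer"):
        findings.append("review: transfer outside the EU, corporate binding rules required")
    return findings


# Constructed sample entry (illustrative values only; storage_sources left empty)
SAMPLE_ENTRY = {
    "name": "Payroll processing", "date_last_changed": "2018-04-21",
    "purposes": ["salary payment", "social security reporting"],
    "controller": {"name": "Example Corp", "address": "1 Example Street, Brussels",
                   "department": "HR", "contact_person": "hr-privacy@example.invalid"},
    "data_subject_categories": ["employees"],
    "personal_data_categories": ["identification data", "financial data"],
    "legal_basis": ["performance of a contract", "legal obligation"],
    "recipients": {"internal": ["HR", "Finance"], "external": ["social security office"],
                   "processor": "payroll provider"},
    "retention_period": "5 years after end of employment",
    "third_country_transfer": False, "profiling": False, "sensitive_data": False,
    "organisational_measures": ["security policy", "data breach management"],
    "technical_measures": ["encryption of content"],
    "data_subject_information": "privacy annex to the employment contract",
    "data_subject_rights_delivery": "request via the HR contact person",
    "storage_sources": [],
}

if __name__ == "__main__":
    for finding in check_entry(SAMPLE_ENTRY):
        print(finding)
```

Run as a script, it prints one "missing" line for the empty storage sources and one "review" line because a processor is involved; an empty list from check_entry() means the entry carries every element the register template asks for. Measures spelled differently from the footnote lists are reported as unknown rather than silently accepted, which keeps the register vocabulary consistent across domains.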

3. Data breach process

Registration

When a data breach occurs, the registration of the breach, and the predefined notification process towards the Data Privacy Authority, should contain the following elements:

Report prepared by:

Date:

On behalf of:

  1. Summary of the event and circumstances: when, what, who, summary of the incident
  2. Type and amount of Personal Data:
    • name of the document/e-mail/record
    • type of Personal Data disclosed
  3. Actions taken by the recipient when they inadvertently received the information
  4. Actions taken to retrieve the information and respond to the breach:
    • has the information been retrieved?
    • when?
    • has the loss been contained?
  5. Procedures/instructions in place to minimise risks to data security: communication, secure storage, sharing and exchange
  6. Breach of procedure/policy by a staff member:
    • has there been a breach of policy?
    • has appropriate management action been taken?
  7. Details of the notification to the affected Data Subject:
    • has a complaint been received from the Data Subject?
    • has the Data Subject been notified? If not, explain why not
    • what advice is given to the affected Data Subject?
  8. Details of the Data Protection training provided: which training session, and the date of the last training prior to the incident attended by the staff member breaching security
  9. Details of the security system: indicate the security measures used and the procedures covered in the affected system
  10. Procedure changes to reduce the risk of future data loss
  11. Conclusion:
    • serious/minor breach
    • likelihood of it happening again

Each numbered item is a topic to cover in the registration.


Want to learn more?

You can find information on the implementation guidelines of the GDPR, like processing principles, security measures, preparations, operations and much more, in the Knowliah GDPR implementation guidelines.
You can also download our full implementation guide 'A free quick-start guideline for your GDPR implementation' as a PDF document.