The General Data Protection Regulation (GDPR) revolves around the protection of personal data: what personal data may be collected, how it may be used, and how it must be safeguarded. Below we discuss the administrative work you need to go through when preparing your organisation's GDPR implementation.
1. Legal items
The following items should be covered from a legal perspective:

| Item | Recommendation |
|---|---|
| Employee work rules | For most organisations, an extension to the employee work rules (arbeidsreglement/règlement de travail) is sufficient. |
| Employment/labour contract | When your organisation acts as a Data Processor for customers, or when you are in a B2C business, it is advised to add a privacy annex to your employment/labour contract. |
| Contracts | Add a privacy annex to your existing and new contracts. |
| Privacy statement | A general privacy statement, for example on your website, is good practice to demonstrate to your customers how you take care of the protection of personal information. |
| Privacy Data Agreement | A PDA (Privacy Data Agreement) is good practice to stipulate the details of the handling of Personal Data in the relation between Data Controller and Data Processor, even when there is no intentional processing of privacy-related data. |
| Binding Corporate Rules | Required for international organisations that transfer Personal Data about data subjects in the EU to other entities of their own corporate group outside the EU. |
For the above, you can obtain examples from Knowliah.
2. Process/purpose documentation
The cover of a Register of Personal Data processes contains at least the following elements:
- Company name
- Official address
- Legal form and company registration number
- Name of the security officer or DPO
- E-mail address and telephone number of this person
For each of the domains and processes (see the section Domains and processes), at least the following process description is needed:

- Name of the processing operation
- Date last changed
- Purpose(s) of the processing
- Category of Data Subjects (1)
- Category of Personal Data (2)
- Legal basis of the processing (3)
- Retention period of the Personal Data
- Transfer to third countries or international organisations
- Data collection based on profiling
- Data containing sensitive information
- Organisational protection measures (4)
- Technical protection measures (5)
- How the Data Subject is informed
- How Data Subject Rights are delivered
- Sources where the Personal Data is stored

(1) One or more of the items mentioned in Categories of Data Subjects.

(2) One or more of the items mentioned in Categories of (sensitive) Personal Data.

(3) One or more of the items mentioned in Lawfulness of Processing:
- consent of the Data Subject
- performance of a contract
- steps taken prior to entering into a contract
- legal obligation
- protection of vital interests
- task carried out in the public interest
- legitimate interests of the controller

(4) One or more of the following organisational measures:
- security policy
- risk analysis with regard to security
- responsible DPO or Security Officer
- physical security (room, closet, …)
- organisational security procedures
- supplier and processor agreements and procedures
- compliance management:
  - security incident management
  - data breach management

(5) One or more of the following technical measures:
- automated Personal Information Identification
- separation in a protected system (e.g. Knowliah Intelligent Repository):
  - with GDPR security rules
  - with Usage Register
- (pseudo)anonymisation of content
- aggregation and summarisation of content
- encryption of content
- compliance management:
  - DPO/Security Officer reporting tools
A complete example from Knowliah is available on request.
3. Data breach process
When a data breach occurs, the breach must be registered and a predefined notification process towards the Data Protection Authority must be followed. Under GDPR Article 33 the authority is to be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and every breach must be documented in the register, including those that end up not being notified. Both the registration and the notification should contain the following elements:

Report prepared by:
On behalf of:

| Nr | Topic | Details to record |
|---|---|---|
| 1 | Summary of the event and circumstances | When, what, who; summary of the incident |
| 2 | Type and amount of Personal Data | Name of the document/e-mail/record; type of Personal Data disclosed |
| 3 | Actions taken by the recipient | Actions taken by the recipient when they inadvertently received the information |
| 4 | Actions taken to retrieve the information and respond to the breach | Has the information been retrieved? Has the loss been contained? |
| 5 | Procedures/instructions in place to minimise risks to data security | Communication, secure storage, sharing and exchange |
| 6 | Breach of procedure/policy by a staff member | Has there been a breach of policy? Has appropriate management action been taken? |
| 7 | Details of notification to the affected Data Subject | Has a complaint been received from the Data Subject? Has the Data Subject been notified? If not, explain why not. What advice is given to the affected Data Subject? |
| 8 | Details of Data Protection training provided | Which training session, and the date of the last training prior to the incident attended by the staff member who breached security |
| 9 | Details of the security system | The security measures used and the procedures covered in the affected system |
| 10 | Procedure changes to reduce the risk of future data loss | Likelihood of it happening again |

The Topic column lists what to cover in the registration; the last column lists the details to record for each topic.
Want to learn more?
You can find information on the implementation guidelines of the GDPR, such as processing principles, security measures, preparations, operations and much more, in the other sections of this guide.
You can also download our full implementation guide, 'A free quick-start guideline for your GDPR implementation', as a PDF document.