An organisation not only has to process personal data according to the General Data Protection Regulation, but it also needs to be able to demonstrate its compliance. This includes implementing data protection by design, keeping a record of processing activities, and in certain circumstances, conducting a data protection impact assessment.
Data protection by design and by default
As a data controller, both when you design a processing operation and at the time of processing, you must implement appropriate measures and safeguards to ensure that data protection principles are complied with. You must also ensure that, by default, only personal data which is necessary for each specific purpose is processed (this applies to the amount of data, the extent of the processing, the storage limitation, and its accessibility).
In other words, an organisation that applies data protection by design and by default is an organisation that considers and embeds data protection and the privacy of individuals in every aspect, and at every stage of its processing operations, in the tools used, or any other business activity.
In order to do so, before setting up any processing operations, your organisation must take into account:
- the nature, context, and scope of the processing operation that is envisaged;
- the risks that may arise from the envisaged processing operations or any other business activities that may have an impact on individuals’ personal data;
- the technical and organisational measures that should be put in place to mitigate the risks identified, and, in doing so, ensure that individuals’ personal data is adequately protected;
- the technical and organisational measures or procedures to be put in place to ensure that processing of personal data (including in particular collection, storage and overall use of individuals’ data) is limited to what is necessary in light of the objectives pursued.
In practice
- A bookshop wants to increase its revenue by selling books online. The bookshop owner wants to set up a standardised form for the ordering process. In first instance, the owner makes all the fields in the form mandatory, including the customer’s date of birth, phone number and home address. However, not all the fields in the form are necessary for the purpose of selling and delivering the books.
For example, when ordering an eBook the customer can download the product directly to their device. As such, these cannot be required fields in the web form to order books. The web shop owner therefore decides to make two web forms: one for ordering books, with a field for the customer’s address and one web form for ordering eBooks without a field for the customer’s address. In doing so, the owner makes sure that only the data necessary for the processing is collected.
- A medical practice employing several doctors collects data about its patients in its organisational information system. The different physicians may need to access patient files, for example when they are covering for another doctor who is absent, to inform their decisions regarding care for and treatment of the patients, and for the documentation of all diagnostic, care and treatment actions taken. By default, access is granted to only those doctors who are assigned to the treatment of the respective patient.
It is useful to keep records of these assessments and measures to be able to demonstrate that you are complying with the principles of data protection by design and by default. An approved certification mechanism may also be used as an element to demonstrate compliance with data protection by design and by default.
Obligation to keep records of data processing
As an organisation, you have a duty to keep a record of your data processing activities. These records should be kept in writing, including in electronic form.
This record gives you an overview of your processing activities. In order to create such a record, you should identify which of your activities require processing of personal data (examples include recruitment, payroll management, training, badge and access management, list of prospective customers, etc.). Each of these processing operations must be described in the record with the following information:
- the purpose of the processing (e.g. customer loyalty);
- the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
- who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
- where applicable, information related to transfers of personal data outside the European Economic Area (EEA);
- where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective);
- where possible, a general description of the security measures.
The record of processing activities falls under the responsibility of your organisation’s manager. This record must be available to the data protection authority of the EEA country where you operate, if requested.
It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop.
How to conduct a data protection impact assessment (DPIA)?
What is a DPIA?
Where a processing is likely to result in a high risk to the rights and freedoms of individuals, the data controller must carry out a Data Protection Impact Assessment (DPIA). A DPIA is a written assessment of a planned processing operation. It helps you to identify the appropriate safeguards to mitigate the risks and to demonstrate compliance.
When to do a DPIA?
While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing a DPIA, it is compulsory to carry out such a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.
Specifically, this is the case when the envisaged processing involves:
- the processing - on a large scale - of sensitive personal data and data related to criminal convictions;
- a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in question or similarly significantly affect individuals;
- systematic monitoring of a publicly accessible area on a large scale.
In most cases, processing operations meeting two of the following criteria should be assessed through a DPIA:
- evaluation or scoring;
- automated decision making with legal or similar significant effect;
- systematic monitoring;
- sensitive data or data of a highly personal nature;
- data processed on a large scale:
- matching or combining datasets;
- data concerning vulnerable data subjects;
- innovative use or applying new technological or organisational solutions;
- When the processing in itself prevents individuals from exercising a right or using a service or a contract.
Do I need to carry out a DPIA?
Answer the questions through our interactive flowchart to find out!
Is the processing likely to result in high risks?
Do any exceptions apply?
- the processing operation envisaged is very similar to a processing which was the subject of a DPIA;
- the type of processing is in an exemption list that your data protection authority may have adopted;
- the processing operation is authorised under EU or national law.
Do I need to carry out a DPIA?
Yes, you need to carry out the DPIA
Any high risks remaining after the DPIA?
Do I need to carry out a DPIA?
No DPIA needed
Consult your Data Protection Authority
No need to consult your Data Protection Authority
Top DPIA tip
You should get in touch with the data protection authority of the EEA country where your organisation is based to find out whether they have a publically available document listing the conditions for which processing operations will need a DPIA, and which processing operation won’t need a DPIA.
Examples of when a DPIA may be required:
- processing biometric data, for example scanning fingerprints or facial features to identify patients;
- using data of vulnerable individuals for marketing purposes, for example to predict their purchases;
- mobile app tracking individual’s location.
Examples of when a DPIA may not be required
- the processing operation envisaged is very similar to a processing which was the subject of a DPIA;
- the processing is included in the optional list of processing operations (established by your national data protection authority) not subject to a DPIA;
- the processing operation is authorised under EU or national law.
What to include in a DPIA?
Your DPIA should include:
- a description of the planned processing operation and its purpose;
- a necessity and proportionality assessment;
- the risks that the processing operation may entail;
- the measures to address the risks.
Prior consultation during a DPIA
Whenever the data controller cannot find sufficient measures to reduce the risks to an acceptable level (i.e. the residual risks are still high), consultation with the data protection authority is required. In that case, the data controller must provide the following information:
- the respective responsibilities of the controller, joint controllers and processors involved in the processing;
- the purpose of the processing operation and how the processing operation will be conducted;
- the measures envisaged to safeguard individuals’ personal data;
- the contact details of the data protection officer of your organisation, if applicable;
- the DPIA in question.
After a DPIA - Test it, improve it, check it!
Once your DPIA is drafted, you must test it; improve it if necessary; conduct your processing operation; re-assess whether your DPIA matches the processing operation; and control check.
Read more
Codes of Conduct
Depending on where your organisation is located in the EEA, there may be associations or other bodies representing data controllers or processors. These associations and bodies may prepare codes of conduct, including data protection mechanisms, that data controllers and processors may adhere to in order to help ensure that individuals’ personal data is respected according to the GDPR.
More specifically, these codes of conduct put in place are to ensure, for instance:
- that personal data is processed in a fair and transparent way;
- that the purposes for which individuals’ personal data is processed are legitimate;
- how to pseudonymise personal data;
- that transparent information is given to individuals’ whose personal data is processed;
- that consent to the processing of individuals’ data, especially personal data related to children, is appropriately sought;
- that all technical and organisational measures are put in place to ensure the secure processing of individuals’ data;
- that procedures for the notification of personal data breaches are followed;
- that procedures, including safeguards, related to transfers of personal data to non-EEA countries and organisations are followed;
- that procedures related to court proceedings and dispute resolutions are followed.
Top tip
- You should get in touch with the relevant association or body that prepares GDPR Codes of Conduct, as these may help you with your GDPR compliance.
Certification
What is a GDPR certification?
An organisation that obtains a GDPR certification can use this certification to demonstrate compliance of its processing operations with the GDPR.
The EEA data protection authorities may, for example:
- issue GDPR certifications in respect of its own certification scheme;
- issue GDPR certifications itself, in respect of its own certification scheme, but delegate the entire, or part of the assessment process to third parties;
- create its own certification scheme, and entrust specific bodies to issue these certifications;
- encourage the market to develop certification mechanisms;
- assess the certification schemes of certification bodies.
A certification body is tasked with issuing, reviewing, and withdrawing certifications on a basis of a certification mechanism and approved criteria.
Certification bodies must document their assessment of your organisation’s processing operations for which a GDPR certification may be issued.
My organisation has received a GDPR certification, what’s next?
The GDPR certification of a processing operation that your organisation carries out is valid for a maximum of 3 years, but can be renewed or revoked. To keep this certification, your organisation must continuously and consistently put into practice the measures surrounding the data protection operation that was certified.