Records of Processing Activities

Each controller and processor that employs 250 persons or more must maintain a written, including an electronic, record of processing activities (RoPA).  If the controller or processor employs fewer than 250 persons, it must maintain such a RoPA if the processing:

  • Carried out is likely to result in a risk to the rights and freedoms of individuals,
  • Is not occasional, or
  • Includes special categories of data or personal data relating to criminal convictions and offences.

The controller’s RoPA must contain all of the following information:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer (DPO);
  • The purposes of the processing;
  • A description of the categories of the individuals and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, where required in the case of transfers pursuant to a derogation, the documentation of suitable safeguards;
  • Where possible, the anticipated time limits for erasure of the different categories of data; and
  • Where possible, a general description of the technical and organizational security measures.

The processor’s RoPA of processing carried out on behalf of a controller must contain all of the following information:

  • The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting and, where applicable, of the controller’s or the processor’s representative and the DPO;
  • The categories of processing carried out on behalf of each controller;
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, where required in the case of transfers pursuant to a derogation, the documentation of suitable safeguards; and
  • Where possible, a general description of the technical and organizational security measures. 

Even if a RoPA isn’t required, it is a good idea to keep one; as the name describes, the RoPA helps both controllers and processors keep track of their processing activities.

This blog is the 33rd in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  International Transfers

What consultations should occur prior to high-risk processing?

Different types of consultations must occur prior to high-risk processing:

  • Where appropriate, the views of individuals or their representatives on the intended processing must be sought as long as the commercial or public interests and the security of processing operations are protected. 
  • When carrying out a data protection impact assessment (DPIA), the advice of the data protection officer (DPO), if one has been designated, must be sought.
  • The supervisory authority must be consulted prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.  In such a consultation, the supervisory authority must be provided with:
    • Where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
    • The purposes and safeguards provided to protect the rights and freedoms of individuals;
    • Where applicable, the contact details of the DPO;
    • The DPIA; and
    • Any other information requested by the supervisory authority.

If the supervisory authority is of the opinion that the intended processing would infringe the GDPR, in particular where the risk has been insufficiently identified or mitigated, the supervisory authority, within eight weeks of receipt of the request for consultation (Time Period), must provide written advice.  Taking into account the complexity of the intended processing, the Time Period may be extended by six weeks (collectively Time Periods), and notification of any such extension and the reasons for the delay must be provided within one month of receipt of the request for consultation.  The Time Periods may be suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.   

In addition, Member State law may require consultation with, and prior authorization from, the supervisory authority in relation to processing for the performance of a task carried out in the public interest, including processing in relation to social protection and public health.

This blog is the 32nd in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  Records of Processing Activities

When is a data protection impact assessment required and how is it conducted?

Under the GDPR, where a type of processing uses new technologies and, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, conduct an assessment of the impact of the envisaged processing operations on the protection of personal data.  A data protection impact assessment (DPIA) is required in particular when the following types of processing are conducted:

  • A systematic and extensive evaluation of personal aspects relating to an individual which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual;
  • Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or
  • A systematic monitoring of a publicly accessible area on a large scale.

In addition, each supervisory authority must publish a list of additional kinds of processing operations which require that a DPIA be conducted prior to their taking place. 

The DPIA must contain at least:

  • A systematic description of the anticipated processing operations and the purposes of the processing including, where applicable, the legitimate interest pursued by the controller.  In describing the processing, include:
    • The nature of the processing (e.g., what type of data would be processed? For how long?)
    • The scope of the processing (e.g., how many persons are involved)
    • The context of the processing (e.g., would the processing allow precise conclusions to be drawn about private lives of individuals?)
    • The lawful basis for the processing (e.g., legitimate interests)
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes
    • Necessity
      • Identify any fundamental rights and freedoms limited by the processing
      • Define the objectives of the processing
      • Choose the objective that is effective and least intrusive for the rights at stake
    • Proportionality
      • Assess the importance of the objective and whether the processing meets the objective
      • ‘Fair balance’ evaluation (i.e., compare the constraints and lack of constraints on privacy and data protection)
      • If the processing is not proportionate, identify safeguards (e.g., reduce the scope or the extent of the processing)    
  • An assessment of whether the type of processing is likely to result in a high risk to the rights and freedoms of individuals
  • Determine the Threat Likelihood (from the perspective of the individual) due to:
    • Illegitimate access to personal data
    • Undesired modification of personal data
    • Disappearance of personal data
  • Determine the impact of the threat based on the severity of the harm that each threat – in the context of the processing activity – could have on an individual
  • Determine the Inherent Risk Level: (impact level) x (threat likelihood level)
  • The measures anticipated to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of individuals and other persons concerned
    • If the Inherent Risk Level is Medium or High, then the effectiveness of organizational and technical security measures is assessed to determine Residual Risk.
    • Determine the Residual Risk Level: (inherent risk level) x (measures effectiveness)
    • If the Residual Risk Level is High, then the anticipated processing should not proceed without consulting the supervisory authority; if the Residual Risk Level is Low, then the anticipated processing can proceed.  If the Residual Risk Level is Medium, then the effectiveness of the individual measures should be reviewed to determine whether or not the anticipated processing should proceed and whether the supervisory authority needs to be consulted.

This blog is the 31st in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What consultations should occur prior to high-risk processing?  

Why you should have a Data Protection Policy and a Data Retention and Erasure Policy and what should be in them?

As discussed in the previous blog on security assessments, the GDPR requires the controller and the processor to implement appropriate technical and organizational measures.  Examples of organizational measures are policies and procedures, and two of the recommended security policies are: (1) a Data Protection Policy, and (2) a Data Retention and Erasure Policy.

The Data Protection Policy sets forth the organization’s practices by which personal data should be protected and identifies the roles and responsibilities of the organization’s users of the personal data.  In order for the organization to protect and safeguard personal data, procedures should be in place to provide clear guidance regarding the security of personal data, to protect against personal data breaches, and to provide clear guidance regarding the proper disposition of personal data.  Common provisions in such a policy include:

  • Appropriate assessments should be conducted to identify reasonably foreseeable internal and external risks to the security of personal data that could result in a personal data breach, and the sufficiency of technical and organizational security measures in place to control these risks should be assessed.
  • Data users should have access only to specific personal data if access to that personal data is needed to fulfill their job responsibilities.
  • Before data users are allowed access to personal data, they should be trained in the use and attributes of the personal data applicable to their responsibilities and in the procedures applicable to their role and function.
  • Data users are responsible for keeping personal data accurate and up to date.
  • Personal data should be used only for the organization’s business purposes and should not be used for personal purposes.
  • A testing program that includes an assessment of the effectiveness of the procedures regarding the management of personal data should be conducted. 

The Data Retention and Erasure Policy sets forth the manner in which the organization retains its personal data in accordance with the requirements of all applicable laws and disposes of personal data when they are no longer needed.  Personal data retained for longer than is necessary, i.e., essential for the purpose pursued by the business, carries additional risk and cost.  Common provisions in such a policy include:

  • Personal data should be retained only for legitimate business uses and should not be retained for longer than is necessary for their lawful purpose.
  • Where practicable, personal data generally should be organized and stored according to general categories in a manner that best facilitates the efficient administration of business operations. 
  • Confidential personal data should be labeled and/or stored in a manner to limit access to those organization employees or other individuals with authorization to view such personal data. 
  • A default standard retention period should be determined, but certain types of personal data (e.g., special categories of personal data) should be retained for shorter periods of time. 
  • A retention schedule should be established and maintained. 
  • If personal data are no longer required, they should be destroyed, erased or otherwise made unreadable prior to disposition. 
  • Any disposition of personal data must be suspended in the event of an audit, litigation, or investigation related to the personal data.

This blog is the 30th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  When is a data protection impact assessment required and how is it conducted?

How is security of processing assessed?

The GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.  In order to determine the “appropriate level of security,” an assessment must be done that takes into account:

  • The state of the art,
  • The costs of implementation, and
  • The nature, scope, context and purposes of processing

as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.  Account also must be taken in particular of the risks that are presented by processing, “in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

 “Personal data breach” is defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”  Thus, in assessing the appropriate level of security, account must be taken in particular of the risks that are presented by a personal data breach. 

After assessing the nature, scope, context and purposes of the processing, the security assessment should assess the risks to the fundamental rights and freedoms of individuals.  First, for each of three threat types (illegitimate access to personal data, undesired modification of personal data, and disappearance of personal data), assess the threat likelihood from the perspective of the individual: remote, possible or probable.  Then, for each threat type, assess the impact in the context of the processing activity, i.e., the severity of the harm that the threat could have on an individual: minimal, significant or severe.  The calculation is: (impact level) x (threat likelihood level) = inherent risk level.  The inherent risk level can be high, medium or low; if it is medium or high, then measures to reduce the inherent risk need to be considered.

Once the inherent risk level is known, the technical and organizational security measures are assessed.  Each measure is evaluated as highly effective, somewhat effective or less effective.  The scores from all the categories of security measures are totaled, and the overall effectiveness of the security measures is rated as low, medium or high.  The calculation is: (inherent risk level) x (measures effectiveness) = residual risk level.  According to the GDPR, some of the appropriate technical and organizational measures to be evaluated are:

  • The pseudonymization and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
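The two-stage calculation described above (threat likelihood x impact = inherent risk, then inherent risk x measures effectiveness = residual risk, with the proceed / review / consult decision from the DPIA blog) as an added worked example in Python. This is not code from the blog or from GDPRsimple; the numeric scores for each level, the LOW/MEDIUM/HIGH thresholds, the rule that a highly effective set of measures lowers the risk product, and the sample processing activity are all assumptions for illustration.

```python
"""Two-stage GDPR risk scoring: inherent risk per threat, then residual risk.

Added example.  Level-to-number mappings, the thresholds in risk_level(),
the measures-effectiveness averaging rule and the sample inputs are
assumptions, not GDPR requirements or GDPRsimple's own method.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Likelihood(IntEnum):          # threat likelihood, individual's perspective
    REMOTE = 1
    POSSIBLE = 2
    PROBABLE = 3


class Impact(IntEnum):              # severity of harm to the individual
    MINIMAL = 1
    SIGNIFICANT = 2
    SEVERE = 3


class MeasureScore(IntEnum):        # per-measure effectiveness rating
    LESS_EFFECTIVE = 1
    SOMEWHAT_EFFECTIVE = 2
    HIGHLY_EFFECTIVE = 3


LEVELS = ("LOW", "MEDIUM", "HIGH")  # index + 1 is the numeric level
THREATS = ("illegitimate access", "undesired modification", "disappearance")


def risk_level(product: int) -> str:
    """Map a 1..9 product of two 1..3 levels to LOW/MEDIUM/HIGH (assumed cut-offs)."""
    if product <= 2:
        return "LOW"
    if product <= 4:
        return "MEDIUM"
    return "HIGH"


@dataclass
class ThreatRating:
    threat: str
    likelihood: Likelihood
    impact: Impact

    def inherent(self) -> str:
        # (impact level) x (threat likelihood level) = inherent risk level
        return risk_level(int(self.impact) * int(self.likelihood))


def overall_inherent(ratings: List[ThreatRating]) -> str:
    """The worst threat drives the decision for the processing activity."""
    return max((r.inherent() for r in ratings), key=LEVELS.index)


def measures_effectiveness(scores: Dict[str, MeasureScore]) -> str:
    """Total the per-category scores; rate the average (assumed: >=2.5 HIGH, >=1.5 MEDIUM)."""
    if not scores:
        return "LOW"                # no measures assessed: assume nothing mitigates
    avg = sum(int(s) for s in scores.values()) / len(scores)
    if avg >= 2.5:
        return "HIGH"
    if avg >= 1.5:
        return "MEDIUM"
    return "LOW"


def residual_risk(inherent: str, effectiveness: str) -> str:
    """(inherent risk level) x (measures effectiveness) = residual risk level.

    Measures are only assessed for MEDIUM/HIGH inherent risk.  Effective
    measures must lower the result, so the factor is a 'weakness' score:
    HIGH effectiveness -> 1, MEDIUM -> 2, LOW -> 3 (assumption).
    """
    if inherent == "LOW":
        return "LOW"
    weakness = 3 - LEVELS.index(effectiveness)
    return risk_level((LEVELS.index(inherent) + 1) * weakness)


def decision(residual: str) -> str:
    return {
        "HIGH": "consult the supervisory authority before proceeding",
        "MEDIUM": "review the effectiveness of individual measures before deciding",
        "LOW": "processing may proceed",
    }[residual]


def assess(ratings: List[ThreatRating], measures: Dict[str, MeasureScore]) -> Dict[str, str]:
    inherent = overall_inherent(ratings)
    eff = measures_effectiveness(measures)
    residual = residual_risk(inherent, eff)
    return {"inherent": inherent, "effectiveness": eff,
            "residual": residual, "decision": decision(residual)}


# Constructed sample: profiling of health data (special category) in a web app.
SAMPLE_RATINGS = [
    ThreatRating(THREATS[0], Likelihood.PROBABLE, Impact.SEVERE),       # 9 -> HIGH
    ThreatRating(THREATS[1], Likelihood.POSSIBLE, Impact.SIGNIFICANT),  # 4 -> MEDIUM
    ThreatRating(THREATS[2], Likelihood.REMOTE, Impact.SEVERE),         # 3 -> MEDIUM
]
# Constructed scores for the four GDPR measure categories listed above.
SAMPLE_MEASURES = {
    "pseudonymization and encryption": MeasureScore.HIGHLY_EFFECTIVE,
    "confidentiality, integrity, availability, resilience": MeasureScore.SOMEWHAT_EFFECTIVE,
    "timely restoration of availability": MeasureScore.HIGHLY_EFFECTIVE,
    "regular testing and evaluation": MeasureScore.SOMEWHAT_EFFECTIVE,
}

if __name__ == "__main__":
    for r in SAMPLE_RATINGS:
        print(f"{r.threat:24s} inherent={r.inherent()}")
    print(assess(SAMPLE_RATINGS, SAMPLE_MEASURES))
```

With the sample inputs the worst threat (probable, severe illegitimate access) gives HIGH inherent risk; the measures average 2.5 and rate HIGH, so the residual risk drops to MEDIUM and the outcome is a review of the individual measures rather than an automatic consultation. Changing any measure to less effective pushes the residual back to HIGH, which is the point of scoring the measures individually.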

A controller’s or processor’s ability to adequately assess security risks is necessary in order for them to be able to conduct data protection impact assessments (DPIAs), which are required in particular when processing uses new technologies.  DPIAs will be discussed in a later blog.

This blog is the 29th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  Why you should have a Data Protection Policy and a Data Retention and Erasure Policy and what should be in them?

Why you should have a Personal Data Breach Policy and what should be in it?

You should have a Personal Data Breach Policy that sets forth a plan on how to respond to a Personal Data Breach.  Having and implementing such a plan helps protect an organization from a Personal Data Breach and enables a timely response if a Personal Data Breach is suspected or occurs.

Given these reasons for having a Personal Data Breach Policy, an organization should consider having a Personal Data Breach Policy that discusses:

  • How to determine whether a Personal Data Breach has occurred
  • How to preliminarily address the incident
  • How to investigate the incident
  • How to document the incident and what information to include in the documentation for both
    • Internal documentation (e.g. recordkeeping)
    • External documentation (e.g. notifying regulators and/or individuals)
  • The roles of the personnel who should be on the Incident Response Team
    • Internal personnel (e.g. Chief Security Officer)
    • External personnel (e.g. outside counsel)
  • The need to determine any remediation strategy
  • Examples of potential remediation strategies
  • The need to include in third-party contracts the responsibilities of processors in the event of a suspected or identified Personal Data Breach

These topics are examples of subjects that you should consider including in a Personal Data Breach Policy.  Depending on your circumstances, additional subjects may be appropriate to include, and some of the topics listed above may not be.

This blog is the 28th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  How is security of processing assessed?

What needs to be in a GDPR personal data breach notification?

If a personal data breach communication must be provided to an individual, it must describe in clear and plain language the nature of the personal data breach.   If a notification to a supervisory authority of a personal data breach must be given, the description of the nature of the personal data breach should include if possible:

  • The categories and approximate number of individuals concerned, and
  • The categories and approximate number of personal data records concerned.

The communication to the individuals and the notification to the supervisory authority also should contain:

  • The name and contact details of your data protection officer or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, if appropriate, measures to mitigate its possible adverse effects.

If all this information cannot be provided to the supervisory authority at once, it may be provided as soon as it becomes available.

If the controller does not provide a personal data breach communication to individuals, the supervisory authority, if it decides none of the conditions excusing the providing of a communication have been met, may require the controller to provide a communication, after having considered the likelihood of the personal data breach resulting in a high risk to the rights and freedoms of individuals.

This blog is the 27th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  Why you should have a Personal Data Breach Policy and what should be in it?

What is a data breach under the GDPR and what do you do when one happens?

Under the GDPR, the term “personal data breach” means a breach of security that leads to the:

  • Accidental or unlawful destruction or loss of,
  • Accidental or unlawful alteration of, or
  • Unauthorized disclosure of, or access to,

personal data that have been transmitted, stored or processed in some other way. 

After becoming aware of a personal data breach, you must notify without undue delay:

  • The supervisory authority, if you are the controller, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals
    • The notification must be given, if feasible, within 72 hours after you became aware of the personal data breach
    • Where notification is not made within 72 hours, the notification must set forth the reasons for the delay
  • The controller, if you are the processor, without undue delay.

The notification to the supervisory authority is unnecessary if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate with the individual without undue delay.  This communication is unnecessary if any of the following conditions are met:

  • Appropriate technical and organizational protection measures have been implemented by the controller, and those measures were applied to the personal data affected by the personal data breach (e.g. encryption)
  • Subsequent measures have been taken by the controller that make high risks to the rights and freedoms of individuals no longer likely to materialize
  • Disproportionate effort is involved.  In this case, a public, or similar equally effective, communication should be given to individuals

The controller must keep a record of any personal data breaches.  This record should contain:

  • The facts relating to the personal data breach,
  • Its effects, and
  • The remedial action taken.

This blog is the 25th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What needs to be in a personal data breach notification?

What needs to be in the agreement between the controller and the processor?

Processing by a processor must be governed by an agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of individuals and obligations and rights of the controller.  That agreement must provide, in particular, that the processor:

  • Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country;
  • Ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as varying likelihood and severity for the rights and freedoms of individuals;
  • Does not engage a sub-processor without prior specific or general written authorization of the controller, and in the case of a general written authorization does not add or replace a sub-processor without informing the controller so the controller has the opportunity to object to the addition or replacement;  
  • Applies the same data protection obligations as set out in the agreement between the controller and the processor to the relationship between the processor and the sub-processor with respect to processing on behalf of the controller;
  • Remains fully liable to the controller for the performance of the sub-processor’s obligations;
  • Taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the controller’s obligation to respond to requests for exercising individual rights;
  • Taking into account the nature of the processing and the information available to the processor, assists the controller in ensuring compliance with the obligations to:
    • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
    • In the case of a personal data breach, notify the supervisory authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals;
    • Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, communicate the personal data breach to the individuals without undue delay;
    • Where a type of processing uses new technologies and taking into account the nature, scope, context and purposes of the processing is likely to result in high risk to the rights and freedoms of individuals, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (DPIA); and
    • Consult the supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.
  • At the choice of the controller, delete or return all personal data to the controller after the end of providing services relating to processing; and
  • Make available to the controller all information necessary to demonstrate compliance with the foregoing obligations and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. 

If the processor engages a sub-processor with respect to processing on behalf of the controller, the exact same provisions in the agreement between the controller and the processor must be in the agreement between the processor and the sub-processor.

This blog is the 24th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What is a data breach under the GDPR and what do you do when one happens?

What kind of agreements do you need if you are a processor or use a subprocessor?

Whenever you as a controller use a processor to process personal data for you, you need to make sure that the processor will provide appropriate technical and organizational security measures that protect the rights of individuals.  In order to do that, you must have a written agreement between you and the processor.

If you are a processor who processes personal data for a controller or if you process personal data for a processor (i.e. a sub-processor), then you must have a written agreement between you and the controller or between you and the sub-processor.  An agreement between a processor and a sub-processor must contain the same data protection provisions as the agreement between the controller and the processor.   If the sub-processor fails to fulfill its obligations under the agreement with the processor, the processor remains fully liable to the controller for the performance of the sub-processor’s obligations.

A processor cannot engage or replace a sub-processor without the authorization of the controller.  If a processor determines the purposes and means of processing of personal data, then it is no longer a processor and is considered a controller with respect to that processing.

This blog is the 23rd in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What needs to be in the agreement between the controller and the processor?