GDPR: Documenting your compliance

Accountability and good governance are central to effective and compliant data processing. With the introduction of the EU’s General Data Protection Regulation (GDPR), which enshrines this principle in Article 5, demonstrating your compliance will be essential.

Not only should an organisation aim for full compliance, it should also now be able to evidence full compliance. The GDPR seeks to harmonise data protection law across the EU and, ultimately, provide for improved protection of personal data.

The Data Protection Directive (95/46/EC), which is being repealed by the GDPR, went some way to achieving this aim, but the GDPR seeks to enhance protection of the rights and freedoms of data subjects even further, by requiring data controllers to document how they intend to do this.

This not only ensures that organisations actively and positively consider the risks of any data processing they undertake but also allows the regulator to monitor compliance.

How does an organisation demonstrate and document compliance? The GDPR sets out various ways, including:

  • Reviewing and implementing data protection processes
  • Putting into effect internal organisational measures, such as company policies and procedures
  • Where appropriate, appointing a data protection officer to oversee processing within the organisation
  • Undertaking a data protection impact assessment (DPIA), where appropriate.

DPIAs are worth considering further, as they can be a useful tool in a risk manager’s arsenal. The Article 29 Data Protection Working Party (WP29, an independent European advisory body set up to analyse and provide guidance on the GDPR) sets out in its recently published draft guidance on DPIAs: “DPIAs are important tools for accountability, as they help controllers not only comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the regulation. In other words, a DPIA is a process for building and demonstrating compliance.”

What is a DPIA?

The idea of such an assessment is not novel; indeed, the Information Commissioner’s Office has long held them to be an effective way of assessing and reducing the risk of breaching data protection laws. DPIAs, in essence, should describe the envisaged processing operations and the purposes of such processing, having taken into account the necessity and proportionality of the processing and the risks to the rights and freedoms of data subjects.

A DPIA should also set out what measures have been or will be taken to address any risks that have been identified, to ensure full compliance with the GDPR. While there is no prescribed format, the WP29 guidance helpfully provides methodologies that organisations can use and the basic criteria for what a DPIA should contain.

When is a DPIA needed?

Article 35 of the GDPR provides that a DPIA is necessary where the processing “is likely to result in a high risk to the rights and freedoms of natural persons”. If this is the case, “the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”.

As such, DPIAs are not required in all circumstances. But where it is unclear whether a DPIA is required, the WP29 recommends one should be carried out nonetheless, given that a DPIA is a useful tool to help data controllers comply with data protection law.

We believe it would be good practice for organisations to always have the requirement for a DPIA at the forefront of their minds.

They should consider a DPIA prior to all processing activities, not only from May 2018, when the GDPR comes into force, but starting now so that a culture of compliance is adopted from day one.

Ultimately, organisations should consider that the sooner any risks are discounted or identified, the sooner the organisation can implement any necessary changes to its procedures and carry on its business.

This should help limit the financial and reputational damage that could result from failing to adequately address these risks. As a reminder, the consequences of an organisation’s failure to comply with certain provisions of the GDPR can be significant: in some cases, fines of up to €10m or 4% of worldwide annual turnover can be imposed.

Contributed by Helen Bourne, partner, Clyde & Co.