The process of documenting GDPR compliance

It's work in progress. Always.

The process of documenting and maintaining GDPR compliance is a continuous loop of several activities:

Discovery → Interviewing → Records → Contracts → Policies → Risks → Breaches → Decisions → Gaps → (back to Discovery)

This is a short overview of key activities, and a privacy specialist may find herself performing many other privacy and compliance-related tasks not mentioned here: data subject requests, data protection impact assessments, legitimate interest assessments, transfer impact assessments, internal reviews of new systems and manual processes, internal education and advisory, and many others. But let's look at the basics.

Discovery

It starts with discovery. You need to suspect that certain processing is conducted by your company. That may be easy in a small company and very difficult in a large, distributed corporation. As a privacy specialist, typically external to most of the process owners, you need to suspect that someone inside the company may own a processing activity, find that owner, and set up a call.

You may suspect certain activities going on (sales, marketing, HR, payroll), but you may also discover many specific or internal activities. Quite often, you will be discovering a map of activities and data flows that did not exist before.

The IT department is often aware of the majority of automated processes, even if it does not own or operate them. Manual processes are more difficult to discover, so you need to be proactive during the interview to learn what everyone is actually doing.

Interviewing

Mostly, GDPR compliance documentation is interview-based: you ask process owners (or whoever is knowledgeable) about the details of each specific process and write the answers down. It is expected (and generally accepted) that computing systems are doing what their owners believe they are doing and that human colleagues are doing what they are supposed to do. You need to take measures if you suspect that this assumption no longer holds: for example, if people tell inconsistent stories about certain processes, or wherever you can observe the process yourself.

An interview is typically devoted to a single processing activity (or a few closely related activities). Quite often, you will have two different colleagues: someone who is responsible for the activity and someone else who knows it in every detail. You may want to record their names in the 'Responsible person' and 'Contact person' fields of the records of processing activities in PrivacyDocs.

Process owners are often not able to give you the full picture you need. For example, an IT system may serve many different processes, and the people involved in those processes may not know how the data is fed into the system, which security measures apply, how long it is retained, what information is provided to individuals, etc. It is also common that the Legal department maintains all contracts and the people who own a process inside the company do not have a copy.

Records of Processing Activities

PrivacyDocs Support

Records of processing activities as a controller open by default. You can switch back to them by pressing the 'Controller processing' button in the top-left corner of the screen:

Records of processing activities as a controller

The goal of the interviews is to fill in the records of processing activities and to pencil in new activities that are discovered during the interviews.

One hour is often not enough for the initial interview, and follow-ups may be needed. (Annual) reviews are usually much shorter, eventually turning into quick email exchanges: 'Has anything changed?'

Sharing the PrivacyDocs screen with the record in question during an interview helps your colleagues understand it better and get involved. After the interview, you can share the final state of the record with the stakeholders to confirm it and avoid misunderstandings.

PrivacyDocs Support

Share the current state of the record by emailing it (button 'Team'). You can also invite your colleagues to view the record directly in PrivacyDocs (button 'Client Settings').

Contracts

Establishing the legal basis for each activity is a separate task because it is often not readily available during the interviews. The following situations are common:

  • Processing based on a contract, such as an employment contract or a sales contract. As a privacy professional, you need to find the contract as signed by the data subjects (individuals), collect all variants of the contract, and check that what is agreed in them matches what is documented in your compliance documentation. These contracts may be managed by other departments, exist only electronically, or be composed of several legal documents. References to the contracts and their texts are then entered into PrivacyDocs in the corresponding fields.
  • Processing based on legitimate interest. According to the GDPR, you need to 'establish' a legitimate interest by completing a Legitimate Interest Assessment. A mere belief that the company has the right to conduct a certain processing activity is not sufficient for compliance. PrivacyDocs offers a specialized form for this assessment. While completing it, you may find out that the company does not really have a 'legitimate' interest in the processing, that the processing needs to be changed, or that the associated risks need to be evaluated and managed.
  • Processing based on consent typically requires finding the exact texts that the individuals agree to. These texts are often provided by the sales or marketing systems, are not unified, and are not really managed as contractual agreements. They need to be entered into the appropriate fields in PrivacyDocs.

Update policies

PrivacyDocs Support

Generate policy documents using the 'Policies' button:

Policy generation

When a processing record is updated, you may want to review the policies, notices, and contracts through which the data subjects are informed of or agree to the processing. A well-written policy or notice is comprehensive enough not to require frequent updates. It still makes sense to review them so they stay in sync with the rest of the data protection documentation.

PrivacyDocs supports the generation of these documents with the 'Policies' button on the toolbar. After finishing your annual review round, you can regenerate the policies and compare them with the previous year's versions using the compare function in Microsoft Word or a similar tool. This way, you ensure that your policy documents are up to date.

Investigate breaches

You will be registering and investigating personal data breaches as they happen. In a normal organisation, small low-risk breaches happen regularly, and a well-populated register of them is the best sign of your compliance with the breach registration requirements of the GDPR.

A breach would typically highlight a risk that needs to be mitigated or accepted.

Identify and manage risks

Risks may be identified in three places:

  • Preliminary risk identification as part of a record of processing activities (field 'Risks')
  • Data protection impact assessment (table 'DPIA - Data Protection Impact Assessments')
  • Breach assessment during breach registration

Most risks lead to a business decision, ranging from accepting the risk as is to altering the processing activity that causes it. You need to document these steps, as they form part of the compliance documentation. Responding to a risk may take some time, especially if a proper response requires a material change in the processing.

Document decisions

Documentation of decision-making is part of the compliance documentation. Corresponding emails, chat messages, and conversation summaries need to be collected and attached to each risk. They are best stored in a separate folder that is linked to from PrivacyDocs.

Work on compliance gaps

GDPR compliance is always a work in progress. Something is always unfinished: missing pieces of documentation, risks that still require mitigation, etc. These gaps, and the company's ongoing progress in closing them, should be reflected in the data protection documentation.

We can help you

We can help in conducting the interviews and discovering your map of processing activities as part of PrivacyDocs GDPR consultancy services.