GDPR Compliance Framework Overview (EU & Global Companies)
GDPR Compliance Framework Overview for EU Controllers and Processors
The actual GDPR compliance framework of articles and recitals is long, verbose, and inundated with legal verbiage, enough to warrant multiple readings before one has a satisfactory understanding of its true intent. Yet hidden within its framework are the following seven pillars that every controller and processor needs to be aware of:
- Principles
- Accountability
- Rights of the Data Subject
- Obligations
- Technical and Organizational Measures
- Documentation
- Additional Legal, Administrative, and Operational GDPR Requirements
GDPR Compliance Framework and “Principles”
The GDPR puts forth a common set of principles which serve as the true fabric for the overall intent of the regulation. Words such as “lawfully”, “fairly”, “adequate”, “accurate”, “consent”, and more are used heavily throughout the GDPR as the EU seeks to implement far-reaching data privacy protection measures. Specifically, Articles 5, 6 and 7 – and others – highlight the following principles within the GDPR (personal data shall be):
- Processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
- Kept in a form which permits identification of data subjects for no longer than is necessary.
- Processed in a manner that ensures appropriate security of the personal data.
- Processed only where consent (or another lawful basis) has been established for the processing.
GDPR Compliance Framework and “Accountability”
What makes the GDPR compliance framework different from many past or present rulings and compliance edicts is the “accountability” principle. Specifically, Article 5(2) of the GDPR states the following: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”. Thus, being responsible and demonstrating compliance means undertaking various initiatives for meeting all the stated requirements of the GDPR. Therefore, it’s about spending time and assessing each of the articles within the GDPR and putting in place the necessary practices (i.e., internal controls) and documentation (i.e., policies and procedures). This can be challenging, no question about it, which is why controllers and processors should begin with a GDPR readiness & gap assessment for gaining a clear understanding of the road ahead and what compliance really means.
Starting off on the wrong foot with the GDPR compliance framework can be problematic indeed, and many controllers and processors unfortunately do, as the overall depth of the regulation seems overwhelming. A helpful tool for assessing compliance is FLANK’s GDPR Checklist, an incredibly in-depth, comprehensive, yet easy-to-use checklist that’s available for instant download at flank.org. Both controllers and processors will benefit from a prescriptive GDPR checklist that allows you to document your current processes in relation to the actual GDPR Articles.
GDPR Compliance Framework and “Rights of the Data Subject”
The rights of data subjects are on heavy display within the GDPR (the entire Chapter 3 is dedicated to “Rights of the Data Subject”), with a number of Articles stating such rights and the actions that data subjects themselves can take. This means that controllers and processors need to be highly aware of these rights, build into their operations the ability for data subjects to exercise such rights, and then execute on them. Failing to adhere to a data subject’s rights and act on them is just one of several examples of non-compliance that can result in substantial fines. The following is a list of rights that controllers and processors need to be aware of:
- The right of access, specifically to the purposes of processing of personal data and the related categories of data, the recipients to whom such data will be disclosed, the right to lodge a complaint with a supervisory authority, and more [Article 15(1)].
- The right of rectification of inaccurate data [Article 16].
- The right to erasure/right to be forgotten, for which controllers are obligated to erase personal data without undue delay [Article 17].
- The right to restriction of processing of data if certain conditions apply, such as when the accuracy of the personal data is contested, the processing is unlawful, or the controller no longer needs the data for the purposes of processing [Article 18(1)].
- The right to data portability, specifically the ability to receive personal data in a structured, commonly used format so that data subjects can transfer such data from one controller to another [Article 20(1)].
- The right to object to processing of personal data based on stated provisions within the GDPR [Article 21].
Many of these data subjects’ rights require the development of prescriptive policies and procedures, along with various forms and templates to use when executing a data subject’s rights. FLANK provides a wide array of industry
GDPR Compliance Framework and “Obligations”
Because controllers and processors have to implement policies, procedures and processes that abide by the strict principles put forth within the GDPR, they ultimately have a long list of obligations to meet. Simply stated, the real onus for complying with the GDPR falls on these very controllers and processors, not on data subjects. It’s a heavy burden indeed, one made even heavier by the potential for huge fines due to non-compliance, and it’s one of many reasons why organizations need to source a competent firm with proven expertise in the field of security, governance and compliance, and that’s FLANK.
One of the more notable obligations for controllers is to demonstrate that the data subject has consented to processing of his or her personal data. Additionally, the data subject shall have the right to withdraw his or her consent at any time, with the withdrawal of such consent not affecting the lawfulness of processing based on consent before its withdrawal. Furthermore, prior to giving consent, the data subject is to be informed thereof, and it shall be as easy to withdraw consent as to give it, per Article 7(3). In the case of a child below the age of 16 years, processing is only lawful if consent is given or authorized by the holder of parental responsibility over the child. Lastly, Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years. Many obligations indeed must be met by controllers and processors as described within the GDPR compliance framework.
As to the specific “Obligations” put forth within the GDPR, they can be found throughout Articles 24 to 31, and consist of the following:
- Implement appropriate technical and organizational measures for the GDPR.
- Adhere to the approved codes of conduct within the GDPR.
- Enforce a “data protection by design and by default” principle whereby appropriate technical and organizational measures are in place for meeting the GDPR requirements, while protecting the rights of individuals (i.e., data subjects).
- Determine the relevant roles and responsibilities where two or more controllers are involved in processing (known as joint controllers).
- Use only processors that adhere to the GDPR requirements, thus those that provide sufficient guarantees in implementing appropriate technical and organizational measures.
- Maintain adequate records of processing. Specifically, records must contain all of the information listed in Article 30(1) - https://gdpr-info.eu/art-30-gdpr/.
- Cooperate at all times with the supervisory authority.
GDPR Compliance Framework and “Technical and Organizational Measures”
The GDPR often states that controllers (and also processors) are to “implement appropriate technical and organizational measures”. In fact, it’s a phrase used throughout many of the published GDPR Articles. There’s been a healthy debate as to what the phrase actually means, resulting in scores of white papers and webinars, along with more than a fair share of late-night office discussions. The GDPR does provide guidance on such security measures – such as pseudonymisation, encryption, and more – but falls short of endorsing or requiring a specific framework, tool, or process. With that said, the key considerations regarding “implement appropriate technical and organizational measures” should consist of the following:
It’s about Information Security
Regulatory compliance in today’s world always includes a healthy application of information security; it’s just the new world we all live in. While some compliance frameworks are prescriptive in their InfoSec requirements, others – such as the GDPR – leave open a certain window for interpretation. Because of this, it’s ultimately up to controllers and processors to acknowledge the following in terms of the GDPR: (1) information security is critically important; (2) some type of framework will need to be put in place; and (3) whatever the framework is, it must include information security policies and procedures documenting the actual controls and related processes.
It’s about Implementing a Proven Framework
For EU controllers and processors, the GDPR compliance framework would benefit from the adoption of the ISO 27001/27002 framework, and for some obvious reasons. First and foremost, because ISO is a European-derived standard and the GDPR is a European-derived legislative mandate, there’s a healthy commonality that makes the two pieces fit together. EU businesses know ISO 27001/27002 quite well, so the adoption of an Information Security Management System (ISMS) no doubt helps in meeting many of the requirements to “implement appropriate technical and organizational measures”.
NIST SP 800
Haven’t adopted the ISO 27001/27002 framework and have another framework in mind, or rather, stand-alone InfoSec domain best practices? Not a problem. Many businesses around the globe – especially in North America – have shown strong interest in adopting the NIST SP 800 information security framework – in particular, NIST SP 800-53 and NIST SP 800-171. Much like ISO 27001/27002, the NIST SP 800 framework is well-recognized, highly respected, and includes an incredibly extensive and comprehensive list of security requirements.
In fact, for the thousands of federal contractors seeking to do business with federal agencies in the United States, the NIST SP 800 publications are the basis for which compliance is built upon. If you’re an EU controller or processor and have adopted the NIST SP 800 framework, then you’ll no doubt have a mature set of controls in place for helping meet the GDPR requirements to “implement appropriate technical and organizational measures”. FLANK offers a comprehensive, world-class set of NIST SP 800 documents and toolkits for EU controllers and processors seeking to enhance their information security documentation library.
NO ISO, NO NIST? No Problem!
But what if you haven’t adopted ISO 27001/27002, NIST SP 800, or any other framework? Again, not a problem. What many EU controllers and processors have done – and are doing – to meet the requirements to “implement appropriate technical and organizational measures” is simply building stand-alone InfoSec policies, procedures, and processes. When we say “stand-alone”, we’re talking about the core information security domains that all organizations should have in place: access control, data backup, incident response, change management, configuration management, and more. FLANK also offers comprehensive information security policy templates and toolkits outside of the ISO 27001/27002 and NIST SP 800 frameworks – documentation that’s been expertly researched and written by world-class compliance and cybersecurity professionals.
It’s about Information Security Controls
Documentation is only as good as the controls that an organization actually has in place. This means that controllers and processors will need to put in place InfoSec best practices for whichever framework they choose. For example, you may very well have a comprehensive access control policy in place, but are the actual controls – the processes and procedures for provisioning and de-provisioning users – operating as described in the policy document?
GDPR Compliance Framework and “Documentation”
As just discussed in the previous section, documentation is incredibly important for the GDPR compliance framework. As with any of today’s growing compliance mandates, documentation in the form of policies, procedures, and other material plays an essential role for the GDPR. Remember that the accountability principle speaks volumes about documentation; after all, what better way to prove compliance than having well-written, high-quality policies and procedures in place? What makes the documentation aspect of the GDPR challenging is that the regulation itself is far-and-wide in terms of coverage of controls, which in turn requires a vast number of policies and procedures to be in place. Think H.R., operations, privacy, information security, incident response – the list can seem daunting indeed.
In fact, as we’ve canvassed the European Union, North America, and Asia in recent years helping organizations understand the GDPR requirements, time and time again the topic of “documentation” comes up. Why? Because controllers and processors are finding it to be the single most challenging and time-consuming aspect of complying with the GDPR. An interesting finding indeed, and there are two reasons why documentation is so challenging.
First and foremost, the scope can be daunting in terms of the volume of policies, procedures, and other related materials needed. Remember, it’s not just about InfoSec policies – far from it – the GDPR crosses over into other organizational departments. Second, we’ve found that the vast majority of controllers and processors seeking to become GDPR compliant fall short on the actual documentation they have in place. While many of the processes are in place with adequate controls, it’s the documentation describing such processes that’s missing, and that’s the challenge.
World-Class GDPR Policy Templates & Toolkits for Download
FLANK offers a wide-range of world-class GDPR policy templates and toolkits for helping controllers and processors develop all necessary materials quickly, comprehensively, and cost-effectively. A small sample of our professionally developed GDPR policies, templates, and toolkits consists of the following:
- ISO 27001/27002 All-in-One Toolkit
- GDPR Compliance All-in-One Toolkit
- Data Protection Impact Assessment (DPIA) Program Template
- Data Processing Policies and Procedures
- Incident Response Programs
EU controllers and processors – and any other business around the world required to become GDPR compliant – can now save hundreds of hours and tens of thousands of dollars on costly policy creation with our industry leading policy templates and toolkits. Don’t consume yourself and your business with GDPR policy creation, just visit flank.org today and instantly download the very best GDPR policy templates and toolkits found anywhere in the world. Yes, our documentation really is that good!
Additional Legal, Administrative, and Operational GDPR Requirements
The GDPR also contains numerous other articles covering the following:
- Codes of Conduct
- GDPR Certification
- Transfers of Data
- Independent Supervisory Authorities
- Cooperation and Consistency
- Remedies, Liabilities, and Penalties, Provisions, and Acts
Take the Next Steps Toward GDPR Compliance Now!
Taking the next step with GDPR compliance for EU businesses means choosing from any one of the following services and solutions:
GDPR Readiness & Gap Assessments
Want to know exactly where you stand in terms of scope for the GDPR? How about identifying critical control gaps and the initiatives needed for correcting such deficiencies? Those are just a few of the items FLANK covers when performing a GDPR readiness & gap assessment for EU controllers and processors. By using our world-class GDPR checklists, documents, and other supporting materials, we’ll get to the bottom of your compliance needs quickly, identifying the essential points you need to know for becoming fully compliant with the GDPR.
A quick and efficient tool for helping EU controllers and processors assess their current control posture against the baseline GDPR compliance requirements is a high-quality, professionally developed checklist. We have one – our GDPR checklist – and it’s available for instant download today at flank.org. We also offer world-class GDPR policy templates and toolkits for those much-needed policies and procedures that so many controllers and processors are lacking.
GDPR Data Protection Impact Assessment (DPIA) program
A large number of EU controllers and processors will need to perform a GDPR Data Protection Impact Assessment (DPIA), and FLANK offers a world-class DPIA program template for instant download. Our DPIA template contains all the required information for completing such an initiative quickly and comprehensively. There’s no need to spend endless hours authoring your own DPIA template, use ours!
GDPR Documentation & Toolkits
Start with a GDPR Readiness & Gap Assessment
New to the GDPR compliance framework and need help? Then hit the ground running with FLANK’s GDPR readiness & gap assessment services. We’ll dig deep into your controls, identify gaps and the corrective action necessary, and put in place a proven roadmap for compliance success. With FLANK, we’ll help you cross the GDPR finish line.
Download GDPR Checklist
We’ve been told by hundreds of companies that the single-best tool needed for the GDPR compliance framework is a well-written, highly comprehensive checklist, and that’s exactly what FLANK offers for instant download. Because of the depth of the GDPR, it’s hard to imagine any EU controller or processor having a clear understanding of the requirements – and the gaps that exist – without such a checklist.
Do You Need to Perform a DPIA for GDPR? Find Out Now.
Not every EU controller or processor needs to perform a Data Protection Impact Assessment (DPIA). Find out now if you need to perform one by downloading FLANK’s simple three-page Data Protection Impact Pre-Assessment (DPIPA) Determination Matrix template.
Download Data Protection Impact Assessment (DPIA) Template
Need to perform a Data Protection Impact Assessment (DPIA) and in search of a high-quality template? Then download FLANK’s GDPR DPIA template today. Our GDPR DPIA template is incredibly easy to use and implement, comprehensive, and can be utilized by any type of business, regardless of industry. It’s just another example of how FLANK is leading the way by providing world-class GDPR documentation.
Download GDPR Policy Templates & Toolkit Today
FLANK offers a wide range of GDPR policy templates and toolkits for helping controllers and processors throughout the EU – and the globe – become compliant with the General Data Protection Regulation. Massive documentation requirements for the GDPR are forcing controllers and processors to spend thousands of dollars on policy writing services, but FLANK has a better solution: use our GDPR policy templates and toolkits.
Why FLANK for GDPR Compliance?