GDPR FAQs - from DPIA (Article 25) to Data Mapping (Article 30, 32)



How many companies have the capacity to do this?

GDPR has professionalized Data Privacy Management in Europe, and I can see positive impact upon information security practices. If we know where the Personal Data is, this can aid Risk and Vulnerability Management practices in Information Security greatly.

I see many of the security and legal folks in the Privacy Trainings (IAPP, CIPP/E). It’s safe to say that the information security and forensics field is not full of Privacy Professionals. That includes me, of course. Here are the 6 Qs I found helpful to enhance my understanding of GDPR.

For me, privacy and security are really important. We think about it in terms of both: You can’t have privacy without security.
(Larry Page)

Background materials:

FAQ 1: Is storing data processing activity?

Technical staff: “We just store data, and only provide the storage systems. We do not process the data. Is that affected?”

GDPR Article 4(2): “any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means”

Storing Personal Data is in scope of GDPR. Storing costs power, licenses, maintenance time… it’s obviously an operation an entity pursues for a business reason.

Some companies have hoarded a lot of data in Active Directory Shares or Research Databases. That is in scope. The same goes for SaaS-hosted inboxes (like Gmail, Office 365…) or ticket systems (JIRA etc.).

FAQ 2: What if an employee revokes her consent?

This question came from Finance.

The individual rights granted to Data Subjects include that a Controller needs to have consent and must inform them about the Processors (contractors and third parties with access to PII).
An employee is subject to other laws as well, such as national employment laws, tax laws etc. These laws are understood in conjunction with Privacy Law. That means that if an entity is required to keep financial records for tax assessments, this takes priority, and it can be made transparent.

The case of an employee who withdraws her consent would need to be handled by the DPO and the Human Resources department. Generally, once that employee understands that payslip processing is part of lawful data processing, there is an aspect of consent, given that the Data Subject continued to work with the expectation of receiving a salary in return.

Furthermore, I assume that the employee would have to convince a court that the data processing related to the salary paid under the employment contract created harm that needs to be compensated.

General answer:

Data privacy law is proportional and understood in conjunction with other laws. My recommendation is that you revisit the security and data retention policies and ensure that you define business reasons for the data processing activities related to these procedures.

FAQ 3: What are adequate means to demonstrate privacy governance?

From executive management.

Generally speaking, policies, written procedures and other certificates of compliance are auditable. An entity that is compliant with ISO 27000 can probably demonstrate adequate measures related to Article 32 (information security), provided that the systems which process PII are all in scope.

Under ISO 27000, informal processes can be compliant. That means it might be relatively easy to achieve ISO compliance.

FAQ 3.2: Wait, not every company pursues information security formally, or as a business objective. Can you tell me if that is still legal, because security costs money?

Simple answer: if you have no information security program that can be demonstrated, don’t process PII. The data belongs to the individuals, not to the company holding the data. Many services can work without storing PII.

Longer answer: litigation in Europe is expensive, and the class-action lawsuit system (like in the US) is not present in all member states of the EU / EEA. Serial investigations are less common. Data Protection Authorities (DPAs) are not well staffed. Civil Rights organizations might focus on exceptional cases, and generally it’s not likely that a business will be investigated.

That being said, a small/medium business is easier to investigate, and large organizations have internal Data Privacy programs. If you are an SMB, you need to do proportionally less. But you are not out of scope.

FAQ 4: What do you recommend to limit the paperwork?

Technical staff member in the Privacy Group.

A Data Privacy Management platform might be useful to crowd-source initial DPIAs. I found it useful to data-mine information security tools to build a more comprehensive data-map.

The golden rule is that these tasks need some assurance related to a demonstrable state of completeness. There may be bottomless pits, grey areas and other traps that cause both paperwork and audit effort to increase without benefit.

Additional answer:

Personally, I can recommend OneTrust (it’s a commercial platform). That really depends on the requirement analysis and your privacy program management. There is no one-size-fits-all solution, although the law is the same for everyone and the approaches are generic.

FAQ 5: What are the typical phases?

From a privacy professional at a training.

For GDPR, it’s doubt (internal discussions, about whether it’s real), bargaining (“Is there a shortcut?”), anger (“This is expensive”) and criticism (“Ok, we need to do it, but…”) and finally compliance (“Well, we do it now. Thankzzzz.”).

I doubt that the majority of businesses will adopt Data Privacy procedures by May 2018. I sense they don’t have the capability to do that: a Privacy Program is hard to manage, and requires a deep interdisciplinary and interdepartmental understanding. It’s customer facing, can affect business partners and cooperation between companies, and affects all employees. Just like information security. The key difference is that it’s more formalized and less technical.

I have not heard of a program that was disproportionately well founded or extreme.

FAQ 6: What is most expensive?

From a budget meeting.

Some companies hoard data which needs to be re-classified, because it may or may not contain PII.

Examples include large Active Directory shares, where the purpose has not always been documented, or Data Analysis systems (Hadoop, with aggregated data) which have grown very quickly over the last couple of years. Backup systems can be in scope (with long-term retention, possibly unencrypted), as well as all kinds of databases, Cloud Services, or third-party information processing systems in general, such as SaaS systems including Office 365, Google Apps or other collaboration tools.

For these large-scale re-indexing e-discovery projects, incremental approaches are in many cases more realistic. It might also help to motivate departments to tidy up their data and to check whether it can be deleted before May 2018.

For the re-discovery tasks you need to know how to scope the audits. This is something an experienced Forensics professional in the information security team might be able to help with.

FAQ 6.2: What would you change, to make Privacy Programs simpler?

It’s a good measure to explain the means to reference sets of Personal Data without sharing it. This can happen via an ID or a Token. PII can also be masked so that it does not fall into the scope of the regulations. In short: reduce the use of PII. Reduce the systems in scope, so that fewer projects need PII.

Subjects can make certain requests based on their individual rights. You need to prepare for this. One pitfall is that you need to ensure that you are working with the right person (verify that the identity is correct, and that this person is the signatory).
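One way to implement the ID/token approach from this answer, together with the masking and the subject-request handling, as an added example that is not part of the original post: a keyed token vault (an assumed design; the key and the e-mail addresses used are constructed) that hands downstream systems a token instead of the address, masks addresses for display, and honours an erasure request by dropping the vault entry so the tokens held elsewhere become unlinkable. The vault and its key remain the one component that stays fully in scope and must be protected accordingly.

```python
import hashlib
import hmac
from typing import Dict, Optional


class TokenVault:
    """Pseudonymisation vault (constructed example, not the post's code).

    Downstream systems (analytics, tickets, shares) only ever see the token.
    Only the vault can map a token back to the identifier, so the vault and
    its key stay in scope: access control, logging and encryption at rest
    concentrate there instead of in every system that used to hold PII.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key  # in practice loaded from a secret store / KMS, never hard-coded
        self._token_to_pii: Dict[str, str] = {}

    @staticmethod
    def normalise(identifier: str) -> str:
        # Same subject, same token: strip whitespace and case-fold the address.
        return identifier.strip().casefold()

    def _token_for(self, ident: str) -> str:
        # Keyed HMAC: deterministic, so datasets stay joinable on the token,
        # but not derivable without the key (a bare SHA-256 of an e-mail
        # address can be reversed by hashing a list of known addresses).
        digest = hmac.new(self._key, ident.encode("utf-8"), hashlib.sha256).hexdigest()
        return "tok_" + digest[:32]

    def tokenize(self, identifier: str) -> str:
        ident = self.normalise(identifier)
        token = self._token_for(ident)
        self._token_to_pii[token] = ident
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Privileged lookup; only the vault can resolve a token back to PII."""
        return self._token_to_pii.get(token)

    def erase(self, identifier: str) -> bool:
        """Erasure request: drop the entry, leaving downstream tokens unlinkable."""
        token = self._token_for(self.normalise(identifier))
        return self._token_to_pii.pop(token, None) is not None


def mask_email(address: str) -> str:
    """Display masking: keep the first character and the domain, e.g. a****@example.com."""
    local, sep, domain = address.partition("@")
    return local[:1] + "*" * (len(local) - 1) + sep + domain
```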

Background information

I manage a privacy program for a multi-national organization, and take part in trainings and information events. For further information, please navigate to the Contact page.


08.09.2017 - publication
09.09.2017 - minor formatting changes