GDPR- Get Organized and Implement the Right Processes for Compliance with the GDPR


Page 1: GDPR- Get Organized and Implement the Right Processes · GDPR- Get Organized and Implement the Right Processes for compliance with the GDPR 1 Notice This white paper is a comment

GDPR- Get Organized and Implement the Right Processes for Compliance with the GDPR


GDPR- Get Organized and Implement the Right Processes GDPR Compliance Process

Contents

NOTICE (p. 1)
ABSTRACT (p. 2)
INTRODUCTION (p. 3)
  OBJECTIVES OF THE WHITE PAPER (p. 5)
  ORGANIZATION OF THE WHITE PAPER (p. 5)
  AUDIENCE FOR THIS WHITE PAPER (p. 6)
MICROSOFT COMMITMENTS TO THE GDPR (p. 7)
DID YOU SAY 'PERSONAL DATA'? (p. 9)
A FEW REMINDERS ABOUT THE GDPR (p. 10)
  SOME STRUCTURING DEFINITIONS (p. 10)
  EXTRATERRITORIAL APPLICATION SCOPE (p. 11)
  PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA (p. 11)
  TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES (p. 12)
  CERTIFICATION (p. 13)
INITIATE AND CONDUCT A GDPR PROGRAM (p. 14)
  RELY ON A MULTICYCLE APPROACH (p. 14)
  UNDERSTAND THE ACTIVITIES OF EACH PHASE IN A PDCA MODEL (p. 15)
PLAN THE GDPR PROGRAM (p. 21)
  RECRUIT / DESIGNATE A DATA PROTECTION OFFICER (p. 21)
  DEFINE THE ORGANIZATIONAL STRUCTURE FOR CONDUCTING THE GDPR PROGRAM (p. 23)
  ESTIMATE THE SCOPE OF THE GDPR PROGRAM FOR THE PROCESSING OF PERSONAL DATA (p. 23)
  DEFINE THE TOOLING AND VARIOUS MODELS, DEFINITIONS, AND SO ON (p. 25)
  DEFINE A FRAMEWORK FOR DATA PROTECTION IMPACT ASSESSMENT (p. 32)
  MAP THE PROCESSING OPERATIONS OF PERSONAL DATA (p. 38)
  CONDUCT A PRELIMINARY STUDY OF THE LEVEL OF RISK OF THE PERSONAL DATA PROCESSING OPERATIONS (p. 39)
  MANAGE THE RISKS OF HIGH-RISK PERSONAL DATA PROCESSING OPERATIONS (p. 40)
IMPLEMENT THE GDPR PROGRAM (p. 43)
  CONTROL THE WAY THE PERSONAL DATA IS ACCESSED AND USED (p. 43)
  CLASSIFY PERSONAL DATA (p. 47)
  IMPROVE THE SECURITY OF PERSONAL DATA PROCESSING (p. 47)
  IMPLEMENT A PROCESS FOR THE NOTIFICATION OF PERSONAL DATA BREACHES (p. 53)
  IMPROVE INTERNAL AWARENESS AND COLLABORATION (p. 55)
CHECK THE GDPR PROGRAM (p. 56)
  MONITOR HIGH-RISK DATA PROCESSING (p. 56)
  CHECK THE (PATH TO) COMPLIANCE WITH THE GDPR (p. 56)
  MAINTAIN THE DOCUMENTATION REQUIRED FOR COMPLIANCE WITH THE GDPR (p. 59)
ACT ON THE GDPR PROGRAM (p. 60)
  INITIATE A PROCESS TO RATIONALIZE THE PROCESSING OF PERSONAL DATA (p. 60)
A QUICK LOOK AT THE CNIL’S RECOMMENDATIONS (p. 61)
  CNIL: THE FRENCH DATA PROTECTION AUTHORITY (p. 61)
  CNIL’S GDPR IMPLEMENTATION RECOMMENDATIONS (p. 61)
SOME RECOMMENDATIONS IN CONCLUSION (p. 64)
REFERENCES (p. 68)
  USEFUL LINKS IN THE MICROSOFT TRUST CENTER (p. 68)


GDPR- Get Organized and Implement the Right Processes for compliance with the GDPR 1

Notice

This white paper is a comment on the General Data Protection Regulation (GDPR) as Microsoft interprets it on the date of publication. We have spent a lot of time reflecting on the objectives of the GDPR and its meaning. However, the implementation of the GDPR can only be based essentially on established facts; some of the aspects and interpretations of the GDPR are not yet well established.

Therefore, this document is provided for informational purposes only and should not be relied upon as constituting any legal opinion or as to how the GDPR may apply to you and your organization. We encourage you to work with a suitably qualified professional to discuss the GDPR, to verify how it will specifically apply to your organization, and to determine how best to ensure compliance.

MICROSOFT DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, IN RELATION WITH THE INFORMATION CONTAINED IN THIS WHITE PAPER. The white paper is provided "AS IS" without warranty of any kind and is not to be construed as a commitment on the part of Microsoft.

Microsoft cannot guarantee the veracity of the information presented. The information in this white paper, including but not limited to internet website and URL references, is subject to change at any time without notice. Furthermore, the opinions expressed in this white paper represent the current vision of Microsoft France on the issues cited at the date of publication of this white paper and are subject to change at any time without notice.

All intellectual and industrial property rights (copyrights, patents, trademarks, logos), including exploitation rights, rights of reproduction, and extraction on any medium, of all or part of the data and all of the elements appearing in this paper, as well as the rights of representation, rights of modification, adaptation, or translation, are reserved exclusively to Microsoft France. This includes, in particular, downloadable documents, graphics, iconographics, photographic, digital, or audiovisual representations, subject to the pre-existing rights of third parties authorizing the digital reproduction and/or integration in this paper, by Microsoft France, of their works of any kind.

The partial or complete reproduction of the aforementioned elements and in general the reproduction of all or part of the work on any electronic medium is formally prohibited without the prior written consent of Microsoft France.

Publication: November 2017

Version 1.0

© 2017 Microsoft Corporation. All rights reserved.


Abstract

In the age of digital transformation, data privacy and improved security have become key social and business issues. The next General Data Protection Regulation (GDPR) defines an important new step in data privacy and compliance, accompanied by appropriate security measures.

The GDPR imposes many requirements and obligations for organizations not only within the EU, but around the world. GDPR compliance will require significant investments in data management and data protection for a large number of organizations and enterprises.

Microsoft customers who are subject to the GDPR, whether processing data in house, in the cloud, or in hybrid configurations, must ensure that personal data within their systems are properly processed and protected according to the principles of the GDPR. This means that many customers will have to revise or modify their data processing procedures, the implementation of these processes, and the security of these processes as stipulated in the GDPR.

Microsoft has significant experience in managing the principles of data protection and in complying with complex regulations. We have committed to sharing this experience with customers to help them meet the objectives and privacy requirements of the GDPR. In this context, this paper discusses how to initiate and organize a GDPR program to begin or continue the path to compliance with the GDPR.


Introduction

After more than four years of negotiations, which began when the European Commission presented its proposals in January 2012, the Council of Europe adopted on April 14, 2016 the General Data Protection Regulation[1] (GDPR), more commonly referred to by its English acronym "GDPR."

The GDPR came into force on May 24 of that year and will be applicable directly in all Member States after a period of two years, on May 25, 2018, less than one year from the date of publication of this white paper.

In the age of digital transformation, data privacy and improved security have become major concerns. Since Directive 95/46/EC[2] of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, more than 20 years have elapsed. We have since entered a new era, the digital era, in which data is now at the center of everything. The masses of data of all kinds available, the computing power available – with the developments of processors, especially graphics processing units (GPUs), and the advent of cloud computing environments (cloud services) – have resulted in very different uses of data today. The data input to predictive algorithms are central to automated decision making in our daily lives. The disruption is such that this new digital age is generally called the 4th industrial revolution.

A revision of Directive 95/46/EC was therefore also necessary, with the objective of homogenizing a mosaic of regulations imposed in the different states of the European Union and of making available a single supervisory authority rather than 28.[3]

The GDPR is fundamentally concerned with the issue of protecting the privacy of individuals and enabling them to exercise their rights in this regard. To this end, the GDPR establishes a set of the most stringent global requirements imposed on organizations in terms of protection of privacy. These requirements govern how you must manage and protect the personal data of individuals in the EU while respecting their individual choices, no matter where the data are processed, stored, or sent.

[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA, AND REPEALING DIRECTIVE 95/46/EC (GENERAL DATA PROTECTION REGULATION): http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

[2] DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 24 OCTOBER 1995 ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046

[3] THE NEW EU RULES ON DATA PROTECTION PUT CITIZENS IN CHARGE: http://www.europarl.europa.eu/pdfs/news/expert/background/20160413BKG22980/20160413BKG22980_en.pdf

"Thanks to this general regulation, a high, uniform level of data protection across the EU will become a reality. It is a victory for the European Parliament and a fierce European 'yes' to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they wish to share."

- Jan Philipp Albrecht, in charge of legislation in the European Parliament


Thus, Microsoft and its customers have now set out on the path to achieve the privacy objectives set by the GDPR. Microsoft believes that privacy is a fundamental right, and we believe that the GDPR represents an important advance in terms of privacy and protection of related rights. At the same time, we recognize that the GDPR will impose significant changes on organizations around the world.

In this context, and as Brad Smith, Chairman and Chief Legal Officer of Microsoft Corporation, points out, "The new Regulation significantly raises the bar on privacy, security, and compliance."

More than ever, it raises a number of questions, all of which of course require a response that meets the objectives and requirements of the GDPR, including but not limited to:

• Do you know where the personal data of your company resides and who has access to this data?
• Do you control who has access to your personal data and how it is used according to the real-time risk assessment?
• Can you classify, protect, and enforce policy-driven actions on your data, on terminals, between applications, anywhere, at rest, and in transit?
• Can you automatically detect a data leak or identity theft? Are you able to respond adequately when an individual's personal data is compromised?
• Do you constantly review and update your data protection policies and practices?

These questions are being asked in a number of organizations, because all those handling the data of individuals in the EU must comply with the GDPR. For Europe alone, this potentially affects no fewer than 26 million organizations.

Furthermore, the impact of the implementation of the GDPR will be far from neutral, especially now that the level of fines has taken a decisive step; the amount of sanctions may amount to 20 million Euros or, in the case of a company, up to 4% of the previous year's total annual worldwide turnover, whichever is greater.[4]

Note These are the maximum fines, and they will be modulated according to criteria such as the nature, gravity, and duration of the infringement, whether the infringement was committed deliberately or negligently, failure to comply with an injunction or the transfer of data to a third country, and so on.

However, it must be noted that the levels of understanding and preparation of organizations are not necessarily aligned. Gartner estimated in May 2017 that at best only 50% of organizations will be ready on May 25, 2018.[5]

This finding is corroborated by the results of Veritas' Global Databerg Report, which surveyed in 2016 – the reference period is therefore not quite the same – more than 2,500 IT decision makers in Europe, the Middle East, Africa, the United States, and the Asia-Pacific region, revealing that 54% have not yet implemented the necessary measures to comply with the GDPR. The question then arises as to whether organizations and companies have truly grasped all the associated issues.

[4] ARTICLE 83 - GENERAL CONDITIONS FOR IMPOSING ADMINISTRATIVE FINES, see REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA, AND REPEALING DIRECTIVE 95/46/EC (GENERAL DATA PROTECTION REGULATION): http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

[5] GARTNER SAYS ORGANIZATIONS ARE UNPREPARED FOR THE 2018 EUROPEAN DATA PROTECTION REGULATION: http://www.gartner.com/newsroom/id/3701117


What about French organizations? According to the study by SerdaLAB/Arondor[6] dated February 2017, the situation is similar, as 45% of organizations and companies simply do not know that the GDPR will come into effect on May 25, 2018; 43% have not yet really evaluated the impact it will have on their operation; and 38% quietly realize they will not meet the deadline!

Finally, the study titled ORGANIZATIONAL READINESS FOR THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION[7] carried out by AvePoint at the end of 2016 with 223 multinational companies highlights the three most important points: the implementation of a personal data management program to meet the requirements of the GDPR, followed by a review of the contractual issues with the processors, and finally data security and notification.

This study illustrates, if need be, that one of the central questions for organizations and companies aware of their responsibility and future obligations (for others, there is still time for a welcome wake-up!) is the following:

How can we get organized and start as soon as possible to be ready?

Indeed, even if the fear of financial sanctions is likely to give impetus to start on the path to compliance with the GDPR, it remains difficult for organizations and companies to know how to approach mandatory compliance with the GDPR in a practical way.

Although there is already a considerable amount of literature synthesizing the principles of the GDPR, it is clear that few focus on the description of a somewhat detailed approach, because it constitutes the very added value of these consulting firms or solution providers.

Objectives of the white paper

The aim of this white paper is therefore to propose a program framework for drafting a GDPR compliance roadmap by addressing important issues such as the relationship with data processors, data security, and notification to the supervisory authority, if only to cover the key points of the aforementioned study.

Although not all organizations are equally affected by the GDPR, by the nature of their value proposition(s) and their activities, it is likely that, in a general way, multiple business processes collect, use in processing operations, and/or store personal data. Compliance of these personal data processing operations will no doubt result in multiple projects that need to be carried out. That is why we wish to use here the term "program," a program consisting of multiple projects.

Organization of the white paper

In order to meet the objectives set out above, and beyond a reminder of the Microsoft commitments to the GDPR, this document is organized according to the following sections:

• DID YOU SAY 'PERSONAL DATA'?
• A FEW REMINDERS ABOUT THE GDPR
• INITIATE AND CONDUCT A GDPR PROGRAM
• PLAN THE GDPR PROGRAM
• IMPLEMENT THE GDPR PROGRAM
• CHECK THE GDPR PROGRAM
• ACT ON THE GDPR PROGRAM
• A QUICK LOOK AT THE CNIL’S RECOMMENDATIONS

[6] DATA PROTECTION: A MAJOR DELAY FOR MANY FRENCH ORGANIZATIONS: http://www.influencia.net/fr/actualites/media-com,etudes,protection-donnees-gros-retard-pour-beaucoup-organisations-francaises,7364.html

[7] ORGANISATIONAL READINESS FOR THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION: https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2016/11/cipl_avepoint_gdpr_readiness_survey_report_1107_final-c.pdf

We hope that this organization of the paper will be progressive and clear in the different areas it covers.

Audience for this white paper

This document is intended for Chief Security Officers (CSOs), Risk Management Officers, Chief Privacy Officers (CPOs), Compliance Officers, Chief Data Officers (CDOs), Chief Digital Information Officers (CDIOs), Data Protection Officers (DPOs), IT professionals, security specialists, and systems architects interested in understanding the pillars of the GDPR and how to ensure that their organizations' standards and practices in terms of security and protection of privacy help them to comply with the GDPR.


Microsoft commitments to the GDPR

Although the path to GDPR may be difficult, Microsoft is here to help. For example, we underlined our commitment to the GDPR and how we support our clients in the blog post GET GDPR COMPLIANT WITH THE MICROSOFT CLOUD[8] by Privacy Officer Brendon Lynch[9] and the blog post EARNING YOUR TRUST WITH CONTRACTUAL COMMITMENTS TO THE GENERAL DATA PROTECTION REGULATION[10] by Rich Sauer[11], Vice President and Deputy General Counsel of Microsoft. Since September 1st, 2017, this commitment has been included in our Online Services Terms (OST).[12]

Note For specific information about the GDPR, Microsoft commitments, and the start of your roadmap, visit the special GDPR section[13] in the Microsoft Trust Center.[14]

Note As cloud services become more widespread, "compliance" becomes a recurring issue and a mandatory requirement for Microsoft customers in order to provide them with the level of transparency they need. The word has different meanings, for example, as a tool for evaluating cloud services or as a means of describing expectations about the operation of those services. Microsoft is naturally committed to providing its customers with all the compliance information they need to understand and evaluate compliance issues:

"People will not use a technology they do not trust. And they cannot trust a technology they do not understand."

- Brad Smith, President of Microsoft

As everyone knows, trust cannot be decreed; it must be merited and maintained. Microsoft has therefore created a Trust Center for all Microsoft cloud services to help its customers understand the issues involved in the transparency, security, privacy, and compliance of the proposed cloud services.

The Trust Center thus lists all the norms and standards respected by Microsoft, its codes of good practice, controls, and operational processes, and provides complementary information and resources. In general, the Trust Center provides access to compliance documentation and information about how Microsoft manages the data stored in its cloud services. The Trust Center provides links to dashboards for clients, with up-to-date information on service availability and the location of data.

[8] GET GDPR COMPLIANT WITH THE MICROSOFT CLOUD: https://blogs.microsoft.com/on-the-issues/2017/02/15/get-gdpr-compliant-with-the-microsoft-cloud/#4J5lDmd47PkIv6xL.99

[9] Brendon Lynch's blog: https://blogs.microsoft.com/on-the-issues/author/brendonlynch/

[10] EARNING YOUR TRUST WITH CONTRACTUAL COMMITMENTS TO THE GENERAL DATA PROTECTION REGULATION: https://blogs.microsoft.com/on-the-issues/2017/04/17/earning-trust-contractual-commitments-general-data-protection-regulation/#6QbqoGWXCLavGM63.99

[11] Rich Sauer's blog: https://blogs.microsoft.com/on-the-issues/author/rsauer/

[12] LICENSING TERMS AND DOCUMENTATION: http://go.microsoft.com/?linkid=9840733

[13] GDPR section of the Microsoft Trust Center: http://www.microsoft.com/GDPR

[14] Microsoft Trust Center: https://www.microsoft.com/fr-fr/trustcenter


Note With regard to Microsoft cloud services, we wish to emphasize that in April 2014, the Article 29 Working Party[15] (so-called WP29), named in reference to Article 29 of Directive 95/46/EC – and representing the 28 authorities for the protection of personal data in the European Union – following a comprehensive review of Microsoft contracts for Microsoft Online Services, considered that they met the highest standards set by European regulations for the protection of personal data.

As a result, Microsoft is the first company to have received such a recognition, which has significant consequences for public and private organizations in Europe and around the world, regardless of their size, who seek to be reassured about protecting their data and complying with the legal framework.

[15] Article 29 Working Party: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/index_en.htm


Did you say 'personal data'?

Personal data is defined very broadly in the GDPR. Personal data in scope may include, but is not limited to, the following data:

• Name
• Identification number (ID)
• Email address
• User ID (UID)
• Messages on social media
• Genetic, physiological, or physical information
• Medical information
• Location
• Bank details
• IP address
• Cookies

This includes the known notions of identifiable personal data, but not only those notions!

"Linked data" is also personal data. This term refers to data relating to a person whose identity is known:

• Data that directly identifies a person, such as a telephone number or a permanent UID
• Direct links to information that identifies the person, such as browsing history, location, usage or error data, or other data stored with a permanent UID

The same is true for "linkable data." This is, in practice, data that can be used in a systematic way to create or recreate a link with identification information:

• Permanent UIDs that are hashes (numbers derived from) of linked IDs
• All data stored with a GUID representing a single user or device

What does the GDPR say?

Article 4 - Definitions

"'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"


A few reminders about the GDPR

Based on 173 introductory recitals – a recital may contain additional explanations of an article – and 99 articles distilled over 10 chapters, 88 pages contain the 160 requirements of the new GDPR. Following this section, we shall look at the most salient points of the GDPR that help to clarify the proposed GDPR program as it is articulated in the remainder of this white paper.

Some structuring definitions

Article 4[16] introduces the different roles and concepts involved in the protection of personal data, and in particular those of the data controller and processor.

It is the responsibility of the controller to implement appropriate technical and organizational measures to ensure that processing of personal data is consistent with the objectives and requirements of the GDPR. Furthermore, the controller must be able to demonstrate that this is the case at any time. When processors are employed, the controller must ensure that they provide sufficient guarantees to enable them to comply and to process personal data according to the controller's instructions, in particular with regard to transfers outside of the European Union.

The processor must act in an advisory role with respect to the data controllers in order to assist them in ensuring their data security obligations – for example, through the implementation of pseudonymization – or when a prior consultation of the supervisory authority is necessary in the case of high-risk processing. For France, the supervisory authority is the CNIL (National Commission for Information Technology & Liberties).[17] The GDPR requires that processors not established in the European Union must appoint a representative in the Union.

[16] Article 4 - DEFINITIONS, see REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation): http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

[17] CNIL: https://www.cnil.fr

What does the GDPR say?

Article 4 - Definitions

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. […];

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Note The principle of pseudonymization, widely cited in the GDPR, makes it possible to eliminate the nominative character of data by using pseudonyms. For additional information on the subject, please consult the standard ISO/IEC CD 20889 [18] INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- PRIVACY ENHANCING DATA DE-IDENTIFICATION TECHNIQUES (currently in development).

Extraterritorial application scope

Although it is a European regulation, the GDPR is global in scope when dealing with the personal data of European Union residents. The GDPR applies to data controllers or processors located in the European Union, even if the processing of personal data is carried out outside the European Union, and it also applies to controllers or processors located outside the European Union when they process such data.

Principles relating to the processing of personal data

Responsibility is the "key word" within the GDPR.

The requirements are placed under the umbrella of increased responsibility both for the enterprise and its processors. (The term used is shared responsibility.)

Article 5 [19] requires the controller to be capable of demonstrating that it complies with the six principles and explicitly states that they are its responsibility:

1. Observe a requirement for transparency in the processing and use of personal data.

2. Limit the processing of personal data for legitimate and specified purposes.

3. Limit the collection of personal data for the intended purposes.

4. Allow data subjects to correct or request the deletion of their personal data.

5. Limit the storage of personal data to the time required for the intended purpose.

6. Ensure that personal data is protected with appropriate security practices.

[18] ISO/IEC CD 20889 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- PRIVACY ENHANCING DATA DE-IDENTIFICATION TECHNIQUES: https://www.iso.org/standard/69373.html

[19] ARTICLE 5 - PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

"Responsibility is not just what we do, but it is also what we do not do, and for which we are responsible." – Molière

This accountability implies in particular:

• Implementing appropriate organizational and technical measures that ensure and demonstrate compliance with the GDPR. This may include designating a Data Protection Officer (DPO), reviewing and adapting security and privacy policies, training staff, internal audits of the processing, and so on.

• Maintaining appropriate documentation on the processing of personal data.

• Implementing measures that adhere to the principles of "data protection by design" and "data protection by default." This includes data minimization, pseudonymization, transparency, implementation and enhancement of security features on an ongoing basis, and so on.

• Conducting an impact analysis of the protection of personal data whenever necessary.

Note The controller must implement appropriate technical and organizational measures at the design stage to protect personal data while limiting the collection to only the necessary data and using technical solutions such as minimization or pseudonymization. Access to the data must be strictly controlled. Compliance with international standards may serve as evidence.

Note The future standard ISO/IEC CD 20889 previously mentioned aims to improve the practice and transparency of de-identification of the data. The standard makes it possible to classify the known depersonalization techniques using a standardized terminology: the characteristics, underlying technologies, applicability of each technique to the reduction of the risk of re-identification, and utility of the resulting depersonalized data are all elements addressed. Its scope therefore lies in providing clear descriptions of, and advice on, the objectives and application of depersonalization to improve privacy.

Transfer of personal data to third countries

The transfer of personal data to a third country must ensure that the level of protection of individuals required by the GDPR is not compromised.

The transfer is authorized without specific agreement to third countries for which the Commission has found that an adequate level of protection is ensured. The list of authorized or prohibited third countries has been published by the Commission on its website.

For other third countries, the transfer is permitted if guarantees such as those provided for in the standard contractual data protection clauses approved by the Commission are provided.

What does the GDPR say?

Article 5 - Principles relating to processing of personal data

1. Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes […];

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed […];

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Certification

Certification vis-à-vis the GDPR is encouraged while remaining a voluntary act. Certification bodies will be accredited to carry out the assessment leading to the issuance of the certification in question. Certification is granted for a maximum period of 3 years and may be withdrawn when the requirements are no longer satisfied. A European data protection seal will be created with the agreement of the European Data Protection Board, a new European body foreseen by Article 68. [20] Please be aware that there probably will be no universally applicable GDPR certification by May 2018. For example, the forthcoming ISO/IEC AWI 27552 [21] INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- ENHANCEMENT TO ISO/IEC 27001 FOR PRIVACY MANAGEMENT -- REQUIREMENTS is only expected in 2019/2020.

As early as May 2018, this Board will be in charge of arbitrating disputes between the authorities and also developing a European doctrine. Prior to that date, the Article 29 Working Party had the task of working with enterprises to help them comply with the new GDPR. It will be replaced by the European Data Protection Board when the GDPR becomes enforceable.

Note The Article 29 Working Party (so-called WP29) shall consist of a representative of the supervisory authority or authorities designated by each Member State, a representative of the authority or authorities established for the Community institutions and bodies, and a representative of the Commission. For France, this role has been devolved to the CNIL.

The WP29 constitutes the grouping of the European national data protection authorities responsible for helping to develop European standards by adopting recommendations and advising the European Commission on any project having an impact on the protection of data and the freedoms of persons. [22]

[20] ARTICLE 68 - EUROPEAN DATA PROTECTION BOARD

[21] ISO/IEC AWI 27552 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- ENHANCEMENT TO ISO/IEC 27001 FOR PRIVACY MANAGEMENT -- REQUIREMENTS: https://www.iso.org/standard/71670.html

[22] THE G29, A GROUP OF EUROPEAN NATIONAL DATA PROTECTION AUTHORITIES: https://www.cnil.fr/en/le-g29-groupe-des-cnil-europeennes

What does the GDPR say?

Article 42 - Certification […]

3. The certification shall be voluntary and available via a process that is transparent.

4. A certification [...] does not reduce the responsibility of the controller or the processor for compliance with this Regulation […].

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

Initiate and conduct a GDPR program

Compliance with the GDPR is not an activity to be carried out once, but rather requires the implementation of an iterative process involving permanent responsibility. Indeed, compliance with the GDPR must be demonstrable at all times: we refer to this as "dynamic" compliance. The portfolio of the processing of personal data of the organization or company develops continuously, due to the nature of digital transformation.

In this sense, the program covers issues such as quality management, operations, security, and so on. The program is initially aimed at making compliant all the processing of personal data existing within the organization. But it also has to ensure the compliance of the new processing operations in order to respect the principles of "data protection by design" and "data protection by default."

Rely on a multicycle approach

In this context, the adoption of a PDCA model (PLAN-DO-CHECK-ACT) is therefore relevant.

Figure 1. PDCA cycle (PLAN-DO-CHECK-ACT)

Also called the “Deming Wheel,” this is a classic model of continuous quality management and improvement, which has been popularized in particular by the Microsoft Operations Framework (MOF) 4.0, the Information Technology Infrastructure Library (ITIL), [23] as well as the standard ISO/IEC 20000-1:2011 [24] INFORMATION TECHNOLOGY -- SERVICE MANAGEMENT -- PART 1: SERVICE MANAGEMENT SYSTEM REQUIREMENTS.

What does the GDPR say?

Article 25 - Data protection by design and by default

1. […], the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing […].

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Note Microsoft Operations Framework (MOF) 4.0 is a concise guide that helps organizations improve service quality while reducing costs, managing risk, and improving compliance. MOF defines the key processes, activities and responsibilities required to plan, deliver, operate, and manage services throughout their lifecycles. The MOF guide encompasses all the activities and processes involved in the management of these services: design, development, operation, maintenance, and their eventual withdrawal. For more information, visit http://www.microsoft.com/mof.

Note The PDCA cycle is also at the heart of the standard ISO/IEC 27005:2011 [25] INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - INFORMATION SECURITY RISK MANAGEMENT.

A cycle approach can be used to start the analysis by focusing on achievable goals and then quickly iterating on this basis when the first result turns out to be successful, instead of trying to cover a larger scope and waiting months or years without seeing real results.

In addition to an initial implementation (or proof of concept) corresponding to a PLAN-DO-CHECK-ACT cycle, this leads to operational implementation with full coverage of the computer systems and a comprehensive mapping of the personal data in those computer systems.

This model, when applied to the GDPR, makes it possible to achieve the following:

• Gradually cover the scope concerned in terms of the processing and storage of personal data to reach 100% coverage. This progression is dictated by prioritizing the processing of personal data, following an evaluation of the risks that each processing operation places on the protection of the privacy of the data subjects.

• Fit naturally into a process to be conducted on an ongoing basis.

In both situations, the model makes it possible to continuously improve the relevance and quality of appropriate organizational and technical measures. This improvement ensures that the feedback and experience gained in the implementation and execution of the program are developed and taken into account.

The PDCA model leads to a number of ongoing activities for GDPR compliance efforts. First, you need to complete a PDCA cycle before iterating on the basis of the lessons learned during this phase.

Understand the activities of each phase in a PDCA model

Plan

The first phase consists of setting up the structure that will be in charge of the implementation program of compliance with the GDPR and its maintenance over time.

[23] WHAT IS ITIL BEST PRACTICE?: https://www.axelos.com/best-practice-solutions/itil/what-is-itil

[24] ISO/IEC 20000-1:2011 INFORMATION TECHNOLOGY -- SERVICE MANAGEMENT -- PART 1: SERVICE MANAGEMENT SYSTEM REQUIREMENTS: https://www.iso.org/standard/51986.html

[25] ISO/IEC 27005:2011 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- INFORMATION SECURITY RISK MANAGEMENT: https://www.iso.org/en/standard/56742.html

In addition, as with any program or project to be carried out, the first steps are also aimed at establishing objectives, references and materials (appropriate frameworks and models), and the processes necessary to achieve the expected results.

Thus, governance processes, tools, and models are created during this PLAN phase of the PDCA cycle. Each of them is defined by specifying the stakeholders involved and, if necessary, the modalities of implementation and interaction: a record of processing activities (associated with a model of a descriptive sheet of processing activities, a lifecycle data model, etc.); a classification of personal data; a decision framework to perform a Data Protection Impact Assessment (DPIA); a model of the notification process to the supervisory authority; management of compliance audits; and so on. Similarly, the tools on which these processes and deliverables are based are chosen: for example, a collaborative content management tool to keep the record of processing activities, a recommended graphics tool for creating data flow diagrams, a workflow management tool to automate the steps of different processes, and so on.

In addition, tools and methods adapted to the (agile) development of new processing operations must be integrated into the development processes in order to comply with the principles of "data protection by design" and "data protection by default" as defined in Article 25 of the GDPR.

Beyond this initialization, the first PLAN phase includes a series of activities characteristic of the DISCOVER step: identify the personal data that you have and where it resides.

This approach aims at establishing a comprehensive mapping – at company level – of the processing of existing personal data as well as stored personal data, with an understanding of the underlying lifecycle management, data governance, and all relevant security and confidentiality controls in place and enforced.

Figure 2. Main activities of the PLAN phase of the PDCA cycle

This phase ends, for each processing of personal data, with a preliminary study in order to decide whether an impact analysis relating to the protection of personal data (as described in Article 35 of the Regulation) must be conducted to manage the risks inherent to that processing. An impact assessment will or will not be conducted based on the findings of this study. This formal milestone enables the targeting and planning of the activities in the DO phase for this processing.

Do

When the scope of the cycle has been established, the different frameworks and models to be used defined, the classification taxonomy for the personal data also defined, and so on, the second DO step deals with the implementation of the plan and the operation of the defined process.

This second DO step consists of conducting a series of three typical categories of activities:

1. MANAGE. Governing how personal data are accessed and used: management of the consent and rights of data subjects, retention of personal data, supervision of data transfer, and so on.

2. PROTECT. Prevent, detect, and respond to vulnerabilities and personal data breaches: protection of personal data, detection of breaches, and appropriate response.

3. REPORT. Maintain the required documentation, and handle requests for personal data and notifications of breaches.

Figure 3. Main activities of the DO phase of the PDCA cycle

Check

The third step, CHECK, mainly consists of studying the actual results of the activities of the previous DO stage, and comparing them with the expected results – targets or objectives of the PLAN step – in order to determine the differences.

This step involves revising, evaluating, and validating the various indicators and data reports to ensure that:

• Existing personal data governance tools and methods effectively address transparency, record-keeping, and reporting requirements.

• Data protection policies and profiles provide appropriate control to the data subjects and ensure that the processing is in accordance with the law.

• The security controls that have been implemented are actually enforced to control where personal data are stored and how they are used.

The preceding points indicate where compliance with the GDPR may be at risk, and involve conducting the following category of activities: REPORT.

Figure 4. Main activities of the CHECK phase of the PDCA cycle

Particular emphasis should be placed on identifying the discrepancies in the implementation of the plan, as well as on the relevance and completeness of the plan, to ensure it is carried out in the best way possible.

Act

The fourth and final step, ACT, provides an opportunity to:

• Request/implement remedial measures on significant differences between actual and planned results: revision of the underlying methodology to be adopted, redefinition, and so on.

• Analyze differences in personal data elements that require revision in terms of classification, protection policies/profile divergences, and so on, to determine their root causes.

• Determine where to apply the changes that will include improvements throughout the process.

This step streamlines the GDPR compliance effort and creates a phased approach that:

• Includes a clear articulation of the efforts and the application of IT governance on the processing of the personal data in question, and the commitment of the business lines to prioritize risks on personal data handled and/or stored as well as on the operational processes relating to those processing operations.

• Extends coverage over time in terms of the processing of personal data managed and controlled by the GDPR program, and addresses new risks to newly emerging personal data assets.

• Enables continuous improvements by implementing additional guarantees and capacities toward the same personal data processing operations.

Figure 5. Main activities of the ACT phase of the PDCA cycle

Did you say "agile"?

As we have just seen, the PDCA model leads to a number of activities on an ongoing basis.

Figure 6. Main activities to be carried out during a PDCA cycle

The adoption of such a PDCA model in no way prevents an agile approach, for the definition of a "sprint" involves "drawing" from the different "buckets" of activities PLAN-DO-CHECK-ACT. This follows the example, in an orthogonal domain, of the Microsoft SDL (Security Development Lifecycle) [26] and its "SDL for Agile" variant (SDL-Agile), [27] [28] a methodology to which we shall return later in this paper.

Note The SDL (Security Development Lifecycle) methodology is a software security assurance process, and its "Agile" and "Cloud" developments are particularly well-suited to the continuous development of such services. These good practices ensure the principle of "Security by design" but also those of "Security by default," "Security during deployment," and communications for all these structuring principles. All of these structuring principles are referred to as SD3+C.

These principles also apply to the protection of privacy, integrating "Protection of privacy by design" and "Protection of privacy by default" in accordance with Microsoft Privacy Policies, [29] and by extension are referred to as PD3+C.

[26] MICROSOFT SDL (SECURITY DEVELOPMENT LIFECYCLE): http://www.microsoft.com/sdl

[27] SDL FOR AGILE: https://www.microsoft.com/en-us/SDL/Discover/sdlagile.aspx

[28] SECURITY DEVELOPMENT LIFECYCLE FOR AGILE DEVELOPMENT: https://msdn.microsoft.com/en-us/library/windows/desktop/ee790621.aspx

[29] WE SET AND ADHERE TO STRINGENT PRIVACY STANDARDS: https://www.microsoft.com/en-us/trustcenter/privacy/we-set-and-adhere-to-stringent-standards

Note Annex A of the ISO/IEC 27034-1:2011 [30] standard includes a case study that demonstrates how SDL complies with the processes and components of this standard, which provides a risk-based model for integrating security into the software lifecycle. Microsoft SDL meets or exceeds the guidelines published in ISO/IEC 27034-1.

The blog post MICROSOFT SDL CONFORMS TO ISO/IEC 27034-1:2011 [31] may be consulted for this purpose. With agile development now underway and the continuous integration software engineering approach that governs the delivery of solutions, engineering teams use the SDL Agile Development Methodology (SDL-Agile) to integrate critical security practices into the agile methodologies used on a daily basis. As its name suggests, the SDL-Agile approach is true to both SDL and Agile. It allows teams to innovate and respond quickly to customer needs while providing solutions that are (even) more resilient to attacks.

We detail each of these activities in the remainder of this document.

Figure 7. Consolidated view of the main activities to be carried out during a PDCA cycle and grouping by main categories

[30] ISO/IEC 27034-1:2011 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- APPLICATION SECURITY -- PART 1: Overview and concepts: https://www.iso.org/en/standard/44378.html

[31] MICROSOFT SDL CONFORMS TO ISO/IEC 27034-1:2011: https://blogs.microsoft.com/microsoftsecure/2013/05/14/microsoft-sdl-conforms-to-isoiec-27034-12011/

Plan the GDPR program

The PLAN phase of the PDCA cycle consists of a set of activities:

• Control the way the personal data is accessed and used (DPO)

• Define the organizational structure for conducting the GDPR program

• Estimate the scope of the GDPR program for the processing of personal data

• Define the tooling and various models, definitions, and so on

• Define a framework for data protection impact assessment

• Map the processing operations of personal data:

  • Conduct a preliminary study of the level of risk of the personal data processing operations

  • Manage the risks of high-risk personal data processing operations

Microsoft suggests using the conventional approach to risk assessment, which involves various stages. After defining the scope, the assets and threats are identified. Then the existing security measures and vulnerabilities are assessed, before assessing the risks, the probability of occurrence, and the impacts. Finally, the counter-measures that can be taken to cover the risks, while accepting the residual risks, are considered.

These activities are described individually in the following sections.

Recruit / designate a Data Protection Officer

This activity is to be carried out during the initial iteration of the PDCA cycle.

The appointment of a Data Protection Officer (DPO) will be mandatory in 2018 in certain situations.

In all cases, the designation of at least one person for an organization – either within that organization or an external entity – who is responsible for ensuring compliance with the GDPR is strongly recommended.

The role of Data Protection Officer as defined in the GDPR is central: "The purpose of this role is to bridge the gap between technology and legal services as well as human resources and public relations." [32]

The DPO acts as a "transmission belt" in relation, on the one hand, with the business teams in charge of processing personal data, and on the other hand with the Chief Information Officer (CIO), the Chief Security Officer (CSO), the legal department, and the Chief Data Officer, if the latter role exists in the organization or the company. The Data Protection Officer must have real independence and will be the point of contact with the supervisory authority.

In other words, the DPO acts as a conductor to ensure compliance with the GDPR. As the point of reference for the program, the DPO assumes an advisory role, coordinates the various actions to be carried out, and monitors the smooth running of the program.

[32] IS IT TIME FOR DATA PROTECTION OFFICERS?: http://www.techradar.com/news/world-of-tech/management/is-it-time-for-data-protection-officers-1322335

What does the GDPR say?

Article 37 - Designation of the data protection officer

The controller and the processor shall designate a data protection officer in any case where:

a) the processing is carried out by a public authority or body […]

b) the core activities [...] consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) the core activities [...] consist of processing on a large scale of special categories of data […] and personal data relating to criminal convictions and offences […].

Article 38 - Position of the data protection officer …

Article 39 - Tasks of the data protection officer

The data protection officer shall have at least the following tasks:

a) to inform and advise [...] of their obligations pursuant to [...] data protection provisions;

b) to monitor compliance with this Regulation [...], including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

c) to provide advice where requested as regards the data protection impact assessment [...];

d) to cooperate with the supervisory authority [...];

e) to act as the contact point for the supervisory authority [...];

Page 27: GDPR- Get Organized and Implement the Right Processes · GDPR- Get Organized and Implement the Right Processes for compliance with the GDPR 1 Notice This white paper is a comment

23

Note Aware of the fact that the GDPR has many areas of uncertainty that are liable to interpretation, the WP29 has published so-called "guidelines" clarifying and illustrating with concrete examples the implementation and operational deployment of the GDPR. Within the corpus of guidelines already available, the DATA PROTECTION OFFICER33 guidelines help clarify the shadow areas relating to the designation, the roles and responsibilities of the DPO, and the skills required, in particular for the definition of a business role description sheet.

Originally published in December 2016, the revision of this guide was adopted and made available at the beginning of April 2017, adding interesting details: there can be only one DPO for the entire organization; the DPO will be responsible for all the processing of personal data - one cannot "carve up" the processing operations among several officers, but can manage a team to help accomplish the work; the DPO must reside if possible in the European Union and identify cases of conflict of interest.

At the date of publication of this white paper, a number of guidelines are still being defined. More particularly, four guidelines have been adopted: GUIDELINES ON DATA PROTECTION OFFICERS ('DPOS'),33 GUIDELINES ON THE RIGHT TO "DATA PORTABILITY,"34 GUIDELINES FOR IDENTIFYING A CONTROLLER OR PROCESSOR'S LEAD SUPERVISORY AUTHORITY,35 and GUIDELINES ON DATA PROTECTION IMPACT ASSESSMENT (DPIA).36 Two other guidelines are available for comments but not yet adopted: GUIDELINES ON PERSONAL DATA BREACH NOTIFICATION37 and GUIDELINES ON AUTOMATED INDIVIDUAL DECISION-MAKING AND PROFILING.38

The DPO, as defined by the GDPR, represents a certain evolution of the role of, for example, the "CNIL registered data protection officer" (CIL) in France and the "Datenschutzbeauftragter" (DSB) in Germany.

The deliverables for the implementation of this activity are:

• Description of the associated business role

• Allocation of the necessary financial envelope

Define the organizational structure for conducting the GDPR program

This activity is to be carried out during the initial iteration of the PDCA cycle.

Implementing compliance with the GDPR requires real awareness at the highest level of the organization, not only to free the necessary budgets but also to be able to involve the right stakeholders and the executives themselves in the process. Given the possible amount of financial penalties, the GDPR is a subject for an organization's steering committee.

In practice, this activity is designed to build the "team" behind the DPO. It involves paying particular attention to integrating the various stakeholders necessary for the governance of the GDPR program and ensuring that all the necessary internal relays within the organization are taken into account.

33 GUIDELINES ON DATA PROTECTION OFFICERS ('DPOS'), WP243REV.01: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100

34 GUIDELINES ON THE RIGHT TO "DATA PORTABILITY", WP242REV.01: http://ec.europa.eu/newsroom/document.cfm?doc_id=44099

35 GUIDELINES FOR IDENTIFYING A CONTROLLER OR PROCESSOR'S LEAD SUPERVISORY AUTHORITY, WP244REV.01: http://ec.europa.eu/newsroom/document.cfm?doc_id=44102

36 GUIDELINES ON DATA PROTECTION IMPACT ASSESSMENT (DPIA) AND DETERMINING WHETHER PROCESSING IS "LIKELY TO RESULT IN A HIGH RISK" FOR THE PURPOSES OF REGULATION 2016/679, WP248REV.01: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711

37 GUIDELINES ON PERSONAL DATA BREACH NOTIFICATION UNDER REGULATION 2016/679, WP250: http://ec.europa.eu/newsroom/document.cfm?doc_id=47741

38 GUIDELINES ON AUTOMATED INDIVIDUAL DECISION-MAKING AND PROFILING FOR THE PURPOSES OF REGULATION 2016/679, WP251: http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47963


It is also necessary to specify the governance model of the GDPR program, that is, the procedures for interaction according to the different roles, for example between the DPO and the CSO. The supervisory authority with which the company is likely to interact in the future must be clearly identified, for example the CNIL for France.

The definition of a steering committee for the GDPR program must also be established. This steering committee within the framework of the program:

• Ensures the management of the activities and associated actions that are carried out

• Takes the necessary decisions and arbitrations for which it has been delegated by the management committee

• Lists, clarifies, and summarizes the decision support elements required for the steering committee, and so on

Finally, it is necessary at this stage to evaluate the budget necessary for the conduct of the GDPR program.

The deliverables for the implementation of this activity are:

• Governance document for the GDPR program. This document includes the description of the stakeholders, their interactions and their role in each of the processes (for example, Data Protection Officer, Processing or Application Manager, CSO, CIO, and so on)

• Allocation of the necessary financial envelope

Estimate the scope of the GDPR program for the processing of personal data

This activity is to be carried out during the initial iteration of the PDCA cycle.

Not all organizations are equally affected by the GDPR. An initial inventory of the personal data processing operations in place is necessary at this stage, with the need to be able to exchange with all the business lines, branches, divisions, departments, entities, and so on of the organization in order to prepare an initial list of their personal data processing operations in place.

Data processing operations (services, applications, and associated repositories) that can be quickly identified as not processing personal data will be discarded. On the other hand, those that integrate personal data must be included in the list of target operations to be processed in the following activities.

In practice, and in order to carry out the following activities in the planning stage, the information fed back must enable a rapid analysis and prioritization of the effort.

To do so, particular attention should be given to the following:

• The purpose(s) of the processing operation carried out (that is, the objectives), its importance and relevance for the business line, and any transfers to third parties

• The nature of the personal data stored or handled

• The services, applications, and data repositories known to host or which are liable to host and/or process personal data

• Exposure in the security sense of the processing and its ramifications

This is a first step in documenting processing operations. This documentation is truly constituted and consolidated in the mapping activity; see section MAP THE PROCESSING OPERATIONS OF PERSONAL DATA.

These processing operations constitute the processing portfolio in terms of scope to ensure compliance with the GDPR.


The services, applications, and repositories of data naturally need to be crossed with the known and managed IT assets, because the notion of "Shadow IT" is present in many organizations. According to a study of Help Net Security, 10 times more applications in the cloud are used compared with the estimates realized by IT departments.

Note The organization must control all the assets concerned by the GDPR including the "Shadow IT" dimension and the "unidentified" applications in this context.

In fact, there is simply no way to gain visibility into these applications (and therefore processing) for which the organization has no capacity to ensure that the necessary controls are in place. As underlined by the article WHY YOU NEED CASB FOR GDPR COMPLIANCE,39 solutions of the Cloud Access Security Broker (CASB) type help to bring these applications to light.

Such solutions also generally allow the identification of personal data in transit and at rest for a wide range of applications in the cloud. This also includes cloud storage solutions such as OneDrive, Google Drive, Dropbox, and so on.

It is then possible to envisage (i) controlling, with appropriate measures, the flow of personal data and any data transfers that this entails, and (ii) assessing the risks to which the processors that have now been identified are exposed.

All of the above elements thus collected must be used to assess whether the GDPR applies to the organization and, if so, to what extent. A rapid analysis to measure the level of criticality for the organization must be carried out and, at its conclusion, this analysis indicates whether or not the organization is affected by the GDPR and to what degree.

As discussed above, the scope and magnitude of a GDPR program will differ from one organization to another.

Note The GDPR Assessment40 can be used to carry out a self-assessment of your organization on its overall level of maturity in relation to the main requirements of the GDPR. This questionnaire tool is free of charge, available online, and provides a benchmark according to the main activity categories discussed above (DISCOVER, MANAGE, PROTECT, REPORT) and specifies, where appropriate, Microsoft solutions that may help meet these requirements.

This first level of risk assessment seeks to prioritize the most at-risk processing operations in the PDCA cycles of the GDPR program. Given the date of May 25, 2018, for the implementation of compliance with the GDPR, Microsoft recommends that the processing of personal data should be sequenced by prioritizing those operations that have been considered as more critical, although ultimately every processing operation will have to comply with the GDPR.

The fact is that preparing this first inventory as exhaustively as possible – the GDPR requiring 100% coverage of personal data processing – can prove to be a time-consuming activity.

Note According to the study ORGANIZATIONAL READINESS FOR THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION mentioned in the introduction of this white paper, the inventory of processing operations (and their mapping) is the major effort required for most companies. Although 27% claim to have an up-to-date inventory including personal data, 25% claim to have an up-to-date inventory but without the data set, and the rest – almost half of all companies – indicate a minimal or even nonexistent inventory.

Some organizations may have several thousand processing operations performed through a wide variety of services and applications, and it is necessary to identify for each one whether personal data are at stake or not. Furthermore, some processing operations are carried out via legacy applications that are still in use, were often developed externally, and may no longer have a designated owner: it is very likely that the organization has lost control of such operations, which will make this first analysis all the more difficult, and the more complete mapping will have to follow (see section MAP THE PROCESSING OPERATIONS OF PERSONAL DATA).

39 WHY YOU NEED A CASB FOR GDPR COMPLIANCE: https://blog.cloudsecurityalliance.org/2017/04/04/need-casb-gdpr-compliance/

40 GDPR Assessment: https://www.gdprbenchmark.com/

The deliverables for the implementation of this activity are:

• A first consolidated list of the processing operations concerned, prioritized by criticality and, if possible, grouped by main purpose. Each processing operation must be matched with the types of personal data being processed, as well as the services, applications (internal vs. cloud vs. hybrid) and data repositories concerned.

• An estimate of the impact of the GDPR and the effort required to achieve compliance with the GDPR.

Define the tooling and various models, definitions, and so on

This activity is to be carried out during the initial iteration of the PDCA cycle.

This activity includes a set of sub-activities:

• Define / review the classification taxonomy for personal data

• Define policies for the management and use of personal data

• Define a record of processing activities

• Define / review / update the different templates with respect to the consent and new rights of the data subjects

• Define a process model for the notification of a personal data breach

These sub-activities are described in the following sections.

Define / review the classification taxonomy for personal data

The GDPR requires organizations to secure personal data according to their sensitivity. As discussed in section DID YOU SAY 'PERSONAL DATA'?, there are different types of personal data: data concerning minors, health data, biometric data, and so on.

This same data has specific sensitivities, as described in Article 9.41

41 ARTICLE 9 - PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

What does the GDPR say?

Article 9 - Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union affiliation, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

[see (10) conditions stated ...]


Note The conduct of this activity can be guided by the considerations outlined in the white papers PROTECT AND CONTROL YOUR KEY INFORMATION ASSETS THROUGH INFORMATION CLASSIFICATION - CLASSIFY, LABEL, PROTECT, AND AUDIT (CLPA) YOUR KEY INFORMATION ASSETS42 and DATA CLASSIFICATION FOR CLOUD READINESS.43

Note For the definition of an appropriate taxonomy, we also recommend Annex B.1 of the standard ISO/IEC 19944 (see footnote 44) INFORMATION TECHNOLOGY -- CLOUD COMPUTING -- CLOUD SERVICES AND DEVICES: DATA FLOW, DATA CATEGORIES AND DATA USE.

The deliverable at the end of this activity is a classification document for personal data in relation to the GDPR. In a more holistic approach, this involves writing or updating a classification document for all of the organization's assets.

Define policies for the management and use of personal data

As its title suggests, this activity involves laying the groundwork for a data governance plan. It is a question of developing (the bases of) the security standards that describe the management, access, transfer, and deletion of personal data within the company.

This activity involves personal data in the following three states:

• At rest. Data stored on any storage medium, including archiving and retention data.

• During processing. All data that is not in a rest state – that is, data on a given single node in a network, for example, or in memory, in the processor cache or disk cache, and so on.

• In transit. All the data transferred between at least two nodes.

This activity also covers the following operations: Store vs. Recover vs. Retain vs. Archive vs. Withdraw.

It is also necessary to develop security standards that govern the retention of data, typically according to its types and sensitivities.

The outputs of this activity are as follows:

• Personal data governance plan

• Information security policy (or revision)

• Personal data privacy policy (and associated profiles, if applicable)

Define a record of processing activities

The GDPR requires the identification and mapping of the processing of personal data: Who is responsible? What data (category/sensitivity)? For what purposes? Where (services, applications, repositories, storage vs. transfer)? Until when (retention)? How (security measures)?

All of this information requires the maintenance of a record of processing operations for the associated activities. The record must be kept up to date with the roll-out of the GDPR program and provided on request to the supervisory authority (the CNIL for France). It serves as a reference in the event of an audit.

42 PROTECT AND CONTROL YOUR KEY INFORMATION ASSETS THROUGH INFORMATION CLASSIFICATION - CLASSIFY, LABEL, PROTECT, AND AUDIT (CLPA) YOUR KEY INFORMATION ASSETS: https://aka.ms/classify

43 DATA CLASSIFICATION FOR CLOUD READINESS: https://aka.ms/data-classification-cloud

44 ISO/IEC FDIS 19944 INFORMATION TECHNOLOGY -- CLOUD COMPUTING -- CLOUD SERVICES AND DEVICES: DATA FLOW, DATA CATEGORIES AND DATA USE: https://www.iso.org/standard/66674.html


This activity entails defining, for the record, a tool suitable for the organization and its practices, which can range from a simple Excel file to a more advanced collaborative tool such as a SharePoint library.

Note A draft GDPR Activity Hub45 has been made available in Open Source by Microsoft on the GitHub community forge to help organizations progress on their path toward compliance with the GDPR. The objective of this draft is to provide organizations with a basis for keeping track of all core activities, associated tasks, essential events, requests received, and so on for compliance with GDPR requirements. Based on SharePoint technologies, the draft can serve as a foundation for the record of processing activities.

Tooling of this type can also involve the instantiation of a data catalog, for example with Azure Data Catalog,46 in order to obtain more value and streamline the organization's data assets on the path toward compliance with the GDPR.

Over and above tooling, it is necessary to:

• Define a template for the processing of personal data

• Define a supplementary lifecycle template for personal data

• Define the procedures for using the record

These sub-activities are outlined in the following sections.

Define a template for the processing of personal data

Beyond these procedures for the implementation of a record of processing activities, it is also necessary to define a processing sheet template for its description in accordance with Article 30.47 The template is intended for the record entries. The data sheets are supplemented when mapping the processing of personal data (see section MAP THE PROCESSING OPERATIONS OF PERSONAL DATA) and used in the preliminary study to identify and prioritize actions to comply with the GDPR (see section CONDUCT A PRELIMINARY STUDY OF THE LEVEL OF RISK OF THE PERSONAL DATA PROCESSING OPERATIONS).

45 GDPR Activity Hub: https://github.com/SharePoint/sp-dev-gdpr-activity-hub

46 Azure Data Catalog: https://azure.microsoft.com/services/data-catalog/

47 ARTICLE 30 - REGISTER OF PROCESSING OPERATIONS

What does the GDPR say?

Article 30 - Records of processing activities

Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

b) the purposes of the processing;

c) a description of the categories of data subjects and of the categories of personal data;

d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

e) where applicable, transfers of personal data to a third country or an international organisation [...];

f) where possible, the envisaged time limits for erasure of the different categories of data;

g) where possible, a general description of the technical and organisational security measures […].
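To make the Article 30 items concrete, the following is an added example of what a record entry and its completeness check can look like. It is not code from this white paper, from the GDPR Activity Hub, or from any Microsoft product: the field names, the split between error-level findings (items the article requires) and warnings (items it marks "where possible"), and the two sample entries are assumptions. Because the record must carry the categories of personal data, the check also flags the Article 9 special categories quoted in the previous section when no Article 9(2) condition has been documented for them.

```python
"""Record of processing activities: one entry checked against the Article 30(1)
items quoted above, plus the Article 9 special categories quoted earlier.
Added example for this white paper; not Microsoft's GDPR Activity Hub code.
Field names and the sample entries are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Article 9(1) special categories, using the wording of the GDPR text quoted above.
SPECIAL_CATEGORIES = {
    "racial or ethnic origin",
    "political opinions",
    "religious or philosophical beliefs",
    "trade union affiliation",
    "genetic data",
    "biometric data",
    "data concerning health",
    "sex life or sexual orientation",
}


@dataclass
class ProcessingRecord:
    controller: str                          # Article 30(1)(a)
    dpo_contact: str                         # Article 30(1)(a), data protection officer
    purposes: List[str]                      # Article 30(1)(b)
    data_subject_categories: List[str]       # Article 30(1)(c)
    personal_data_categories: List[str]      # Article 30(1)(c)
    recipient_categories: List[str]          # Article 30(1)(d)
    third_country_transfers: List[str] = field(default_factory=list)  # (e), where applicable
    erasure_time_limits: Dict[str, str] = field(default_factory=dict)  # (f), where possible
    security_measures: List[str] = field(default_factory=list)        # (g), where possible
    article9_condition: Optional[str] = None  # Article 9(2) condition, if special categories


def check_record(rec: ProcessingRecord) -> List[str]:
    """Return findings for one record entry; an empty list means nothing to fix.
    Items the article marks 'where possible' produce warnings, not errors."""
    findings: List[str] = []
    mandatory = {
        "controller": rec.controller,
        "dpo_contact": rec.dpo_contact,
        "purposes": rec.purposes,
        "data_subject_categories": rec.data_subject_categories,
        "personal_data_categories": rec.personal_data_categories,
        "recipient_categories": rec.recipient_categories,
    }
    for name, value in mandatory.items():
        if not value:
            findings.append(f"error: missing mandatory item '{name}'")
    for category in rec.personal_data_categories:
        if category not in rec.erasure_time_limits:
            findings.append(f"warning: no erasure time limit for '{category}'")
    if not rec.security_measures:
        findings.append("warning: no description of security measures")
    special = sorted(c for c in rec.personal_data_categories if c in SPECIAL_CATEGORIES)
    if special and not rec.article9_condition:
        findings.append(f"error: special categories {special} without an Article 9(2) condition")
    return findings


def is_acceptable(rec: ProcessingRecord) -> bool:
    """True when the entry has no error-level findings (warnings are allowed)."""
    return not any(f.startswith("error:") for f in check_record(rec))


# Constructed sample entries (placeholder organization, not real processing operations).
PAYROLL = ProcessingRecord(
    controller="Example Org (placeholder)",
    dpo_contact="dpo@example.invalid",
    purposes=["payroll administration"],
    data_subject_categories=["employees"],
    personal_data_categories=["identity", "bank details", "trade union affiliation"],
    recipient_categories=["payroll service provider"],
    erasure_time_limits={
        "identity": "5 years after end of contract",
        "bank details": "5 years after end of contract",
        "trade union affiliation": "end of contract",
    },
    security_measures=["encryption at rest", "role-based access control"],
    article9_condition="employment law obligation (union dues deduction)",
)

WELLNESS_APP = ProcessingRecord(
    controller="Example Org (placeholder)",
    dpo_contact="dpo@example.invalid",
    purposes=["employee wellness programme"],
    data_subject_categories=["employees"],
    personal_data_categories=["identity", "data concerning health"],
    recipient_categories=[],  # deliberately left empty: a mandatory item is missing
)

if __name__ == "__main__":
    for name, rec in (("PAYROLL", PAYROLL), ("WELLNESS_APP", WELLNESS_APP)):
        print(name, "acceptable" if is_acceptable(rec) else "needs work")
        for finding in check_record(rec):
            print("  -", finding)
```

Run as a script, the PAYROLL entry passes with no findings, while WELLNESS_APP is reported as needing work: its recipients are missing, it holds health data with no documented Article 9(2) condition, and it carries no retention limits or security measures. The same check can be run over every entry of an Excel or SharePoint register export before the record is handed to the supervisory authority.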


Define a supplementary lifecycle template for personal data

As an annex to the previous descriptive sheet, a supplementary description of the lifecycle of personal data needs to be defined. This template will depend on the nature and possibilities of the register.

The description of the lifecycle of personal data is necessary in particular for the planning and implementation of the data subjects' ability to exercise their rights - the right of access, rectification, deletion, and so on.

This supplementary lifecycle template for personal data is intended to describe the processing steps, services, applications, and data repositories to visualize the data flows of the associated processing as well as any transfers.

Note Most modeling approaches are business process-oriented or fairly general, such as the UML48 (Unified Modeling Language). Others, more focused on information systems (IS), such as OBASHI,49 can be used to describe an application architecture from the hardware layer up to the application layer but remain poorly adapted - the description is too precise and requires a considerable effort - without finally concentrating on the essential issues, that is, the lifecycle and flows in the processing of the personal data in question.

The standard ISO/IEC 19944 (see footnote 50) CLOUD SERVICES AND DEVICES: DATA FLOW, DATA CATEGORIES AND DATA USE is a most interesting reference framework for data taxonomy.

Define the procedures for using the record

Finally, the definition of how to use the record over time, and in particular the processes of inserting, updating, and deleting a personal data processing operation, must also be addressed in this activity.

The outputs of this complete activity are as follows:

• Implementation of the record of processing activities through the selected tooling

• Processing sheet template, accompanied by a supplementary lifecycle template of the personal data involved in the processing and a description of the associated flows

Define / review / update the different templates with respect to the consent and new rights of the data subjects

Personal data must be processed in a transparent manner in the sense that the data subject must be informed of the purpose of the processing – uses for anything other than for the specific processing described are not permitted – and that only the data necessary for that purpose will be collected. The consent of the person must be clearly and explicitly requested and obtained prior to the collection of the data, and can be withdrawn at any time. Special conditions also apply for minors who require parental authority.

Note The GDPR permits member states to set the age at which minors require parental authority for consent as low as 13 years. So this requirement may vary from one member state to the next.

Furthermore, the rights of the data subject are extended, starting with the consent that the person must provide in full knowledge of the facts: transparency is imposed on the purpose of the processing, the personal data collected, any data transfers to third parties and/or outside the European Union, the retention period of personal data, and the right to submit a complaint. The person then has the ability to exercise their rights concerning the access, rectification, limitation of processing, erasure, and portability. In addition, the concept of profiling is introduced to indicate that the data subject must be informed of the said profiling and may refuse it except where this is necessary for the performance of the contract.

48 UML: https://en.wikipedia.org/wiki/Unified_Modeling_Language

49 OBASHI: https://en.wikipedia.org/wiki/OBASHI

50 ISO/IEC 19944 CLOUD SERVICES AND DEVICES: DATA FLOW, DATA CATEGORIES AND DATA USE: https://www.iso.org/standard/66674.html

This activity concerns both the new processing of personal data envisaged and the compliance of the processing operations already in place, and focuses on the definition of the "canvas" processes and procedures in terms of the modalities for exercising the rights of the persons concerned, which include:

• The withdrawal of consent, the right of access, the right of rectification, the right to erase (right to be forgotten), the right to portability, and so on

-or-

• Taking particular cases into account, for example Article 8 (see footnote 51) for the consent of minors mentioned above

It is also necessary to define the associated "type" forms as well as the various associated information statements.

51 Article 8 - Conditions applicable to child's consent in relation to information society services

What does the GDPR say?

Section 1 - Transparency and modalities

Article 8 - Conditions applicable to child's consent in relation to information society services

Article 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject

Section 2 - Information and access to personal data

Article 13 - Information to be provided where personal data are collected from the data subject

Article 14 - Information to be provided where personal data are collected from the data subject

Article 15 - Right of access by the data subject

Section 3 - Rectification and erasure

Article 16 - Right to rectification

Article 17 - Right to erasure ('right to be forgotten')

Article 18 - Right to restriction of processing

Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing

Article 20 - Right to data portability

Section 4 - Right to object and automated individual decision-making

Article 21 - Right to object

Article 22 - Automated individual decision-making, including profiling


Note Aware of the fact that the GDPR has many areas of uncertainty that are liable to interpretation, the Article 29 Working Party has committed itself to working on so-called "guidelines" clarifying and illustrating with concrete examples the implementation and operational deployment of the GDPR. Within the corpus of guidelines already available - a number of guidelines are still being defined at the date of publication of this white paper - the PORTABILITY52 guidelines clarify the expectations concerning the right to portability, a new right described in Article 20 which requires that it be possible for data to be transmitted from one processing system to another.

The outputs of this activity are as follows:

• "Canvas" processes/procedures

• "Standard" forms and information

Define a process model for the notification of a personal data breach

This activity takes place during the initial iteration of the PDCA cycle.

The goal at this stage is to define a process model and the associated organization to take account of any possible notifications of personal data breaches.

The controller must notify the supervisory authority of any personal data breach as quickly as possible, and, where feasible, not later than 72 hours after becoming aware of the incident. The data subject(s) must be informed of the data breach in the event of a high risk. Moreover, the processor must notify the controller "without undue delay" after becoming aware of the data breach.

52 GUIDELINES ON THE RIGHT TO DATA PORTABILITY: https://www.cnil.fr/sites/default/files/atoms/files/ld_portabilite_eng.pdf

What does the GDPR say?

Article 4 - Definitions

'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Article 33 - Notification of a personal data breach to the supervisory authority

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority [...], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification [...] shall at least:

a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Article 34 - Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
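The timing rules in Articles 33 and 34 are what an incident response process has to track once a breach is confirmed. The following is an added example, not code from this white paper or from any Microsoft or CNIL tool, of a small breach-notification clock that applies the quoted text: the 72-hour window from the controller's awareness, the "reasons for the delay" obligation once that window is missed, the Article 34 communication to data subjects in the high-risk case, the lag between a processor's awareness and the controller's, and the Article 33(3) minimum content of the notification. The three risk levels, the field names and the sample incident are constructed assumptions.

```python
"""Personal data breach notification clock, following the Article 33/34 text
quoted above. Added example for this white paper; not Microsoft's or the CNIL's
code. The risk levels, field names and the sample incident are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"  # Article 33(1): no notification required
    RISK = "risk to rights and freedoms"       # Article 33(1): notify the supervisory authority
    HIGH = "high risk"                         # Article 34: also communicate to the data subjects


AUTHORITY_WINDOW = timedelta(hours=72)  # Article 33(1): "not later than 72 hours"

# Article 33(3) minimum content of the notification to the supervisory authority.
NOTIFICATION_ITEMS = [
    "nature_of_breach",                    # 33(3)(a)
    "data_subjects_categories_and_count",  # 33(3)(a)
    "records_categories_and_count",        # 33(3)(a)
    "dpo_or_contact_point",                # 33(3)(b)
    "likely_consequences",                 # 33(3)(c)
    "measures_taken_or_proposed",          # 33(3)(d)
]


@dataclass
class Breach:
    controller_aware_at: datetime                  # the 72-hour clock starts here
    risk: Risk
    processor_aware_at: Optional[datetime] = None  # set when a processor detected it first


def authority_deadline(b: Breach) -> datetime:
    """Latest time to notify the supervisory authority without giving reasons for delay."""
    return b.controller_aware_at + AUTHORITY_WINDOW


def processor_lag_hours(b: Breach) -> Optional[float]:
    """Hours between processor awareness and controller awareness; Article 33(2) asks the
    processor to notify the controller 'without undue delay', so this lag is worth tracking."""
    if b.processor_aware_at is None:
        return None
    return (b.controller_aware_at - b.processor_aware_at).total_seconds() / 3600


def required_actions(b: Breach, now: datetime) -> Dict[str, object]:
    """What the quoted articles require for this breach at time `now`."""
    deadline = authority_deadline(b)
    notify = b.risk is not Risk.UNLIKELY
    return {
        "notify_supervisory_authority": notify,
        "authority_deadline": deadline,
        "hours_remaining": (deadline - now).total_seconds() / 3600,  # negative once overdue
        "reasons_for_delay_required": notify and now > deadline,     # Article 33(1), last sentence
        "communicate_to_data_subjects": b.risk is Risk.HIGH,         # Article 34
    }


def status_after(b: Breach, hours: float) -> Dict[str, object]:
    """Convenience: required actions `hours` after the controller became aware."""
    return required_actions(b, b.controller_aware_at + timedelta(hours=hours))


def missing_notification_items(draft: Dict[str, str]) -> List[str]:
    """Article 33(3) items still empty in a draft notification."""
    return [item for item in NOTIFICATION_ITEMS if not draft.get(item)]


# Constructed sample incident (not a real event): a processor noticed the breach
# 12 hours before it reached the controller, and the assessment is 'high risk'.
SAMPLE_BREACH = Breach(
    controller_aware_at=datetime(2018, 6, 4, 9, 0, tzinfo=timezone.utc),
    risk=Risk.HIGH,
    processor_aware_at=datetime(2018, 6, 3, 21, 0, tzinfo=timezone.utc),
)
LOW_RISK_BREACH = Breach(
    controller_aware_at=datetime(2018, 6, 4, 9, 0, tzinfo=timezone.utc),
    risk=Risk.UNLIKELY,
)

if __name__ == "__main__":
    print("deadline:", authority_deadline(SAMPLE_BREACH).isoformat())
    print("processor lag (h):", processor_lag_hours(SAMPLE_BREACH))
    print("24 h after awareness:", status_after(SAMPLE_BREACH, 24))
    print("missing items:", missing_notification_items({"nature_of_breach": "lost laptop"}))
```

The deadline is computed from the moment the controller became aware, not from the moment the incident occurred or a processor noticed it, which is why the processor lag is reported separately: a long lag does not extend the controller's 72 hours, it only shows where the process upstream is slow. Feeding the crisis-management model mentioned below with these values gives the on-call team the remaining time and the open notification items at a glance.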


Where one exists, it is advisable to use the same crisis management model offering a very short response time, in line with the deadlines imposed by the GDPR.

For companies that already have this type of process imposed by other regulatory requirements (Military Programming Law (LPM),53 "eIDAS" regulation,54 European NIS Directive,55 HDS approval of the Health ASIP, and so on), a more global approach is strongly recommended to incorporate the GDPR notification process within the established broader framework.

Note According to the STUDY OF THE ORGANIZATIONAL READINESS FOR THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION mentioned in the introduction of this white paper, 75% of the companies questioned stated that they already have a notification procedure in place due to other legislations.

The canonical model to be considered has six steps to be structured according to the organization and its practices.

Figure 8. Illustration of a personal data breach notification process framework

53 LAW N° 2013-1168, OF 18 DECEMBER 2013 PERTAINING TO MILITARY PROGRAMMING FOR 2014 TO 2019 AND CONTAINING VARIOUS PROVISIONS CONCERNING DEFENSE AND NATIONAL SECURITY: https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000028338825

54 REGULATION (EU) N° 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 23 JULY 2014 ON ELECTRONIC IDENTIFICATION AND TRUST SERVICES FOR ELECTRONIC TRANSACTIONS IN THE INTERNAL MARKET AND REPEALING DIRECTIVE 1999/93/EC: http://eur-lex.europa.eu/legal-content/FR/TXT/HTML/?uri=CELEX:32014R0910

55 DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 6 JULY 2016 CONCERNING MEASURES FOR A HIGH COMMON LEVEL OF SECURITY OF NETWORK AND INFORMATION SYSTEMS ACROSS THE UNION: http://eur-lex.europa.eu/legal-content/FR/TXT/HTML/?uri=CELEX:32016L1148


Important The notion of personal data breach is broader than simple information leaks. The destruction or loss of integrity of personal data, and so on, must also be taken into consideration.

Available models or teleservices should be considered and incorporated in the definition of this process. As the supervisory authority, the CNIL will provide a teleservice for notifications on the site cnil.fr when the European Regulation comes into effect. In the meantime, a PDF form [56] is available.

The deliverables for the implementation of this activity are the process and the framework procedure(s) for the notification of personal data breaches.

Define a framework for data protection impact assessment

Although Directive 95/46/EC, which precedes the GDPR, imposed a declaration of the processing of personal data to the supervisory authority, this obligation is considered [57] to be inefficient and must be replaced by a mechanism that specifically targets processing activities likely to result in a high risk to the rights and freedoms of individuals.

The direct consequence is that:

1. Processing that is likely to incur high risks to the rights and freedoms of individuals must be identified. This typically falls within the scope of a preliminary study.

2. An analysis based on the risks and focused on personal data must be conducted for these processing activities, and protection must be set up to mitigate the identified risks. The GDPR calls this a Data Protection Impact Assessment, or DPIA.

Note According to the study of the ORGANIZATIONAL READINESS FOR THE EUROPEAN UNION GENERAL DATA PROTECTION REGULATION mentioned in the introduction of this white paper, one half of the companies questioned claim to conduct impact assessments of the most critical processing activities, but without any formal processes or particular tools.

These impact assessments must only be conducted when the processing is likely to result in a high risk to the rights and freedoms of individuals; they are therefore not obligatory for every processing operation.

The criteria of this analysis (see below) are detailed as a systematic and in-depth assessment of the personal aspects of individuals, the large-scale processing of data, and the large-scale surveillance of a zone accessible to the public.

The results of the data protection assessment are used to make decisions on the additional technical and organizational measures to be taken. If the residual risks are deemed to be too high, an organization may decide not to undertake the new processing, even if the corresponding project has to be abandoned or existing processing suspended pending the analysis of its compliance.

The goal of this activity is to define the procedures leading up to such analyses and to define their execution.

Structure the framework for data protection impact assessment

Article 35 [58] defines the conditions and the minimum results expected of the analysis.

[56] Form for the notification of personal data breaches: https://www.cnil.fr/sites/default/files/typo/document/CNIL_Formulaire_Notification_de_Violations.pdf

[57] Recital (89)

[58] Article 35 - Data protection impact assessment


Although these terms remain quite general, the criteria are more precisely defined in the recitals (91) and (92).

The following criteria are to be taken into consideration:

• Large-scale processing operations intended to process very large quantities of personal data likely to incur a high risk [59]

• Processing activities to take decisions concerning specific individuals further to a systematic and in-depth assessment of the personal aspects relating to individuals, on the basis of the profiling of this data

• The processing of particular categories of personal data, biometric data, or data pertaining to criminal offences or associated security measures

• The large-scale monitoring of publicly accessible areas, where the data prevents these individuals from exercising a right or benefiting from a service or a contract

• When several data controllers plan to create an application or processing environment common to an entire professional sector or segment, or for a widely used cross-cutting activity [60]

Two exceptions are stipulated: “if the processing concerns the personal data of patients or customers by an individual doctor, another healthcare professional, or a lawyer.”

Conduct a preliminary study

In view of what is stated, we recommend the inclusion of a preliminary study that results in a justified and formal decision on whether to conduct a data protection impact assessment for the processing in question. The preliminary study must identify, firstly, the risks inherent in the processing, and secondly – as far as this is possible and beforehand – the actions to be taken to make the processing compliant with the GDPR.

On the basis of this analysis, this preliminary study must lead to a formal decision on the need for closer analysis of the processing and of the privacy risks to which the data subjects are exposed. The goal is to define a decision tree leading to this output status. The elements to be taken into consideration are, obviously, the details of the processing and the personal data lifecycles, the criteria and any associated weighting, and the phase(s) of the approval of the proposed decision leading to a formal decision on further action.

[59] Recital (91)

[60] Recital (92)

What does the GDPR say?

Article 35 - Data protection impact assessment

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

[…]

The assessment shall contain at least: a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; c) an assessment of the risks to the rights and freedoms of data subjects […]; d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation [...].

Figure 9. Example of a decision tree leading to a decision on an impact assessment of data protection

If the preceding decision tree leads to the conclusion that an impact assessment is necessary, a (framework for a) complete impact assessment must be structured to meet the requirements expressed in the GDPR.

Conduct a data protection impact assessment

The impact assessment is an opportunity to conduct i) an in-depth legal study of the processing in question and ii) an in-depth analysis of the identified risks, resulting in the definition of the corresponding plans for risk mitigation, assessment of residual risks, weightings, prioritization, and iterations.

In addition to the necessary approvals and conclusions of the DPO, the residual risks must be identified, assessed, and accepted.

The conclusions of the impact assessment study must be documented in an impact assessment report, along the same lines as the preliminary study. This report is subject to approval by the steering committee of the GDPR program and must be entered in the record of processing activities for the processing in question for traceability purposes, as part of the global documentation to be kept for compliance with the GDPR.

The following figure summarizes the outlines of the framework of a data protection impact assessment.

Page 40: GDPR- Get Organized and Implement the Right Processes · GDPR- Get Organized and Implement the Right Processes for compliance with the GDPR 1 Notice This white paper is a comment

36 GDPR- Get Organized and Implement the Right Processes GDPR Compliance Process

Figure 10. Example of a framework for data protection impact assessments

The various boxes in this figure remain to be specified in terms of methods, best practices, tools, and so on, and included in this framework.

Note Because the GDPR contains numerous areas of unclarity open to interpretation, the Article 29 Working Party has published so-called “guidelines” that clarify and illustrate the implementation and the operational deployment of the GDPR using concrete examples. Among the guidelines that are already available – a number of guidelines were still being defined at the time of publication of this white paper – the IMPACT ASSESSMENT (EN) [61] guidelines shed some light on the framework to be established.

Note The CNIL proposes a body of documents about the impact assessment: PIA-1, THE METHOD: HOW TO CONDUCT AN ASSESSMENT OF IMPACTS ON PRIVACY [62]; PIA-2, TOOLS: MODELS AND KNOWLEDGE BASES OF THE ASSESSMENT OF IMPACTS ON PRIVACY [63]; and PIA-3, BEST PRACTICES: MEASURES TO ADDRESS RISKS TO MY FREEDOMS AND PRIVACY [64].

The legal study will be based on a questionnaire (that the data controller will have to prepare) summarizing the regulatory requirements. By way of example, the following table lists the requirements of Articles 5 and 7 in the form of questions.

[61] Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248 rev.01: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711

[62] PIA-1, The method: how to conduct an assessment of impacts on privacy: https://www.cnil.fr/sites/default/files/typo/document/CNIL-PIA-1-Methode.pdf

[63] PIA-2, Tools: models and knowledge bases of the assessment of impacts on privacy: https://www.cnil.fr/sites/default/files/typo/document/CNIL-PIA-2-Outillage.pdf

[64] PIA-3, Best practices: measures to address risks to my freedoms and privacy: https://www.cnil.fr/sites/default/files/typo/document/CNIL-PIA-3-BonnesPratiques.pdf

Page 41: GDPR- Get Organized and Implement the Right Processes · GDPR- Get Organized and Implement the Right Processes for compliance with the GDPR 1 Notice This white paper is a comment

37

Index | Question | Answer | Status (Accepted / To be reviewed / Rejected)

Processing of personal data (Art 5)

1 | Is only the data required by the processing collected? (Art 5.1 b) | Answer: |

2 | Is the data used for any purposes other than those of the processing? (Art 5.1 b) | Answer: |

3 | Does a data update mechanism exist that guarantees the possibility to rectify or erase inaccurate data? (Art 5.1 d) | Answer: |

4 | Is the data allowing the data subjects to be identified destroyed after the processing? (Art 5.1 e) | Answer: |

Conditions of consent (Art 7)

5 | Is it possible to demonstrate that the individual has consented to the processing of their personal data? (Art 7.1) | Answer: |

6 | Is the consent described clearly in comprehensible and distinguishable language, if included with other subjects? (Art 7.2) | Answer: |

7 | Can the data subject withdraw their consent at any time? (Art 7.3) | Answer: |

8 | Is the execution of the contract subject to consent to the processing of personal data that is not necessary for this processing? (Art 7.4) | Answer: |

The second part of the data protection impact assessment consists of conducting a risk assessment focusing on the protection of personal data. The GDPR does not impose or recommend a risk assessment method, but the approach to the assessment of security risks is a conventional one that is well known to security officers.

Note For the “risk assessment” and other components, the following norms and standards in the field are obviously applicable: ISO/IEC 27005:2011 [65] INFORMATION SECURITY RISK MANAGEMENT, ISO 31000:2009 [66] RISK MANAGEMENT – PRINCIPLES AND GUIDELINES, and IEC 31010:2009 [67] RISK MANAGEMENT – RISK ASSESSMENT TECHNIQUES.

[65] ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management: https://www.iso.org/en/standard/56742.html

[66] ISO 31000:2009 Risk management -- Principles and guidelines: https://www.iso.org/standard/43170.html

[67] IEC 31010:2009 Risk management -- Risk assessment techniques: https://www.iso.org/standard/51073.html

Page 42: GDPR- Get Organized and Implement the Right Processes · GDPR- Get Organized and Implement the Right Processes for compliance with the GDPR 1 Notice This white paper is a comment

38 GDPR- Get Organized and Implement the Right Processes GDPR Compliance Process

The conventional approach to risk assessment involves various stages. After defining the scope, the assets and threats are identified. Then the existing security measures and vulnerabilities are assessed, before assessing the risks, the probability of occurrence, and the impacts. Finally, the counter-measures that can be taken to cover the risks, while accepting the residual risks, are considered.

Map the processing operations of personal data

This activity is made up of two sub-activities:

1. Update the list of processing operations of personal data

2. Produce the documentation of processing operations of personal data

These sub-activities are described in this order in the following sections.

Update the list of processing operations of personal data

This activity consists of making sure that the organization has up-to-date records of processing activities, in which all the organization’s personal data processing operations are duly identified and listed in a relevant and suitable way.

The GDPR imposes “dynamic compliance.” Therefore, with the GDPR, it is necessary to keep the elements describing the processing up to date in order to respond to audits imposed by the supervisory authority at any time.

This activity is typically part of the multi-cycle dimension and the proposed iterative approach. In particular, at each cycle, it makes sure that the lifecycle of the personal data and the corresponding diagram of data flows are regularly updated (that is, upon each cycle at least) in order to take into consideration changes to the processing and its components (service, application, data repository).

It is also an opportunity to consider and integrate new processing operations of personal data.

Finally, a review should be conducted to re-evaluate the prioritization of the list of processing operations in the record, which constitutes the real deliverable for the implementation of this activity.

Produce the documentation of processing operations of personal data

This activity is to be completed for every processing operation of personal data identified in the program.

In practical terms, it is based on the list of processing operations classified by priority (see preceding section). For example, the highest-priority processing operations of personal data are considered in the current iteration of the PDCA cycle.

In this activity, the previously established description template is completed for each processing considered in this iteration of the PDCA cycle. It is necessary to go beyond the initial information collected in the estimate of the scope of the GDPR program and its critical analysis (see section ESTIMATE THE SCOPE OF THE GDPR PROGRAM FOR THE PROCESSING OF PERSONAL DATA).

Amongst others, the following must also be established:

• The main purpose of the processing

• Whether the processing concerns the personal data of minors

• The manner in which consent is requested, obtained, and recorded

• The level of control (that is, the possible use of processors)

• The technical and organizational security measures to protect the personal data


This activity is conducted by the data controller – and, where applicable, the persons in charge of the services, applications, and repositories identified in this context – in relation with the DPO, who inputs knowledge of the GDPR. Each processing entry in the record is signed by the same DPO for approval. The Chief Security Officer may also be called on to approve the described security measures.

It is advisable to include a description of the data lifecycle based on the previously defined template in the appendix.

The description of the lifecycle of the personal data is necessary in order to plan and implement the capacity to exercise the data subject’s rights to access, rectify, erase, and so on.

Furthermore, this description of the complete lifecycle of the data also makes sure that the personal data is not used for any secondary purposes, which is a prerequisite to being able to “prove compliance.”

The transfer of the data to third parties must also be taken into account in the rest of the program and the associated activities. The data controller must specify to whom the data is transferred and for which processing operations. One example is the use of the cloud, where the Cloud Service Provider (CSP) must be included as a processor in the scope of processing of the data and the associated control.

Important Not only the data that is transferred and stored in digital format is taken into consideration. The GDPR also covers other physical formats, such as photocopies, scans, and mail or transporter correspondence.

Where necessary, the description must also include transfers of data outside the European Union (EU). Although transfers inside the EU are authorized between all the Member States, transfers outside the EU remain subject to the conditions described in Chapter V of the GDPR.

The diagrams resulting from the application of the model must show the categories of personal data according to sensitivity – Article 9 defines a series of sensitive data (race, religion, ethnic origin, and so on). They must then undergo a particular examination to make sure that the controls they describe are adapted to the level of risk of the data categories. This is the purpose of the following activities, such as the preliminary study (see next section) or the modeling of threats (see section INCORPORATE A GUIDED APPROACH).

The output deliverable of this activity consists of the update of the record of processing activities with the processing entry and the lifecycle of the personal data duly completed for each personal data processing in this iteration of the PDCA cycle.

Conduct a preliminary study of the level of risk of the personal data processing operations

This activity is to be completed for every processing activity of personal data identified in the program. In practical terms, it is based on the list of processing activities classified by priority. The highest-priority processing activities are considered in the current iteration of the PDCA cycle.

The goal consists of conducting a preliminary study in order to prioritize the actions to be taken regarding the risks in the DO phase of the PDCA cycle. This study follows the sequence and the structure established with the framework of the data protection impact assessment (see section DEFINE A FRAMEWORK FOR DATA PROTECTION IMPACT ASSESSMENT), and aims to identify the following:

1. The risks related to the processing

2. The different actions to be taken to achieve compliance with the objectives and the requirements of the GDPR

For each processing considered, attention should be paid to the processing itself and to the personal data it covers, which therefore includes the following actions:

• Identify the legal basis of the processing in terms of contracts, legal obligations, legitimate interests, consent, and so on.

• Check that only the data strictly necessary for the considered processing is collected and used, and is not kept for any longer than necessary.

• Consider the nature of the personal data and the type of processing that impose an impact assessment on the basis of the previously defined framework.

• Consider any data transfers and the possible need to control them.

• Check the contractual clauses if processors are used.

It is also important to check that the means of exercising the rights of the data subjects exist by taking, amongst others, the following actions:

• Check the presence of prior and explicit consent, and the logging thereof for future audits.

• Measure the degree of alignment of the new rights with the framework process models, the standard forms, and the information provided (see section DEFINE / REVIEW / UPDATE THE DIFFERENT TEMPLATES WITH RESPECT TO THE CONSENT AND NEW RIGHTS OF THE ).

Similarly, the technical and organizational security measures must be reviewed to measure the suitability of:

• All the technical security controls in place for the protection of personal data

• Observed organizational measures

Based on the preceding input, and depending on the nature of the identified risks, it should be possible to decide whether a Data Protection Impact Assessment (DPIA) is necessary. At this point, the goal is to apply the decision tree of the personal data protection impact assessment framework:

• If the decision is taken NOT to continue with a DPIA, the arguments substantiating and justifying this decision are documented and recorded for use in the event of an audit by the supervisory authority.

• If the decision is taken to proceed with a DPIA, the deliverable of this preliminary study and the processing record from the preceding step will constitute the input of the impact assessment. This activity is described in the next section.

As the preceding lines suggest, the output deliverable of this activity is a formal and substantiated decision on the need, or not, for a Data Protection Impact Assessment. This decision is approved by the DPO and the steering committee of the GDPR program.
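The decision tree described in the framework section and applied in this preliminary study can be encoded so that every decision leaves the written justification the record needs. The following Python is an added example, not part of the white paper or of any Microsoft tool: it takes the five Recital 91/92 criteria exactly as the framework section lists them, plus the individual doctor/lawyer exception, and produces the decision together with the argument lines to file in the processing entry. Field and function names are this example's own; criterion weighting is not modelled.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class ProcessingProfile:
    """Facts about one processing operation, taken from its processing entry.
    Field names are this example's own, not GDPR or white-paper terms."""
    name: str
    large_scale: bool = False             # very large quantities of personal data
    profiling_decisions: bool = False     # decisions on individuals based on systematic profiling
    special_categories: bool = False      # Art. 9 data, biometric or criminal-offence data
    public_area_monitoring: bool = False  # large-scale monitoring of publicly accessible areas
    shared_sector_platform: bool = False  # several controllers sharing a sector-wide platform
    sole_practitioner: bool = False       # individual doctor, healthcare professional or lawyer


# The five criteria the framework lists (Recitals 91 and 92), keyed by profile field.
CRITERIA = (
    ("large_scale", "large-scale processing of very large quantities of personal data (Recital 91)"),
    ("profiling_decisions", "decisions about individuals based on systematic profiling (Recital 91)"),
    ("special_categories", "special categories, biometric or criminal-offence data (Recital 91)"),
    ("public_area_monitoring", "large-scale monitoring of publicly accessible areas (Recital 91)"),
    ("shared_sector_platform", "sector-wide platform shared by several controllers (Recital 92)"),
)

# Criteria set aside by the individual doctor / lawyer exception: the patient or
# client files of a single practitioner are the case the exception names
# (this example's reading of the exception quoted in the framework section).
EXEMPTED_BY_PRACTITIONER_RULE = {"large_scale", "special_categories"}


@dataclass
class DpiaDecision:
    processing: str
    dpia_required: bool
    triggered: List[str] = field(default_factory=list)
    justification: List[str] = field(default_factory=list)


def assess_dpia_need(p: ProcessingProfile) -> DpiaDecision:
    """Walk the criteria and return the decision with its audit-ready justification."""
    decision = DpiaDecision(processing=p.name, dpia_required=False)
    for attr, label in CRITERIA:
        if not getattr(p, attr):
            continue
        if p.sole_practitioner and attr in EXEMPTED_BY_PRACTITIONER_RULE:
            decision.justification.append(
                f"criterion present but set aside (individual doctor/lawyer exception): {label}")
            continue
        decision.triggered.append(label)
        decision.justification.append(f"criterion met: {label}")
    decision.dpia_required = bool(decision.triggered)
    if decision.dpia_required:
        decision.justification.append("decision: DPIA required before processing starts (Art. 35)")
    else:
        # The white paper asks that a negative decision be documented for a later audit.
        decision.justification.append(
            "decision: no DPIA; arguments recorded for audit by the supervisory authority")
    return decision


def decision_record(d: DpiaDecision) -> str:
    """Plain-text block to paste into the processing entry of the record."""
    lines = [f"Processing: {d.processing}",
             f"DPIA required: {'yes' if d.dpia_required else 'no'}"]
    lines += [f"  - {j}" for j in d.justification]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs, not real processing operations.
    scoring = ProcessingProfile("Customer credit scoring",
                                large_scale=True, profiling_decisions=True)
    practice = ProcessingProfile("Single-doctor patient files",
                                 special_categories=True, sole_practitioner=True)
    for profile in (scoring, practice):
        print(decision_record(assess_dpia_need(profile)))
        print()
```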

Manage the risks of high-risk personal data processing operations

This activity is to be completed for every processing operation of personal data identified in the GDPR program that is deemed to constitute a high risk to the rights and freedoms of the data subjects, in view of the data that is collected and used, and the type of processing (potentially, only the highest-priority personal data processing operations are considered for the current iteration of the PDCA cycle).

As addressed by the activity to define an ad hoc framework (see section DEFINE A FRAMEWORK FOR DATA PROTECTION IMPACT ASSESSMENT), a Data Protection Impact Assessment must be conducted “Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.” [68]

The decision to proceed with an impact assessment is based on the formal decision taken in the preceding activity, the preliminary study, if it reveals one or more high risks. It will be based on the analysis of the description of the processing in question, the lifecycle of the corresponding personal data, the map of the data flows obtained in the preceding activities, and possibly the preceding cycles.

The goal is to apply the process established with the personal data protection impact assessment framework. Consequently, there are typically two dimensions to the data protection impact assessment:

• An advanced study of the legal basis that takes account of the regulatory demands expressed in the various articles of the GDPR.

• A risk analysis focusing on the protection of personal data, accompanied by:

o A risk mitigation plan describing the technical and organizational security measures in order to address the identified risks and to meet the objectives and the requirements of the GDPR

o An assessment of the residual risks

The GDPR does not impose or recommend a risk assessment method, but the approach to the assessment of security risks is a conventional one that is well known to security officers. In the activity to define the framework, we mentioned a few guides that can enlighten the organization with regard to the right approach to be adopted in view of its practices.

As already mentioned, the final result of this analysis proposes a concise view of the mitigation measures to be taken in order to cover the risks identified as being the most critical, and of the residual risks.

At this point, three options are open:

• To consider that the residual risks are acceptable and to continue the processing with the implementation of the selected mitigation measures

• To consider that the risk is unacceptable, despite the proposed mitigation measures, and to stop the processing

• To refer to the supervisory authority for its opinion before implementing the processing

Consequently, recital (84) [69] of the GDPR stipulates that “where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.”

This decision is the responsibility of the DPO, and by direct extension, of the steering committee that makes the necessary decisions and arbitrations, as delegated by the management committee of the organization.

Note In the preceding options, it may be necessary to make the distinction between the implementation of a new processing and of an existing processing to be brought up to compliance.

For each high-risk processing considered in this iteration of the PDCA cycle, the output deliverable of this activity is an impact assessment report approved by the GDPR program steering committee, with the acceptance of the risk mitigation plan AND of the duly identified residual risks. This report is accompanied by an obligation to periodically monitor and review in the Check phase of the PDCA cycle (see section MONITOR HIGH-RISK DATA PROCESSING).

[68] Article 35 - Data protection impact assessment, paragraph 1

[69] The same idea can be found in Recital (94) of the GDPR.

Implement the GDPR program

The DO phase of the PDCA cycle is made up of a number of activities:

• Control the way the personal data is accessed and used

• Classify personal data

• Improve the security of personal data processing

• Implement a process for the notification of personal data breaches

• Improve internal awareness and collaboration

These activities are described one by one in the following sections.

Control the way the personal data is accessed and used

This activity is to be completed for every processing operation of personal data identified in the program. In practical terms, it is based on the list of processing operations classified by priority. The highest-priority processing operations are considered in the current iteration of the PDCA cycle.

This activity is made up of a number of sub-activities:

• Implement the policies and define the roles and responsibilities in the control and use of the personal data

• Identify and manage processors

• Incorporate / review the management of consent and of new rights for the data subjects

These activities are described in the following sections.

Implement the policies and define the roles and responsibilities in the control and use of the personal data

This activity consists of specifying the data governance plan, in other words developing the security standards that determine how the personal data is managed, accessed, transferred, and erased:

• At rest, in use, and in transit

• Store, Recover, Retain, Archive, Withdraw

and the standards applying to data retention (according to type and sensitivity).

The output deliverables of this activity include:

• Processing procedure(s) compliant with the requirements of the GDPR

• Personal data retention policy

• Personal data retention calendar

• Procedure for the erasure of stored personal data

Identify and manage processors

This activity consists of making sure that the processors are aware of their obligations and responsibilities related to the GDPR.

Because the roles and responsibilities of controllers and processors change (see section SOME STRUCTURING DEFINITIONS) as of the date when the GDPR applies, processors must themselves be compliant with the GDPR if their customers are to be compliant.

This is true for all the Cloud Service Providers (CSPs) on which more and more organizations and companies are relying. The IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and/or SaaS (Software as a Service) type services that are used are all part of the information system and, potentially, take part in the processing of personal data.

Note The notion of shared responsibility found in the GDPR is also present in the sharing of responsibilities that results from the deployment model (IaaS vs. PaaS vs. SaaS) of the service(s) participating in the processing of personal data. Refer to the white paper SHARED RESPONSIBILITY FOR CLOUD COMPUTING [70] for more information.

The largest providers of cloud services have no alternative but to become compliant.

Note Microsoft committed to compliance with the GDPR at a very early stage [71][72], both for ourselves and our customers, in order to achieve complete compliance by May 2018, bearing in mind that i) a certain number of points must still be clarified, in particular by the Article 29 Working Party, pending the guidelines, as mentioned earlier, and ii) Microsoft will finalize a rationalized and standardized default approach for all its customers.

Note It should be noted that in the Online Services Terms (OST),73 Microsoft strictly respects the

applicable regulations. In this regard, and as stated previously, since September 1, 2017 the Online Services

Terms have included Microsoft’s commitment to compliance with the GDPR.

The goal is to identify and review – on the basis of the processing entry – all the processors’ contracts,

and to demand that the latter take account of the obligations and responsibilities of the GDPR that are

incumbent on processors.

Doing so assumes that the contractual clauses applying to the protection and security of personal data

are present and correct.

Note Microsoft is the first major provider of cloud services that adopted the international code of best

practices for the protection of personal data in the cloud, known as ISO/IEC 27018:2014.74 Refer to the article

ISO/IEC 27018 CODE OF PRACTICE FOR PROTECTING PERSONAL DATA IN THE CLOUD75 in the Microsoft Trust Center for

more information.

70 SHARED RESPONSIBILITY FOR CLOUD COMPUTING: https://aka.ms/sharedresponsibility

71 GET GDPR COMPLIANT WITH THE MICROSOFT CLOUD: https://blogs.microsoft.com/on-the-issues/2017/02/15/get-gdpr-compliant-with-the-microsoft-cloud/#iZGet150clyXZ5CI.99

72 EARNING YOUR TRUST WITH CONTRACTUAL COMMITMENTS TO THE GENERAL DATA PROTECTION REGULATION: https://blogs.microsoft.com/on-the-issues/2017/04/17/earning-trust-contractual-commitments-general-data-protection-regulation/#V8LbkmkbCDryjhd1.99

73 Licensing Terms and Documentation: http://go.microsoft.com/?linkid=9840733

74 ISO/IEC 27018:2014 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- CODE OF PRACTICE FOR PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION (PII) IN PUBLIC CLOUDS ACTING AS PII PROCESSORS: https://www.iso.org/standard/61498.html

75 ISO/IEC 27018 CODE OF PRACTICE FOR PROTECTING PERSONAL DATA IN THE CLOUD: https://www.microsoft.com/en-us/TrustCenter/Compliance/ISO-IEC-27018


Note To enable our customers to make sure that Microsoft cloud services are managed properly and offer the necessary guarantees, the services are checked at least once a year against several global data protection standards, including several ISO/IEC standards, the CSA (Cloud Security Alliance) STAR Register, HIPAA, and HITECH. These reports can be found at https://servicetrust.microsoft.com/Documents/ComplianceReports.

Transfers outside the European Union, for example through standard contractual clauses, also need to be controlled.

Note Among the body of guidelines already available from the Article 29 Working Party, the guidelines on the LEAD SUPERVISORY AUTHORITY (EN)76 shed light on the determination of the competent authority in the event of cross-border processing.

You are advised to draw up a record of data processors (and associated risks), along the same lines as the record of all the processing activities of personal data in the organization, even if the GDPR does not specifically address this dimension.

It will be an opportunity to define the corresponding management methods in the record:

• Add, update, and erase a processor

• Add, update, and erase a contract for a given processor

Finally, this activity must also define a process to establish the level of security of all new third parties that come into contact with personal data in a processing.

The output deliverables of this activity are:

• Contract management procedures

• Records of processors (and associated risks) including contracts with third parties

• (Control of) Transfers of personal data outside the European Union
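The record of processors described above, with its add/update/erase management methods and a contract review, as an added example that is not code from the white paper or from Microsoft. The clause checklist, the country-code set, the accepted transfer mechanisms and the two sample processors are constructed for the illustration; a real review would use the organization's own contract template.

```python
"""Record of processors (and associated risks) with contract review.

Added illustration, not the white paper's code. Clause names, the EU/EEA
subset and the sample processors are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical checklist of contractual clauses expected in every processor
# contract (assumed names, not a legal template).
REQUIRED_CLAUSES: Set[str] = {
    "processing_on_documented_instructions", "confidentiality_of_staff",
    "security_measures", "sub_processor_approval",
    "assistance_with_data_subject_rights", "breach_notification_to_controller",
    "deletion_or_return_at_end_of_service", "audit_rights",
}

# Constructed subset of EU/EEA country codes used for the transfer check.
EU_EEA: Set[str] = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT",
                    "LU", "NL", "NO", "PL", "PT", "SE"}

# Transfer mechanisms accepted by this example; the paper names standard
# contractual clauses (SCC) as one of them.
ACCEPTED_TRANSFER_MECHANISMS: Set[str] = {"SCC", "BCR", "adequacy_decision"}


@dataclass
class Contract:
    contract_id: str
    clauses_present: Set[str]
    processing_location: str                  # ISO country code where data is processed
    transfer_mechanism: Optional[str] = None  # None when no mechanism is documented


@dataclass
class Processor:
    name: str
    service_model: str      # "IaaS", "PaaS" or "SaaS"
    risk_rating: str        # outcome of the third-party security assessment
    contracts: Dict[str, Contract] = field(default_factory=dict)


class ProcessorRecord:
    """Record of processors including their contracts with the organization."""

    def __init__(self) -> None:
        self._processors: Dict[str, Processor] = {}

    # Management methods: processors
    def add_processor(self, processor: Processor) -> None:
        if processor.name in self._processors:
            raise ValueError(f"processor already recorded: {processor.name}")
        self._processors[processor.name] = processor

    def update_processor(self, name: str, **changes) -> None:
        processor = self._processors[name]
        for attr, value in changes.items():
            if attr in ("name", "contracts"):
                raise ValueError("use the contract methods to edit contracts")
            setattr(processor, attr, value)

    def erase_processor(self, name: str) -> None:
        del self._processors[name]

    # Management methods: contracts of a given processor
    def add_contract(self, processor_name: str, contract: Contract) -> None:
        self._processors[processor_name].contracts[contract.contract_id] = contract

    def update_contract(self, processor_name: str, contract_id: str, **changes) -> None:
        contract = self._processors[processor_name].contracts[contract_id]
        for attr, value in changes.items():
            setattr(contract, attr, value)

    def erase_contract(self, processor_name: str, contract_id: str) -> None:
        del self._processors[processor_name].contracts[contract_id]

    def review(self) -> List[dict]:
        """One finding per contract lacking required clauses or transferring
        data outside the EU without an accepted mechanism."""
        findings = []
        for processor in self._processors.values():
            for contract in processor.contracts.values():
                missing = sorted(REQUIRED_CLAUSES - contract.clauses_present)
                outside_eu = contract.processing_location not in EU_EEA
                transfer_ok = (not outside_eu or
                               contract.transfer_mechanism in ACCEPTED_TRANSFER_MECHANISMS)
                if missing or not transfer_ok:
                    findings.append({
                        "processor": processor.name, "contract": contract.contract_id,
                        "risk_rating": processor.risk_rating,
                        "missing_clauses": missing,
                        "uncontrolled_transfer": not transfer_ok})
        return findings


def build_sample_record() -> ProcessorRecord:
    """Constructed sample: one compliant SaaS processor, one PaaS processor with gaps."""
    record = ProcessorRecord()
    record.add_processor(Processor("payroll-saas", "SaaS", "medium"))
    record.add_contract("payroll-saas", Contract("C-2017-01", set(REQUIRED_CLAUSES), "IE"))
    record.add_processor(Processor("analytics-paas", "PaaS", "high"))
    record.add_contract("analytics-paas", Contract(
        "C-2017-02", REQUIRED_CLAUSES - {"sub_processor_approval", "audit_rights"},
        "US"))  # processed outside the EU with no transfer mechanism documented
    return record


if __name__ == "__main__":
    for finding in build_sample_record().review():
        print(finding)
```

Running the sample yields a single finding against the PaaS processor: two missing clauses and an uncontrolled transfer. Updating that contract with the missing clauses and a documented SCC mechanism clears the finding, which is exactly the review loop the contract management procedure is meant to drive.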

Incorporate / review the management of consent and of new rights for the data subjects

In accordance with the results of the preliminary study, this activity consists of checking the presence of explicit consent when collecting personal data for processing, together with an information statement that meets the requirements of the GDPR with regard to the purpose, duration of retention, and so on.

If applicable in the context, the particular conditions specific to minors must also be addressed.

76 GUIDELINES ON THE LEAD SUPERVISORY AUTHORITY, WP244REV.01: http://ec.europa.eu/newsroom/document.cfm?doc_id=44102

What does the GDPR say?

Article 7 - Conditions for consent: Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Article 8 - Conditions applicable to child's consent in relation to information society services


If necessary, this activity also consists of adapting the processes/procedures to enable the data subjects to exercise their rights pertaining to the protection of privacy. In other words, it consists of offering them the possibility to access, rectify, or erase their personal data.

Therefore, in accordance with the results of the preliminary study, it consists of integrating or reviewing the support of the following rights:

• Extended rights related to access, rectification, or erasure of erroneous data

• Right to erase data (also called the right to be forgotten)

• Rights to restrict the processing of data:

  • Prevention of direct marketing - records of consent

  • Prevention of automated decision-taking and profiling

• Right to data portability

Note Because the GDPR contains numerous areas open to interpretation, the Article 29 Working Party has agreed to work on so-called “guidelines” that clarify and illustrate the implementation and the operational deployment of the GDPR using concrete examples. Among the guidelines that are already available – other guidelines were still being defined at the time of publication of this white paper – the guidelines on PORTABILITY (EN)77 shed light on the expectations pertaining to the right to portability, a new right described in Article 20 that demands the ability to transmit data from one processing system to another.

Note The standard ISO/IEC 19941 (footnote 78) INFORMATION TECHNOLOGY -- CLOUD COMPUTING -- INTEROPERABILITY AND PORTABILITY aims to examine pragmatically, and communicate clearly on, data portability in a cloud computing context. In particular, it establishes a common understanding of portability by defining the terms and concepts associated with the cloud, by providing an overview of the types of portability, and by exploring the differences and the problems related to portability in the cloud. In this way, it allows portability to be assessed in specific cloud service scenarios.

Important The exercise of the preceding rights applies to production data, backed-up data, and archived data.

In this context, the classification of personal data facilitates the identification of the data concerned (see next section).

The output deliverables of this activity include, for each processing considered:

• Information statement(s) (for the processing) that meet the requirements of the GDPR

• Procedure(s) for explicit consent or its recording

• Procedure(s) and form to request the withdrawal of consent

• Procedure(s) and form to request access for the data subjects

• Procedure(s) and form to request the rectification or erasure of erroneous data

• Procedure(s) and form to request the erasure of data (under certain conditions)

• Procedure(s) and form to request the restriction of the processing of data

• Procedure(s) and form to request the portability of data
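The consent and rights procedures listed above, worked through as a small ledger: an added example, not the white paper's code or any Microsoft product. It records explicit consent against a version of the information statement, keeps an append-only audit trail so that consent can be demonstrated as Article 7 requires, and supports withdrawal, restriction, objection (direct marketing, profiling), access, rectification, portability export and erasure. The subject identifier, field names and sample values are constructed.

```python
"""Consent and data-subject-rights ledger (added example, not the paper's code)."""
import copy
import json
from datetime import datetime, timezone
from typing import Dict, List


class RightsLedger:
    def __init__(self) -> None:
        self._subjects: Dict[str, dict] = {}
        self._audit: List[dict] = []   # append-only; holds event metadata, not data values

    def _log(self, subject_id: str, event: str, **details) -> None:
        self._audit.append({"at": datetime.now(timezone.utc).isoformat(),
                            "subject": subject_id, "event": event, **details})

    def _get(self, subject_id: str) -> dict:
        return self._subjects[subject_id]

    def register(self, subject_id: str, data: dict) -> None:
        self._subjects[subject_id] = {"data": dict(data), "consent": {},
                                      "restricted": set(), "objections": set()}
        self._log(subject_id, "registered", fields=sorted(data))

    # Explicit consent and its recording (Article 7)
    def record_consent(self, subject_id: str, purpose: str, statement_version: str) -> None:
        self._get(subject_id)["consent"][purpose] = statement_version
        self._log(subject_id, "consent_given", purpose=purpose, statement=statement_version)

    def withdraw_consent(self, subject_id: str, purpose: str) -> None:
        self._get(subject_id)["consent"].pop(purpose, None)
        self._log(subject_id, "consent_withdrawn", purpose=purpose)

    def demonstrate_consent(self, subject_id: str, purpose: str) -> List[dict]:
        """Audit entries showing when, and against which statement, consent changed."""
        return [e for e in self._audit
                if e["subject"] == subject_id and e.get("purpose") == purpose]

    # Restriction of processing and objections (direct marketing, profiling)
    def restrict(self, subject_id: str, purpose: str) -> None:
        self._get(subject_id)["restricted"].add(purpose)
        self._log(subject_id, "processing_restricted", purpose=purpose)

    def object_to(self, subject_id: str, purpose: str) -> None:
        self._get(subject_id)["objections"].add(purpose)
        self._log(subject_id, "objection", purpose=purpose)

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """The check every processing step runs before touching the data."""
        s = self._subjects.get(subject_id)
        if s is None:
            return False
        return (purpose in s["consent"] and purpose not in s["restricted"]
                and purpose not in s["objections"])

    # Access, rectification, portability, erasure
    def access(self, subject_id: str) -> dict:
        s = self._get(subject_id)
        self._log(subject_id, "access_request")
        return {"data": copy.deepcopy(s["data"]), "consent": dict(s["consent"]),
                "restricted": sorted(s["restricted"]), "objections": sorted(s["objections"])}

    def rectify(self, subject_id: str, field: str, value) -> None:
        self._get(subject_id)["data"][field] = value
        self._log(subject_id, "rectified", field=field)

    def export_portable(self, subject_id: str) -> str:
        """Machine-readable copy of the data the subject provided (Article 20)."""
        self._log(subject_id, "portability_export")
        return json.dumps({"subject": subject_id, **self._get(subject_id)["data"]},
                          sort_keys=True)

    def erase(self, subject_id: str) -> None:
        """Remove the data; the audit trail keeps only the fact of the erasure."""
        del self._subjects[subject_id]
        self._log(subject_id, "erased")

    def audit_trail(self, subject_id: str) -> List[dict]:
        return [e for e in self._audit if e["subject"] == subject_id]
```

The same ledger would have to be applied to backups and archives as well, as the Important note above points out; in practice that means the erasure event must be propagated to, or honoured on restore from, every copy.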

77 GUIDELINES ON THE RIGHT TO DATA PORTABILITY: https://www.cnil.fr/sites/default/files/atoms/files/ld_portabilite_eng.pdf

78 ISO/IEC FDIS 19941 INFORMATION TECHNOLOGY -- CLOUD COMPUTING -- INTEROPERABILITY AND PORTABILITY: https://www.iso.org/standard/66639.html


The technical implementation of these procedures is, of course, also part of the processing of personal data in question.

Classify personal data

This activity is to be completed for every processing operation of personal data identified in the program. In practical terms, it is based on the list of processing operations classified by priority. The highest-priority processing operations are considered in the current iteration of the PDCA cycle.

The goal is to organize and label the personal data by applying the taxonomy in place (see section DEFINE / REVIEW THE CLASSIFICATION TAXONOMY FOR PERSONAL DATA) in order to:

• Identify more easily the personal data concerned by the exercise of the rights of the data subject (see preceding section)

• Impose the necessary security checks in accordance with the policy and execute the appropriate processing operations (see next section)

The personal data can be structured, semi-structured, or unstructured.

Relational databases are a typical example of structured data. Similarly, XML files with specified XML schemas, JSON files, and so on are common examples of semi-structured data, and e-mails or text files are common examples of unstructured data. Microsoft Office and PDF documents can fall into the latter two categories, depending on their document format.

Depending on the nature of the data making up the elements of personal information, the effort required to classify the data as personal data differs considerably in scale. In particular, classifying unstructured data is not an easy task and can present real challenges.

This activity can also be an opportunity to review the information classification policy and the corresponding procedures, if necessary.

The deliverables for the implementation of this activity include, for each processing considered:

• The information classification policy, or a review thereof

• Information classification procedure(s)
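The three kinds of data named above, labelled with a small taxonomy, as an added example that is not the white paper's code: a database row is classified by column name, a JSON document by the key of each leaf, and free text by pattern detectors. The taxonomy (public / personal / personal-sensitive), the field-name hints and the detectors are constructed for the illustration and show why the unstructured case is the hard one: for it, the labels can only come from recognizing the data itself.

```python
"""Labelling personal data in structured, semi-structured and unstructured inputs.

Added example, not the paper's code. Taxonomy, field hints and detection
patterns are constructed; a real procedure uses the organization's taxonomy.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed taxonomy, ordered from least to most protected.
LEVELS = ["public", "personal", "personal-sensitive"]

# Field names that carry personal data in this example's schema (assumed).
FIELD_HINTS: Dict[str, str] = {
    "email": "personal", "phone": "personal", "full_name": "personal",
    "date_of_birth": "personal", "ip_address": "personal",
    "health_condition": "personal-sensitive", "religion": "personal-sensitive",
    "trade_union": "personal-sensitive",
}

# Simplified detectors for free text (constructed, deliberately narrow).
PATTERNS: List[Tuple[str, str, re.Pattern]] = [
    ("email", "personal", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("phone", "personal", re.compile(r"\+?\d[\d .-]{8,}\d")),
    ("health_condition", "personal-sensitive",
     re.compile(r"\b(diagnosed with|allergic to|treated for)\b[^.;\n]*", re.I)),
]


def highest(labels) -> str:
    """The most protective label among those given (the label of the whole object)."""
    return max(labels, key=LEVELS.index, default="public")


def classify_structured(row: Dict[str, object]) -> Dict[str, str]:
    """Structured data: one label per column of a database row, by column name."""
    return {col: FIELD_HINTS.get(col, "public") for col in row}


def _flatten(obj, prefix=""):
    """Yield (dotted path, value) for every leaf of a JSON-like object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix[:-1], obj


def classify_semi_structured(json_text: str) -> Dict[str, str]:
    """Semi-structured data: a label for every leaf of a JSON document, by its key."""
    labels = {}
    for path, _value in _flatten(json.loads(json_text)):
        leaf = path.rsplit(".", 1)[-1]
        labels[path] = FIELD_HINTS.get(leaf, "public")
    return labels


def classify_unstructured(text: str) -> List[Tuple[str, str, str]]:
    """Unstructured data: (kind, label, matched text) for each detector hit."""
    hits = []
    for kind, label, pattern in PATTERNS:
        for m in pattern.finditer(text):
            hits.append((kind, label, m.group(0).strip()))
    return hits


def document_label(text: str) -> str:
    """Label of a whole text document: the highest label of anything found in it."""
    return highest(label for _kind, label, _match in classify_unstructured(text))
```

The per-field labels are what the next activity consumes: a row whose highest label is "personal-sensitive" must be handled under the protection profile for that label, and the labelled fields are the ones an access or erasure request has to locate.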

Improve the security of personal data processing

This activity is to be completed for every processing operation of personal data identified in the program. In practical terms, it is based on the list of processing operations classified by priority. The highest-priority processing operations are considered in the current iteration of the PDCA cycle.


Did you say information security management system?

The GDPR demands numerous controls and measures to protect privacy. Many of them are also required by the standards ISO/IEC 27001:201379 and ISO/IEC 27002:201380 as well as other standards in the ISO 270xx series, such as ISO/IEC 27018:2014.81

Consequently, organizations or companies with an information security management system (ISMS), within the meaning of ISO 27000, are likely to already meet many of the GDPR requirements. However, certain adjustments may have to be made.

When aligning the processing of personal data to comply with the GDPR, other organizations or companies may opt for an information security management system as part of a global framework in order to manage personal data as one component of a broader risk management.

If the whole question of compliance and the corresponding calendar are considered, the adoption of a holistic approach appears to be necessary to secure the digital environment, to help to build trust, and to enable the digital transformation of the organization.

Figure 11. Some regulations and directives to be taken into consideration today or in the short term

A certain similarity with the so-called “Assume breach” posture

The key requirements of the GDPR regarding the security of personal data are based on two pillars, in addition to the analysis and assessment of risks:

1. Prevention and protection

79 ISO/IEC 27001:2013 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- INFORMATION SECURITY MANAGEMENT SYSTEMS -- REQUIREMENTS: https://www.iso.org/standard/54534.html

80 ISO/IEC 27002:2013 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS: https://www.iso.org/standard/54533.html

81 ISO/IEC 27018:2014 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- CODE OF PRACTICE FOR PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION (PII) IN PUBLIC CLOUDS ACTING AS PII PROCESSORS: https://www.iso.org/standard/61498.html


2. Surveillance and detection

Figure 12. The three pillars of the “Assume breach” posture

The adoption of an “Assume breach” security posture represents a major change that consists of assuming that digital defenses will at some point be vulnerable for a given processing.

The acceptance of this posture is not a form of submission: it simply means that you have taken the first step toward mitigating the risks.

So what is plan B? What is the plan to detect intrusions in terms of personal data breaches? How to react to this type of incident?

This posture entails shifting from a simple Protect and Recover model to a new strategy and a more global posture that today includes at least the three aspects mentioned previously:

1. Protect. Suitable security measures must be taken to protect every end-point of the processing, from the points of capture to the datacenter(s). This is the natural register of an information security management system, as addressed in the preceding section.

2. Detect. This aspect entails moving toward a more behavioral model, in which breaches are detected by observing behavior (of the vector of attack in the case of intrusion) using targeted signals, behavior monitoring, and machine learning. For example, the timely detection of an attack in progress can prevent the exfiltration of personal data and, therefore, a breach as per the GDPR.

3. Respond. This aspect presupposes the dynamic application of security controls in response to detection in order to fill the gap between the discovery and the reactive action. This entails a radical change in the manner of reacting.

Note The risk-driven NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY82 has five functions: Identify, Protect, Detect, Respond, and Recover.
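The "Detect" aspect above, reduced to one behavioral rule over access logs, as an added example that is not code from the white paper: each log line records how many personal-data records a user read from a table, and a user whose reads in one day far exceed that user's own earlier daily baseline (and an absolute floor) raises an alert, so that a bulk extraction in progress is noticed before it becomes a reportable breach. The log format, user names, thresholds and the sample lines are constructed.

```python
"""Behavioral detection of bulk personal-data access (added example, not the paper's code)."""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed log format: ISO timestamp, user, action, record count, table.
LINE = re.compile(
    r"(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=read "
    r"records=(?P<records>\d+) table=(?P<table>\S+)")

# Constructed sample: alice keeps a steady pattern; mallory's reads jump by
# three orders of magnitude in the small hours of the third day.
SAMPLE_LOG = """\
2018-04-02T09:12:03Z user=alice action=read records=12 table=customers
2018-04-02T10:40:11Z user=mallory action=read records=15 table=customers
2018-04-03T09:05:44Z user=alice action=read records=9 table=customers
2018-04-03T11:02:19Z user=mallory action=read records=11 table=customers
2018-04-04T09:30:00Z user=alice action=read records=14 table=customers
2018-04-04T09:31:00Z user=alice action=read records=6 table=customers
2018-04-04T02:14:52Z user=mallory action=read records=4800 table=customers
2018-04-04T02:16:03Z user=mallory action=read records=5200 table=customers
"""


def parse(log_text: str) -> Dict[str, Dict[str, int]]:
    """user -> day -> total records read that day (lines that do not match are skipped)."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            totals[m["user"]][m["day"]] += int(m["records"])
    return totals


def detect_bulk_access(log_text: str, day: str, ratio: float = 10.0,
                       floor: int = 1000) -> List[dict]:
    """Alert when a user's reads on `day` exceed `ratio` times that user's median
    over earlier days and also exceed the absolute `floor`. A user with no
    history is measured against the floor alone. Thresholds are assumed values."""
    alerts = []
    for user, per_day in parse(log_text).items():
        today = per_day.get(day, 0)
        history = [n for d, n in per_day.items() if d < day]
        baseline = median(history) if history else 0
        if today >= floor and (baseline == 0 or today >= ratio * baseline):
            alerts.append({"user": user, "day": day, "records": today,
                           "baseline": baseline, "severity": "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG, "2018-04-04"):
        print(alert)
```

The alert is the signal the "Respond" aspect acts on: in this example, the dynamic control would be to suspend the account's access to the table and open an incident in the breach notification process, rather than wait for a periodic review to find the reads.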

Define security measures in line with policies

This activity consists of setting up the technical and organizational measures defined as being necessary to achieve compliance of the processing of personal data with the GDPR.

82 NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf


Where necessary, the existing technical and organizational security measures are strengthened based on the results of the preliminary study. Similarly, the technical counter-measures defined in the data protection impact assessment for high-risk processing are implemented in accordance with the defined risk mitigation plan.

In this way, the security controls in terms of technical and organizational measures to be taken apply to data at rest, data in use, and data in transit, based on the documentation of the processing in question and the Confidentiality Integrity Availability (CIA) triptych.

With regard to the controls, we have already addressed data pseudonymization and deidentification. For reference, the ISO/IEC 20889:201783 standard describes the techniques used to erase or mask the identifying elements of personal data so that it is no longer accessible or no longer subject to the GDPR requirements.

At this point, it also seems important to emphasize that certain controls, and encryption in particular, can affect the processes to be implemented. For example, in the event of theft of encrypted personal data, if the encryption key is not compromised, then there is no need to notify the data subjects.

Other controls are self-evident in terms of practices, such as data minimization (see Article 5).

Define the security controls to be implemented

The organization’s assets in terms of personal data are protected based on their classification and the mitigation plan resulting from the data protection impact assessment for high-risk processing.

In other words, they cannot be protected appropriately in an initial approach unless the personal data is correctly classified. The classification of personal data assets requires minimal security checks that must be applied when handling, storing, processing, and/or transferring the assets in question (see section CLASSIFY PERSONAL DATA).

In practice, each protection profile in the data protection plan that is associated with a specific classification level or label contains a set of rules defining the minimal requirements in terms of security checks in order to protect the confidentiality, integrity, and availability (CIA) of the personal data assets, as discussed previously.

83 ISO/IEC 20889:2017 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- PRIVACY ENHANCING DATA DE-IDENTIFICATION TECHNIQUES: https://www.iso.org/en/standard/69373.html

What does the GDPR say?

Article 32 - Security of processing: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Article 34 - Communication of a personal data breach to the data subject: The communication to the data subject [...] shall not be required if any of the following conditions are met: a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

For example, regarding confidentiality, encryption is one of the means that can be used to protect data confidentiality, as mentioned in Article 32 (Security of processing).

It is important to remember, in view of the three possible states of the data (see section DEFINE POLICIES FOR THE MANAGEMENT AND USE OF PERSONAL DATA), that:

• Data at rest. Data needs to be protected by strong encryption (where “strong encryption” means encryption requiring unfeasible calculation times in the event of a brute force attack) AND the encryption key i) is not present on the medium itself, ii) is not present on the node associated with the medium, and iii) is sufficiently long and random to be functionally immune to dictionary attacks.

• Data in use. Data is considered as protected if i) memory access is strictly controlled (the process that accessed the data while not on the storage medium, and read the data into memory, is the only process with access to that memory; no other process can access the data in memory or intercept it as it passes through the inputs/outputs), and ii) regardless of the way in which the process ends (normal shutdown, forced shutdown, or switching off the computer), the data cannot be recovered from any location other than its original state at rest, and then only with a new authorization.

• Data in transit. Data is considered as secured if i) the two hosts can protect the data in the two preceding states, and ii) the communication between the hosts is identified, authenticated, authorized, and private, meaning that no third-party host can listen to the communication between the two hosts.

Moreover, the location of the personal data may require implementing particular security controls. Consequently, for each classification level/label specific to the personal data, and then for each location permitted by the security and/or data protection policy, a corresponding protection profile is potentially established by the organization, according to its practices.

The security controls to be applied to the personal data assets are obtained by deduction, based on the protection profiles. For example, if an application in a targeted processing activity processes data classified as personal and sensitive, the corresponding protection policy must require that the data is encrypted when at rest, can only be accessed by a restricted group of persons, is stored internally, and that the corresponding models are included in the data loss prevention (DLP) system, if there is one, to detect and prevent any leaks.

In parallel, already deployed or new technical solutions must be chosen to implement the controls assigned to the protection of personal data assets. It should be noted that the controls can also correspond or refer to manual or automated processes.

The security controls to be considered within the framework of the GDPR fall within the following subjects, among others:

• Encryption – confidentiality of data at rest

• Encryption – confidentiality of data in transit/in use

• Identity management – authentication of internal users

• Identity management – authentication of external users, in particular in B2B (Business-to-Business) type collaborations

• Access control (conditional) – access authorization(s) and (contextual) permissions

• Security of services and applications

• Network security

• Security of storage

• Protection of the physical data center

• Backup, archives and retention

• Disposal of non-electronic media (such as paper)

• Disposal of electronic media (hard drives, USB keys, DVD-ROMs, and so on)
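The deduction of controls from protection profiles described above, as an added example that is not the white paper's code: a profile is keyed by classification label and storage location and lists the minimal controls; an asset's deployed configuration is compared against it and the gaps are reported, while a (label, location) pair with no profile is treated as a location the policy does not permit. The labels, locations, control names and the two sample assets are constructed; the "personal-sensitive, internal" profile mirrors the worked example in the text (encryption at rest, restricted access group, internal storage, DLP model).

```python
"""Deducing required security controls from protection profiles (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed protection profiles: (label, location) -> minimal controls.
PROTECTION_PROFILES: Dict[Tuple[str, str], Set[str]] = {
    ("personal", "internal"): {
        "encryption_at_rest", "tls_in_transit", "authn_internal_users",
        "access_control_rbac", "backup_with_retention", "media_disposal"},
    ("personal", "cloud-eu"): {
        "encryption_at_rest", "tls_in_transit", "authn_internal_users",
        "access_control_rbac", "backup_with_retention", "processor_contract"},
    ("personal-sensitive", "internal"): {
        "encryption_at_rest", "key_off_medium", "tls_in_transit",
        "authn_internal_users", "mfa", "access_control_restricted_group",
        "dlp_model_registered", "backup_with_retention", "media_disposal"},
    # No ("personal-sensitive", "cloud-eu") entry: the constructed policy
    # requires sensitive data to be stored internally.
}


def location_permitted(label: str, location: str) -> bool:
    """A location is permitted for a label only if a profile exists for the pair."""
    return (label, location) in PROTECTION_PROFILES


def required_controls(label: str, location: str) -> Set[str]:
    if not location_permitted(label, location):
        raise ValueError(f"no protection profile: {label!r} may not be stored at {location!r}")
    return set(PROTECTION_PROFILES[(label, location)])


def control_gaps(asset: dict) -> List[str]:
    """Controls the asset's deployed configuration is missing, sorted for stable reports."""
    needed = required_controls(asset["label"], asset["location"])
    return sorted(needed - set(asset["controls"]))


# Constructed sample assets with the controls actually deployed on each.
SAMPLE_ASSETS = [
    {"name": "crm-db", "label": "personal", "location": "cloud-eu",
     "controls": {"encryption_at_rest", "tls_in_transit", "authn_internal_users",
                  "access_control_rbac", "backup_with_retention", "processor_contract"}},
    {"name": "hr-health-records", "label": "personal-sensitive", "location": "internal",
     "controls": {"encryption_at_rest", "tls_in_transit", "authn_internal_users",
                  "access_control_rbac", "backup_with_retention"}},
]


def review_assets(assets=SAMPLE_ASSETS) -> Dict[str, List[str]]:
    """Asset name -> list of missing controls (empty when the profile is met)."""
    return {a["name"]: control_gaps(a) for a in assets}


if __name__ == "__main__":
    for name, gaps in review_assets().items():
        print(name, "OK" if not gaps else f"missing: {', '.join(gaps)}")
```

Each gap maps back to one of the subjects in the list above (key off the medium to the encryption subject, MFA to identity management, the restricted group to access control, the DLP model to security of storage), which is how the deduced controls become concrete work items for the technical solutions chosen to implement them.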

Important The preceding list covers two notions: protection and access control.

Note The NIST (National Institute of Standards and Technology) provides a complete catalog of security and privacy controls in the document Special Publication 800-53 Rev. 4.84 The SANS institute provides a list85 of critical controls that is a subset of the above-mentioned catalog.

Incorporate a guided approach

The definition of the appropriate security measures according to the policies in place entails taking the full measure of the situation for the processing in question and identifying the threats to which it is exposed, the positions of the attacker and the defender being asymmetrical by definition.

It is essential to understand the threats to which the data processing, the data flows, the storage, and so on are exposed. For example, the threat modeling in the Microsoft SDL (Security Development Lifecycle)86 methodology makes it possible to understand the threats to personal data in a processing (and the associated flows) throughout its lifecycle by adopting the STRIDE approach:

• S – Spoofing of user identity

• T – Tampering

• R – Repudiation

• I – Information disclosure

• D – Denial of service

• E – Elevation of privilege

84 NIST SPECIAL PUBLICATION 800-53 REVISION 4 SECURITY AND PRIVACY CONTROLS FOR FEDERAL INFORMATION SYSTEMS AND ORGANIZATIONS: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

85 CRITICAL CONTROLS FOR EFFECTIVE CYBER DEFENSE: http://www.sans.org/critical-security-controls/

86 Microsoft SDL (Security Development Lifecycle): http://www.microsoft.com/sdl

“Know your enemy and know yourself, find naught in fear for 100 battles. If you do not know your enemies but do know yourself, you will win one and lose one. If you do not know your enemies nor yourself, you will be imperiled in every single battle.”

Sun Tzu, The Art of War


This approach can be used to transform threat modeling from a process overseen by an expert into a process that any software architect can adopt. In order to mitigate threats, this approach attempts to determine the risks and to take action on those that are unacceptable, using heuristics such as critical, high, moderate, and low. Next, according to STRIDE, the mitigation techniques (or none at all), and then the corresponding technology that is applicable in the context of the processing, its services, applications, and/or data repository, are selected.

Any elements that are not covered are then determined.
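The STRIDE procedure just described, carried through on a small model, as an added example that is neither the Microsoft Threat Modeling Tool nor code from the white paper: the processing is decomposed into elements (an external entity, a data flow, a process, a data store), the STRIDE categories that apply to each kind of element are enumerated, each threat is rated critical/high/moderate/low from likelihood and impact scores, a recorded mitigation is attached where one has been selected, and the unacceptable threats that remain uncovered are reported. The element names, the applicability rule, the scoring grid, the scores and the mitigations are all constructed.

```python
"""STRIDE threat enumeration with a risk heuristic and a coverage check (added example)."""
from typing import Dict, List, Tuple

STRIDE = {"S": "Spoofing of user identity", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Simplified rule of thumb (assumed): which STRIDE letters apply to which element kind.
APPLICABLE = {"process": "STRIDE", "flow": "TID", "store": "TRID", "external": "SR"}

UNACCEPTABLE = {"critical", "high"}


def rate(likelihood: int, impact: int) -> str:
    """Constructed heuristic on a 1-5 x 1-5 grid, yielding the text's four levels."""
    score = likelihood * impact
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"


def enumerate_threats(elements: List[dict], scores: Dict[Tuple[str, str], Tuple[int, int]],
                      mitigations: Dict[Tuple[str, str], str]) -> List[dict]:
    """One threat row per (element, applicable STRIDE letter)."""
    threats = []
    for el in elements:
        for letter in APPLICABLE[el["kind"]]:
            key = (el["name"], letter)
            likelihood, impact = scores.get(key, (3, 3))   # unscored threats sit mid-grid
            threats.append({"element": el["name"], "category": STRIDE[letter],
                            "risk": rate(likelihood, impact),
                            "mitigation": mitigations.get(key)})
    return threats


def uncovered(threats: List[dict]) -> List[dict]:
    """Unacceptable threats for which no mitigation has been selected."""
    return [t for t in threats if t["risk"] in UNACCEPTABLE and not t["mitigation"]]


# Constructed model: a web form collects personal data into a database.
ELEMENTS = [
    {"name": "data subject (browser)", "kind": "external"},
    {"name": "form submission", "kind": "flow"},
    {"name": "web app", "kind": "process"},
    {"name": "customer DB", "kind": "store"},
]
SCORES = {("form submission", "I"): (4, 5), ("customer DB", "I"): (3, 5),
          ("customer DB", "T"): (2, 5), ("web app", "E"): (3, 4)}
MITIGATIONS = {("form submission", "I"): "TLS 1.2 with certificate pinning",
               ("customer DB", "I"): "encryption at rest, key held in an HSM",
               ("web app", "S"): "federated authentication"}


def sample_gaps() -> List[Tuple[str, str]]:
    """(element, category) pairs still uncovered in the constructed model."""
    threats = enumerate_threats(ELEMENTS, SCORES, MITIGATIONS)
    return [(t["element"], t["category"]) for t in uncovered(threats)]


if __name__ == "__main__":
    for element, category in sample_gaps():
        print(f"uncovered: {element} / {category}")
```

In the constructed model the only gap left is elevation of privilege on the web application, which is the answer to "any elements that are not covered are then determined": that threat either receives a mitigation and a technology in the next round, or is explicitly accepted and enters the residual-risk reassessment that follows implementation.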

Note The Microsoft Threat Modeling Tool 2016,87 which can be downloaded for free, can be used in this context.

After the effective implementation of the security controls, and regardless of the approach selected to judge the merits and the pertinence of the measures, the risks that are covered by the mitigation plan and the residual risks under these conditions must be systematically reassessed.

The deliverable for the implementation of this activity is the effective expression of the technical and organizational measures in the processing operations, in accordance with the preliminary study and, where appropriate, with the risk mitigation plan resulting from the data protection impact assessment.

Implement a process for the notification of personal data breaches

This activity is to be completed for every processing operation of personal data identified in the program. In practical terms, it is based on the list of processing operations classified by priority. The highest-priority processing operations are considered in the current iteration of the PDCA cycle.

The goal consists of the concrete implementation of the conditions for the execution of the process defined to provide notification of personal data breaches (see section DEFINE A PROCESS MODEL FOR THE NOTIFICATION OF A PERSONAL DATA BREACH).

Note The international standard ISO/IEC 27035-1 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- INFORMATION SECURITY INCIDENT MANAGEMENT -- PART 1: PRINCIPLES OF INCIDENT MANAGEMENT88 (and the following parts) may be considered in this context.

87 Microsoft Threat Modeling Tool 2016: http://www.microsoft.com/en-us/download/details.aspx?id=49168

88 ISO/IEC 27035-1 INFORMATION TECHNOLOGY -- SECURITY TECHNIQUES -- INFORMATION SECURITY INCIDENT MANAGEMENT -- PART 1: PRINCIPLES OF INCIDENT MANAGEMENT: https://www.iso.org/standard/60803.html


Figure 13. Reminder of a personal data breach notification process framework

The first step of this proposed framework of the notification process starts with the detection or reporting of the personal data breach.

To enable breaches to be reported, the corresponding process and procedures must provide for the availability of an internal reporting system, if one does not already exist, that can be used by the organization’s employees. For example, if a device hosting personal data belonging to an organization’s employee is lost or stolen, it must be possible for the employee to report the incident quickly and easily. This also requires an appropriate information plan (see section IMPROVE INTERNAL AWARENESS AND COLLABORATION).

The second step consists of investigating the breach itself once it has been made known. The goal is to determine the nature, the various ramifications, and so on, of the incident. This is probably the longest and most complex step, for which an internal team of specialists or an external company must be called in, depending on the nature of the breach. This team must be operational rapidly in the event of a crisis. Therefore, the process must allow for identifying the persons and the means for mobilizing them.

After the scenario leading to the data breach has been clearly identified and understood, the third step concentrates on identifying and implementing corrective or mitigating measures. For example:

• If an integrity issue is identified on a database, the corrective measure may consist of restoring a backup, given that all the latest changes may have been lost.

• If the attacker used a security vulnerability to extract personal data, the necessary security patches must be applied.

The fourth step consists of assessing the impacts of the breach in view of the type and sensitivity of the personal data in question, the number of data subjects, and the resulting effects.

At this stage, the necessary elements are available for the fifth step, which consists of compiling a notification report and informing the supervisory authority.


Moreover, and in accordance with Article 34,89 the severity of the impact of the data breach must be determined and the breach must be reported to the direct data subjects, depending on the result. This is the purpose of the sixth step.
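The six steps above, run as an ordered workflow on a breach record, as an added example that is not the white paper's code or any Microsoft product. Each step can only run once and only in sequence; the fourth step applies a constructed severity heuristic (sensitivity of the data and number of data subjects); the fifth produces the notification report for the supervisory authority; and the sixth applies the Article 34 rule quoted earlier in this section, under which communication to the data subjects depends on the severity and is waived when the affected data was encrypted and the key was not compromised. The two sample breaches and the heuristic thresholds are constructed.

```python
"""Personal data breach handling: the six steps as an ordered workflow (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

STEPS = ["reported", "investigated", "remediated", "impact_assessed",
         "authority_notified", "subjects_informed_or_waived"]


@dataclass
class Breach:
    breach_id: str
    reported_by: str
    description: str
    data_sensitivity: str = "personal"      # "personal" or "personal-sensitive"
    subjects_affected: int = 0
    encrypted: bool = False                 # was the affected data encrypted?
    key_compromised: bool = True            # conservative default until investigated
    severity: Optional[str] = None
    actions: List[str] = field(default_factory=list)
    communication_required: Optional[bool] = None
    completed: int = 1                      # a new record has completed "reported"

    def status(self) -> str:
        return STEPS[self.completed - 1]


def next_step(b: Breach) -> Optional[str]:
    return STEPS[b.completed] if b.completed < len(STEPS) else None


def _advance(b: Breach, step_name: str) -> None:
    """Enforce the order of the steps; each runs exactly once."""
    if next_step(b) != step_name:
        raise RuntimeError(f"{b.breach_id}: cannot run {step_name}; next is {next_step(b)}")
    b.completed += 1


def report(breach_id: str, reported_by: str, description: str) -> Breach:
    """Step 1: the internal reporting system creates the record."""
    return Breach(breach_id, reported_by, description)


def investigate(b: Breach, data_sensitivity: str, subjects_affected: int,
                encrypted: bool, key_compromised: bool) -> None:
    """Step 2: the specialist team establishes what happened and what was affected."""
    _advance(b, "investigated")
    b.data_sensitivity, b.subjects_affected = data_sensitivity, subjects_affected
    b.encrypted, b.key_compromised = encrypted, key_compromised


def remediate(b: Breach, actions: List[str]) -> None:
    """Step 3: corrective or mitigating measures (restore, patch, revoke, wipe)."""
    _advance(b, "remediated")
    b.actions.extend(actions)


def assess_impact(b: Breach) -> str:
    """Step 4: constructed severity heuristic from sensitivity and scale."""
    _advance(b, "impact_assessed")
    if b.data_sensitivity == "personal-sensitive" or b.subjects_affected >= 1000:
        b.severity = "high"
    elif b.subjects_affected >= 100:
        b.severity = "medium"
    else:
        b.severity = "low"
    return b.severity


def notify_authority(b: Breach) -> dict:
    """Step 5: the notification report compiled for the supervisory authority."""
    _advance(b, "authority_notified")
    return {"breach_id": b.breach_id, "description": b.description,
            "data_sensitivity": b.data_sensitivity, "subjects_affected": b.subjects_affected,
            "severity": b.severity, "measures_taken": list(b.actions),
            "encrypted": b.encrypted, "key_compromised": b.key_compromised}


def communicate_to_subjects(b: Breach) -> bool:
    """Step 6 (Article 34): communication is required for high-severity breaches,
    and waived when the data was unintelligible to the thief (encrypted, key intact)."""
    _advance(b, "subjects_informed_or_waived")
    unintelligible = b.encrypted and not b.key_compromised
    b.communication_required = b.severity == "high" and not unintelligible
    return b.communication_required
```

The order enforcement matters in practice: the report to the authority (step 5) must carry the results of the investigation, remediation and impact assessment, and the decision about the data subjects (step 6) depends on facts, such as whether the key was compromised, that only the investigation can establish.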

The deliverables for the implementation of this activity include, for each processing considered:

• Security incident management process/procedure

• Notification process of the personal data breaches

• Corresponding breach notification procedures

Improve internal awareness and collaboration

This activity aims to develop internal awareness-raising and training plans, so that all the participants in

this “dynamic” drive for compliance with the GDPR can take onboard the principles and concepts of the

GDPR as well as the processes, procedures, tools, and models concerning them, to differing degrees, in

accordance with their levels of involvement and responsibility.

Therefore, through the definition of the plans, the goal is:

• To make employees aware of the importance of privacy protection

• To favor the escalation of information for the identification and mapping of personal data processing

• To train the personnel involved, at least once a year, in the organization's “everyday” security standards that determine how personal data is managed, accessed, transferred, and erased

The deliverables for the implementation of this activity are the various internal awareness-raising and training plans, the corresponding content, and their scheduling and delivery to the target audiences inside the organization.

89 ARTICLE 34 - COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT


Check the GDPR program

The CHECK phase of the PDCA cycle is made up of a number of activities:

• Monitor high-risk data processing

• Check the (path to) compliance with the GDPR

• Maintain the documentation required for compliance with the GDPR

These activities are described one by one in the following sections.

Monitor high-risk data processing

This activity is imperative for all the data processing operations that undergo a Data Protection Impact Assessment (see section MANAGE THE RISKS OF HIGH-RISK PERSONAL DATA PROCESSING OPERATIONS).

The goal is to implement iterative controls to make sure that the record of processing activities is accurate. Any changes to the processing or to the collected and processed data must result in a re-examination.

For other processing operations that did not undergo a Data Protection Impact Assessment (see section CONDUCT A PRELIMINARY STUDY OF THE LEVEL OF RISK OF THE PERSONAL DATA PROCESSING operations), any significant changes to the processing or to the collected and processed data must be reexamined to determine whether an impact assessment is necessary.

It must be possible to place the record of processing activities at the supervisory authority’s disposal at any time, including during an audit procedure.

Check the (path to) compliance with the GDPR

This activity is to be completed for every processing operation of personal data identified in the program. In practical terms, it is based on the list of processing operations classified by priority. The highest-priority processing operations are considered in the current iteration of the PDCA cycle.

This activity is made up of a number of sub-activities:

• Check the relevance of the processing mapping

• Check the incorporation of the new rights

• Check the effectiveness of the technical and organizational security measures in place

• Check the operational level of the process for the notification of personal data breaches

These activities are described in the following sections.

What does the GDPR say?

Article 30 - Records of processing activities
4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

Article 58 - Powers
Each supervisory authority shall have all of the following investigative powers: (b) to carry out investigations in the form of data protection audits;


Check the relevance of the processing mapping

This activity consists of regular internal data audits to identify:

• The personal data actually in the organization’s possession

• How this personal data is actually used and, where appropriate, transferred

• The age of this data (when it was collected)

• Who accesses the data

This activity is based on the processing activities listed and present in the record of processing activities, and beyond it for “dark data” (for example, “Shadow IT”). Any “new” processing operations that are discovered are to be included in the GDPR program, which requires the record of processing activities to be updated accordingly.

Depending on the gaps that are observed, a deadline is defined to address the main risks that pertain to the protection of personal data. To this end, a risk analysis is conducted on the basis of the observed gaps. The preliminary study can be used as a model (see section CONDUCT A PRELIMINARY STUDY OF THE LEVEL OF RISK OF THE PERSONAL DATA PROCESSING operations).

The corrective actions are checked in a subsequent iteration of the PDCA cycle, according to the deadline allowed for resolution.

Check the incorporation of the new rights

This activity consists of making sure that the claims and requests made by data subjects regarding the exercise of their new rights are effectively handled. In other words, it is necessary to check that the rights in question can actually be exercised by the data subjects.

This activity entails checking that:

• The procedures and forms to request rights are readily accessible by the users

• All the request processes are operational, which means that:

  • All requests are taken into consideration and processed in reasonable time

  • The rights are effectively applied (rectification, erasure, and so on)

Important: The processes can be manual or automated.

What does the GDPR say?

Section 2 - Information and access to personal data
Article 15 - Right of access by the data subject

Section 3 - Rectification and erasure
Article 16 - Right to rectification
Article 17 - Right to erasure (‘right to be forgotten’)
Article 18 - Right to restriction of processing
Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20 - Right to data portability

Section 4 - Right to object and automated individual decision-making
Article 21 - Right to object
Article 22 - Automated individual decision-making, including profiling


Check the effectiveness of the technical and organizational security measures in place

This activity consists of checking the effectiveness of the technical and organizational security measures in place in accordance with Article 32[90] pertaining to the security of the processing of personal data. These checks apply to both the controller and the processor.

Check the operational level of the process for the notification of personal data breaches

This activity consists of assessing the notification process in place and its responsiveness.

To check that the notification process implemented in the DO phase is operational (see section IMPLEMENT A PROCESS FOR THE NOTIFICATION OF PERSONAL DATA), a simulation exercise must be planned to make sure that all the participants can be summoned in time to meet the 72-hour deadline and, if this deadline is missed, that they can give the reasons why.

As stated previously, the DPO is the “cornerstone” of the process and is in charge of notifications to the supervisory authority.

What does the GDPR say?

Article 32 - Security of processing
[...] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

[…]

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

What does the GDPR say?

Article 33 - Notification of a personal data breach to the supervisory authority
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority [...], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Article 34 - Communication of a personal data breach to the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

90 ARTICLE 32 - SECURITY OF PROCESSING
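As an added example that is not part of the white paper, the following Python sketch encodes the decisions of steps 4 to 6 of the breach process and the 72-hour check that the simulation exercise above rehearses: whether the supervisory authority must be notified (Article 33), by when, whether the data subjects must be informed (Article 34), and which obligations are still outstanding for a given breach record. The breach record fields, the sample breaches and the awareness timestamp are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

# Article 33(1): notify "not later than 72 hours after having become aware of it".
AUTHORITY_DEADLINE = timedelta(hours=72)


class Risk(Enum):
    """Outcome of the step-4 impact assessment (type and sensitivity of the
    data, number of data subjects, resulting effects)."""
    UNLIKELY = "unlikely to result in a risk"  # Article 33 exemption applies
    RISK = "risk"                               # supervisory authority must be notified
    HIGH = "high risk"                          # Article 34: data subjects informed too


@dataclass
class Breach:
    """One personal data breach as tracked by the DPO (hypothetical fields)."""
    reference: str
    aware_at: datetime                          # when the controller became aware
    risk: Risk
    notified_authority_at: Optional[datetime] = None
    delay_reasons: str = ""                     # mandatory once the 72 hours are exceeded
    subjects_informed: bool = False


@dataclass
class Decision:
    notify_authority: bool
    deadline: Optional[datetime]
    communicate_to_subjects: bool
    findings: List[str] = field(default_factory=list)  # obligations still open


def decide(breach: Breach, now: datetime) -> Decision:
    """Steps 5 and 6: who must be informed, by when, and what is still missing."""
    notify = breach.risk is not Risk.UNLIKELY
    deadline = breach.aware_at + AUTHORITY_DEADLINE if notify else None
    decision = Decision(notify, deadline, breach.risk is Risk.HIGH)

    if notify:
        sent = breach.notified_authority_at
        if sent is None and now > deadline:
            decision.findings.append(
                "authority notification overdue; reasons for the delay will be required")
        elif sent is None:
            hours_left = (deadline - now).total_seconds() / 3600
            decision.findings.append(f"authority notification due in {hours_left:.1f} h")
        elif sent > deadline and not breach.delay_reasons.strip():
            decision.findings.append(
                "late notification must be accompanied by reasons for the delay (Art. 33)")
    if decision.communicate_to_subjects and not breach.subjects_informed:
        decision.findings.append(
            "data subjects must be informed without undue delay (Art. 34)")
    return decision


def exercise_report(breaches: List[Breach], now: datetime) -> Dict[str, Decision]:
    """Simulation-exercise view for the DPO: one decision per breach reference."""
    return {b.reference: decide(b, now) for b in breaches}


# Constructed sample data for a simulation exercise (not real incidents).
EXAMPLE_AWARE_AT = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)


def hours_after(hours: float) -> datetime:
    """Timestamp relative to the constructed awareness time."""
    return EXAMPLE_AWARE_AT + timedelta(hours=hours)


SAMPLE_BREACHES = [
    Breach("B-1", EXAMPLE_AWARE_AT, Risk.UNLIKELY),
    Breach("B-2", EXAMPLE_AWARE_AT, Risk.HIGH, notified_authority_at=hours_after(20)),
    Breach("B-3", EXAMPLE_AWARE_AT, Risk.RISK, notified_authority_at=hours_after(80)),
    Breach("B-4", EXAMPLE_AWARE_AT, Risk.RISK, notified_authority_at=hours_after(80),
           delay_reasons="forensic containment took precedence"),
    Breach("B-5", EXAMPLE_AWARE_AT, Risk.RISK),
]

if __name__ == "__main__":
    for ref, d in exercise_report(SAMPLE_BREACHES, hours_after(90)).items():
        print(ref, d.notify_authority, d.communicate_to_subjects, d.findings)
```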


Maintain the documentation required for compliance with the GDPR

This activity consists of managing the various aspects of the expected “body of documentation” in order for the controller to demonstrate compliance with the objectives and requirements of the GDPR.

In view of the points raised earlier in this white paper, there are at least four of these aspects:

1. Processing of personal data. This aspect is embodied essentially by the record of processing activities, which documents, for every processing operation on personal data in the organization, the processing itself, the lifecycle of the personal data, and the map of the associated flows, duly completed and up to date.

Where appropriate and applicable, the following are specified and documented:

• The reports of all data protection impact assessments that have been conducted

• The control of transfers of personal data outside the European Union, for example through standard contractual clauses

2. Processors. This aspect is documented mainly by the record of processors (risks), which contains the contracts with the processors.

Proof of consent given by the data subjects must also be documented, if collected at this level.

3. Information and rights of the data subjects. This aspect comprises the following elements:

• The procedures/processes implemented for the exercise of the data subjects’ new rights, as mentioned previously

• The information statements (for the processing) that meet the requirements of the GDPR

• The “standard” forms (requests for access, correction, and so on)

• The proof of consent given by the data subjects

4. Internal procedures/processes in the event of personal data breach. This aspect includes the procedure and the form for the notification of breaches (or the corresponding teleservice and procedure for use).

In addition to what has already been pointed out in terms of tools, these aspects require the capacity to ensure that the processing of personal data is monitored and recorded in documents or logs covering data collection, use, transfer, and so on.

In particular, this involves providing reporting capacities for:

• Audit logs

• Notifications

• Consent of the data subjects

• Exercise of the new rights by the data subjects

• Report on governance

• Compliance reviews


Act on the GDPR program

The ACT phase of the PDCA cycle “drives” continual improvement. This phase determines the context of the execution of the following iterations of the cycle.

In particular, it includes an activity to gradually move toward the target principles of “data protection from the design phase” and “data protection by default.”

Initiate a process to rationalize the processing of personal data

This activity aims to approve a roadmap that facilitates the incorporation of the new rights granted to data subjects.

One of its aspects is the management and consolidation of personal data repositories. For example, an architecture that centralizes personal data will facilitate the implementation of data collection, requests for and the recording of explicit consent, and the exercise of the rights of data subjects.

This initiative consists of aiming for the scheduled and gradual disappearance of the various existing personal data repositories and their replacement with a unique reference framework, wherever possible. This goal entails the de facto migration of the corresponding processing applications to this reference repository. This move will do away with the legacy application silos in the organization and provide for greater agility.


A quick look at the CNIL’s recommendations

CNIL: The French Data Protection Authority

The CNIL[91] is the French Data Protection Authority and de facto the supervisory authority in the sense of the GDPR for France.

Since February 2014, the CNIL’s Chairwoman has presided as Chair over the Article 29 Working Party, the working party that assembles once every two months representatives from the 28 European and independent data protection authorities.

This body’s objectives are:

• To contribute to the establishment of European norms by adopting recommendations

• To render opinions on the level of protection guaranteed by countries outside the EU

• To advise the European Commission on all projects having an impact on data protection rights and liberties

The CNIL, as a representative at the International Conference of Data Protection and Privacy Commissioners, participates regularly in collaboration with other international actors such as the Organization for Economic Co-operation and Development (OECD), the Council of Europe, and the Asia-Pacific Economic Cooperation (APEC).

CNIL’s GDPR implementation recommendations

The CNIL has published a short six-step methodology[92] that concisely describes a few implementation principles[93][94] (as translated into English hereafter for the sake of this paper).

91 CNIL web site (English): https://www.cnil.fr/en/cnils-missions

92 CNIL PUBLISHES SIX STEP METHODOLOGY AND TOOLS TO PREPARE FOR GDPR: https://www.huntonprivacyblog.com/2017/03/17/cnil-publishes-six-step-methodology-tools-prepare-gdpr/

93 PREPARING FOR THE EUROPEAN REGULATION: http://www.cnil.fr/se-preparer-au-reglement-europeen

94 THE EUROPEAN REGULATION: PREPARING IN SIX STEPS: https://www.cnil.fr/sites/default/files/atoms/files/pdf_6_etapes_interactifv2.pdf


Figure 14. The steps of the compliance process proposed by the CNIL (translation from the information available in French)

The tentative multi-cycle and structured approach that we have tried to propose and elaborate in this white paper corresponds quite naturally to the six steps of this process, thanks to the different phases of the PDCA cycle, as the following figures show.


Figure 15. Mapping between the phases and activities of the program and steps 1 to 3 of the compliance process proposed by the CNIL

Figure 16. Mapping between the phases and activities of the program and steps 4 to 6 of the compliance process proposed by the CNIL


Some recommendations in conclusion

We would like to conclude with a quotation from Bertolt Brecht:

    Because things are the way they are, things will not stay the way they are.
    Bertolt Brecht

Brecht proposes a good aphorism about evolution and its driving forces.

At a time when the cloud is “rewiring” the world and redefining the practices and business models of businesses engaged in the digital transformation, the new European GDPR regulation – in addition to its numerous demands and consequences for organizations that process personal data – is also an opportunity for these same organizations to build new foundations – if they have not already done so – for the protection of privacy and security, foundations that are holistic, innovative, and durable.

As we stated in the introduction to this white paper, Microsoft is by your side to help you on the road to GDPR compliance:

• Microsoft cloud services, such as Microsoft Azure,[95] Microsoft Dynamics 365,[96] and Microsoft Office 365,[97] facilitate the processes that you must implement to achieve GDPR compliance, thanks to smart technology, innovation, and collaboration.

Note Microsoft Azure is an expanding collection of integrated IaaS and PaaS-type cloud services – processing, storage, networks, databases, analytical advances, mobile, web, APIs, and so on – that enable organizations to go faster and to make savings in the implementation of their processing activities. Azure is a development environment (for DevOps, for example), a hosting and service execution environment, and a management environment to host, scale, and manage applications and processing activities on-premises and via the Internet.

Note Microsoft Dynamics 365 is the next generation of smart business applications that enable organizations of all sizes to grow, change, and transform themselves in order to meet all the needs of their customers and to seize new opportunities. It combines existing Microsoft cloud services, in terms of software for customer relationship management (CRM) and enterprise resource planning (ERP), in a single service, with new specific applications that help to manage the specific functions of an enterprise (marketing, customer knowledge, sales, finance, customer services, operations, automation of project services, and so on).

Note Microsoft Office 365 is designed to respond to the needs of business organizations in terms of user productivity, reliability, and security. Office 365 includes the familiar Microsoft Office suite, with cloud-based versions of the latest generation of Microsoft collaboration and communication services that use the internet to help users to be more productive, almost anywhere and on any device.

95 Microsoft Azure: https://azure.microsoft.com

96 Microsoft Dynamics 365: https://dynamics.microsoft.com

97 Microsoft Office 365: https://products.office.com


• With its local solutions and cloud services, Microsoft helps you to locate and catalog the personal data in your systems’ processing operations, to build a more secure hybrid environment, and to simplify the management and monitoring of personal data.

• Microsoft is investing in additional functionalities and capacities to help organizations to meet their GDPR requirements.

• Finally, we share our own experts’ best practices in the protection of privacy.

Just like with many other norms, standards, and regulations, compliance with the GDPR is not a temporary state but a continuous process. This is one major difference with the switch to the year 2000, which is often used as a point of reference to illustrate the scale of the task.

Figure 17. Year 2000 deadline versus GDPR

GDPR and the year 2000 switch are comparable but not identical.


To use the four main categories of activities highlighted in the multi-cycle approach described in this white paper, PLAN, DO, CHECK and ACT, we can distinguish two phases:

Figure 18. PDCA phases positioning around GDPR “D-Day”

By making progress with a “hyper-scale” cloud service provider like Microsoft, and using cloud services such as Azure, Dynamics 365, and Office 365, you can benefit from an “economy of compliance.” Microsoft cloud services enable you to reduce the programming efforts and the administrative burdens required to achieve GDPR compliance.

Note For more information, read the blog post ACCELERATE YOUR GDPR COMPLIANCE WITH THE MICROSOFT CLOUD[98] by Julia White, Microsoft Corporate Vice-President of the Cloud Platform.

As part of this “economy of compliance,” the announced Compliance Manager tool from Microsoft will help you manage your compliance across Microsoft cloud services with the following capabilities:

• Real-time risk assessment. An intelligent score shows your compliance posture against evolving data protection regulations (for example, GDPR, ISO, NIST)

• Actionable insights. Rich insights and recommended actions to improve your data protection capabilities

• Simplified compliance. Streamline your workflow with the built-in control management and audit-ready reporting tools

Compliance Manager is a cross–Microsoft Cloud services solution designed to help organizations meet complex compliance obligations like the GDPR. It performs a real-time risk assessment that reflects your compliance posture against data protection regulations when using Microsoft Cloud services, along with recommended actions and step-by-step guidance.

Compliance Manager contains a dashboard that provides a summary of your data protection and compliance posture and recommendations to improve data protection and compliance. This is a recommendation; it is up to you to evaluate its effectiveness in your regulatory environment prior to implementation.

98 ACCELERATE YOUR GDPR COMPLIANCE WITH THE MICROSOFT CLOUD: https://blogs.microsoft.com/blog/2017/05/24/accelerate-gdpr-compliance-microsoft-cloud/

Figure 19. Example of a dashboard of the Compliance Manager

Important note Recommendations from Compliance Manager should not be interpreted as legal guidance or a guarantee of compliance.

Note For more information, learn more from the Tech Community blog.[99]

Note You can sign up for the Compliance Manager trial that started in November 2017 by visiting https://aka.ms/compliancemanager.

99 MANAGE YOUR COMPLIANCE FROM ONE PLACE – ANNOUNCING COMPLIANCE MANAGER PREVIEW PROGRAM: https://aka.ms/compliance-manager-blog


References

Useful links in the Microsoft Trust Center

• About Microsoft services and products on microsoft.com/GDPR:

  • Microsoft Azure

  • Microsoft Dynamics 365

  • Microsoft Enterprise Mobility + Security (EM+S)

  • Microsoft Office and Office 365

  • Microsoft SQL Server and Azure SQL Database (database as a service)

  • Windows 10 and Windows Server 2016

• e-books and white papers:

  • AN OVERVIEW OF THE GENERAL DATA PROTECTION REGULATION[100]

  • ACCELERATE YOUR GDPR COMPLIANCE WITH THE MICROSOFT CLOUD[101]

  • BEGINNING YOUR GENERAL DATA PROTECTION REGULATION (GDPR) JOURNEY[102]

  • DISCOVER HOW TO START YOUR JOURNEY TOWARD GDPR COMPLIANCE WHILE USING MICROSOFT DYNAMICS 365 APPLICATIONS[103]

  • HOW MICROSOFT AZURE CAN HELP ORGANIZATIONS BECOME COMPLIANT WITH THE GDPR[104]

  • SUPPORTING YOUR EU GDPR COMPLIANCE JOURNEY WITH ENTERPRISE MOBILITY + SECURITY[105]

  • ACCELERATE YOUR GDPR COMPLIANCE JOURNEY WITH MICROSOFT 365[106]

  • GUIDE TO ENHANCING PRIVACY AND ADDRESSING GDPR REQUIREMENTS WITH THE MICROSOFT SQL PLATFORM[107]

  • ACCELERATE GDPR WITH WINDOWS 10[108]

100 AN OVERVIEW OF THE GENERAL DATA PROTECTION REGULATION: https://aka.ms/GDPROverview

101 ACCELERATE YOUR GDPR COMPLIANCE WITH THE MICROSOFT CLOUD: https://aka.ms/gdprebook

102 BEGINNING YOUR GENERAL DATA PROTECTION REGULATION (GDPR) JOURNEY: https://aka.ms/gdprwhitepaper

103 DISCOVER HOW TO START YOUR JOURNEY TOWARD GDPR COMPLIANCE WHILE USING MICROSOFT DYNAMICS 365 APPLICATIONS: https://info.microsoft.com/GDPRAssessmentResponses-Registration.html

104 AN OVERVIEW OF THE GENERAL DATA PROTECTION REGULATION: https://aka.ms/GDPROverview

105 SUPPORTING YOUR EU GDPR COMPLIANCE JOURNEY WITH MICROSOFT EMS: https://aka.ms/emsgdprwhitepaper

106 ACCELERATE YOUR GDPR COMPLIANCE JOURNEY WITH MICROSOFT 365: https://resources.office.com/ww-landing-M365EGDPR-accelerate-your-GDPR-compliance-whitepaper.html?LCID=EN-US

107 GUIDE TO ENHANCING PRIVACY AND ADDRESSING EU GDPR REQUIREMENTS WITH THE MICROSOFT SQL PLATFORM: http://aka.ms/gdprsqlwhitepaper

108 ACCELERATE GDPR WITH WINDOWS 10: https://aka.ms/WindowsGDPRwhitepaper


Copyright © 2017 Microsoft. All rights reserved.

Microsoft France
39 Quai du Président Roosevelt
92130 Issy-Les-Moulineaux

The reproduction in part or in full of this document, and of the associated trademarks and logos, without the written permission of Microsoft France, is forbidden under French and international law applicable to intellectual property.

MICROSOFT EXCLUDES ANY EXPRESS, IMPLICIT OR LEGAL GUARANTEE RELATING TO THE INFORMATION IN THIS DOCUMENT.

Microsoft, Azure, Office 365, Dynamics 365 and other names of products and services are, or may be, registered trademarks and/or commercial brands in the United States and/or in other countries.