
Guide to getting your processes ready for GDPR

By Søren Pommer
Last updated on 13/10/2024

On May 25, 2018, the new EU data regulation (GDPR) will be effective for all companies operating in any EU member state. The impact is already massive. Every company must be ready to capture consent, transfer customer and employee data to third parties and be able to prove that they manage personal data effectively. This GDPR guide will teach you how to get your processes ready for this.

The main impact comes from the fact that the GDPR shifts the burden of proof to the company. What does this mean in practice? Imagine that you’re driving on a country road. All of a sudden, a policeman pulls you over. Now, he asks you to prove that you didn’t drive faster than you should have during all of last year! This may sound absurd, but with the new EU regulation this is what we all need to do. You need to demonstrate that you follow the rules. It’s not up to the regulatory authorities to prove that you are in compliance! As a result, the burden of proof is on your organisation. Fortunately, this GDPR guide will cover everything you need to know.

Penalties for non-compliance pose significant risks to your organisation

GDPR will have a large impact on organisations that have not described their processes and have not documented how they follow those processes. If they can’t, then they risk fines of up to €20 million or 4% of their annual turnover – whichever is the highest. In addition, regulatory authorities may even forbid violators to manage any personal data. So, this is clearly a risk that you must manage. The question is how? I’ve written this guide to prepare our own activities and thought it would be worth sharing.

This GDPR guide seeks to answer the questions that we had when starting out

This GDPR guide seeks to answer the five questions that I found myself asking when Gluu first started getting ready for this:

  1. What is the scope of this new GDPR regulation?
  2. When is your organisation a data controller and when is it a processor?
  3. What are the main requirements that we must adhere to?
  4. What checks confirm that we meet the requirements?
  5. How do we start?

Table of Contents

Checklists for the six main GDPR requirements
1. Obtain lawful consent from each individual
2. Document all personal data related processes
3. Report on personal data breaches
4. Risk analysis
5. Privacy-by-design
6. Portability

How do you start?
Analyse our current state
Map any missing processes
Analyse and close gaps in relation to GDPR requirements
Prepare control system
Prepare operations

Further reading


Introduction to this GDPR guide

First to some basics.


What does the new EU data regulation cover?

The GDPR covers all personal data. Personal data is any information held about individuals: everything from the IP address of a consumer to the address details of an employee. The EU regulatory site states it like this:

“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

So as you can see the scope varies with your business model. In our case, we’re selling an online platform to businesses, so we have no personal data on private individuals. To decide on where to start, we made the following priority list:

  1. Data on our customers’ employees within the Gluu platform.
  2. Sales and marketing data on our customers’ employees (in our CRM system).
  3. Data on our own employees.

These priorities helped us to decide which processes to look at first.

When is your company a “data controller” and when is it a “data processor”?

The regulation differentiates between the parties that are responsible for the data and the ones that are merely storing and/or processing it.

“A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.” – EU regulatory site

In our case, we’re our own data controller for our own employees and for sales and marketing data related to specific individuals in our CRM system. In relation to the data on our platform, we’re a data processor and our actions are governed by Data Processor Agreements that we have with customers.

To some, GDPR is just another process compliance challenge

With the scope clear, we needed to understand the work ahead of us. At Gluu we already have to comply with quality and development requirements, so in that sense the GDPR is just another compliance area to add to our management system. However, this management system lives within our own Gluu platform, and it already states how we operate (process hierarchy, diagrams and work instructions) and measures that we comply with it (through automatic tasks and change recording).

To a normal management system (that may cover health and safety, quality and security) the GDPR adds the requirement that your organisation must:

  1. Document how it treats personal data,
  2. Ensure that its processes meet the GDPR requirements,
  3. Be able to report and prove that it does as it says.

In other words, you must have all necessary processes in place and be able to prove that you follow them.

So where does this leave your organisation?

Your situation – and your task ahead:

  1. No documented processes and no “process culture” at all: Start by making a process hierarchy where you focus on the processes that are likely to involve or impact personal data.
  2. An outdated quality management system with processes described in Word documents: Migrate and validate your processes into a format where you can easily involve all the necessary colleagues in discussing each activity.
  3. A fully operational “process-driven” management system with broad ownership and a good “process culture”: Go through all processes and mark any activities that may impact personal data. Revise your processes and activities in accordance with GDPR. Add any missing processes.

At Gluu we’re genuine “process-nerds” and we, therefore, found ourselves in the last group. However, the task has still been significant.

Checklists for the six main GDPR requirements

From a conference with the Danish law firm DAHL, and from reading white papers and checklists from international law firms, I made this list of the six main requirements facing us:

  1. Obtain lawful consent.
  2. Document all personal data related processes.
  3. Report on personal data breaches.
  4. Ongoing risk analysis.
  5. Privacy-by-design.
  6. Portability.

Each requirement is explained further below. I have also shared our own internal checklists that were made from recommendations found on the EU GDPR site and various law firms recommended there.

1. Obtain lawful consent from each individual

You may no longer be able to use a long “terms and conditions” document where each individual ticks a box to confirm that he or she has read it. The EU GDPR site states it like this:

“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt-in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.”

With this in mind and input from lawyers we created this checklist:

2. Document all personal data related processes

“If your data treatment could impact the security of personal data – and this is collected systematically – then you need to document all data treatment activities.” I read this as the need to ensure proper documentation of many processes within Marketing, Product Management, HRM and IT Operations.


This is the checklist that we created – split into our responsibilities as Data Controller and as Data Processor:

Data controller responsibilities:

Data Processor responsibilities:

3. Report on personal data breaches

The Data Controller must ensure that the right technical and organisational tools and processes are in place to ensure that personal data is handled in accordance with the regulation. This includes safeguarding and protecting personal data.

Importantly, the data responsible party must be able to provide proof that data is treated in accordance with the regulation.

For Gluu this means that when we act as Data Processors on behalf of our customers, then we must ensure that they can meet this requirement fully and with ease – for any data stored on the Gluu platform.

Specifically, this is important when it comes to information security. Article 33 covers the requirement that all security breaches that affect the security of personal data must be documented.

Documentation shall include:

The data responsible party must report the breach to the regulatory authority within 72 hours of becoming aware of it.

Again, we followed a checklist:


4. Risk analysis

Ongoing risk assessment is important to comply with GDPR.

It is of utmost importance that you complete a risk analysis when considering implementing new technologies that could impact the security of personal data. An example of risk assessment of new technology is screening and “what-if” questions.

This is the checklist:

5. Privacy-by-design

Data controllers must ensure that their systems and processes are designed with privacy in mind, so that the GDPR requirements are built into them from the start.

This is the checklist for process design:

6. Portability

Article 20 states that the registered individual has a right to receive the data that he/she has given to the data responsible party. This data must be provided in a structured, commonly used and machine-readable format, so that it can easily be transferred to other organisations.

This is the checklist for portability:

How do you start?

Now you have outlined all of your requirements and listed their checkpoints. The next step in our GDPR guide is to look at how and where you start.

With our above checklists as the starting points we identified the following main tasks:

1: Analyse our current state

Before we started, we analysed our maturity in relation to personal data and processes. This helped to clarify where to focus and gave us a starting point for the work. We used the Danish government tool “Privacy Compass” to do this gap analysis.

2: Map any missing processes

We identified and mapped the remaining data privacy-related processes. This mapping included the affected data flows and IT systems.

3: Analyse and close gaps in relation to GDPR requirements

We filled in a data form per activity (in each process) that involves personal data. This step allowed us to identify gaps against the requirements and to close them.

4: Prepare control system

We prepared a GDPR control system in Gluu for our users’ personal data. To do this, we set up recurring tasks to ensure that we follow up correctly. In addition, we document the follow-ups for simple and easy reporting.

5: Prepare operations

Finally, we ran some tests to ensure that we could report properly. For instance, if there was a data breach could we then show exactly which activities that involved personal data and were affected by this?
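As an added illustration of steps 2 to 5 (this is example code written for this guide, not Gluu’s own platform or tooling), the snippet below keeps a small register of processing activities, mapped to the processes, IT systems and personal-data categories they involve. From that register it answers the questions the steps above raise: which activities need a data form at all, which of them still lack a documented lawful basis (a gap to close), and, when a given system is breached, which activities and data categories were affected and by when the authority must be notified under the 72-hour rule. All activities, system names, categories and timestamps are constructed sample data, and the `Activity` fields are my own assumed structure for such a register.

```python
"""Added example for the GDPR guide, not Gluu's code: a minimal register of
processing activities and the three checks the guide's steps call for.
Every activity, system and timestamp below is constructed sample data."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Activity:
    process: str             # the process this activity belongs to
    name: str
    systems: tuple           # IT systems the activity stores data in
    data_categories: tuple   # personal-data categories handled; empty = none
    role: str                # "controller" or "processor" for this data
    lawful_basis: str = ""   # e.g. "consent", "contract"; empty = undocumented


# Step 2: constructed register mapping processes -> activities -> systems/data.
REGISTER = [
    Activity("Sales", "Log lead in CRM", ("crm",), ("name", "email"),
             "controller", "consent"),
    Activity("HR", "Onboard employee", ("hr-db",), ("name", "bank details"),
             "controller", "contract"),
    Activity("IT Operations", "Rotate TLS certificates", ("web",), (),
             "controller"),
    Activity("Product", "Store customer users", ("platform-db",),
             ("name", "email"), "processor", "contract"),
    Activity("Marketing", "Send newsletter", ("crm", "mailer"), ("email",),
             "controller"),  # lawful basis deliberately left undocumented
]

# Constructed detection time for the breach scenario in step 5.
BREACH_DETECTED_AT = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def personal_data_activities(register):
    """Step 3: only activities that handle personal data need a data form."""
    return [a for a in register if a.data_categories]


def missing_lawful_basis(register):
    """Step 3 gap check: personal-data activities with no documented basis."""
    return [a.name for a in personal_data_activities(register)
            if not a.lawful_basis]


def breach_impact(register, affected_systems, detected_at):
    """Step 5: which personal-data activities a breach of the given systems
    touches, which categories are exposed, whether customers must be told
    (because we act as processor for them), and the 72-hour notification
    deadline counted from the moment the breach became known."""
    hit = [a for a in personal_data_activities(register)
           if set(a.systems) & set(affected_systems)]
    return {
        "activities": [a.name for a in hit],
        "categories": sorted({c for a in hit for c in a.data_categories}),
        "notify_customers": any(a.role == "processor" for a in hit),
        "notify_authority_by": (detected_at + timedelta(hours=72)).isoformat(),
    }


if __name__ == "__main__":
    print("Activities still lacking a lawful basis:",
          missing_lawful_basis(REGISTER))
    print("Impact of a CRM breach:",
          breach_impact(REGISTER, ["crm"], BREACH_DETECTED_AT))
```

The register is intentionally the unit of reporting: because each activity records its systems and data categories, the breach query is a filter over the same data that the gap check and the data forms use, so the answer to “which activities were affected?” is never assembled by hand under time pressure.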


References:

The ISO 29134 standard
The ISO 27001 standard

Frequently Asked Questions

What are the penalties for non-compliance with GDPR, and how rigorously are they enforced?

The penalties for non-compliance with GDPR can be quite severe. Businesses that violate its terms can face fines up to €20 million or 4% of the company’s global annual turnover, whichever is higher. The enforcement of these penalties is carried out by the data protection authorities within each EU country, who are diligent in ensuring that businesses are in compliance with the regulation. In fact, since the introduction of GDPR, there have been numerous high-profile cases of non-compliance leading to significant fines. Therefore, compliance should be taken seriously.

How does GDPR apply to businesses outside of the European Union, specifically those who might indirectly deal with EU residents’ data?

Even though GDPR originated as an EU regulation, it holds global significance. Any business that processes personal data of EU residents must comply with GDPR, regardless of its location. Any business located outside the European Union must adhere to GDPR if it collects, stores, or transacts with personal data that belongs to EU residents. If a business engages in large-scale data processing, it must also appoint a representative within the EU. This representation guarantees that data protection authorities and individuals can communicate their concerns or requests directly.

What practical steps can a business take to make their data processing activities transparent to their customers, in accordance with GDPR?

To enhance transparency with their customers in line with GDPR, businesses can adopt various practical measures. First, they can revise their privacy policies to make the language more understandable. Second, businesses should incorporate data protection considerations in all phases of their projects. Offering customers the ability to access, modify, or download their data is another important step. Also, customers should be promptly notified about any data breaches. Lastly, appointing a Data Protection Officer can help to provide a clear communication channel for customers who have queries or concerns about data processing activities.
