CNIL published this week a useful guide for all organisations that are thinking about starting to prepare for GDPR compliance but are asking themselves "where to start?". The French DPA created a dedicated page for the new "toolkit", detailing each of the six proposed steps towards compliance and also referring to available templates (such as a template for the Register of processing operations and a template for data breach notifications - both in FR).
According to the French DPA, "the new 'accountability' logic under the GDPR must be translated into a change of organisational culture and should put in motion internal and external competences".
The six steps proposed are:
- Appointing a "pilot"/"orchestra conductor" [n. - metaphors used in the toolkit], famously known as "DPO", even if the controller is not under the obligation to do so. Having a DPO will make things easier.
- Mapping all processing activities (the proposed step goes far beyond data mapping: it refers to the processing operations themselves, not only to the data being processed, and it also covers cataloguing the purposes of the processing operations and identifying all sub-contractors relevant to the processing operations).
- Prioritising the compliance actions to be taken, using the Register as a starting point and structuring the actions on the basis of the risks the processing operations pose to the rights and freedoms of the individuals whose data are processed. Such actions could be, for instance, making sure that only the personal data necessary to achieve the envisaged purposes are processed, or revising/updating the Notice given to the individuals whose data are processed (Articles 12, 13 and 14 of the Regulation).
- Managing the risks, which means conducting DPIAs for all envisaged processing operations that may potentially result in a high risk to the rights of individuals. CNIL mentions that the DPIA should be done before collecting personal data and before putting the processing operation in place, and that it should contain a description of the processing operation and its purposes; an assessment of the necessity and proportionality of the proposed processing operation; an estimation of the risks posed to the rights and freedoms of the data subjects; and the measures proposed to address these risks in order to ensure compliance with the GDPR.
- Organising internal procedures that ensure continuous data protection compliance, taking into account all possible scenarios that could intervene in the lifecycle of a processing operation. The procedures could refer to handling complaints, ensuring data protection by design, preparing for possible data breaches and creating a training program for employees.
- Finally, and quite importantly, documenting compliance. "The actions taken and documents drafted for each step should be reviewed and updated periodically in order to ensure continuous data protection", according to the CNIL. The French DPA provides a list of documents that should be part of the "GDPR compliance file", such as the Register of processing operations and the contracts with processors.
While this guidance is certainly helpful, it should be taken into account that the only EU-wide official guidance is that adopted by the Article 29 Working Party. For the moment, the Working Party has published three Guidelines on the application of the GDPR - on the role of the DPO, on the right to data portability and on identifying the lead supervisory authority. The Group is expected to adopt guidance on Data Protection Impact Assessments during its next plenary.