Case Studies

The organisation defines a clear Data Protection strategy that is reflected in policies and procedures and in the roles and responsibilities assigned to the organisation’s processing activities.

Governance Overview
An organisation should ensure that roles and responsibilities are assigned to the organisations processing activities. Many organisations will be required to appoint a Data Protection Officer and will need Data Protection Champions/Teams in place to ensure that compliance requirements are met. It is necessary to ensure that the registration requirements with the applicable Supervisory Authorities are completed.

Fort Privacy provides the following services under the governance category:

• Outsourced Data Protection Officer
• Selection and management of Data Protection Teams.
• Advice on the right governance structure for organisations
• Support services for in-house DPOs
• Supervisory Authority Registrations

Governance related Articles of the GPDR

Article 5, Article 24, Articles 37-39, Article 40;

The ability to demonstrate compliance and account for all data processing activities

Accountability Overview

Demonstration of compliance with Ddata Pprotection legislation is a key compliance requirement. Organisations should be able to account for all data processing activities.

Appropriate measures such as records of processing activities, activity logs, training logs, audits and risk registers should be in place to demonstrate compliance.

Accountability related Articles of the GPDR

Article 5, Article 24-25, Article 28, Article 30, Article 32, Article 35, Articles 40-43; Recitals: 69, 74, 78, 81, 82, 84, 85, ; Oversight of Remedies, liability and penalties. Articles 77-84.

The organisation provides clear statements to data subjects and communicates all required information about its’ processing activities

Transparency Overview

It should be clear and transparent to individuals that personal data concerning them is collected, used, transferred or otherwise processed and to what extent the personal data will be processed. Communications relating to the processing of personal data should be concise, transparent, easily accessible and easy to understand. 

Compliance is achieved in this category through Data Protection Statements, Cookie management activity and other notices. 

Transparency related Articles of the GPDR

Article 5 (a), Article 12, Article 13, Article 14, Article 24, Article 26; Recitals 39, 58, 60, 71, 78, 97, 100;

The organisation discloses personal data outside the organisation only for the purposes identified and has all required transfer mechanisms in place.

Data Transfer Management Overview

Where an organisation transfers personal data to another organisation the transfer should be consistent with the purpose of processing and an appropriate transfer mechanisms should be in place.   These come in the form of Data Processing Agreements, Standard Contractual Clauses and Binding Corporate Rules.

To meet compliance requirements due diligence should be completed on suppliers to ensure that adequate safeguards are in place for the transfer and processing of the personal data.

Data Transfer Management related Articles of the GDPR

Articles 13-15, Articles 28-30, Article 32, Articles 44-50;

The organisation ensures it can identify a reliable lawful basis for each processing activity

Legal Basis Overview

An organisation must ensure that it identifies a reliable lawful basis for each of its processing activities. Data protection legislation sets out a number of legal grounds for processing personal data. Each processing activity must have a sound legal basis. 

Special Category Data requires an additional legal ground to be identified for that processing activity.

Legal Basis related Articles of the GPDR

Article 5 (1) (a), Article 6, Article 7, Article 8, Article 9, Article 10

The organisation documents and implements policies and procedures for reporting and managing personal data breaches.

Data Breach Management Overview

An organisation should document robust policies and procedures for identifying, reporting and managing personal data breaches. Failure to do this can come at a huge cost to an organisation. 

Data Breach Management related Articles of the GPDR

Article 33 and Article34.

The organisation manages the security of personal data and of systems that it uses to process the personal data

Security Overview

Organisations must manage the security of personal data and the systems that it uses to process the personal data. The technical and organisational measures deployed should be appropriate to the processing activities being undertaken by an organisation.

Key to compliance with this category is the implementation of robust policies and procedures that are embedded in practice. Documented Technical and Organisational measures should be in place. This is an invaluable compliance activity that can help you demonstrate to your customers that you are operating in compliance with the GPDR

Security related Articles of the GPDR

Article 32, Article 28

Policies and processes are in place to facilitate and respond to data subjects who invoke their rights

Data Subject Rights Management Overview

Data Protection legislation provides certain rights for individuals whose personal data is collected, used, transferred or otherwise processed. These include

• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object to processing
• the rights in relation to automated decision making and profiling

The most commonly used right is the right of access. Robust data subject access requests policies and procedures are crucial for most organisations to meet compliance requirements.

Data Subject Rights related Articles of the GPDR

Articles 12-23;

The organisation manages personal data processing activities to ensure consistency with the principles of purpose limitation, data minimisation, accuracy and storage limitation.

Data Management Overview

Organisations should manage personal data processing activities to ensure consistency with the data protection principles of 

• Purpose Limitation - personal data should only be used for the purpose with which it was collected
• Data Minimisation- only personal data required for the purpose should be processed
• Accuracy- all personal data should be accurate and up to date
• Retention- personal data should only be kept for as long as necessary for the purpose

Many organisations struggle with managing the retention of personal data. The approach to this should be systemic starting with the legal basis for processing.   Compliance activities for Data Management include documenting a record retention schedule for all processing activities and ensuring this is implemented.

Data Management related Articles of the GPDR

Article 5 (1) (b) "Purpose Limitation", Article 5 (1) (c) "Data Minimisation", Article 5 (1) (d) "Accuracy", Article 5 (1) (f) "Storage Limitation"

The organisation provides and implements a framework for data protection change management

Change Management Overview

Organisations should implement a framework for managing changes to  processing activities giving full consideration to data protection. This includes the implementation of Data Protection Impact Assessments (DPIA) to assess the impact a change in process could have. These assessments can serve to underpin the decision to implement the change. 

DPIAs are a legal requirement under the GDPR in many cases and even where they are not strictly necessary they are an invaluable exercise that assesses the processing activity to (i) assess it is a viable processing activity and (ii) to ensure all necessary compliance requirements are in place before the processing proceeds

Change Management Articles of the GPDR

Article 35, Article 25