Starting a new processing activity involves a number of actions, which you should complete to satisfy yourself that personal data and other information are treated with due respect and appropriate safeguards.
Before we dive into the details, it is worth stressing that these actions should be carried out, or at least considered, before the processing begins. They are not one-off tasks, though: revisit them later to check that your initial assumptions still hold and that the processing remains lawful and secure.
Project Initiation
In this walkthrough the new processing activity involves procuring a product from a vendor. If your activity does not involve procurement, you can skip the vendor-related steps.
During this stage, define the aim of the project and the strategy for achieving it. Document every step of your research: it will serve as a reference point when you revisit your decisions later, and well-documented research is also what inspectors will ask to see.
Vendor Search
If at least one third-party vendor will be involved in the processing, finding the right one is essential. Do not be swayed by vendors who claim to be fully GDPR compliant without substantiating the claim with evidence of good governance.
Unfortunately, some vendors give nothing but a blanket response along the lines of "we are fully GDPR compliant". Compliance is an ongoing obligation rather than a state that can be declared complete, so it is hard to see how any vendor could confidently claim 100% compliance. Unless backed by evidence of good governance, such a statement usually indicates that the vendor does not fully understand their obligations.
Look for vendors who are willing to disclose their information security and data protection controls. GDPRiS customers can search and evaluate vendors easily using our supplier product directory.
Data Protection Impact Assessment (DPIA)
Any processing activity carries risks to the "rights and freedoms of data subjects" as well as wider information security risks. That is why conducting a Data Protection Impact Assessment (DPIA) should become second nature in your organisation; Article 35 GDPR makes one mandatory where the processing is likely to result in a high risk. Read our blog on What is a DPIA and why is it important.
The DPIA process helps you identify and mitigate risks (for example, choosing a vendor that supports single sign-on, or pointing a CCTV camera at a less intrusive angle), so that your decisions are informed ones. It may also reveal shortcomings of a particular vendor and steer you towards a different one.
DPIAs are often divided into a preliminary section of "screening questions", which determine whether the processing has inherent high-risk features (e.g. special category data, large-scale processing, international transfers). If such features are present, a second section, the "DPIA questionnaire", works through the specific risks so that you can consider possible mitigations.
Review the contract carefully
Ask to see the contract you will be entering into with the vendor. A Data Processing Agreement has to meet specific requirements (set out in Article 28(3) GDPR): it must clearly define the scope of the processing, give the processor documented instructions, and attribute the responsibilities under data protection law to each party.
Due diligence
Before entrusting your valuable (and sensitive!) data to a third party, perform due diligence to satisfy yourself that the likelihood of a breach caused by that organisation is low.
Study how the vendor presents itself in its sales collateral and security certifications (and check that the certification scope actually covers the service you are buying), and seek feedback on public specialist forums. You can also ask the vendor to respond to a security Request for Information (RFI) to gauge how seriously they take security. If they are reluctant, ask yourself whether they have something to hide.
The good news is that many vendors now have pre-built RFI responses or security whitepapers, which they will send you first in the hope of avoiding a bespoke response. That is fair, as long as their collateral answers the questions you actually need answered; if it does not, press for the gaps. Remember, protecting your data is of utmost importance.
Transfer Impact Assessment (TIA)
If you need to export personal data outside the EEA, the UK, or the handful of countries covered by adequacy decisions, you must consider the associated risks. India has no adequacy decision, so transfers there need a separate transfer mechanism. The US position is partial: the EU-US Data Privacy Framework (adequacy decision of July 2023) and the UK-US Data Bridge (in force from October 2023) allow exports to US organisations that have self-certified under the framework, with some constraints; transfers to any other US recipient still need another mechanism. Read more in our blog What's the score with international data transfers.
Undertaking a Transfer Impact Assessment (TIA; the ICO calls it a Transfer Risk Assessment, TRA) helps you assess and mitigate the risks of the transfer. The contract must also carry a valid transfer mechanism: for data subject to the EU GDPR, the European Commission's Standard Contractual Clauses (SCCs); for data subject to the UK GDPR, the ICO's International Data Transfer Agreement (IDTA) or its Addendum to the EU SCCs. You will almost certainly hold data of individuals in the EU at some point, so plan for both.
But be warned: the US mechanisms that preceded the Data Privacy Framework (Safe Harbor, then Privacy Shield) were both struck down by the Court of Justice of the EU, most recently in Schrems II (2020). The ICO has been quiet on the matter, but there is a real risk that a UK court would reach the same conclusions as the European ones, and that the current frameworks meet the same fate.
Lawful Basis and Records of Processing Activity (RoPA)
Your Records of Processing Activities (RoPA) are the central record in which you store and review information about every processing activity. Maintaining a RoPA is a requirement under Article 30 GDPR. It serves multiple purposes, helping you to:
- Find where you hold copies of data, in case you need to erase or rectify records
- Pull together the information needed for your privacy notices
- Provide evidence for audits and inspections
- Trace which connected systems a data breach could have flowed from (ingress) or into (egress)
- Review the impact of legal changes (e.g. the UK's Data Protection and Digital Information Bill, which proposes amendments to the UK GDPR and the DPA 2018)
Completing your RoPA forces you to answer questions such as: who is the controller? Who is the processor? What is the lawful basis, and how do I justify it? Who are the data subjects? What information am I processing? How is the data transferred? How and where is it stored, and for how long?
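The breach-impact and erasure questions above are only answerable if the RoPA records which system shares which data categories with which other system. As an added illustration (not code from the original post or from GDPRiS), here is how such data-flow records can be queried: which categories a breached system actually holds (including data that arrived from upstream), which systems a copy of its data has gone on to (so erasure and rectification requests reach them), and whether any Article 9 special category data is exposed. The systems, activities, categories and flows are constructed for the example, and the special category list is an assumption.

```python
"""Breach impact from RoPA data-flow records (constructed example, not from the page)."""
from collections import deque

# Constructed RoPA extract: hypothetical school systems and flows.
# Each record: the system that stores data for an activity, the categories
# it holds itself, and which categories it shares onward with which system.
ROPA = [
    {"activity": "Pupil records", "system": "MIS", "controller": "School",
     "lawful_basis": "Art 6(1)(e) public task",
     "own_data": {"name", "date_of_birth", "address", "SEN_status"},
     "shares_with": {"Catering": {"name", "date_of_birth"},
                     "LearningPlatform": {"name", "date_of_birth"}}},
    {"activity": "Cashless catering", "system": "Catering", "controller": "School",
     "lawful_basis": "Art 6(1)(b) contract",
     "own_data": {"meal_purchases", "card_balance"},
     "shares_with": {"Finance": {"name", "card_balance"}}},
    {"activity": "Online learning", "system": "LearningPlatform", "controller": "School",
     "lawful_basis": "Art 6(1)(e) public task",
     "own_data": {"grades", "login_email"},
     "shares_with": {"MIS": {"grades"}}},          # grades flow back: a cycle
    {"activity": "Payroll", "system": "Finance", "controller": "School",
     "lawful_basis": "Art 6(1)(c) legal obligation",
     "own_data": {"bank_account"}, "shares_with": {}},
]

# Assumed illustrative Article 9 categories; extend to match your own records.
SPECIAL_CATEGORY = {"SEN_status", "health", "religion", "ethnicity"}


def data_held(ropa):
    """Compute what each system actually holds:
    holds(v) = own(v) ∪ ⋃ (holds(u) ∩ shared(u→v)) over every inbound flow.
    Iterating to a fixpoint handles cycles such as MIS ↔ LearningPlatform."""
    holds = {r["system"]: set(r["own_data"]) for r in ropa}
    changed = True
    while changed:
        changed = False
        for r in ropa:
            for target, cats in r["shares_with"].items():
                holds.setdefault(target, set())
                incoming = holds[r["system"]] & cats   # only what the edge carries
                if not incoming <= holds[target]:
                    holds[target] |= incoming
                    changed = True
    return holds


def reachable(ropa, start, reverse=False):
    """Systems connected to `start` by following flows forwards (egress)
    or backwards (ingress). This is the connected-systems view; data_held()
    gives the precise category view."""
    edges = {}
    for r in ropa:
        for target in r["shares_with"]:
            src, dst = (target, r["system"]) if reverse else (r["system"], target)
            edges.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def breach_impact(ropa, breached):
    """Summarise what a breach of `breached` exposes and where copies went."""
    exposed = data_held(ropa).get(breached, set())
    return {
        "exposed_data": exposed,
        "special_category": exposed & SPECIAL_CATEGORY,
        "ingress_from": reachable(ropa, breached, reverse=True),
        "egress_to": reachable(ropa, breached),
    }


if __name__ == "__main__":
    for system in ("Catering", "MIS"):
        print(system, breach_impact(ROPA, system))
```

Note that the reachability view deliberately over-approximates: LearningPlatform is listed as an ingress source for Catering because its grades reach MIS, even though MIS never passes grades on to Catering. The fixpoint in `data_held` is what tells you the precise categories exposed, which is the number that goes into the breach notification decision.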
Maintaining structured RoPA records is, in our view, the best way to gain a comprehensive overview of your data protection governance, which is why GDPRiS offers a RoPA tool with pre-built templates specifically designed for the UK's EdTech industry, saving schools valuable time.
Sign-off
Once you've gathered all the relevant information and addressed any remaining risks to your organisation and your data subjects, it's time to seek sign-off from senior management and a recommendation from your Data Protection Officer (DPO). Their input and approval are crucial for the successful implementation of any processing activity.
Remember: the DPO has no operational responsibility in your organisation (the GDPR requires them to act independently and free of conflicts of interest). They can therefore neither mandate nor veto a given method. They can, and must, review the compliance aspects and are required to flag any flaws they find.
Privacy notice
In many cases a new processing activity will require you to update your privacy notice, or write a dedicated one. With the data already captured in the RoPA record for the product(s), this should be an easy task.
If you have chosen consent (GDPR Art 6(1)(a)) as the lawful basis, ensure that the consent individuals give meets the requirements: freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give.
You also need an appropriate way to record and manage consent (who consented, to what, when, how, and any withdrawal), because the controller must be able to demonstrate that consent was given.
Change management and implementation
Change management has many facets. One of the most important is that every change is documented together with its expected outcomes, and then tested against them.
For example, you may have stipulated that single sign-on (SSO) against your office suite's identity provider must be enabled, so that no access remains open after staff leave the organisation. Bear in mind that SSO only achieves this if local password logins to the product are disabled and existing sessions expire promptly, so test the leaver process rather than assuming it works. Or you may have mandated limits on the data that gets transferred, the modules enabled, the firewall ports opened, and so on. Set these expectations out in your change record, so that the implementers are clear about what they need to do.
Production and business as usual
Finally, it is time to start using the new system and run the process. Thanks to your careful planning there should be no fallout: no data subjects complaining, no data breaches and no uninformed staff (ever the optimist).
So, as you move forward, remember to refer back to our flow chart to guide you through the process. And always keep in mind that these steps can be revisited to ensure your assumptions remain valid and that the processing remains lawful and secure.
Of course, we are all human, and we live in a dangerous and complicated cyber-world. Incidents will happen. When they do, it is important to run a tidy incident response effort.