Streamlining GDPR Compliance With ROPAs, Data Flow Maps and DPIAs

A GDPR one-stop shop

Few people like spreadsheets. Fewer still like multiple spreadsheets.

Similarly, few people enjoy complex compliance, with documentation scattered in many places, giving you a headache when anything GDPR (General Data Protection Regulation) crops up. That needn’t even be an investigation or audit – a data subject simply exercising their rights might already cause problems.

One way to streamline GDPR compliance is to make your ROPAs (records of processing activities) a focal point.

Another is to look at your ROPAs together with data flow maps and DPIAs (data protection impact assessments).

DPO (data protection officer) and data privacy trainer Andy Snow explains how to simplify and streamline GDPR compliance, using ROPAs as a starting point, which lead into data flow mapping and DPIAs.

This blog also covers how to automate GDPR compliance.

In this interview

Records of processing activities

Data flow mapping

Data protection impact assessment

Bringing ROPAs, data flow maps and DPIAs together

How to automate GDPR compliance

Records of processing activities

Previously, we discussed ROPAs. One practical tip you gave was to first list all processing activities before adding lots of data points.

Another tip was to consider your ROPA a ‘one-stop shop’ – having all your information in one place. Could you elaborate?

ROPAs are a single place for you to understand your processing activities. And not just you – other stakeholders, too.

Suppose that the ICO [Information Commissioner’s Office] audits you. The first thing the regulator will likely ask for are your Article 30 ROPAs. If the ICO then wants to know, say, what lawful basis you’re relying on, they can see it right there, in that ROPA.

Your ROPA should already have a column for lawful basis. Plus, if that lawful basis is legitimate interests, you could then add columns for:

A brief outline of that legitimate interest; and

A hyperlink to your LIA [legitimate interests assessment], proving the validity of that legitimate interest.

On the other hand, if your lawful basis is consent, you could also have a column that hyperlinks to evidence of that consent:

When and how did the data subject give their consent?

What information did you give them at the time?

What withdrawal mechanism do you use?

And so on.

Again, the ROPA should be a document someone can look at and get an immediate overview of:

All your processing activities; and

All the risks associated with them.

What sort of risks are you referring to here? And how can a ROPA give an overview of them?

The risks the GDPR always focuses on – risks to the rights and freedoms of data subjects.

As to how a ROPA provides an overview – you should have columns that indicate:

How you’re processing and securing the personal data, using appropriate technical and organisational measures;

What Article 6 lawful basis you’re relying on and, for special category data, Article 9 exemption;

How you’re meeting the Article 5 data protection principles;

What data subject rights are applicable;

Whether international transfers are taking place, what mechanism you’re relying on to legally transfer personal data to a third country, and how you’re securing those transfers; and

The level of risk of the processing activity, and if the risk is high, that you’ve performed a DPIA, with a link to that assessment.

The GDPR doesn’t require you to include all this in your ROPA, but this list does reflect the Regulation’s requirements, and the ROPA provides a convenient means of showing that you’re complying with them.

Collecting this data in your ROPA also gives a simple, clear overview of these data points, which in turn gives you a much clearer picture of your risks.

Data flow mapping

Let’s dig into what you said about “how you’re processing and securing the personal data”. What would that look like in a ROPA?

You’d have a group of columns in your ROPA that look something like this:

You can also add columns for implemented security measures, including information on encryption. For instance, you might have a drop-down menu with items like:

Pseudonymisation

Anonymisation

Encryption

Plaintext

You could also add details on the specific encryption protocol, particularly if your organisation uses more than one.

And you then feed this information into a data flow map?

Correct, but a data flow map also takes things further. It visualises the data flows, so you can easily see:

Which departments are using what data; and

The risks your data might be subject to.

For example, if your data flow map shows you’re storing a lot of personal data in Cloud-based databases, have you implemented appropriate access control?

The nature of the Cloud is that you can access it from anywhere with an Internet connection, so restricting access is vital, particularly if staff work remotely. If your employees are also based internationally, ensure you’re meeting local laws as well as the UK GDPR requirements.

Another thing to pay attention to is configurations – you don’t want to inadvertently make your database publicly available, so did you configure it properly?

So, your data flow maps help organisations secure their personal data?

Yes. Because data flow maps show you where you’re storing, processing and transmitting personal data, you have a clear idea of where your security risks are.

Plus, it clearly shows who’s using the data, telling you whom to talk to in order to better understand and address those risks. Not to mention that this mapping exercise will highlight data you might be collecting but not using, in which case you should destroy it to:

Meet your GDPR requirements [e.g. the data minimisation principle];

Reduce the risks [the impact of a data breach]; and

Save you money [storage costs].

Want to learn more about how to create a data flow map?

Our free green paper gives detailed information on what to include, mapping techniques, workflow inputs and outputs, and a step-by-step guide on how to map your data:

Page 5 from Data Flow Mapping Under the GDPR

Data protection impact assessment

You previously suggested using ROPAs in conjunction with tools like DPIAs, and that creating detailed ROPAs will help conduct DPIAs and risk assessments further down the line. Could you elaborate?

I see all three – ROPAs, data flow maps and DPIAs – as tools to help you understand your processing activities.

When it comes to Article 30, I don’t look at the ROPAs in isolation. Rather, the three activities together enable you to demonstrate accountability and compliance with Article 30.

But the focus of each tool is different, of course. For instance, DPIAs revolve around risk – the idea is that you only need to conduct a DPIA if the processing presents a high risk to the rights and freedoms of data subjects.* Which you then look to treat, to reduce that risk to an acceptable level.

*It’s also worth checking Article 35(3) of the GDPR for specific examples that constitute high-risk processing, as well as the list of examples on the ICO website and the Article 29 Working Party guidelines (endorsed by the EDPB).

How can organisations track their risks?

Specific to risks relevant to the GDPR, again, you can create a group of columns in your ROPA to track key data points. This might look something like this:

Depending on your needs, you may want to use slightly different columns, but I recommend tracking your risks in your ROPAs, as this takes advantage of the fact you’ve listed out all your processing activities. In effect, those records are your asset register – a key element to an asset-based risk assessment.

You can further simplify things by using colour-coding for your risks, indicating which do and don’t require further action. You can also use Excel formulas to automate certain columns, or even use dedicated software to fully automate the process.
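As an added illustration of the two groups of columns described above (the lawful basis, security, transfer and risk columns, and the risk-tracking columns just mentioned), the Python script below treats a ROPA register exported as CSV and applies the consistency checks those columns imply: a legitimate-interests basis should link to an LIA, consent should link to evidence of that consent, special category data needs an Article 9 condition, an international transfer needs a recorded transfer mechanism, and a high-risk activity should link to its DPIA. It then colour-codes each activity red or green, mirroring the colour-coding suggested above. This is example code written for this page, not part of the interview and not code from CyberComply or any other product; the column names, the sample rows and the extra rule that flags special category data recorded as stored in plaintext are assumptions made for the example.

```python
"""Illustrative ROPA register lint (added example, not from the interview).

Column names, sample rows and the exact rules are assumptions for the
example; adjust them to match the columns in your own ROPA.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample register, one row per processing activity (not real data).
SAMPLE_ROPA_CSV = """\
activity,lawful_basis,special_category,art9_condition,lia_link,consent_evidence_link,security_measure,transfer_outside_uk,transfer_mechanism,risk_level,dpia_link
Payroll,contract,no,,,,encryption,no,,low,
Marketing newsletter,consent,no,,,,pseudonymisation,no,,low,
Customer analytics,legitimate interests,no,,,,plaintext,yes,,high,
Occupational health records,legitimate interests,yes,employment law,https://example.invalid/lia/oh,,encryption,no,,high,https://example.invalid/dpia/oh
Website cookies,consent,no,,,https://example.invalid/consent/cookies,plaintext,yes,IDTA,medium,
Staff wellbeing survey,consent,yes,,,https://example.invalid/consent/wellbeing,plaintext,no,,medium,
"""


@dataclass(frozen=True)
class Finding:
    activity: str
    rule: str
    detail: str


def lint_row(row: dict[str, str]) -> list[Finding]:
    """Apply the consistency rules to one processing activity (one CSV row)."""
    act = row["activity"]
    basis = row["lawful_basis"].strip().lower()
    special = row["special_category"].strip().lower() == "yes"
    findings: list[Finding] = []

    if basis == "legitimate interests" and not row["lia_link"]:
        findings.append(Finding(act, "missing-lia",
                                "lawful basis is legitimate interests but no LIA is linked"))
    if basis == "consent" and not row["consent_evidence_link"]:
        findings.append(Finding(act, "missing-consent-evidence",
                                "lawful basis is consent but no consent evidence is linked"))
    if special and not row["art9_condition"]:
        findings.append(Finding(act, "missing-art9-condition",
                                "special category data without an Article 9 condition"))
    # Assumed rule for this example: special category data recorded as stored
    # in plaintext is flagged for review of the security measures.
    if special and row["security_measure"].strip().lower() == "plaintext":
        findings.append(Finding(act, "plaintext-special-category",
                                "special category data recorded as stored in plaintext"))
    if row["transfer_outside_uk"].strip().lower() == "yes" and not row["transfer_mechanism"]:
        findings.append(Finding(act, "missing-transfer-mechanism",
                                "international transfer without a recorded transfer mechanism"))
    if row["risk_level"].strip().lower() == "high" and not row["dpia_link"]:
        findings.append(Finding(act, "missing-dpia",
                                "high-risk processing without a linked DPIA"))
    return findings


def lint_register(csv_text: str) -> list[Finding]:
    """Lint every row of a ROPA register held as CSV text."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.extend(lint_row(row))
    return findings


def rag_status(csv_text: str) -> dict[str, str]:
    """Colour-code each activity: red if any rule fires, green otherwise."""
    return {row["activity"]: ("red" if lint_row(row) else "green")
            for row in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for finding in lint_register(SAMPLE_ROPA_CSV):
        print(f"[{finding.rule}] {finding.activity}: {finding.detail}")
    for activity, colour in rag_status(SAMPLE_ROPA_CSV).items():
        print(f"{colour:5} {activity}")
```

To use it against your own register, export the ROPA sheet as CSV and pass its text to lint_register in place of SAMPLE_ROPA_CSV; the rules are deliberately kept as simple equality and empty-cell checks so they can be adjusted to your own column names or reimplemented as spreadsheet formulas.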

Need guidance on how to conduct a DPIA?

Check out our free PDF download, which explains DPIAs in much more detail, including when and how to conduct one.

Our free guide includes this DPIA flowchart on page 5.

Bringing ROPAs, data flow maps and DPIAs together

Let’s wrap things up. Where do organisations begin with GDPR compliance?

With their ROPAs. If you don’t have a clear overview of your processing activities, it becomes virtually impossible to meet your other legal requirements.

It’s akin to implementing cyber security without a risk assessment – if you don’t know what your threats and vulnerabilities are, you can’t implement cyber defences effectively.

Compiling your ROPAs tells you what personal data you’re processing, along with how, why, when and by whom. Just those basics make for a decent start to compliance.

In time, you can add columns – data points not listed in Article 30 but that are mentioned elsewhere in the GDPR, or that reflect good practice, like data flow maps. That includes information about DPIAs, as well as information about lawful basis, applicable data subject rights, and so on.

Take GDPR compliance one step at a time, using your ROPAs as your base.

About Andrew Snow

Andrew ‘Andy’ Snow is a GDPR DPO with extensive public- and private-sector experience in regulatory compliance, privacy compliance framework development, and other areas relating to data protection.

He’s also an enthusiastic data privacy and cyber security trainer, consistently receiving high praise from course attendees – in particular, for his engaging delivery style and plethora of real-life examples.

Previously, we’ve interviewed him about GDPR ROPAs, GDPR Article 28 contracts and the UK–US ‘data bridge’ (Data Privacy Framework).

Automate GDPR Article 30 compliance

Are you ready to revolutionise your approach to privacy compliance?

Look no further than CyberComply – a powerful multi-framework platform designed to automate compliance activities.

No matter your size or sector, CyberComply empowers you to meet and exceed your compliance obligations:

Map your data flows like an expert.

Automate GDPR Article 30 ROPA creation.

Efficiently and consistently manage DPIAs and DSARs (data subject access requests).

Manage data breaches quickly, visibly and effectively. Limit the potential damage by accelerating your incident response.

Get full access to our GDPR Documentation Toolkit, containing more than 50 customisable, GDPR- and DPA 2018-compliant templates, saving you time and money.

Centralise your compliance activities to significantly reduce human error and save on implementation costs – leverage automated tools and streamlined processes today.

Don’t take our word for it

Here’s what our customers say:

Nikolaus:

CyberComply is an easy and reliable platform to use to fulfil the compliance objectives.

Data Mapping can be connected with the related Data Protection Impact Assessment on one platform.

With the increasing demand for data security, we are happy to have this tool.

Felipe:

CyberComply was sourced for being a one stop all in one product we needed for our compliance and data security needs.

Its easy-to-use nature, backed up with a sterling set of consultants who maintain it and align to current security frameworks, has made our journey much easier to transition.

It’s also removed our need and reliance on spreadsheets, whilst presenting one single source of truth for all our risks and data protection needs.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.

Alternatively, explore our full index of interviews here.

The post Streamlining GDPR Compliance With ROPAs, Data Flow Maps and DPIAs appeared first on IT Governance UK Blog.
