Key data privacy implementation components

Preparing your data privacy product for implementation

Data privacy is both a compliance requirement and a product: it is how you sell your trustworthiness to customers and consumers.

  • Data protection is a customer confidence builder
  • Effective data protection sets you apart from competitors
  • Demonstrate respect for personal data
  • Data protection can be a free, value-added product that benefits your organisation
  • Approach it with a positive attitude, and you will succeed

Think of data protection as a customer experience enhancing product

  • Data privacy and protection are customer confidence builders.
  • Effective data protection is something that sets you apart from competitors.
  • You demonstrate respect for personal data, which is something very positive.
  • Data privacy and protection create a value-added product that can only benefit your organisation.
  • Approach it with a positive attitude, and you will succeed.

Key data privacy implementation components

Organisation

Company

GDPR Privacy Notice company
The name of the organisation registered with the Supervisory Authority.

“All our owned and managed businesses and support areas fall under data privacy control.”

Components
  • Data Protection Policy
  • Personal Data Risk Appetite
  • Personal Data Governance
  • Change management process to maintain the Data Protection Policy
  • Change management process to maintain the Personal Data Risk Appetite and Governance
  • Personal data operating model
  • Organisation chart
  • Resources
  • Standards
  • Procedures
  • Training

Address

GDPR Privacy Notice company address
The address, telephone and central email of the company registered with the Supervisory Authority.

“We are registered and regulated by the [name of the Supervisory Authority].”

Components
  • Registration with the Supervisory Authority

Data Protection Officer

GDPR Privacy Notice Data Protection Officer
The address, phone and central email of the organisation’s Data Protection Officer.

“We have a Data Protection Officer who is responsible for compliance and giving help and advice.”

Components
  • Written justification for having or not having a DPO
  • If a DPO is justified, select, train and empower one
  • Responsible for Subject Access Requests
  • Responsible for data breach handling and notification
  • Responsible for the ICO relationship
  • Responsible for risk assessment and quality assurance (DPIAs)
  • Develops and implements the Data Protection Policy
  • Provides information and guidance on the processing of all personal data
  • Produces “best practice” guidance material for staff
  • Organises the delivery of staff training
  • Monitors compliance with the GDPR across the organisation
  • Reports directly to the Executive Board

Collection

Data use

GDPR Privacy Notice data use

How data is used and if it is used in automated decision making

“We maintain documentation about what personal data is needed and how it is used.”

Components
  • An inventory of personal data use and processing
  • A mechanism for maintaining the inventory
  • Digital and physical security measures
  • Digital and physical access permission measures
  • Data breach monitoring
  • Data breach response plan
  • Change management process to maintain the data breach response plan
  • Internal instructions to refer any material or suspected data breach to the DPO
  • Internal instructions to immediately refer all desired process changes to the DPO
  • Metrics gathering process to collate and send breach data to the DPO
  • An information security policy
  • Change management process to maintain the information security policy
  • Change management process to maintain security and access
  • Change management process to maintain business continuity
  • Change management process to maintain and embed quality into processing (DPIA results)
  • A recovery process to restore personal data to its pre-incident state promptly
  • Change management process to support data privacy texts in product and service contracts
  • Change management process to maintain data security and integrity for joiners and leavers

Legal bases

GDPR Privacy Notice legal basis

The legal bases you use for lawful processing

“We must ensure that the way we process data is documented and lawful.”

Components
  • An inventory of personal data use and processing
  • The selected legal basis for justifying each process
  • Contracts for all third parties from which personal data is received stating roles, responsibilities, accountability and liability
  • An inventory of these contracts showing parties, roles, responsibilities, accountability and liability
  • Change management process to maintain the legal bases
  • Change management process to maintain the contracts and contract inventory

Recipients

GDPR Privacy Notice personal data categories

Entity categories that will access or receive the personal data

“We maintain agreements with external entities to which we send/disclose personal data.”

Components
  • An inventory of personal data use and processing
  • The categories of people participating in each process
  • Contracts for all third parties that access or receive personal data stating roles, responsibilities, accountability and liability
  • An inventory of these contracts showing parties, roles, responsibilities, accountability and liability
  • Change management process to maintain participant categories
  • Change management process to oversee participant categories that are processors
  • Change management process to maintain the contracts and contract inventory
  • Change management process to maintain a list of who received personal data and what they received

Storage

Transfers

GDPR Privacy Notice company data transfers

The third countries where data will be stored, processed and transferred

“We have mechanisms in place that ensure personal data transfer and disclosure around the world is fully compliant.”

Components
  • An inventory of personal data use and processing
  • The third countries participating in each process
  • Contracts for all third parties in these countries stating roles, responsibilities, accountability and liability
  • An inventory of contracts showing parties, roles, responsibilities, accountability, liability and the chosen legal transfer control mechanism
  • A justification of the selected transfer control mechanism or derogation used as a legal basis for each data transfer
  • The selected transfer control mechanism or derogation we use as a legal basis for each data transfer
  • Change management process to maintain participant countries
  • Change management process to maintain the contracts and contract inventory
  • Change management process to maintain a list of who received personal data and what they received

Retention

GDPR Privacy Notice data retention

How long the personal data will be retained

“We must always make sure that we don’t retain data for longer than is required.”

Components
  • A retention and deletion policy
  • A retention and deletion schedule
  • Change management process to maintain the retention and deletion policy
  • Processes to ensure and verify that data is stored for no longer than is necessary
  • Processes to delete or destroy data when its retention period expires

Provision

GDPR Privacy Notice data collection

What happens if personal data isn’t provided

“We inform individuals about why we need their personal data and what we do with it.”

Components
  • A statement justifying processes that cannot be performed without personal data
  • A statement explaining the consequences of not supplying personal data

Rights

Consent

GDPR Privacy Notice consent

The right to transparency and to freely give and withdraw consent

“We are transparent and let individuals freely opt in and out of non-essential processes, e.g. getting newsletters.”

Components
  • Privacy Notices and communications are written in clear language that takes into account the comprehension skills of adults and children
  • Privacy Notices are disclosed in the local language
  • An output mechanism allowing the lawful disclosure of a Privacy Notice or communication
  • An input mechanism enabling the acknowledgement of Privacy Notice disclosure
  • An input mechanism enabling the receipt of consent and consent withdrawal for a clearly specified process
  • A mechanism to ask for further proof of identification to ensure that the consenting individual is the valid owner of the personal data
  • A mechanism to ask for additional proof of identification to ensure that the adult consenting on behalf of a child is the child’s actual parent or legal guardian
  • An inventory of Privacy Notices and communications showing what was sent, when it was sent and its acknowledgement
  • An inventory of freely given consent status (accepted/withdrawn) for consent-based processes
  • Change management process to maintain the Privacy Notice and communication text
  • Change management process to maintain the Privacy Notice inventory
  • Change management process to stop/start processing based on the consent status
  • Change management process to communicate the consent status to third parties who have received the data

Rights support

GDPR Privacy Notice personal data rights

The right to access, change, delete, restrict, object to, or request a copy of personal data

“We must respect the individual’s personal data rights at all times.”

Components
  • An inventory of each data subject’s personal data
  • Internal instructions to refer all rights access requests directly to the DPO
  • An input mechanism allowing the receipt of a rights request to access, change, delete, restrict, object or request a copy
  • A process to review the rights request and decide on an appropriate course of action
  • An inventory of rights requests showing when received, action taken, resolution, and communication back to the individual
  • A mechanism to allow the individual to view their personal data
  • A mechanism to ask for further proof of identification to ensure that the individual requesting action is the valid owner of the personal data or is legally empowered to enquire about personal data
  • A mechanism to implement the personal data changes or deletions requested by the individual
  • A mechanism to respect the restrictions and objections to processing requested by the individual
  • Change management process to stop/start processing based on the consent status
  • A mechanism to collate, create and send personal data to the individual or another entity
  • Change management process to communicate any changes, deletions, restrictions and objections to third parties who have received the data

Complaints

GDPR Privacy Notice complaints

The right to complain to a Supervisory Authority

“We understand that failure to respect an individual’s personal data rights may incur a formal complaint to a Supervisory Authority.”

Components
  • Open communication channel with the Supervisory Authorities
  • Immediate escalation channel to the Executive upon receipt of a complaint registered with a Supervisory Authority
  • Response plan in the event of a complaint
Data Protection Controls

Head Office

Calle de la Caléndula 93, Miniparc III, Edificio E, 28109, Alcobendas, Madrid, Spain

Call us

+34 915 553 975