The answer to the problem of superficial compliance is to develop a more continuous view of how the processing of personal data complies with the GDPR, and in particular to mitigate the risk to the data subject by establishing near real-time risk management with strong and effective continuous monitoring and response processes.
Continuous monitoring will enable the DPO to be involved, properly and in a timely manner, in all issues relating to the protection of personal information, and to track progress in maintaining complete records of processing activities, investigating complaints and responding to information requests.
Continuous monitoring is most effective when it coordinates its activities with the responsibilities of operational staff, enables regular status updates on the safeguards implemented to protect the fundamental rights and freedoms of natural persons, and ensures that the processing of personal data complies with the GDPR.
Where a data protection impact assessment indicates that processing operations involve a high risk, continuous monitoring will track the status and effectiveness of the measures taken by the controller to mitigate the risk, taking into account available technology and the costs of implementation, or alternatively confirm that the supervisory authority was consulted prior to the processing.
The output of a strategically designed and well-managed organisation-wide GDPR monitoring program can be used to maintain an enterprise-wide profile of the status of data protection, and therefore of the level of risk at which the organisation operates, keeps the required processing information and processes personal data lawfully on an ongoing basis.
Seals and Certification
Building capability and demonstrating compliance with the GDPR cannot be done with checklists or a gap analysis. Effective processes with measurement-based outcomes are necessary, together with continuous monitoring of the specific compliance arrangements, continuous improvement and near real-time reporting.
Benefits of Continuous Monitoring
Continuous monitoring can be applied to each of the six sequential steps for integrating data protection and risk management processes. Continuous monitoring indirectly supports:
- Identifying and categorising personal data
- Selecting technical and organisational measures
- Implementing technical and organisational measures
- Assessing technical and organisational measures
- Authorising the processing of personal data
- Monitoring technical and organisational measures.
Sample measures for monitoring performance
- Percentage of processing of personal data not adapted to the principles and rules of the GDPR
- Number of exceptions to privacy management architecture standard
- Percentage of architectural domains that comply with GDPR obligations
- Percentage effectiveness of cyber security controls
- Existence, timeliness and completeness of data subject risk profiles.
Start with the GDPR obligations
As with every system development lifecycle, ensuring that the requirements analysis is done properly is the most important of all activities. If requirements are not valid and complete, all activity that follows will go in the wrong direction. Requirements analysis must begin with understanding the GDPR obligations and stating clearly which aspects the continuous monitoring program is intended to address. This requires true understanding of the organization’s business and operational processes and goals, as well as barriers (e.g. financial resources) to achieving these goals.
Identify the functions, processes and technical components that the continuous monitoring effort will depend upon, then develop appropriate performance metrics for those functions, processes, and technical and organisational measures.
Finally, the GDPR analysis must also elucidate how each technology and organizational arrangement, the physical environment, and any critical data gathered must be protected.