Apart from referring to codes of conduct and certifications, the GDPR does not say much about how a Controller/Processor can demonstrate its compliance with the Regulation.
Fortunately, it is possible to draw on pre-existing documents or on positions taken by the Supervisory Authorities themselves.
The first document we can refer to is the OECD PRIVACY FRAMEWORK of 2013, which states:
PART THREE. IMPLEMENTING ACCOUNTABILITY
A data controller should:
a) Have in place a privacy management programme that:
i. gives effect to these Guidelines for all personal data under its control;
ii. is tailored to the structure, scale, volume and sensitivity of its operations;
iii. provides for appropriate safeguards based on privacy risk assessment;
iv. is integrated into its governance structure and establishes internal oversight mechanisms;
v. includes plans for responding to inquiries and incidents;
vi. is updated in light of ongoing monitoring and periodic assessment;
b) Be prepared to demonstrate its privacy management programme as appropriate, in particular at the request of a competent privacy enforcement authority or another entity responsible for promoting adherence to a code of conduct or similar arrangement giving binding effect to these Guidelines; and
c) Provide notice, as appropriate, to privacy enforcement authorities or other relevant authorities where there has been a significant security breach affecting personal data. Where the breach is likely to adversely affect data subjects, a data controller should notify affected data subjects.
After the GDPR was formally adopted, the UK Supervisory Authority published the document Overview of the General Data Protection Regulation (GDPR), which gives the following guidance:
How can I demonstrate that I comply?
You must:
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
  - Data minimisation;
  - Pseudonymisation;
  - Transparency;
  - Allowing individuals to monitor processing; and
  - Creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
You can also:
- Adhere to approved codes of conduct and/or certification schemes.
The French Supervisory Authority, in its guide on preparing for the GDPR, gives the following guidance:
Documenting compliance
Your file should include in particular the following elements:
- Documentation on your personal data processing operations
  - the record of processing activities (for controllers) or of categories of processing activities (for processors),
  - data protection impact assessments (PIA; see step 4) for processing likely to result in high risks to the rights and freedoms of individuals,
  - the framework for transfers of data outside the European Union (in particular standard contractual clauses or BCRs).
- Information provided to individuals
  - privacy notices,
  - templates for collecting the consent of data subjects,
  - the procedures put in place for the exercise of individuals' rights.
- Contracts defining the roles and responsibilities of the parties involved
  - contracts with processors,
  - internal procedures in case of data breaches,
  - evidence that data subjects have given their consent where the processing of their data relies on this legal basis.
Three points of view that are not exactly identical, but that are certainly of great help in defining concrete criteria to follow.