An Easter story: GDPR compliance

Apr 16, 2020

It was Easter Friday, all sunny and bright. Jamie was inside working on projects, making sure everything was right. He’d crossed all the boxes and ticked all the spaces, but to his surprise he found some Easter eggs under his desk, of all places. He opened them up and found his favourite chocolates, ranging from hazelnut and vanilla to crunchy. What he also noticed was a list of things to consider for his company’s next plans with regard to data privacy.

Before Jamie could think about the other tips and procedures to have in place, he would first need to know the details of each.

The first Easter egg: a mysterious data map

The first Easter egg he found explained how important it was to have an overview of the different data flows in his organisation, and advised him to look into data mapping.

A data map gives an organisation an overview of its various data flows. For example, it can show how data is transferred from different suppliers and sub-suppliers through to customers.

Organisations are required by the GDPR to first map their data flows in order to assess the privacy risks they might encounter. In fact, Article 30 GDPR requires organisations with 250 employees or more, and organisations for which processing personal data is an integral part of their business, to keep an overview of their processing activities. It’s important to note that even when Article 30 doesn’t apply to an organisation, it is still obliged to provide information on its processing activities at the request of supervisory authorities and data subjects.


Not only did this mean Jamie could have a clear understanding of each and every data flow, but it would also help him explain the processes to the different stakeholders when needed.

While he started to evaluate his data flows, he stumbled upon another egg. An attractive-looking one that was designed with care. As he opened it up, he found another tip that might just help him with the abundance of personal data his organisation processes.

The pretty Easter egg: privacy by design, privacy by default

Jamie understood that data controllers who manage personal data are obliged to implement technical and organisational safeguards to protect personal data against what could be considered “unlawful processing”. As he opened up the rest of the text on this tip, it read that such a responsibility requires careful data privacy considerations in every processing activity, even before carrying one out. By embedding a data privacy thought process, the chances of potentially harmful personal data processing are reduced. As Jamie wondered how this could be achieved, he found two different methods to consider.

Privacy by design

According to the GDPR, privacy by design is a data protection/privacy-centred approach taken at the initial or design stages of an organisation’s plans or methods. This means that data privacy and security are embedded throughout the lifecycle of processing activities, products, services, offers, and applications. As Jamie’s company handles personal customer data on a large scale, he found it especially applicable to note down for the upcoming discussions on developing a new IT system next month. He also noted that privacy by design could apply to C-level management in their plans to update the company’s policies and business strategies. As Jamie read on, he noticed that once privacy by design is embedded, a privacy strategy proves even more helpful in identifying possible risks. This gave Jamie a chance not just to understand the steps and mitigating measures necessary for his company’s plans, but also to gain guidance for future similar projects.

Privacy by default

While privacy by design emphasises the importance of considering data privacy in the initial stages, privacy by default lays out practical approaches for doing so. Privacy by default is when (but not limited to) processes, systems, or services include methods for data subjects to determine how much personal data they would like to share.


What this meant was that the default setting of certain processes should be the choice that’s more “data privacy friendly”. Jamie understood this point, and saw how it connects to the GDPR’s principles of purpose limitation and, especially, data minimisation. In these cases, he understood that it was vital for the purpose of collecting personal data to be clearly communicated to data subjects, and in an easy-to-understand manner. Jamie referred back to the company’s plans to create a new IT system next month, and took note to make sure that the default preference choices would always be the ones that collect the least personal data. Jamie also saw this as an opportunity to narrow down the data intake the company was collecting, as adopting these measures meant no additional data is taken unless the data subject agrees to it.

As there were several things Jamie had taken note of, he was excited to try the tips out and see them in action.

However, he then noticed a bright red Easter egg that had an important message for him to read. It was one of the most crucial tips of them all: the reminder to make a habit of conducting a Data Protection Impact Assessment (DPIA) before a project or plan.

The bright red egg: making DPIAs a habit

DPIAs are an important aspect of an organisation’s accountability obligations under the GDPR. A DPIA is a procedure designed to evaluate processing activities that involve personal data.

The DPIA helps assess and manage the risks to the rights and freedoms of data subjects that could arise from the processing activities. Not only do DPIAs help in achieving compliance with the GDPR’s principles, they also help reduce the risk of future problems by pointing out where safeguards and mitigating measures need to be in place.

Jamie knew that this wasn’t just a way to evaluate his ideas; it was also a way to get everyone involved in the processes to contribute, as DPIAs require a set of different disciplines to work together. Although DPIAs are often a challenging task, there are great resources that can walk you through how to carry one out and how to overcome the challenges of conducting one.

As Jamie started to plan out who he needed to work with for the DPIAs, he found one last egg just within reach.

The last egg: creating a data privacy culture


The last tip he read was to establish a data privacy culture in the workplace, where everyone understands their role in furthering the organisation’s data privacy efforts. The tip reminded Jamie that compliance efforts aren’t a one-person task. To carry out the obligations and tasks needed to stay compliant with the GDPR, everyone involved in handling personal data should understand its importance. Jamie realised that it was crucial to spread awareness and communicate with everyone involved. Not only is it important to spread data privacy awareness, but the tip also pointed out that establishing goals and tracking the company’s progress is just as critical. Making sure everyone in the workplace understands how their roles affect the company’s GDPR compliance efforts allows tasks such as DPIAs and data mapping to be carried out effectively and smoothly.

The egg hunt is completed: this time, it was safe to put all eggs in one basket

With all the tips he found that day, Jamie understood that each one didn’t just help his company stay in line with the GDPR, it would also help him carry out tasks more efficiently and quickly. Jamie knew that as long as he took the time to consider the tips and steps he had found during his Easter hunt, it was safe to put all his eggs in one basket.