Document per process, feature & flow:
- Who is the consumer (those receiving the personal data)
- What do they need (sub-action: classify data)
- Why do they need it (parallel-action: legal boundaries, personal data)
- What should be delivered
- When should it be delivered
- What kind of integrity and/or other demands do I have
- Are they allowed to share the data with others
- Where should the data be processed, stored etc.
- How to deliver
- Did you perform the mandatory practices on both the data and the process?
- In case of sensitive data or protected data:
  - Dynamic masking
  - Flagging / Logging
  - Pseudonymising / Anonymising
- How to produce the result
- Which outside resources do I need
- What kind of integrity and/or other demands do my sources have regarding the processing of this data
- Could the processed data lead to it becoming personal data and therefore protected data
- How do I track my data?
The following original text was written before GDPR was fully implemented. A lot has happened since then. The text has not been adjusted in any way, except for this disclaimer mentioning that.
Background
GDPR requires you to take technical and organisational measures prior to the start of processing and during such processing. To be able to live up to the requirements, you should have built a firm understanding of the data that you, or someone else on your behalf, are processing. The 10 commandments help you form and document the criteria in Article 5 and others.
The 10 commandments were created by taking a data-centric approach and drawing on known effective measures and practices to protect any form of data, not just personal data. For completeness, I added the base principles for full transparency around performing such processing.
The most significant privacy changes when GDPR came into effect:
- Where a business is based outside of the EU but offers goods and services to individuals in the EU, or monitors their behaviour, the GDPR will apply
- You will have to keep full records of any data processed, including the type of data and the purpose it is used for. You will also need to give much more detailed notices to people you collect information from.
- Most, if not all, need to designate a D.P.O. to take responsibility for data protection compliance. Their tasks will include liaising and cooperating with supervisory authorities and monitoring compliance. The D.P.O. will need sufficient expert knowledge of data protection law and practices to conduct Privacy Impact Assessments and ensure appropriate policies are in place.
- Consent to processing of personal data must be freely given, specific, informed, unambiguous and displayed by a statement or by a clear affirmative action. Individuals have the right to withdraw consent at any time.
- You will not be able to charge for complying with a request, and will have a month to comply.
- The GDPR imposes a mandatory breach notification. Breaches, accidental or unlawful loss, alteration or unauthorised access to personal data, will have to be reported within 72 hours.
- Fines
Design for Privacy – Operational Impacts
- Data protection officer (required for most cases)
- Explicit consent using data and for which reasons
- Cross-border data control
- Very strict rules in regards of profiling
- Right to be forgotten and data portability – Facilitate erasure and/or retrieve data on a subject (1 month)
- Document all flows so the DPO can track and trace (plus point out processors and controllers and liabilities)
- Anonymize data wherever possible, use pseudonymization if needed/applicable
- Codes of conduct established
- Biggest reason for adopters: consequences because of GDPR (fines)
Data Protection Impact Assessment
The 10 commandments help you perform and gather the requirements for performing a DPIA. The part that is missing is the threat modelling part, where you look at the risks to, and rights of, the individual(s) in question. The evaluation part in stage 2, together with implementation and follow-up, is the proven part of the DPIA and part of the due-care/due-diligence requirements when processing personal data.
Data-centric Context: The 4 W's of Data Centric Security
- Where is the data
- What is the data
- Who has access to the data
- Why do they need access to the data
This results in Administrative, Technical & Physical measures
Lifecycle - PDCA
- Form Privacy Design Strategy (1-2)
- Create Privacy Design Patterns (3)
- Implementation of privacy Enhancing technologies (4)
- Evaluate (5-6)
Process cycle Step-by-Step
- Concept Development
- Analysis
- Design
- Implementation
- Testing
- Evaluation
Mandatory Practices to apply
Data Oriented
- Minimise: Limit as much as possible the processing of personal data
- Separate: Distribute or isolate personal data as much as possible
- Abstract: Limit as much as possible the detail in which personal data is processed
- Hide (not obfuscate): Prevent personal data from becoming public or known (encrypt etc.)
Process Oriented
- Inform: Inform data subjects about the processing of their personal data
- Control: Provide data subjects control towards the processing of their personal data
- Enforce: Commit to processing personal data in a privacy friendly way, and enforce this
- Demonstrate: Demonstrate you are processing personal data in a privacy friendly way
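The following is an added example (not code from the original post) showing how the sensitive-data items from the 10 commandments (dynamic masking, flagging/logging, pseudonymising) and the data-oriented practices above (Minimise, Separate, Abstract, Hide) can be applied when preparing one consumer's view of a record. The record, the purpose-to-fields mapping and the pseudonymisation key are constructed for this example; in practice the key would be kept apart from the data store.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample record and key for this example (not from the original post).
PSEUDONYM_KEY = b"example-only-key-keep-separate-from-data"
SAMPLE_RECORD = {"name": "Alice Example", "email": "alice@example.com",
                 "birthdate": date(1985, 4, 12), "postcode": "1012 AB",
                 "order_total": 42.50, "device_id": "dev-12345"}
# Minimise: the fields each purpose may receive; everything else is dropped.
PURPOSE_FIELDS = {"analytics": {"email", "birthdate", "postcode", "order_total"}}


def pseudonymise(value, key=PSEUDONYM_KEY):
    """Hide: a keyed hash gives a stable pseudonym that cannot be reversed
    without the key, which is stored apart from the data (Separate)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(birthdate, today=date(2024, 1, 1)):
    """Abstract: reduce an exact birthdate to a ten-year age band."""
    age = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        age -= 1
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def prepare_for_consumer(record, purpose, may_see_identifiers=False):
    """Build the view one consumer receives for one purpose, applying
    Minimise, Abstract, Hide and dynamic masking, and return it together
    with a flagging/logging entry that records what was delivered."""
    view = {}
    for field in PURPOSE_FIELDS[purpose]:
        value = record[field]
        if field == "email":
            view["subject_id"] = pseudonymise(value)
            if may_see_identifiers:        # dynamic masking by consumer role
                view["email"] = value
        elif field == "birthdate":
            view["age_band"] = age_band(value)
        elif field == "postcode":
            view["area"] = value.split()[0]  # Abstract: area prefix only
        else:
            view[field] = value
    log_entry = {"purpose": purpose, "subject_id": pseudonymise(record["email"]),
                 "delivered_fields": sorted(view),
                 "identifiers_revealed": may_see_identifiers}
    return view, log_entry
```

The log entry is what lets you Demonstrate afterwards which fields left the system for which purpose, keyed by pseudonym rather than by the raw identifier.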
Final words
Organisations will have to change procedures, educate personnel and potentially re-think and adjust business models to account for these rights, in order to be allowed to continue to operate in the near future.
In achieving GDPR compliance, one must focus on getting everyone to work together in ongoing efforts to ensure governance, risk and compliance across the organisation, especially when dealing with GDPR, which requires greater transparency, improved corporate governance and sustainable business models. In fact, GDPR makes it "easier"! GDPR is about harmonisation of regulation and facilitating the free flow of information. It balances the privacy of the individual, the interests of organisations and legal requirements.
I hope the 10 commandments give you the ability to ask the right questions in your organisation so you can make informed decisions. Any feedback is appreciated.