Many companies have realised that it is practically impossible to adhere completely to every personal data protection law out there. One way they address this is by publishing a comprehensive white paper that explains their processes and answers the questions of the people who use their services.
There are several examples of this approach and I think it is a good one; after all, if an organisation or individual does not agree with an organisation's approach, they can always choose not to use its services. I also think this approach is even more important for platforms, as they should not be expected to fill in risk assessments on behalf of their clients; organisations don't have time for this.
A good, well-written white paper allows clients of the organisation to:
- see that the organisation has a thorough understanding of GDPR compliance and of what it requires of their business and of the client's own;
- understand what types of personal data are being processed, by whom, and who is responsible for them;
- see how the processing of personal data is protected by technical and organisational measures, including any relevant credentials and accreditations;
- understand how their own GDPR compliance will be positively affected when they use the organisation's products and services.
Helping your Clients
A white paper also allows customers to understand how business processes really affect personal data, at a level of detail they would normally just skim through, if the organisation is lucky. Admittedly, a white paper tends to be aimed at other organisations rather than individuals, but it is still good to have it out there for people like me, who like to know that the third parties holding my data are living up to the integrity and confidentiality principle of the GDPR.
Writing a white paper will also help an organisation really understand its own compliance, as it forces a deep understanding of the personal data held on its own systems and of how that data is protected and used. To get there, organisations need to do a data mapping exercise to understand and assess their privacy risks. This involves:
- Understanding data flows: looking at the transfer of data from one location to another, within the organisation, into and out of the EU, between suppliers and other third parties, and to customers/clients themselves.
- Describing information flow: walking through the information life cycle within the organisation, involving the people who actually use the information so that the practical implications of holding and using it are understood, and considering future uses of the information collected.
- Identifying, against the GDPR's rules: the data items, the lawful basis for collecting that information, the transfer methods used, the location of the information, the formats in which it is stored, who is accountable for the data, and the types of data being processed.
The challenges of a good data mapping exercise are identifying what personal data is actually being collected, working out what safeguards need to be in place for the organisation (including those provided by third-party software from suppliers such as Microsoft or Google), and finally understanding the legal obligations that regulators will hold the organisation to.
There are companies and tools that will help organisations do this, but before taking on yet another tool, consider what your organisation actually needs: no single tool solves the problem of understanding what is expected of you.
What should be in a white paper?
As a starting point I would suggest the following should be covered by an organisation’s white paper:
- Company details (registration number, etc.).
- The purposes for which the data is being processed; for larger organisations these are likely to rely on several of the lawful bases for processing.
- Whether data is processed by automated means, including any automated decision-making, or only manually.
- Right to be forgotten (right to erasure): whether data can be deleted easily, and under what circumstances some of it might be retained.
- Storage of data, including its location.
- Whether subcontractors (sub-processors) use the data, and what the organisation has in place to make sure they handle it properly.
- Transfers of data outside the organisation, outside EU member states, or further afield, and the safeguards relied on for those transfers.
- Whether data is anonymised so that it is no longer subject to the GDPR (pseudonymised data is still personal data and remains in scope).
- Security measures in place.
- Who the data protection officer is and how to contact them.
- The data processing terms that clients/customers sign up to when they use the organisation's services.
- Which third-party organisations are also using the data.
I would also suggest making the white paper accessible, easy to read and jargon-free, providing links to the things the organisation references (make it easy for the reader to verify what is being said), and lastly explaining technical points where possible. Going beyond the bare minimum will always shine through to your clients/customers; a white paper can use your organisation's voice.
Dropbox has an example of this kind of documentation (PDF link).
SharePoint and OneDrive for Business cover it in this paper.
Google Chrome's white paper.