GDPR Compliance

How OneTrust Helps


Operationalise Privacy and Automate Record Keeping

The new EU General Data Protection Regulation (GDPR) requires organizations to undertake significant operational reform to meet the increased obligations of handling personal data. Appropriate record keeping is critical as the GDPR requires organizations to demonstrate compliance and accountability.


The OneTrust privacy management software platform helps organizations meet these GDPR requirements by automating privacy impact assessments and data mapping, identifying privacy risks, and enforcing risk management activities in an integrated platform.

Steps to GDPR Compliance

Create an Actionable Plan with a Readiness Assessment

The GDPR requires implementation of appropriate technical and organizational measures to ensure and demonstrate that processing is performed in accordance with the Regulation, and reviewed and updated where necessary.


The OneTrust Readiness Assessment tool is designed to identify gaps in your current privacy program as it relates to GDPR; provide executive-level visibility and reporting; and demonstrate accountability and compliance in the event of a regulatory sweep.


GDPR Articles

Article 5: Principles Relating to Processing of Personal Data

Article 24: Responsibility of the Controller

Generate a Processing Register for Article 30

The GDPR requires processors of personal information to take responsibility for keeping records of their processing activities. Data mapping describes the operational process of generating a central inventory of the organization’s data flows and keeping it up to date.


Although the GDPR does not specifically mention data mapping, it does require both controllers and processors (B2B and B2C) to maintain an inventory of processing activities. GDPR Article 30 is extremely specific in its requirements, so even if an organization has previously performed data mapping, it will need to be updated or redone to meet GDPR requirements. OneTrust helps leverage an organization’s existing data map and inventory to meet Article 30 obligations.


How OneTrust Helps:

OneTrust enables organizations to select a pre-defined template (for example, a GDPR Article 30 template), and then customize the template by adding or removing attributes, data elements, categories of data subjects, terminology, and any other values based on unique business requirements.


Populate the data flow inventory through many approaches such as questionnaires, scanning technologies, in-person workshops, or a bulk import. Once data has been populated, automatically generate a searchable inventory and visual data maps based on the underlying data inventory. Keep it up to date with an included PIA module that captures data flows from new projects being reviewed or audited, and view ongoing scan results.


GDPR Articles

Article 6: Lawfulness of Processing

Article 30: Records of Processing Activities (Primary)

Article 32: Security of Processing

Operationalize Data Protection Impact Assessment (DPIA) and Privacy by Design

The GDPR requires controllers to conduct a Data Protection Impact Assessment (DPIA) where processing operations are likely to result in a high risk. Many details within the GDPR make this more involved than a standard questionnaire; for example, requiring Data Protection Officer (DPO) involvement in specific workflows, tracking mitigation activities, documenting risk in terms of harm to the individual, data subject consultations, etc.


In addition, organizations in practice implement a lightweight screening questionnaire to analyze risk and then determine if a full DPIA is needed. These workflow and documentation requirements, as well as the user experience and integration expectations of your business users, require purpose-built tools to operationalize GDPR.


Operationalized properly, the DPIA can be an effective approach to meeting the Data Protection by Design and Default requirement.


How OneTrust Helps:

OneTrust provides numerous pre-defined screening and DPIA questionnaires to choose from, or organizations can import and tailor their own using a point-and-click, drag-and-drop interface. Configure the appropriate approval and risk tracking workflows, distribute the questionnaires to business users via email notifications or a self-service portal, and collect responses and analyze risks through automation rules or manual risk identification. Organizations can assign follow-up mitigation tasks to automatically prompt and enforce remediation, and easily run reports for regulators, project management or business users.


GDPR Articles

Article 25: Data Protection by Design and by Default

Article 35: Data Protection Impact Assessments

Article 36: Prior Consultation

Meet EU Privacy Cookie Compliance Requirements

The GDPR has influenced the drafting of new ePrivacy regulation that brings the current ePrivacy Directive in line with the GDPR. Organizations face increased penalties and more focused regulatory action under the newly drafted regulation.


How OneTrust Helps:

OneTrust helps proactively address the regulation by conducting ongoing scans of all of an organization’s websites, and automatically categorizing any cookies and tracking technologies found based on the regulatory guidance available. The scan produces a detailed, actionable report that digital marketing teams can use to analyze these technologies and make updates as needed. OneTrust can automatically generate a highly customizable cookie banner with the ability to feed the results of the website scan into the cookie notice as part of an organization’s privacy policy. Within the cookie banner, provide visitors a preference center to put them in control of opting in and out of tracking.


GDPR Articles

Article 7: Conditions for Consent

Article 21: Right to Object

ePrivacy Directive / Draft Regulation

Build a Data Subject Rights Request Portal

The GDPR gives data subjects new rights, such as data portability, access, erasure or “right to be forgotten”, rectification, and more. Additionally, there are specific record keeping requirements around the time to respond, the ability to request an extension, the requirement to validate the identity, and securely transmitting the response to the individual, to name a few.


How OneTrust Helps:

OneTrust provides organizations the ability to tailor a branded web form, link to the form from the company’s privacy policy webpage, receive notification when a request has been submitted, and automatically request an extension if a deadline approaches. When the request is fulfilled, securely transmit the data to the individual, and link the request to the underlying data map to efficiently fulfill the request, as well as ultimately generate the proper documentation and evidence should a regulator inquire about the request.


GDPR Articles

Article 12: Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject

Article 13: Information to be Provided Where Personal Data are Collected from the Data Subject

Article 14: Information to be Provided where Personal Data have not been Obtained from the Data Subject

Article 15: Right of Access by the Data Subject

Article 16: Right to Rectification

Article 17: Right to Erasure (“Right to be Forgotten”)

Article 18: Right to Restriction of Processing

Article 19: Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing

Article 20: Right to Data Portability

Article 21: Right to Object

Build a Framework for Consent Management

The GDPR sets a new, high standard for organizations processing data based on consent. For example, consent needs to be: specific, clear and in plain language, not buried in legal notices, not grouped with multiple notices, easy to withdraw, etc. In addition, organizations need to be able to demonstrate consent was received in granular ways.


OneTrust provides a consent management solution that can be embedded into the organization’s website, devices and internal systems by capturing consent transactions in a standardized way. Organizations can then demonstrate consent individually to regulators as well as provide data subjects with a list of all the things they have consented to, so they can accept or withdraw their consent.


GDPR Articles

Article 7: Conditions for Consent

Review and Remediate Vendor Risks

The GDPR holds the controller responsible for actions or breaches by the processor. It is critical to analyze vendor data transfers and contractual obligations with the same level of diligence as internal processing activities to have a defensible posture in the unfortunate event that a supplier or vendor has a breach. In addition, it allows organizations to quickly understand what data was impacted in that breach.


How OneTrust Helps:

OneTrust enables organizations to conduct this vendor due diligence during the initial vendor onboarding phase and to re-audit existing vendors on a risk-based schedule. Vendor privacy and security assessment questionnaires can be sent directly to the supplier or third party to complete and generate a central record of all your vendors, contracts, data transfers, the legal basis for any cross-border transfers, and the proper security obligations.


GDPR Articles

Article 28 (1)-(3): Processor

Article 24 (1): Responsibility of the Controller

Article 29: Processing Under the Authority of the Controller or Processor

Article 46 (1): Transfers Subject to Appropriate Safeguards

Prepare an Incident Reporting & Breach Management Workflow

The GDPR includes strict 72-hour notification requirements to the supervisory authority and under certain circumstances an additional notification to the data subjects. It’s critical for organizations to have a systematic process in place to meet these requirements.


How OneTrust Helps:

OneTrust helps organizations have a systematic process to document the incident, understand if the incident has resulted in a breach, analyze the breach for harm to the individual, and determine if notification is required to the supervisory authority or data subject.


GDPR Articles

Article 33: Notification of a Personal Data Breach to the Supervisory Authority

Article 34: Communication of Personal Data Breach to the Data Subject