Julian Hayes from Veneto Privacy shares some tips and tricks for businesses considering organisational controls around data protection.
Why are organisational controls so important?
Organisational controls are often an underestimated part of data protection compliance, yet they are critically important if organisations are to demonstrate compliance.
It’s really important that your organisation is set up with a framework around data protection and security. Beyond legal obligations, it makes good business sense, allows for proper control and utilisation of data, and can even help streamline process costs.
With a few simple process measures, some enthusiasm and the right tools, organisations can still thrive with their data processing activities safe in the knowledge that structures are there to keep them on the right track.
Data management programme
A data management programme is a living project with continuous cycles enabling organisational activities that support good data privacy practices. Standard components of a good programme would feature:
- Data Protection Training & Communications plan for the year.
- Data Privacy Management Group, managing data retention, security and access controls and Data Protection Impact Assessment reviews. These assessments require expert knowledge in data protection and security in order to establish the legal basis for the processing, what security measures are required, establishing whether a balancing test of legitimate interest is required and having oversight of the full extent of the processing.
- Data Curation, ensuring data integrity, utility and interoperability within the organisation and its other data processes.
- Data Governance, an integral part of the programme, with key decision makers appointed to take the high-level decisions on data protection and security risks.
It’s always good to capitalise on interest in data protection from colleagues within your organisation and let them assist you with your data protection programme objectives, through meetups, information sharing and privacy representation for their departments. At Veneto Privacy, we’ve implemented formal and informal data privacy working groups and have seen first-hand that this privacy culture can grow compliance maturity for organisations, making the Data Protection function, with the support of these advocates, a more integrated and trusted unit.
In setting up a Data Privacy working group, it’s always good to set out clear objectives for all stakeholders and what their responsibilities are in their participation. Some items the group can help the Data Protection function manage include: Product & Service plans for the forthcoming quarter; reconciling the Register of Data Processing (Article 30 GDPR) for data processing activities in their business unit; co-ordinating on investigations or regulatory enquiries; and of course cascading changes in the data protection landscape that may impact the business. These advocates can be the eyes and ears of data protection for you!
Training and Knowledge
Your business can have the best internal processes for reporting data protection breaches, but these are worthless when staff have not been trained to be able to react or even identify a data breach.
Who does the buck stop with? Who is responsible for the management and ownership of data? Without a governance structure and clear accountability within defined roles (CTO, CEO etc.) your organisation cannot say it has implemented ‘organisational measures’ under Article 32 of the GDPR.
Does our business need a Data Protection Officer?
Yes, if your organisation processes large amounts of personally identifiable data or the processing involves large scale systematic processing of such data. Importantly, the Data Protection Officer needs to have independence in some decision-making processes and should not be conflicted when it comes to determining privacy risks.
Further, organisations based outside of the EU that offer services within the union must by law appoint an EU Representative based within the territory, who can be contacted by consumers and data protection authorities.
Having policies in place internally that support both security and data protection is critically important for organisational compliance, and even more important is that these are communicated to all levels of the organisation, whether it’s big or small. Policies allow colleagues to understand the ‘dos and don’ts’ when it comes to handling data and are the go-to resources for identifying an escalation path when they come across an issue.
Basic policy structures usually comprise the following items:
- Information Security Policy – Setting out minimum security requirements for handling data in the organisation and often including a data classification procedure based on the information’s sensitivity.
- Data Protection Management Policy – Establishing what steps need to be taken to protect personally identifiable data, where a Data Protection Impact Assessment may be required, how to contact the Data Protection Officer, and defined ownership of data within the organisation.
- Data Breach Management Policy – This is a critical policy which ideally would be co-owned with your Information Security team, so that a solid policy is established that enables identification of alleged data breaches, triage, deep-dive investigation, and a decision on whether notification to the authorities or to impacted parties is required.