What Next With Your Personal Data Inventory (Article 30)?

3 Step Guide, Survey Results and Article 30² Toolkit

What Next With Your Personal Data Inventory (Article 30)?

Data privacy legislation requires organisations to discover and document their personal data processes e.g. GDPR – Article 30 ‘Record of Processing Activities’. For most organisations the simplest way to fulfil this obligation is to create and maintain a Personal Data Inventory.

Understanding what data you have, why you have it, where it is processed, who can access it, when it should be deleted, and how it is secured is the foundation of any data privacy or cyber security programme that aims to protect personal data and comply with data privacy legislation i.e. GDPR, CCPA, PIPEDA, PDBP and more.

Exonar Survey

Exonar surveyed 104 organisations to understand their experience discovering and operationalising their Personal Data Inventory. We have detailed the findings of this survey alongside a 3 Step Guide to Personal Data Inventory and Article 30² Toolkit.

Our first section on data discovery and personal data inventory will be most useful for organisations who are planning to create their Personal Data Inventory (e.g. those preparing for the California Consumer Privacy Act (CCPA) in 2020).

Our second and third sections will be most useful for organisations who have already created their Personal Data Inventory (e.g. those complying with General Data Protection Regulation (GDPR) from May 2018) to explain next steps for monitoring and compliance activities.

The Article 30² Toolkit can be filled to help you structure your journey through this process.

Download: What Next With Your Personal Data Inventory (Article 30)?

Download: Article 30² Toolkit

 

The Data Protection Officer’s (DPO’s) Toolkit – The 6 Essentials

The Data Protection Officer’s (DPO’s) Toolkit

2018 saw the General Data Protection Regulations (GDPR) in Europe, California Consumer Privacy Act (CCPA) in America, and the Personal Data Protection Bill (PDPB) in India introduce privacy protections to nearly 2 billion citizens.

With enforcement set to take centre stage in 2019, what essentials do data leaders need to keep themselves out of the crossfires of regulators?

6 Essentials of the DPO’s Toolkit

1. Data inventory
2. Data monitoring
3. Data rights fulfilment
4. Data champions
5. Data training
6. Data security

1. Data inventory

The first step to taking control of your data is being able to answer ‘what data do I have?’ ‘why do I have it?’ ‘who can process it?’ ‘where is it stored?’ ‘how and when do I delete it?’

Creating an inventory of all of your data processes is the first step for any DPO needing to comply with global privacy legislations (and mandatory under the GDPR Article 30 Records of Processing Activity).

Discover and document your organisations’ data practices; this will give you the best possible platform to comply with global privacy regulations and get the most value from your data.

2. Data monitoring

So you’ve documented your data practices, but is that really how data is being processed on your network – Is your data inventory reflective of your true data practices?

The answer is usually no. Luckily, the days of manual data audits and ‘privacy compliance platforms’ with no data monitoring capabilities are over and cutting edge data discovery and compliance technologies like Exonar are now available.


By monitoring your data estate you can make sure your marketing leads stay in your marketing department, your payroll files stay within your payroll department, and your Top Secret Project X documents remain exactly where you want them to be.

3. Data Rights Fulfilment

2019 is the year citizens take back control of their data.

Personal information belongs to the individual it relates to and organisations are required to provide full access to that data upon request under the GDPR in Europe (within 30 days) and CCPA in
America (within 45 days). In Europe 48% of Generation X and Y have exercised their right to access with over a third of all European citizens having done so since May 2018.

As a data leader, you must have a permanent and robust process in place for being able to respond to subject access requests (SARs), detailing the personal information you are processing and what you are using it for.

Subject Access Requests (SARs) can take days to fulfil if you are relying on manual data discovery so employing a data discovery tool to help you can reduce your SAR response time from days to minutes.

4. Data Champions

Data is big and it’s only getting bigger. A DPO is (for now) only human and keeping your data estate in compliance is only possible with a little help from some friends.

Once you’ve got your data inventory you should have a good understanding of your business units that have data processes that fit into natural silos e.g. Sales, HR, Legal, Payroll, Customer Services, Operations A, Operations B.

Assign a data champion for each business process, ensure they understand what the data inventory says about expected data practices, and empower your data champions with the resources needed to keep your data estate in compliance.

Data champions within their business units will often understand the nuances of data processing in more detail than a DPO so delegation of responsibility is key.

5. Data Training

Data protection is a collective action problem. If you have thousands of employees it only takes a small number of bad practices to throw your compliance programme into disarray.

If you have a strong handle on your data inventory, are monitoring your data repositories, and have data champions willing to help you, delivering an organisation wide training programme to communicate expected data practices is the way to embed a culture of privacy into your organisation and reduce your exposure to insider breaches.

As with most leadership, communication is key!

6. Data security

So you understand your information estate and your employees are doing their utmost to process data appropriately; now it’s time to lock down your high risk systems.


Your data inventory and data champions should be able to give you a clear view of the IT systems (and locked filing cabinets) that store and process your most valuable data.

Identify your high, medium and low risk IT systems/applications/shared drives/data repositories/locked filing cabinets, communicate those risks to your information security team, and seek assurance that cyber security controls are in place that are proportionate to the sensitivity of the data processes.

 

Embracing the crossover between data privacy and cyber security will best allow you to demonstrate that you have adopted data protection practices that are proportionate and appropriate for your organisation.


With these 6 tools you will be in an excellent position to navigate the data privacy landscape in 2019 and beyond.

 

CCPA – The Definitive, Easily Searchable Text

In the last 12 months, data privacy has moved from a niche topic to something talked about at almost every corporation’s board meeting.

The EU GDPR, which came into force on May 25th, 2018, covers data held on any EU citizen and enforced new accountability for organizations processing personal data.

With the legislature passing the California Consumer Privacy Act 2018 (AB 375) on June 29th 2018, there are now a similar set of rules governing most organizations holding data on US Citizens.

We’ve now made it easy for you to read the act in full with our easily searchable CCPA text below:

California Consumer Privacy Act

CCPA 2018 Introduction

Section 1

Section 1 This measure shall be known and may be cited as “The California Consumer Privacy Act of 2018.

Section 2

Article A In 1972, California voters amended the California Constuition…
Article B Since California voters approved the right of privacy, the…
Article C At the same time, California is one of the world’s leaders in…
Article D As the role of technology and data in the every daily…
Article E Many businesses collect personal information from…
Article F The unauthorized disclosure of personal information and…
Article G In March 2018, it came to light that tens of millions of people…
Article H People desire privacy and more control over their information.
Article I Therefore, it is the intent of the Legislature to further…
Article I (1) The right of Californians to know what personal information is being collected about them.
Article I (2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
Article I (3) The right of Californians to say no to the sale of personal information.
Article I (4) The right of Californians to access their personal information.
Article I (5) The right of Californians to equal service and price, even if they exercise their privacy rights.

Section 3 – Title 1.81.5 CCPA 2017 added toPart 4 of Division 3 of the Civil Code

Law Section 1798.100 Right to Know What Personal Information is Being Collected.
Law Section 1798.105 Compliance with Right to Say No and Notice Requirements.
Law Section 1798.110 Articles (A), (B), (C), (D).
Law Section 1798.115 Articles (A), (B), (C), (D).
Law Section 1798.120 Articles (A), (B), (C), (D).
Law Section 1798.125 Articles (A), (B).
Law Section 1798.130 Articles (A), (B), (C).
Law Section 1798.135 Articles (A), (B), (C).
Law Section 1798.140 Articles (A), (B), (C), (D), (E)…(Y).
Law Section 1798.145 Articles (A), (B), (C), (D), (E)…(J).
Law Section 1798.150 Articles (A), (B), (C).
Law Section 1798.155 Articles (A), (B), (C), (D).
Law Section 1798.160 Articles (A), (B).
Law Section 1798.175 This title is intended to further the constitutional right…
Law Section 1798.180 This title is a matter of statewide concern and supersedes…
Law Section 1798.185 Articles (A), (B).
Law Section 1798.190 If a series of steps or transactions were component parts…
Law Section 1798.192 Any provision of a contract or agreement of any kind that purports…
Law Section 1798.194 This title shall be liberally construed to effectuate its purposes..
Law Section 1798.196 This title is intended to supplement federal and state law, if permissible…
Law Section 1798.198 Articles (A), (B).

Section 4

Article (A) The provisions of this bill are severable. If any provision of this bill or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

Simplifying GDPR – Get the team signed up and on the pitch

In the beginning, there was a team – Read Part 2 of our essential guides to GDPR

Explain GDPR to your organisation, identify your board sponsor, form a posse from legal, compliance, technology and your key personal information owners like HR and customer services. Then get everyone in a room, work out your high-level programme plan and cost it across internal resource, external advice/resource, tech spend, training and ongoing costs. Then you’ll all have a pretty clear view of life under GDPR.

Our free guides will cut through the myths and help you get a grip on GDPR as May 25th approaches – and here is Part 2. Let us help you see GDPR in a different, practical light.

Read Part 2

 

Simplifying GDPR – Your Essential Exonar Four-Part Guide

Understand the game – then score some easy wins and be 2-0 up by half-time

It’s one of those large-scale legislative changes to the way we all work that always seems a long way off and then suddenly heaves into view – GDPR. 

We’ve plenty of thoughts on the subject, thoughts that we believe are worth sharing and will help you in your approach to managing this new regulation.

At Exonar we help you map and understand your personal data: instantly, simply and at scale. Yes, GDPR arrives on May 25th 2018. Yes, the clock is ticking – but no, it’s not the complex and resource-sapping behemoth you could be excused for assuming. It’s an evolution of the UK’s existing Data Protection Act 1998, not a revolution; it clarifies, simplifies and codifies data protection for the digital age. It’s also a terrific opportunity to streamline the way you use personal data – in easier and more effective ways than you might think – while adding significantly to your audience’s trust in your organisation and brand.

Our free fortnightly guides will cut through the myths and help you get a grip on GDPR as May approaches – and here is Part 1. Let us help you see GDPR in a different, practical light.

Read Part 1