The Data Protection Officer’s (DPO’s) Toolkit
2018 saw the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in America, and the Personal Data Protection Bill (PDPB) in India introduce privacy protections for nearly 2 billion citizens.
With enforcement set to take centre stage in 2019, what essentials do data leaders need to keep themselves out of the crossfire of regulators?
6 Essentials of the DPO’s Toolkit
1. Data inventory
2. Data monitoring
3. Data rights fulfilment
4. Data champions
5. Data training
6. Data security
1. Data inventory
The first step to taking control of your data is being able to answer: ‘What data do I have?’, ‘Why do I have it?’, ‘Who can process it?’, ‘Where is it stored?’ and ‘How and when do I delete it?’
Creating an inventory of all of your data processes is the first step for any DPO needing to comply with global privacy legislation (and is mandatory under GDPR Article 30, Records of processing activities).
Discover and document your organisation’s data practices; this will give you the best possible platform to comply with global privacy regulations and get the most value from your data.
2. Data monitoring
So you’ve documented your data practices, but is that really how data is being processed on your network? Is your data inventory reflective of your true data practices?
The answer is usually no. Luckily, the days of manual data audits and ‘privacy compliance platforms’ with no data monitoring capabilities are over, and cutting-edge data discovery and compliance technologies like Exonar are now available.
By monitoring your data estate you can make sure your marketing leads stay in your marketing department, your payroll files stay within your payroll department, and your Top Secret Project X documents remain exactly where you want them to be.
3. Data Rights Fulfilment
2019 is the year citizens take back control of their data.
Personal information belongs to the individual it relates to, and organisations are required to provide full access to that data upon request under the GDPR in Europe (within 30 days) and the CCPA in America (within 45 days). In Europe, 48% of Generation X and Y have exercised their right to access, with over a third of all European citizens having done so since May 2018.
As a data leader, you must have a permanent and robust process in place for being able to respond to subject access requests (SARs), detailing the personal information you are processing and what you are using it for.
Subject access requests (SARs) can take days to fulfil if you are relying on manual data discovery; employing a data discovery tool can reduce your SAR response time from days to minutes.
4. Data Champions
Data is big and it’s only getting bigger. A DPO is (for now) only human and keeping your data estate in compliance is only possible with a little help from some friends.
Once you’ve got your data inventory you should have a good understanding of the business units whose data processes fall into natural silos, e.g. Sales, HR, Legal, Payroll, Customer Services, Operations A, Operations B.
Assign a data champion for each business process, ensure they understand what the data inventory says about expected data practices, and empower your data champions with the resources needed to keep your data estate in compliance.
Data champions within their business units will often understand the nuances of data processing in more detail than a DPO, so delegation of responsibility is key.
5. Data Training
Data protection is a collective action problem. If you have thousands of employees it only takes a small number of bad practices to throw your compliance programme into disarray.
If you have a strong handle on your data inventory, are monitoring your data repositories, and have data champions willing to help you, then delivering an organisation-wide training programme to communicate expected data practices is the way to embed a culture of privacy into your organisation and reduce your exposure to insider breaches.
As with most leadership, communication is key!
6. Data security
So you understand your information estate and your employees are doing their utmost to process data appropriately; now it’s time to lock down your high-risk systems.
Your data inventory and data champions should be able to give you a clear view of the IT systems (and locked filing cabinets) that store and process your most valuable data.
Identify your high-, medium- and low-risk IT systems, applications, shared drives, data repositories and locked filing cabinets, communicate those risks to your information security team, and seek assurance that cyber security controls are in place that are proportionate to the sensitivity of the data being processed.
Embracing the crossover between data privacy and cyber security will best allow you to demonstrate that you have adopted data protection practices that are proportionate and appropriate for your organisation.
With these 6 tools you will be in an excellent position to navigate the data privacy landscape in 2019 and beyond.
In the last 12 months, data privacy has moved from a niche topic to something talked about at almost every corporation’s board meeting.
The EU GDPR, which came into force on May 25th, 2018, covers data held on any EU citizen and introduced new accountability for organizations processing personal data.
With the legislature passing the California Consumer Privacy Act 2018 (AB 375) on June 29th, 2018, there is now a similar set of rules governing most organizations holding data on US citizens.
We’ve now made it easy for you to read the act in full with our easily searchable CCPA text below:
California Consumer Privacy Act
Section 1 – This measure shall be known and may be cited as “The California Consumer Privacy Act of 2018.”
In the beginning, there was a team – Read Part 2 of our essential guides to GDPR
Explain GDPR to your organisation, identify your board sponsor, form a posse from legal, compliance, technology and your key personal information owners like HR and customer services. Then get everyone in a room, work out your high-level programme plan and cost it across internal resource, external advice/resource, tech spend, training and ongoing costs. Then you’ll all have a pretty clear view of life under GDPR.
Our free guides will cut through the myths and help you get a grip on GDPR as May 25th approaches – and here is Part 2. Let us help you see GDPR in a different, practical light.