
The Data Protection Officer’s (DPO’s) Toolkit – The 6 Essentials


2018 saw the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in America, and the Personal Data Protection Bill (PDPB) in India introduce privacy protections to nearly 2 billion citizens.

With enforcement set to take centre stage in 2019, what essentials do data leaders need to keep themselves out of the crossfire of regulators?

6 Essentials of the DPO’s Toolkit

1. Data inventory
2. Data monitoring
3. Data rights fulfilment
4. Data champions
5. Data training
6. Data security

1. Data inventory

The first step to taking control of your data is being able to answer: what data do I have? Why do I have it? Who can process it? Where is it stored? How and when do I delete it?

Creating an inventory of all of your data processes is the first step for any DPO needing to comply with global privacy legislation (and it is mandatory under Article 30 of the GDPR, Records of Processing Activities).

Discover and document your organisation's data practices; this will give you the best possible platform to comply with global privacy regulations and get the most value from your data.

2. Data monitoring

So you've documented your data practices, but is that really how data is being processed on your network? Is your data inventory reflective of your true data practices?

The answer is usually no. Luckily, the days of manual data audits and 'privacy compliance platforms' with no data monitoring capabilities are over, and cutting-edge data discovery and compliance technologies like Exonar are now available.

By monitoring your data estate you can make sure your marketing leads stay in your marketing department, your payroll files stay within your payroll department, and your Top Secret Project X documents remain exactly where you want them to be.

3. Data rights fulfilment

2019 is the year citizens take back control of their data.

Personal information belongs to the individual it relates to, and organisations are required to provide full access to that data upon request: within 30 days under the GDPR in Europe and within 45 days under the CCPA in America. In Europe, 48% of Generation X and Y have exercised their right to access, with over a third of all European citizens having done so since May 2018.

As a data leader, you must have a permanent and robust process in place for being able to respond to subject access requests (SARs), detailing the personal information you are processing and what you are using it for.

SARs can take days to fulfil if you are relying on manual data discovery, so employing a data discovery tool to help you can reduce your SAR response time from days to minutes.

4. Data champions

Data is big and it’s only getting bigger. A DPO is (for now) only human and keeping your data estate in compliance is only possible with a little help from some friends.

Once you've got your data inventory you should have a good understanding of the business units whose data processes fall into natural silos, e.g. Sales, HR, Legal, Payroll, Customer Services, Operations A, Operations B.

Assign a data champion for each business process, ensure they understand what the data inventory says about expected data practices, and empower your data champions with the resources needed to keep your data estate in compliance.

Data champions within their business units will often understand the nuances of data processing in more detail than a DPO, so delegation of responsibility is key.

5. Data training

Data protection is a collective action problem. If you have thousands of employees it only takes a small number of bad practices to throw your compliance programme into disarray.

If you have a strong handle on your data inventory, are monitoring your data repositories, and have data champions willing to help you, delivering an organisation-wide training programme to communicate expected data practices is the way to embed a culture of privacy into your organisation and reduce your exposure to insider breaches.

As with most leadership, communication is key!

6. Data security

So you understand your information estate and your employees are doing their utmost to process data appropriately; now it's time to lock down your high-risk systems.

Your data inventory and data champions should be able to give you a clear view of the IT systems (and locked filing cabinets) that store and process your most valuable data.

Identify your high-, medium- and low-risk IT systems, applications, shared drives, data repositories and locked filing cabinets, communicate those risks to your information security team, and seek assurance that cyber security controls are in place that are proportionate to the sensitivity of the data being processed.

Embracing the crossover between data privacy and cyber security will best allow you to demonstrate that you have adopted data protection practices that are proportionate and appropriate for your organisation.

With these 6 tools you will be in an excellent position to navigate the data privacy landscape in 2019 and beyond.