A Privacy Assessment: What it is and Why you need it

In our previous article, we shared our thoughts on the importance of baseline training and why it  should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program. Why privacy governance? Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits of having a sound privacy governance framework are: a. Facilitating data protection compliance An efficient governance framework guarantees that your organisation meets all its legal obligations under the current data protection laws. Through this framework your organisation can outline its compliance obligations and map out a path to compliance. Furthermore, you can set out a privacy accountability framework to ingrain a culture of data protection within the organisation. b. Promoting brand reputation An efficient privacy program also enhances your organisation’s reputation. If you misuse customer data you run the risk of severe backlash from your clients which in turn dents your corporate image. A case example is the 2016 data breach and subsequent cover-up at Uber Technologies Inc. which saw its customer perception rating drop by 141.3%. A large part of this market share was lost to rival company Lyft Inc. An elaborate privacy governance framework would shield your organisation against such risks. c. Adopting a proactive approach to data protection Merely adhering to the mandated data protection laws and regulations is a simplistic approach to privacy. Where an efficient governance framework is in place, the organisation advances from simply reacting to the laws to actively embracing data privacy and using it to your advantage. A proactive approach to data protection tailors your compliance strategy to the realities of your business. In addition, it allows you to foresee potential data risks and employ relevant mitigation strategies. d. Improving operational efficiency Another benefit of good privacy governance is improved operational efficiency in all functions that process data in the business. A privacy team is perfectly placed to identify and minimise unnecessary costs that arise from inefficient data processing. They can do this by minimising the duplication of roles, eliminating duplicated data that drives up storage costs etc. In doing so, the team would not only save your business money, but also optimise work flow. Key Considerations for your Privacy governance structure 1. The privacy vision and mission A privacy vision statement is an aspirational statement that articulates what the organisation would like to achieve regarding data protection. Through the vision statement, the company’s leadership communicates core privacy values to other stakeholders in the organisation. A mission statement is a succinct statement describing why a data privacy framework exists and the overall goals of the framework. ,Moreover, it describes some of the core principles embodied in the framework. Both these statements embed a culture of privacy within the organisation that enables compliance. When stated in outward-facing communications like privacy policies, they demonstrate to the public a care for their personal information thus reaping the benefits of trust and loyalty. A perfect example of this is Apple’s privacy mission statement which reads as follows: “Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.” 2. Data governance When crafting your privacy governance framework, you should deeply consider your organisation’s data governance system. Data governance is a system which defines what type of data is handled in your business, how it is handled, by whom, how it flows throughout the organisation etc. Personal data is the central focus of privacy compliance therefore your privacy governance framework should demonstrate a keen understanding of the data processing operations of your business. Using data maps and similar data tracking tools you can document the footprint of data from when it is collected and recorded to when it is erased and disposed. As a result, you paint a holistic picture of your organisation’s interaction with personal data which guides your privacy governance program. 3. Positioning the privacy governance function In addition, consider how your privacy function will fit within your current internal and external reporting structures. Privacy governance needs to be strategically domiciled in the business to oversee crucial data processing operations. To illustrate, complex organisations with several department heads may need decentralise privacy compliance so as to incorporate all the departments that process personal data in the organisation. Conversely, a small or mid-sized enterprise might centralise the function by assigning it one person such as the CEO. In so doing, any policies, protocols or orders that are issued can be easily tracked and implemented throughout the enterprise. Moreover, organisations with stringent statutory requirements like government agencies and multinational corporations will need to align their privacy framework to their legal reporting obligations. Basically, establishing a privacy governance framework requires a broad understanding of the upstream and downstream interaction of stakeholders and the process of decision-making and issue resolution within your organisation. 4. Resourcing your privacy governance function   a) Appointment of a Privacy Team Once you have conceptualised the privacy governance framework and defined its objectives, the next step is to appoint a team. Depending on the organisation’s needs, a single individual may manage the entire function or an all-inclusive team may take it up. The team may comprise of individuals skilled in data protection or of data privacy champions from different departments. The Data Protection Act recommends the appointment of a data protection officer(DPO)  for organisations that regularly or systematically process personal data or for those that handle sensitive personal data. However, any organisation may appoint a DPO to facilitate the privacy compliance process. The DPO must have relevant academic or professional qualifications in matters relating..

A Privacy Assessment: What it is and Why you need it

Conducting a privacy assessment is crucial to your data protection compliance journey. A privacy assessment is an in-depth evaluation of the personal data an organisation holds and its current data handling practices. Through this process you can identify the key privacy risks facing your organisation and the compliance gaps you need to fill. Privacy assessments involve two critical steps: data mapping and  gaps assessment. In this article, we consider the value of a privacy assessment to your privacy compliance program. We describe the best way to do this assessment in order to optimise your organisation’s compliance program. This article is part of our ongoing ‘Roadmap to Data Protection Compliance’ series which gives practical guidelines to businesses looking to comply with data protection laws. Previous articles in this series tackled initial training and sensitisation as a first step towards compliance and establishing a privacy governance framework as the second step. What is a privacy assessment? A privacy assessment is an analysis of how personal data is collected, used, shared, and maintained within an organisation. It is a risk management process that helps institutions identify the impact of their data processing operations on individuals’ privacy. Once data protection issues are identified, your organisation can develop remedial or mitigating actions to ensure compliance with data protection laws. Why conduct a privacy assessment? Privacy assessments give key privacy compliance stakeholders in your organisation a keen understanding of the personal data you collect and how it is processed. Privacy assessments can serve you in the following ways: – How to Carry out a Privacy Assessment There are two steps to carrying out a privacy assessment. The first is data mapping. A data map is a complete record or inventory of all the personal data processed in your organisation. This inventory provides an overview of how the data flows from its initial collection to the point it is erased. For a more in-depth look at how mapping supports privacy compliance click here. The second step is a gap analysis. This is a critical evaluation of all the data maps to identify data privacy gaps. In essence, you assess the extent of current compliance with data protection laws and regulations. You also identify the existing risks and data protection gaps in the processing of personal data in your organisation. Some best practices for privacy assessments include: Conclusion The privacy assessment process identifies all data protection gaps and privacy risk factors. We see how data has come into the organisation and how it moves, how it is used, how it is stored and secured and how it is finally erased. Your organisation can then implement the recommendations from the privacy assessment report, allowing you to develop an effective compliance program. Next week we continue with the ‘Roadmap to Data Protection Compliance‘ series by advising on the key policies required for data protection compliance.