Data Protection Compliance – the home of box ticking, and rightly so


Quite often we see posts or articles arguing that data protection compliance should not become a box ticking exercise, but are we looking at the bigger picture when we say this? Does ‘box ticking’ have its place in data protection compliance? To understand and answer this, we first need to be clear about how data protection compliance can be measured and achieved.

What is ‘Box Ticking’ in relation to Data Protection Compliance?

It is fair to assume that organisations which have determined that they need to address data protection risk have recognised that they need some sort of system in place, in order to understand the landscape in which personal data is processed. 

Establishing a system to identify data protection risk requires good knowledge of the subject, because the data collection requirements are informed by the possible outcomes.

It seems fair therefore to define box-ticking as ‘a system used to collect information relating to possible data protection risks with the purpose of evidencing compliance.’

What is the use?

There are some very clear, well established use cases for box ticking in the data protection context, each centred around understanding the extent of the risk involved in the processing.

  • RoPA / Privacy Impact Assessments – detailed exercises to understand the risks within the activities undertaken by an organisation. They help to build a picture of transparency, lawful basis, data storage and data sharing risks.
  • High Risk Assessments – essential for those parts of the business that do not understand the risks in the detail that a Data Protection Professional might. They are a precursor to a Data Protection Impact Assessment (DPIA), which addresses the risk more fully.
  • Legitimate Interest Assessments (LIA) – rely on some level of data collection, both binary and contextual. These should be a series of questions, pitched at a suitable level, so as to determine the balance of risk for activities with no clear alternative lawful basis.
  • Contract Assessments – help you to determine whether the basic data protection clauses are in place, and provide some comfort as to the level of compliance of the third party you are contracting with.

Data collection, and therefore ‘box ticking’, does have its uses as a way to initiate data protection by default for those who do not understand the nuances of the risk.

It doesn’t stop there!

The data collection exercise is useless, though, if nothing is done with the information that has been collected. The ‘box ticking’ will identify risks to personal data, and these risks must be addressed in a structured manner. This is where risk management expertise is needed, to ensure that the risks identified are mitigated and managed effectively.

There are therefore two aspects of box ticking that must be done correctly:

  1. The data collection process must build relevant knowledge. The system used to collect the information must be well designed, so that the outputs are clear, measurable and manageable.
  2. Any data collection process must be supported with follow-up actions; otherwise all you will be able to evidence is that you are not compliant.

Conclusion

We don’t believe that ‘box-ticking’ is a bad thing; in fact, we believe that it is essential to data protection compliance. It is stage 1 of your compliance strategy: it informs your data protection risk management framework and enables you to build a way of working which involves the activity owners and your executives in the data protection compliance decision-making process.
If you would like to learn more about how ProvePrivacy can tick the boxes for your organisation, book a demonstration.
