Data protection by design and by default is a concept that should now be widely adopted across Europe, but I wonder if it is. The problem with data protection by design and by default is that in many cases it means that the organisation's operating model has to change, and when an operating model changes, inevitably the inputs and outputs of that model change with it. This is why there was a flurry of activity in the run-up to May 2018, when GDPR ‘went live’: organisations cleansing their marketing databases, writing records of processing activities and privacy notices, and maybe even implementing new policies. It does lead you to wonder, though, whether any of this information is still current, and if it isn’t, is this really data protection by design?
Many organisations will have spent small fortunes on consultants to audit their business, only to ignore the outputs and carry on in the same manner as before. Some will have progressed beyond the audit and implemented some of the advice, but it is unlikely that many, other than the large institutions, have taken data protection seriously enough to implement a personal data management system (PDMS).
Personal Data Management System
A PDMS is a collection of objectives, controls, policies, systems and procedures put in place to manage personal data within an organisation. It provides assurance to the management team that personal data is being managed according to the data protection principles, and provides evidence to the regulators that the principles are embedded within the organisation's operating model.
A well designed and well managed PDMS satisfies Article 5 of the General Data Protection Regulation (GDPR) as a minimum. Article 5 sets out the principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality) together with the accountability requirement to be able to demonstrate compliance with them, so meeting it in turn ensures that the organisation is meeting most of the other fundamental requirements of GDPR.
A PDMS cannot operate without knowledge of the activities in an organisation where personal data is processed. A register of these activities will tell the organisation why data is collected, where data is processed inside and outside of the organisation, and how long it is required, both in active use and in retention.
The activities register, or record of processing activities (ROPA), enables swift identification of the activities which pose a higher risk to data subjects, or those for which a clear lawful basis does not exist. The PDMS addresses these issues by recording legitimate interest assessments (LIA) and data protection impact assessments (DPIA) and capturing the risks that these identify.
Risk management will capture these risks, assess them, determine a treatment strategy for each risk and put in place an action plan to mitigate or monitor it. A management process then ensures that risks are managed, lessons are learned and a feedback loop is built into the system to ensure continual improvement.
Understanding where data is shared allows the PDMS to ensure that contractual arrangements with data processors are compliant, that higher risk data transfers are assessed for security against the organisation's policy, and that third country transfers are assessed for appropriate safeguards for the personal data being transferred.
Knowing how long personal data is required, and how long it will be retained, exposes the need for a data management procedure. This procedure ensures that the treatment of data changes during its retention period, for example that it is archived with greater controls once it is no longer in active use. In addition, governance procedures need to be in place to trigger destruction at end of life, and to handle the exceptions where personal data should not be destroyed on the date the retention policy would otherwise require, such as while a legal hold applies.
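The lifecycle procedure described above, as an added example that is not code from the original post or from ProvePrivacy: a small Python routine that reads retention rules from a ROPA-style register and decides, for each record, whether it should be retained in active use, archived under stronger controls, destroyed, or held back from destruction because an exception applies. The register format, the field names, the sample activities and the record dates are all constructed for illustration.

```python
"""Retention lifecycle driven by a record of processing activities (ROPA).

Added example; the register layout and sample data below are assumptions,
not ProvePrivacy's data model.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Tuple


class Action(Enum):
    RETAIN = "retain"    # still within the period of active use
    ARCHIVE = "archive"  # past active use, keep with greater controls
    DESTROY = "destroy"  # retention period expired, eligible for destruction
    HOLD = "hold"        # expired, but an exception blocks destruction


@dataclass
class RopaEntry:
    activity: str
    purpose: str
    active_use_days: int   # how long the data is needed in day-to-day use
    retention_days: int    # total retention from collection to end of life
    # Exceptions that override destruction, e.g. a legal hold (assumed field).
    holds: List[str] = field(default_factory=list)


def lifecycle_action(entry: RopaEntry, collected: date, today: date) -> Action:
    """Decide what the data management procedure should do with one record."""
    if entry.retention_days < entry.active_use_days:
        raise ValueError(f"{entry.activity}: retention shorter than active use")
    age = (today - collected).days
    if age < entry.active_use_days:
        return Action.RETAIN
    if age < entry.retention_days:
        return Action.ARCHIVE
    # End of life reached: destruction is the default, unless an exception applies.
    return Action.HOLD if entry.holds else Action.DESTROY


def review_register(register: List[RopaEntry],
                    records: List[Tuple[str, str, date]],
                    today: date) -> Dict[str, Action]:
    """Map each record id to its action so the review can be evidenced and
    HOLD cases escalated rather than silently skipped."""
    by_activity = {e.activity: e for e in register}
    return {record_id: lifecycle_action(by_activity[activity], collected, today)
            for activity, record_id, collected in records}


# Constructed sample register: two processing activities with different rules.
SAMPLE_REGISTER = [
    RopaEntry("recruitment", "assess applicants", active_use_days=180,
              retention_days=365),
    RopaEntry("customer-accounts", "deliver the service", active_use_days=365,
              retention_days=7 * 365, holds=["litigation-2024"]),
]

# Constructed sample records: (activity, record id, date collected).
SAMPLE_RECORDS = [
    ("recruitment", "cv-1001", date(2024, 10, 1)),       # recent: retain
    ("recruitment", "cv-0900", date(2024, 3, 1)),        # past active use: archive
    ("recruitment", "cv-0500", date(2023, 6, 1)),        # expired: destroy
    ("customer-accounts", "acct-7", date(2017, 6, 1)),   # expired, but on hold
    ("customer-accounts", "acct-8", date(2020, 1, 1)),   # within retention: archive
]

REVIEW_DATE = date(2025, 1, 1)


if __name__ == "__main__":
    for record_id, action in review_register(SAMPLE_REGISTER, SAMPLE_RECORDS,
                                             REVIEW_DATE).items():
        print(f"{record_id}: {action.value}")
```

The point of the HOLD state is the caveat in the paragraph above: a destruction trigger that only checks the retention date will delete data that a legal hold requires you to keep, so the exception has to be modelled in the same register that drives destruction, and surfaced for a person to act on.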
Policy should be developed at an early stage, reviewed at regular intervals and updated whenever risks have been identified or circumstances have changed. Policy should not just be written and forgotten: the organisation should be able to evidence that all appropriate staff have read and understood it, and the PDMS should ensure that these staff review it regularly so that the knowledge is instilled in the organisation. Awareness also extends to risks not covered by policy, so the PDMS should be able to evidence that staff are regularly reminded of the need to protect personal data through awareness campaigns or annual training.
A PDMS will also provide for the assessment of risks to personal data from other sources. Incidents such as data breaches, or a data subject exercising their rights, indicate a risk to the organisation and should therefore be captured, managed and reported, with actions planned for both the resolution of the incident and the resolution of the underlying problem.
Don’t stop at the audit.
2018 saw many organisations auditing their controls around personal data, and some have since put in place further objectives and controls to manage it. The audit process will have highlighted a number of additional projects to be undertaken. The outstanding question is: did your GDPR projects lead your organisation to implement a PDMS, or have they merely plugged a few gaps? Have you implemented some policy and procedure, or have you implemented data protection by design and by default?
ProvePrivacy is an online PDMS which will be available to organisations across Europe from April 2019. It will be provided directly to organisations via www.proveprivacy.com or through our network of partners. Partners receive income through our referral scheme and gain greater insight into their clients' needs, enabling them to improve their service by providing focused advice. The ProvePrivacy partnership programme is available to both Consultants and Virtual DPOs. For more information email firstname.lastname@example.org