GDPR introduced sweeping changes to UK and European privacy rules. Article 25, ‘Privacy by Design’ and ‘Privacy by Default’, formed the basis for embedding global data privacy compliance management into everyday operations and system processing. Privacy by Design requires that organisations consider data privacy at the initial design stages of introducing new products, processes or services that involve processing personal data.
This has been addressed by introducing rigid processes and policies that control how data should be collected, processed, disclosed, and retained, together with risk assessments such as a Data Protection Impact Assessment (DPIA). Many see this as the bedrock of achieving and maintaining privacy compliance under GDPR and many other data privacy laws.
In Article 25 of the GDPR, the EDPB created the data privacy beast: a group of silos within organisations tasked with ensuring that all data processing is compliant and stays that way.
Legal & Compliance, Data Owners, IT, and Systems Development are the four silos that contribute to implementing and maintaining privacy compliance.
So, let’s look into what resource-sapping tasks challenge each silo.
Legal: Legal are tasked with understanding the data processing task, the data subject categories and types of data, and the purpose and nature of the processing. If the processor is located outside the UK / EU, they must determine whether adequacy is achieved or whether Standard Contractual Clauses (SCCs) are needed together with a data transfer impact assessment. Once all of this is gathered, contracts need to be put in place if the processor is new, or updated if it is an existing processor. Lastly, the privacy notice should be reviewed to see whether it requires editing.
That, of course, is just one example. As we know, legal and compliance may perform this process many times during an average month, consuming additional resource time and requiring a growing team to perform repetitive tasks.
Data Owners: Data owners must organise their team and document access matched to their staff job roles, and organise data retention schedules to match the type and classification of the data. If they are involved in processor relationship management, they work closely with the legal team to provide the information that enables the legal team to secure contracts. They regularly perform policy, contract and security reviews, which can be significant resource-sapping tasks.
IT: The IT team liaise with the DPO, data owners and development teams to apply the correct access permissions, data classification, data retention and backup schedules. They update all policies concerning the above, create new policies and storage locations, and configure encryption at rest and in transit.
Development teams: The development teams are crucial to privacy compliance and request the requirements from the compliance team and DPO. If the development team applies privacy by design and by default at the start of the implementation and references a DPIA throughout the project, this can provide a surprising reward.
I have often asked development teams what the most frustrating thing about data privacy compliance is. The answer is always close to the number of reworks needed in the code to meet the compliance standards.
Is it a Sustainable Approach?
So how sustainable is this silo approach against ever-growing privacy regulation?
At Formiti, we are always looking to the future and at how we can simplify the compliance programs we implement for clients. The current silo approach, we think, has a shelf life of perhaps three years at most: it will become unsustainable for organisations with budgetary constraints, and outsourcing pricing will almost certainly increase.
What is the Future?
In our opinion, the future of data privacy compliance management lies in moving data governance and compliance management into code: code that fully automates the privacy framework and addresses every aspect of the silo tasks above, including automatically matching data processing to legal documents and reporting any discrepancies in living contracts with other controllers or processors.
Look out for our next article, Data Privacy Management “Breaking Down The Silos,” which shows how the future of data privacy compliance automation will be delivered, having you up and running in an average of five hours of implementation time, with an ROI of under one year.