“Are we data protection compliant?” We are asked this question so often that it has almost lost meaning.
Without some recognition of the many layers to this question there is a risk you might not like the answer. The short answers are yes…and no.
Yes, you are probably compliant with SOME aspects of data protection.
No, you are probably not compliant with ALL aspects.
Compliance is a continual requirement; it can rarely, if ever, be fully achieved. The fact that data protection law is principle-based adds complexity.
- It requires organisations to make decisions before it can be applied (via policies, procedures) to that organisation.
- It touches all areas of business activity; all areas need to “be compliant”.
- It links to other disciplines, such as information security and records management, which have their own compliance requirements and standards.
- It is subject to change: caselaw emerges providing clarity; new Codes of Practice are written; public policy and other changes all influence how the law should be applied.
And yet, we are regularly asked “are we compliant?” The only true answer to this question is (sorry) a question: What do you mean?
- Are we 100% compliant with all aspects of data protection, privacy, and information security?
- Is our paperwork compliant with the law and caselaw?
- Is our practice compliant with our paperwork?
- Is our practice compliant with the law and caselaw?
- Are we compliant now, at this point in time?
- Do we have the sort of governance, culture, resources, policies, and procedures that make it likely you will be managing data protection risk each day in a compliant way?
So, when asking about compliance ask yourself what you really want to know:
- Does your paperwork reflect all aspects of data protection, information security and privacy law?
To what extent does your current documentation – your policies, procedures, logs and other records – address the many aspects to data protection and information security?
This is an important first step, because if your paperwork doesn’t even mention or address an issue there is very little chance that the organisation is considering it, that staff are aware of it, or that they are complying with what the law requires on a daily basis.
This is a broad review of how much love and attention to detail has previously been spent on getting your paperwork in shape. Paperwork doesn’t sort compliance alone, but it does form part of the way you demonstrate compliance with your data protection and information security obligations.
Note: Protecture Technology has developed a Data Protection Framework. This assesses paperwork against 135 Elements and Requirements across three Sections (Accountability, Transparency and Security).
- Does your paperwork reflect reality?
Your paperwork may address each and every aspect, but we know that anyone can write a policy long on wishful thinking and lofty ambition.
The next critical aspect to assessing compliance is therefore to look at whether your paperwork actually reflects what is possible in reality at your organisation.
For example, I can write a policy stating, “No special category personal data will be shared via email.” This may demonstrate an awareness of the need to address secure sharing of data via email, but, really? Nobody? Ever?!
It just doesn’t seem possible and, in the absence of the paperwork outlining an alternative (e.g. “all sensitive data must be shared via the Egress platform”) it should be flagged as hyperbole and in need of review.
- Does your paperwork demonstrate that key policy decisions have been made?
We can extend point 2 to look beyond practical aspects into the areas of data protection and information security that require decisions to be made.
For example, a policy can say “we will always use the most appropriate lawful basis for processing data, and will maintain a ROPA” but this gives no indication of whether decisions have been made on:
- The use of consent and/or legitimate interests?
- The granularity of consent options?
- The use of legitimate interests to process data obtained via cookies?
- The use of legitimate interests to undertake profiling/analysis of user activity to inform decisions?
And a policy stating that “staff must use appropriate security when working from home using their own personal devices” does not let us know whether decisions have been made on:
- The roles permitted to use their own personal devices.
- The rationale for this (i.e. why they have been permitted, such as because they handle non-sensitive / low volumes of data, or there is a secure means for them to access work data).
- Can you evidence that decision-making includes assessment of data protection risk?
Three key areas of compliance – Responsibilities of the Controller (Article 24), Data Protection by Design and Default (Article 25) and Security of Processing (Article 32) – all contain the critical requirement to consider the “nature, scope, context and purposes of processing” when making risk-based decisions.
For your paperwork to demonstrate compliance, it should therefore include procedures and criteria that ensure:
- Decisions are informed by an assessment of the nature, scope, context and purpose of processing, available resource, and risk appetite.
- Data Protection Impact Assessments (DPIAs) and purpose compatibility assessments are used to assess the impact of new projects and proposed uses of data on personal privacy and your operational, regulatory, financial and ethics risks.
- Can you evidence that your policies and procedures are working in practice?
With all the above in place, it would be a crying shame to miss the final aspect of compliance: being able to demonstrate that you are complying with policies, procedures, and processes.
This requires tools (such as logs of activity) and reporting (such as quarterly operational reporting; reporting to senior management; reporting to Trustees) to provide insight into the ongoing adherence to your policies, procedures, and processes.
For example, reporting on (i) your handling of individual rights requests, (ii) due diligence of suppliers, (iii) privacy notices containing the required privacy information, (iv) DPIAs being conducted when needed, (v) your handling of breaches and (vi) training being completed.
The insights from this performance data can then be used to shape future work that will further improve performance and ensure compliance is maintained.
This approach to assessing compliance can deliver the cultural change, records and reporting mechanisms that will sustain and embed practices to provide stakeholders with assurance that their organisation is “data protection compliant.”
For more information contact us…