A case study on how to meet privacy compliance obligations in an organisation in economically depressing times. The study includes various tools that can be deployed to counter resource reduction.
Data Protection Compliance In Economically Depressing Times
1. Case study: Data Protection (Privacy) compliance management in economically depressing times
BY
Ben Oguntala, LLB, LLM
ben.oguntala@dataprotectionofficer.com
www.dataprotectionofficer.com
Copyright 2011
This paper covers:
1. Policy management and implementation including periodic review
2. Dissemination of policies and procedures to all business units
3. Assessment of business changes that impact 3rd parties
4. Privacy impact assessment across business units
5. Privacy audit of suppliers
6. Operational support of businesses
7. Privacy standard enforcement
8. Managing subject access requests and responses
9. Privacy audit of business units
www.dataprotectionofficer.com info@dataprotectionofficer.com
2. Contents
Introduction 3
The role of the Data Protection Officer 4
Resource deficiency impact 5
Resource responsibilities on key privacy areas 6
Policy management and implementation including periodic review 7
Dissemination of policies and procedures to all business units 8
Privacy impact assessment across business units and 3rd parties 9
Privacy audit of suppliers 10
Operational support of businesses 11
Privacy standard enforcement 12
Managing subject access requests (SAR) and responses 13
Privacy audit of business units, projects and suppliers 14
3. Introduction
Most countries in Europe and America face an austere period for the next few years. Consequently, most organisations within these countries, in both the government and private sectors, will face the challenge of cost reduction whilst their requirements and obligations stay the same.
Within the Data Protection/Privacy management sector this austere period will manifest itself as a reduction in the privacy staff and resources available for managing the day-to-day requirements of data protection and privacy compliance management.
A reduction in resources increases the likelihood of breaching the EU Data Protection Directive or the UK Data Protection Act 1998. The key areas impacted include:
1. Policy management and implementation including periodic review
2. Dissemination of policies and procedures to all business units
3. Assessment of business changes that impact 3rd parties
4. Privacy impact assessment across business units
5. Privacy audit of suppliers
6. Operational support of businesses
7. Privacy standard enforcement
8. Managing subject access requests and responses
9. Privacy audit of business units
To address this problem, www.dataprotectionofficer.com offers a portal-based solution designed to assist Chief Privacy Officers, Data Protection Officers and compliance teams in meeting their obligations.
The diagram above depicts the areas of control that www.dataprotectionofficer.com provides to the data protection officer; even with diminishing resources, the obligations towards data protection compliance can still be met.
4. The role of the Data Protection Officer
The diagram below depicts how a typical organisation’s privacy management structure is organised; it shows the key areas of concern and the obligations associated with them. As resources are reduced, these key areas may become deficient, increasing the propensity to breach the Data Protection Act.
The solution provided by www.dataprotectionofficer.com was designed by privacy lawyers and compliance consultants; it therefore has an innate compliance capability even when resources are diminishing.
The solution also lets you pick and choose the areas you wish to automate. For example, strategy is predominantly handled by senior management and rarely changes; automating it gives visibility of how effective the strategy is within your organisation and where improvements can be made.
Operational support, complaints and resources, subject access requests, incidents, and audit and compliance are resource intensive. We have tools designed to reduce their resource requirements, allowing your organisation to maintain the same level of compliance by integrating the solution into your current environment.
5. Resource deficiency impact
Depending on the size of your organisation, the economic depression may have varying degrees of impact: a small to medium organisation may be left with 1 or 2 resources to manage the entire privacy regime, while a larger organisation may simply be left with 4 resources.
With this in mind, our solution is designed to allow you to operate with minimum resources in order to achieve optimum efficiency along with key performance indicators.
The numbers above may vary depending on the size of the organisation.
6. Resource responsibilities on key privacy areas
The resources within privacy have specific responsibilities, and if they are reduced the area may be exposed to potential breaches. Our solution is designed to plug each hole in order to ensure adequate coverage should the resource reduction actually materialise.
7. Policy management and implementation including periodic review
Assuming there is only 1 resource available in this area, the www.dataprotectionofficer.com solution
will enable your organisation’s resource(s) to:
1. Draft policies and procedures
2. Single click dissemination of policies to all business units
3. Single interface management of all policies, procedures and processes
4. Single dashboard view of all policies
The diagram above depicts the policy dashboard capturing the essential policies and their
commensurate procedures.
8. Dissemination of policies and procedures to all business units
The policy dashboard will allow you to:
1. Create Data Protection and other privacy related policies
2. Create a group or national policy
3. Create a local policy if applicable
4. Create relevant department policies relating to the main policy
5. Assign operational responsibility for procedures to an officer
6. The responsible officer will then be able to create their procedures to match the policies
7. Monitor risks, incidents and audits
All business units within your entire enterprise will have their key personnel listed on the
organisation chart, and once a policy is updated they will be alerted via email.
Each business unit will have the responsible officer listed as well as the key personnel in the business
unit responsible for the operations related to privacy and data protection.
9. Privacy impact assessment across business units and 3rd parties
All projects and business changes once approved will be able to submit their projects/changes via
the portal to the Data Protection/Privacy team for Privacy impact assessment (PIA).
Diagram: Initial survey, followed by PIA.
The process below depicts how your business units are able to submit projects and changes to your privacy or data protection team for privacy impact assessment.
10. Privacy audit of suppliers
The portal contains an organisational chart that also includes suppliers. The diagram below lists suppliers, the number of information assets you are sharing with them, and any incidents recorded against those assets.
This single interface simplifies the supplier engagement process and compliance management.
Each asset associated with the supplier is listed and can be audited, and non-compliances can be registered against each asset.
11. Operational support of businesses
Operational support is perhaps the area most likely to suffer from a resource reduction. To address the problem we have simplified the engagement process, making it possible to maintain the same level of service to the business.
Our initial approach is the automated privacy impact assessment, which determines the level of privacy impact a project has and automatically scores the project.
The initial survey is part of the privacy impact assessment and is designed to weed out projects that have no privacy impact, so that effort is focused only on projects with privacy risks.
This process suits teams with limited resources by streamlining the end-to-end process and focusing on privacy-impacting projects and changes.
12. Privacy standard enforcement
Our strategy in this area is to automate as many of the available technology-based provisions as possible; all IT systems that contain information assets will be automatically protected from build onwards in order to ensure inherent compliance.
13. Managing subject Access request (SAR) and responses
Subject access requests can arrive from numerous ingress points in your organisation; the www.dataprotectionofficer.com solution captures all your ingress points as well as your various business units and integrates them into a single dashboard.
Every time a SAR is registered, an automatic tracking process captures the request, alerts the team and places the request on the SAR dashboard. The role of the Data Protection team is to ensure all requests receive a response within the 40-day limit; to support this we have an automatic countdown that tracks the request from day zero until a response is made.
The dashboard automatically assigns a SAR ID to the request and allows the Data Protection/Privacy team to carry out the administrative and validity checks, and to assign the request to an officer for a response whilst retaining overall visibility.
At 5 days left, the dashboard entry changes to Amber and sends an alert to the team that a SAR has 5 days to go and has had no activity, allowing the team to act on the SAR prior to a breach.
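The countdown and Amber-alert logic described above, written out as an added Python example that is not part of the www.dataprotectionofficer.com product. It assumes a hypothetical SAR ID scheme and treats "no activity" as no recorded action since the 5-day Amber window opened.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SAR_DEADLINE_DAYS = 40    # statutory response limit referenced on the page
AMBER_THRESHOLD_DAYS = 5  # dashboard entry turns Amber with 5 days to go

@dataclass
class SubjectAccessRequest:
    sar_id: str
    received: date                      # day zero of the countdown
    ingress_point: str                  # e.g. "web form", "post" (constructed labels)
    last_activity: Optional[date] = None
    responded: Optional[date] = None

    def deadline(self) -> date:
        return self.received + timedelta(days=SAR_DEADLINE_DAYS)
    def days_left(self, today: date) -> int:
        return (self.deadline() - today).days

    def status(self, today: date) -> str:
        # CLOSED once answered; otherwise GREEN, AMBER (<= 5 days left) or BREACHED
        if self.responded is not None:
            return "CLOSED"
        left = self.days_left(today)
        if left < 0:
            return "BREACHED"
        return "AMBER" if left <= AMBER_THRESHOLD_DAYS else "GREEN"

class SarDashboard:
    def __init__(self) -> None:
        self.requests = {}

    def register(self, received: date, ingress_point: str) -> SubjectAccessRequest:
        sar_id = f"SAR-{received.year}-{len(self.requests) + 1:04d}"  # hypothetical ID scheme
        sar = SubjectAccessRequest(sar_id, received, ingress_point)
        self.requests[sar_id] = sar
        return sar

    def record_activity(self, sar_id: str, today: date) -> None:
        self.requests[sar_id].last_activity = today

    def alerts(self, today: date) -> list:
        # Amber or breached requests with no activity since the Amber window opened
        out = []
        for sar in self.requests.values():
            window_start = sar.deadline() - timedelta(days=AMBER_THRESHOLD_DAYS)
            idle = sar.last_activity is None or sar.last_activity < window_start
            if sar.status(today) in ("AMBER", "BREACHED") and idle:
                out.append((sar.sar_id, sar.status(today), sar.days_left(today)))
        return out
```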
14. Privacy audit of business units, projects and suppliers
The www.dataprotectionofficer.com solution automates the essential elements of a privacy audit by automatically tracking the key audit requirements; the key audit metrics are captured automatically, allowing remote audit and letting the team focus on high-level non-compliances.
The key elements for our audit module include:
1. Business units
2. Policies and procedures