SNAPSHOT ASSESSMENT

Data protection checklist

Every organisation is likely to be impacted by the Regulation in different ways, depending on a range of factors such as the sector in which it operates, the nature and volume of personal data routinely processed, and the maturity of regulatory compliance within the current operating model. It makes sense to undertake a snapshot assessment of the impact of the new regime on the business, so that early steps can be taken to identify and implement any necessary changes.

Any assessment ought to be tailored to the specific needs of the business but is likely to focus on the following key issues:
Topic | Description | What you need to know

1. Fair processing

The Regulation creates a shift in approach to the way controllers currently determine what amounts to "fair and lawful" processing of personal data. In the future, the individual will have much greater say in determining how their data may be lawfully used, with active rights to change consent-based processing and rights to object to processing based on "implied" rights (i.e. legitimate interests).

What you need to know:
  • Be clear about the basis on which use of data is currently justified at each point of collection from individuals
  • Where use is based on consent, or on "legitimate interests", look at adopting a more dynamic preference model for future use

2. Privacy notices

Privacy policies will need to include mandatory information about the way in which data are processed and the statutory rights available to individuals. The wording must be clearly comprehensible to the target audience.

What you need to know:
  • Check the format and content of current privacy notices
  • Notices will almost certainly require amendment to include the additional information, and a refresh into plain language

3. Information governance

Data controllers must establish a compliance framework which demonstrates to a regulator that the organisation is taking active measures to ensure responsibility for effective data protection, including documentation and regular audit processes.

What you need to know:
  • Establish an information governance model within the organisation, supported by clear reporting lines at all levels
  • Review and refresh internal policies and procedures to ensure they are fit for purpose
  • Establish effective privacy audit and review processes

4. Privacy impact assessments

Privacy impact assessments should be carried out as a matter of routine for projects which might expose individuals to enhanced privacy risks due to the nature or scope of the processing operation.

What you need to know:
  • Develop a standard privacy impact assessment process
  • Embed it into all new projects

5. Data protection officer

Certain types of organisations must appoint a data protection officer.

What you need to know:
  • Check whether the organisation is likely to be required to appoint a data protection officer; if so, take steps to appoint a suitable individual

6. Data breach

Where a data breach occurs, the controller must (in some cases) notify the local regulator and the relevant data subjects affected by the breach.

What you need to know:
  • Establish a data breach management process to identify, escalate and manage data breaches effectively

7. One-stop-shop

If a controller has multiple points of presence across the EU, it may take advantage of the "one-stop-shop" mechanism to appoint the supervisory authority in the country of the controller's main establishment as a single supervisory body across all EU operations. The one-stop-shop principle applies to processors as well.

What you need to know:
  • Consider whether this mechanism would be relevant to EU operations
  • If so, consider which country would be best suited to be the main point of establishment and take steps to organise the business accordingly

8. Sharing data outside the organisation or outside Europe

The rules on transferring data to other organisations (for example in the context of a commercial joint venture, an outsourced service model, or offshoring) are stringent and require the controller to take full responsibility for proper and secure handling, supported by effective due diligence and contractual measures.

What you need to know:
  • Establish clear ground rules for managing data handling throughout the supply chain
  • Underpin these with standard due diligence checklists and data sharing / processor agreements incorporating EU model clauses as appropriate

INFORMATION GOVERNANCE FRAMEWORK

Establishing an effective information governance framework across the organisation is the best way of preparing for compliance and managing risk. Ideally this framework should adopt compliance 'building blocks' that reflect the key features of the Regulation, as represented visually in the diagram below:

[Diagram: Data protection: information governance framework]

Within the DLA Piper global privacy practice we have developed a comprehensive set of tools to support development of each component part of the information governance framework. For further information please contact us.

PRIVACY IMPACT ASSESSMENT

A key tenet of the new regulatory landscape is an expectation that organisations will promote privacy and data protection compliance from the start of any new project, ensuring that privacy risk is identified and managed from the very earliest design phase when creating new products and services.

Projects should do this by carrying out privacy impact assessments as a matter of routine, especially when considering new arrangements that may involve handling sensitive data fields, or large volumes of personal data. The following basic ground rules should help set outline parameters to those involved in the design process:

TASK | DO | DON'T
COLLECTION | limit the type / volume of data collected to 'as needed' to complete specific tasks authorised in advance | do not collect sensitive data other than exceptionally; do not ignore privacy policy or notice commitments on fair use
ACCESS | provide users with access rights as needed to perform their tasks | do not set privileged account access by default
SHARING | control data sharing within and outside the organisation | do not send data outside the organisation or offshore unless additional protections are in place
USE | design systems with user preferences in mind | do not assume data collected for one purpose may be used for other purposes
STORAGE | have effective data retention policies | do not keep data indefinitely or without good reason
PROCESSING | use aggregated, key-coded, pseudonymous or anonymous data where possible | do not link identifiable user data without prior consent
GOVERNANCE | establish information governance structures up to board level | do not ignore the importance of managing risk across the organisation