How to know what privacy gaps need to be addressed in a privacy programme? This article will provide you an answer highlighting important steps to consider on the way.
First step is to map out legal requirements laid out in privacy laws an organization is subject to. How to achieve this? If an organization does a business within the boundaries of one country (meaning no offices, establishments, agents in third countries), it should take into consideration that country’s laws. After that, the organization should verify whether it processes personal data of individuals from that country only or its operations include processing of personal data of the individuals from other countries as well (the individuals located in, residents or citizens of those countries). If the latter is the case, this would mean that organization should include laws of those countries in its analysis.
For global organizations, in addition to the above, laws of the countries where they have presence, such as establishments or agents, should be taken into account.
Why is this important? Organizations must understand legal requirements of the privacy laws that apply to them. These laws should be scoped and included in the analysis as explained further in this article.
Below are the most important and the most common requirements under privacy laws or laws regulating some aspects of privacy of individuals (note that some laws may have specifics hard to generalize and include here). For the purpose of this article, we will assume that all of the below have to be addressed. In real life, organizations should assess their current state of privacy and compare with the requirements under privacy laws to understand what gaps need to be closed.
1) Scope of the law
After understanding its operations as described above, an organization might have a number of privacy laws to look into.The easiest way to determine whether a privacy law applies is to look into its scope.
If the organization’s processing of personal data falls under the scope of the law, then the organization should proceed with the below steps.
2) Notification requirements
In some cases, organizations have to register themselves with data protection authorities. If the organization meets certain threshold, a Data Protection Officer (DPO) or similar role has to be appointed. Ultimately, almost every privacy law contains data breach reporting requirements (to the authorities and/or individuals). These all require notifications to the authorities.
One-off reporting requirements such as registering the organization or the DPO, might be dealt with straight away. However, personal data breach notifications have to be considered only when personal data breaches occur. The personal data breach notification requirements should be mapped for each jurisdiction, e.g,. deadlines and thresholds for reporting to the authorities and the individuals, so in case of the data breach the organization is equipped to react quickly.
3) Record of processing activities
Some privacy laws mandate having a record of processing activities. However, even if not mandated by the law, such record is the backbone of every privacy programme. Therefore, every organization should create one.
The process may be a bit different depending on whether organization uses an automated tool to maintain or maintains the record manually. What both approaches will have in common is a communication plan, training to and face to face meetings with relevant stakeholders.
The record should be updated every time a new process is introduced and it should be reviewed at least annually – this is when communications come in handy.
4) Legal basis
Almost every privacy law contains legal basis for processing of personal data. In some cases, privacy laws prescribe consent as the only legal basis, while in other they prescribe more than one legal basis to rely on when processing personal data.
This step goes hand in hand with the record of processing activities. Once an organization maps out its processes, appropriate legal basis can be determined for each one of them (depending on the jurisdiction).
Certain privacy laws contain underlying principles which direct how organizations should process personal data. It is important to be aware of these as even though the law does not contain specific use cases, a principle may shed more light on whether that processing is allowed under the law or not (think of fairness for example).
The organization should be aware of principles for every privacy law that applies to it. These would have to be embedded in the organization’s processing of personal data. A mean to achieve this is through privacy impact assessments, trainings, policies, communications to employees and similar.
6) Rights of individuals
Most of the privacy laws give certain rights to individuals, such as right to access, erasure, rectification, object, restriction and portability (these rights may vary depending on the law). Even though not really a right per se, transparency should be looked as one, as every individual whose personal data are processed by the organization should be provided with details of the processing.
This is quite a comprehensive piece of work to be done. The organization must have a proper understanding of its data flows, including points of collection, which systems are used as upstream and downstream systems, how long different categories of data have to be kept for, etc. This is important as only then the organization will be able to meet its obligations, e.g., deliver all personal data of an individual to them. In addition, appropriate procedures for dealing with requests from individuals must be in place, followed by trainings and awareness sessions to employees, especially the ones in customer facing roles who are likely to receive such requests (HR representatives should not be overlooked as they are also likely to receive such requests from employees).
7) Transfers of personal data
In some cases, personal data must be kept within the boundaries of a country where the personal data is collected, or where an organization is located. In others the organization has to employ certain safeguards should it wish to transfer data out of those countries.
It is important to map out data flows in a record of processing activities, including countries where data flows. After that exercise is done, the organization may realize that the data flows to countries and that it must employ additional safeguards for those transfers or that the personal data must not leave the particular country.
8) Personal data of children
Protecting children’s personal data is present in many privacy laws or laws protecting privacy of children.Organizations processing personal data of children should look into specifics of these laws for further requirements.
In most cases parental consent should be obtained. It should be identified what processes involve children’s personal data, so that consent satisfying legal requirements is obtained where required.
9) Processing of special categories of personal data
Many privacy laws contain provisions on specific categories of personal data such as biometric data, sexual orientation, data related to criminal convictions and offences and similar.Processing of such personal data usually carries additional responsibilities for organizations.
An organization must identify in its record of processing activities, which processing activities involve special categories of personal data. Based on that, additional requirements will be applied where required, such as prescribed legal basis for processing special categories of personal data.
10) Processing by third parties
Organizations often outsource processing of personal data to third parties, e.g., processors. Some privacy laws mandate that agreements between parties should include certain clauses. In other cases,when data is transferred to organizations with equivalent status under the law, e.g., independent or joint controllers, agreements should cover the relationship by assigning clear roles and responsibilities between parties.
Record of processing activities should include names of third-parties involved in processing of personal data and their status. If that is the case, the organization can assess whether appropriate agreements with those third parties are in place e.g., an agreement with the processor which would satisfy conditions under Article 28 GDPR.
11) Privacy impact assessments
In order to protect individuals when processing their personal data and comply with privacy laws organizations need to embed requirements under privacy laws for every processing of personal data.
The most convenient way to ensure compliance with privacy laws is by performing Privacy Impact Assessments (Data Protection Impact Assessments). Some laws prescribe cases when it is necessary to carry out one, but even when it is not a legal requirement, a well-established process of conducting them can help organizations embed privacy by design in new or processes which undergo changes.
12) Notices, policies, procedures and trainings
Organization must publish notices to inform its customers and employees how it processes personal data. In addition, policies and procedures providing guidance to the organization’s employees on various privacy matters should be put in place and communicated properly. It goes without saying that privacy training, both general and role-specific, must be provided to the employees.
13) Security of personal data
Privacy laws usually do not prescribe security standards. Instead they stipulate that personal data should be safeguarded properly. In this case, privacy professionals have to work closely with their security colleagues to develop an appropriate security policy.
A record of processing activities should contain information about what systems are used to process personal data, or whether personal data is kept in a “paper” form. An organization should ensure that all processes adhere to its security standards, and by knowing what systems are in use, or where the personal data is kept can help greatly.
14) Employee personal data
Some privacy laws contain additional requirements when it comes to employees’ personal data. In addition, many employment laws contain requirements on the retention of employee’s personal data.
An organization should identify processes involving personal data of its employees, and apply the legal requirements to them.
Most of the consumer-oriented organizations engage themselves in some form of marketing. Sometimes marketing related requirements may be part of privacy, consumer protection or marketing specific laws. Usually, the marketing can be performed if consent of individuals is obtained; however, some jurisdictions allow marketing as long as an unsubscribe facility is offered or if organizations have an existing relationship with customers.
Legal requirements and marketing rules for each country whose laws regulating marketing apply should be mapped out, taking into consideration different forms of marketing.
Not all countries contain cookie specific requirements. Some of them regulate cookies only if personal data is processed by using cookies.
An organization must understand which laws regulating cookies apply to it and understand their requirements so it can comply with such laws.
As you can see, running the privacy programme without a record of processing activities can be extremely challenging. That is why, an organization must keep the record up-to-date to enable conducting gap analysis without unnecessary delays and repeating of activities.
After legal requirements are mapped out and gaps identified by comparing the legal requirements with current as-is state of privacy, the organization should create actions to close those gaps.
Depending on the level of automation, these actions may include changes in the systems and underlying processes, which in return means that representatives from IT and other relevant departments should be included in the planning activities and the execution phase.
In order to run the successful privacy programme an organization must answer the question whether it should employ the highest standard across the organization or strictly comply with laws. This decision lies with the management of each organization, and the position should be clearly set from the beginning, to avoid additional effort when trying to fix gaps resulting from the analysis.
Ideas expressed in this article are personal views of the author and do not constitute legal advice.