Data Protection Compliance In Economically Depressing Times

A case study on how to manage privacy compliance obligations in an organisation in economically depressing times. The study includes various tools that can be deployed to counter resource reduction.
1. Case study: Data Protection (Privacy) compliance management in economically depressing times
   By Ben Oguntala, LLB, LLM, ben.oguntala@dataprotectionofficer.com, www.dataprotectionofficer.com. Copyright 2011.
   This paper covers:
   1. Policy management and implementation including periodic review
   2. Dissemination of policies and procedures to all business units
   3. Assessment of business changes that impact 3rd parties
   4. Privacy impact assessment across business units
   5. Privacy audit of suppliers
   6. Operational support of businesses
   7. Privacy standard enforcement
   8. Managing subject access requests and responses
   9. Privacy audit of business units
   www.dataprotectionofficer.com info@dataprotectionofficer.com
2. Contents
   Introduction (slide 3)
   The role of the Data Protection Officer (slide 4)
   Resource deficiency impact (slide 5)
   Resource responsibilities on key privacy areas (slide 6)
   Policy management and implementation including periodic review (slide 7)
   Dissemination of policies and procedures to all business units (slide 8)
   Privacy impact assessment across business units and 3rd parties (slide 9)
   Privacy audit of suppliers (slide 10)
   Operational support of businesses (slide 11)
   Privacy standard enforcement (slide 12)
   Managing subject access requests (SAR) and responses (slide 13)
   Privacy audit of business units, projects and suppliers (slide 14)
3. Introduction
   Most countries in Europe and America are faced with an austere period for the next few years. Consequently, most organisations within these countries, especially in the government and private sectors, will face the challenge of cost reduction whilst their requirements and obligations stay the same. Within the data protection/privacy management sector this austere period will manifest itself as a reduction of privacy staff and resources for managing the day-to-day requirements of data protection and privacy/compliance management. A reduction in resources increases the likelihood of breaching the EU Data Protection Directive or the UK Data Protection Act 1998.
   The key areas impacted include:
   1. Policy management and implementation including periodic review
   2. Dissemination of policies and procedures to all business units
   3. Assessment of business changes that impact 3rd parties
   4. Privacy impact assessment across business units
   5. Privacy audit of suppliers
   6. Operational support of businesses
   7. Privacy standard enforcement
   8. Managing subject access requests and responses
   9. Privacy audit of business units
   To address this problem, www.dataprotectionofficer.com has a portal-based solution designed to assist Chief Privacy Officers, Data Protection Officers and compliance teams in maintaining their obligations. The diagram above depicts the areas of control that www.dataprotectionofficer.com provides to the data protection officer; even with diminishing resources, the obligations toward data protection compliance can still be met.
4. The role of the Data Protection Officer
   The diagram below depicts how a typical organisation's privacy management structure is organised; it demonstrates the key areas of concern and the obligations associated with them. As resources are reduced, the key areas may become deficient, increasing the propensity to breach the Data Protection Act.
   The solution provided by www.dataprotectionofficer.com was designed by privacy lawyers and compliance consultants; it therefore has an innate compliance capability even when resources are diminishing. The solution also allows you to pick and choose the areas you wish to automate. For example, strategy is predominantly handled by senior management and rarely changes; automation there gives visibility of how effective the strategy is within your organisation and where improvements can be made. Operational support, complaints and resources, subject access requests, incidents, and audit and compliance are resource intensive; we have tools designed to reduce their resource requirements, allowing your organisation to maintain the same level of compliance by integrating the solution into your current environment.
5. Resource deficiency impact
   Depending on the size of your organisation, the economic depression may have varying degrees of impact. In some situations, a small to medium organisation may be left with 1 or 2 resources to manage the entire privacy regime, and a larger organisation may simply be left with 4 resources. With this in mind, our solution is designed to allow you to operate with minimum resources in order to achieve optimum efficiency along with key performance indicators. The numbers above may vary depending on the size of the organisation.
6. Resource responsibilities on key privacy areas
   The resources within privacy have specific responsibilities, and if they are reduced the area may be exposed to potential breaches. Our solution is designed to plug each hole in order to ensure adequate coverage should the resource reduction actually materialise.
7. Policy management and implementation including periodic review
   Assuming there is only 1 resource available in this area, the www.dataprotectionofficer.com solution will enable your organisation's resource(s) to:
   1. Draft policies and procedures
   2. Disseminate policies to all business units with a single click
   3. Manage all policies, procedures and processes from a single interface
   4. View all policies on a single dashboard
   The diagram above depicts the policy dashboard, capturing the essential policies and their corresponding procedures.
8. Dissemination of policies and procedures to all business units
   The policy dashboard will allow you to:
   1. Create data protection and other privacy-related policies
   2. Create a group or national policy
   3. Create a local policy if applicable
   4. Create relevant department policies relating to the main policy
   5. Assign operational responsibility for procedures to an officer
   6. The responsible officer will then be able to create their procedures to match the policies
   7. Monitor risks, incidents and audits
   All business units within your entire enterprise will have their key personnel listed on the organisation chart, and once a policy is updated they will be alerted via email. Each business unit will have the responsible officer listed, as well as the key personnel in the business unit responsible for operations related to privacy and data protection.
9. Privacy impact assessment across business units and 3rd parties
   Once approved, all projects and business changes can be submitted via the portal to the data protection/privacy team for privacy impact assessment (PIA).
   [Diagram: initial survey leading into the PIA process]
   The process below depicts how your business units are able to submit projects and changes to your privacy or data protection team for privacy impact assessment.
10. Privacy audit of suppliers
   The portal contains an organisational chart that also includes suppliers. The diagram below lists suppliers and the number of information assets you are sharing with them, as well as any incidents recorded against those assets. This single interface simplifies the supplier engagement process and compliance management. Each asset associated with the supplier is listed and can be audited, and non-compliances can be registered against each asset.
11. Operational support of businesses
   Operational support is perhaps the area most likely to suffer from a resource reduction. To address the problem we have simplified the engagement process, making it possible to maintain the same level of service to the business. Our initial approach is the automated privacy impact assessment, which determines the level of privacy impact a project has and automatically scores the project. The initial survey is part of the privacy impact assessment and is designed to weed out projects that have no privacy impact, so that effort is focused only on projects with privacy risks. This process suits teams with limited resources by streamlining the end-to-end process and focusing on privacy-impacting projects and changes.
12. Privacy standard enforcement
   Our strategy in this area is to automate as many of the available technology-based provisions as possible; all IT systems that contain information assets will be automatically protected from build onwards in order to ensure inherent compliance.
13. Managing subject access requests (SAR) and responses
   Subject access requests can arrive through numerous ingress points in your organisation; the www.dataprotectionofficer.com solution captures all your ingress points and business units and integrates them into a single dashboard. Every time a SAR is registered, an automatic tracking process captures the request, alerts the team and places the request on the SAR dashboard. The role of the data protection team is to ensure all requests are responded to within the 40-day limit; to support this, an automatic countdown tracks each request from day zero until a response is made. The dashboard automatically assigns a SAR ID to each request and allows the data protection/privacy team to carry out the admin and validity checks, and to assign the request to an officer for a response whilst retaining overall visibility. With 5 days left, the dashboard entry changes to amber and an alert is sent to the team that a SAR has 5 days to go and has had no activity, allowing the team to act on the SAR before a breach occurs.
14. Privacy audit of business units, projects and suppliers
   The www.dataprotectionofficer.com solution automates the essential elements of a privacy audit by automatically tracking the key audit requirements. The key audit metrics are captured automatically, allowing remote audit and letting the team focus on high-level non-compliances. The key elements of our audit module include:
   1. Business units
   2. Policies and procedures
   3. Suppliers
   4. Key performance indicators
   5. Privacy process audit
   6. Projects and changes
   7. Information asset register
   The end