Data Privacy questions you need to answer to determine if your compliance is up to scratch

Due to the evolving nature of data privacy laws, either with new laws being introduced and enforced or clarification on existing laws, businesses need to review their privacy compliance constantly.

However, our Data Privacy team is often called into organizations who have worked hard to achieve compliance some time ago, and whose business and the regulations that apply to it have changed, leaving their compliance undermined. By failing to adapt to new regulations, update necessary security measures or monitor how changes to the business affect which laws it must adhere to, many are left dangerously exposed.

To help, we’ve put together our top 10 questions you need to answer and continuously revisit to ensure your data privacy compliance is up to scratch for 2020, and beyond.

10 Data privacy questions your business needs to ask

Have you incorporated “Privacy by Design” into your projects?

Ann Cavoukian’s 7 Principles of Privacy by Design ensure businesses consider data privacy, security and data protection from the very start of new technology projects or changes to process, and crucially in such a way that prevents the new initiatives’ objectives from being undermined. Unfortunately, too many businesses implement privacy only as an afterthought, meaning functionality almost always has to be curtailed, turning the privacy function from business enabler and protector into “business blocker”.

Do you have a plan in place for responding to a data breach?

When a data breach occurs, many businesses panic, compounding the impact. Advance planning and regular stress testing, however, will ensure you have a clear, proportional and flexible strategy focused on protecting and informing your customers, and your business in the process. Such preparation will reduce the damage to your organization’s reputation if a data breach does occur.

Is access to data on a need-to-know basis?

An important question to ask is: who has access to your data, and is that access necessary for their work and business operations? You may find that some of your employees have privileged access to sensitive data, or to information they simply don’t need. Also, do you know which of your suppliers (including their employees) have access to your data? If so, you’ll need to ensure there are contractual protections in place determining the level of access permitted and the remedies in case of a data breach.

Do you know what kind of data your company collects and processes?

Gathering data is vital to any organization, but exactly how much data is needed, and what kind of data is it?

Most privacy laws around the world require organizations to be transparent about the data they process. The GDPR for example requires companies to maintain a detailed and explicit record of every item of personal data they collect and use – the Record of Processing Activities, or RoPA. But this is more than a paperwork exercise. It is also of enormous practical value. By understanding the source and purpose of every piece of received data, the company can better determine what data they genuinely need to receive and what the next steps – including disposal – need to be.

Is your company’s privacy notice an accurate reflection of what your company does with personal data?

The way data is captured and processed must be accurately and transparently stated in a privacy notice or privacy policy that is freely available and easily accessed. Have you updated your company’s privacy notice recently?

Have you considered the impact of Brexit on your GDPR and wider data privacy obligations?

If the UK leaves the EU under a no-deal Brexit, the UK becomes a third country without a data adequacy decision and with no surviving status quo. Overnight, it becomes an illegitimate territory for EU personal data. There is a series of measures that businesses active in the UK will need to consider or revisit, some of which are part of standard GDPR adherence, but some of which are specific to Brexit itself.

Does my organization need a Data Protection Officer?

Under many privacy regulations, organizations need to determine whether they must appoint a Data Protection Officer (or a similarly titled role). For example, under GDPR, if your business is a public authority or is processing personal or sensitive data at large scale, you are mandated under Articles 37-39 to have a Data Protection Officer. If you last reviewed your need for a DPO some time ago, it is worth revisiting this, as you may since have crossed the threshold. It is also worth checking the duties of the DPO under the various frameworks, as these are changing. Finally, whilst DPOs can be appointed internally, an internal appointee might not be suitable for the role; one option to overcome this is to outsource the role to a specialist.

Does your company have a process in place to respond to data subject access requests and/or complaints?

Under the GDPR legislation, EU citizens can request access to their data, find out if their data is being processed, and request a transfer of their data to another system. There must be a process in place which states who handles these requests. Your organization must also be able to retrieve all of the relevant data and securely transfer it to the person who made the request. This must be provided free of charge and without “undue delay.”

Are you ready for CCPA?

The California Consumer Privacy Act (CCPA) comes into effect on 1st January 2020 and will affect any business that serves Californian residents and has at least $25 million in annual revenue, as well as any company of any size that holds personal data on at least 50,000 people or collects more than half its revenue from the sale of personal data. It’s estimated that only 44% of in-scope businesses are prepared – are you one of them?

How Calligo can help

If any of these questions appear relevant to your business, submit an enquiry or book an initial free consultation with the Calligo Privacy Team.