The implementation of effective and compliant data handling practices is an issue that affects business across the world. The new requirements of the GDPR which affect companies that are doing business globally means that organisations need to apply their “Privacy by Design” minds to how exactly they implement efficient and effective processes and systems. Two of the most valuable tools in this regard are privacy impact assessment (PIA) and data mapping, both of which are pivotal in documenting and tracking new initiatives.
The rapidly evolving privacy and data management space, as well as the sheer volume of information that is today part and parcel of running a competitive organisation on the global stage can mean that management can be extremely challenging.
However, the situation need not be completely overwhelming. There are lots of initiatives that organisations can roll out to ensure that data is tracked and protected in line with international requirements, including the GDPR. At the foundation of all of this is knowing as a privacy professional what’s going on within your organisation and ensuring robust documentation.
The two of the most powerful tools in the armoury of every privacy professional are data mapping and privacy impact assessments, both of which can be used to optimise and conform to the requirements of the EU General Data Protection Regulation (GDPR) in terms of accountability requirements.
The right tools for the “Privacy by Design” job
It’s essential that privacy professionals understand that if you’re going to make decisions, and you’re going to make them carefully and within context, you want those recorded, and you want those recorded ahead of time. You don’t want to revisit this information later and try to correct it. To do privacy by design, professionals need to become embedded with the people responsible for developing. Data mapping and privacy impact assessment are not magic wands that you can wave and get a complete solution, however it’s a good foundation.”
The structured approach using privacy impact assessment (PIA) in conjunction with data mapping starts with the privacy assessment process, which consists of planning the intake questions, gathering responses and taking action. However, even within this structured approach for privacy by design there are potential pitfalls for the unwary or inexperienced.
One of the most important contributing factors to the success is just how carefully intake questions are structured. You could start with a question like ‘are you processing personal data? Yes or no?’ That feels good if you’re a privacy professional because you think you’re going to get a useful answer. You asked the right question. It turns out if you put that into practice, there are lots of people that won’t know what you’re talking about. Or they learn that if they say yes, lots of more work comes their way. How do you avoid that? It’s about the construction of the questions. A better approach might be to put the data elements in front of someone and suggest some of the things that make up personal data and allow them to select those. Is that harder? Not really, but the approach pays dividends in the form of more accurate results.
The importance of the ‘Threshold Assessment’
Privacy professionals should make sure that assessments are conducted on a regular basis – and the key to maintaining operational efficiently and support of employees may be to simply find out just how much work is required up front using a threshold assessment. A short list of around 10 screening questions can indicate whether a full privacy impact assessment is needed. This allows the privacy office to remain aware of risk within the organization while also focusing time only on the issues that matter.
If a threshold assessment indicates that that further investigation is necessary, the key is to minimise workload and disruption while ensuring that the privacy impact assessment process is as effective as possible. An optimal way to do this is to use software or give employees a way to skip ahead past questions that are not relevant. The ideal approach is to use branching logic to allow employees to get through the questionnaire as quickly and efficiently as possible. You don’t want employees to have to wade through fifty questions in order to get ten answers. Anything you can do to make them more comfortable working with you, to know that you’re not there to waste their time – those are good things to do.