Operationalising GDPR and Privacy by Design

The implementation of effective and compliant data handling practices is an issue that affects businesses across the world. The new requirements of the GDPR, which affect companies that are doing business globally, mean that organisations need to apply their “Privacy by Design” minds to how exactly they implement efficient and effective processes and systems. Two of the most valuable tools in this regard are privacy impact assessment (PIA) and data mapping, both of which are pivotal in documenting and tracking new initiatives.

The rapidly evolving privacy and data management space, together with the sheer volume of information that is today part and parcel of running a competitive organisation on the global stage, can make management extremely challenging.

However, the situation need not be completely overwhelming. There are lots of initiatives that organisations can roll out to ensure that data is tracked and protected in line with international requirements, including the GDPR. At the foundation of all of this is knowing, as a privacy professional, what’s going on within your organisation and ensuring robust documentation.

Two of the most powerful tools in the armoury of every privacy professional are data mapping and privacy impact assessments, both of which can be used to optimise and conform to the requirements of the EU General Data Protection Regulation (GDPR) in terms of accountability requirements.

The right tools for the “Privacy by Design” job

It’s essential that privacy professionals understand that if you’re going to make decisions, and you’re going to make them carefully and within context, you want those recorded, and you want those recorded ahead of time. You don’t want to revisit this information later and try to correct it. To do privacy by design, professionals need to become embedded with the people responsible for developing. Data mapping and privacy impact assessment are not magic wands that you can wave to get a complete solution; however, they are a good foundation.

The structured approach using privacy impact assessment (PIA) in conjunction with data mapping starts with the privacy assessment process, which consists of planning the intake questions, gathering responses and taking action. However, even within this structured approach for privacy by design there are potential pitfalls for the unwary or inexperienced.

One of the most important contributing factors to success is just how carefully intake questions are structured. You could start with a question like ‘Are you processing personal data? Yes or no?’ That feels good if you’re a privacy professional because you think you’re going to get a useful answer. You asked the right question. It turns out that if you put that into practice, there are lots of people who won’t know what you’re talking about. Or they learn that if they say yes, a lot more work comes their way. How do you avoid that? It’s about the construction of the questions. A better approach might be to put the data elements in front of someone, suggest some of the things that make up personal data, and allow them to select those. Is that harder? Not really, but the approach pays dividends in the form of more accurate results.

The importance of the ‘Threshold Assessment’

Privacy professionals should make sure that assessments are conducted on a regular basis, and the key to maintaining operational efficiency and the support of employees may be simply to find out how much work is required up front using a threshold assessment. A short list of around 10 screening questions can indicate whether a full privacy impact assessment is needed. This allows the privacy office to remain aware of risk within the organization while also focusing time only on the issues that matter.

If a threshold assessment indicates that further investigation is necessary, the key is to minimise workload and disruption while ensuring that the privacy impact assessment process is as effective as possible. An optimal way to do this is to use software or give employees a way to skip ahead past questions that are not relevant. The ideal approach is to use branching logic to allow employees to get through the questionnaire as quickly and efficiently as possible. You don’t want employees to have to wade through fifty questions in order to get ten answers. Anything you can do to make them more comfortable working with you, to know that you’re not there to waste their time: those are good things to do.

Make it audience appropriate

The final step is reviewing the results of the assessment and reporting to senior management, and this can also have its challenges. The privacy professional should always keep in mind that they are developing these reports for two primary audiences.

There is an internal audience and an external audience. The internal one is the management that you report to, or the people who work with you. All of them want to know what you think about this, and all of them want to have some sort of overview of where the risk is within the organisation.

The other audience would be the regulators or the people external to the company, and it’s important to have access to the data in a quick and logical way, not have it scattered across a variety of folders in a whole lot of different systems. That can be challenging, but it’s essential that information be stored in a logical manner and that it can be accessed in a repeatable way.

Implementing data mapping

There are three key steps for the second part of the process: data mapping. Data maps are useful from the moment that they are completed, and they remain valuable for privacy by design over the short, medium and long term, if the process is handled correctly.

One of the most effective ways to ensure that the data mapping exercise provides value is to ensure that there is a close relationship and integration between the set of questions in the assessment phase and what is required for data mapping. This allows automatic updating of the data map. The point is that you’re asking the right questions in a repeated way so that you could have something that’s evergreen to reference.

No one’s going to want to create a data map and then never see it used again or never see the value of having the data map in the first place. You have to take this back into your organisation and do something with it. It can’t just be because ‘we have to’ or ‘we’ll be held accountable if we don’t.’

One of the most important considerations when rolling out the assessment and data mapping program is to be as all-inclusive as possible. Through an approach which leverages interest from departments across the organisation, it is possible to create value and ensure the active cooperation of a diverse group of employees in the future. Privacy practice is not the only place that creates a bunch of questions. The security folks love [these sorts of programmes] as well, and so does legal. You might think about working together, providing one assessment.

Operationalising Privacy by Design – What’s the bottom line?

Using this methodology to achieve privacy by design should pay dividends not only in the usefulness of the data that is gathered, but also in identifying where risk exists within the organization. The approach also decreases the possibility of employee pushback against what can be seen as a time-intensive activity.

Organisations need to make sure that these processes are something that can be done repeatedly and efficiently. For me, there are several key imperatives in this approach.

  1. Spending time planning your intake questions is essential. How you ask your questions determines the quality of the answers you get.
  2. The threshold step makes a big difference. Using threshold questions, you find the high-risk issues quickly and you keep your focus where it needs to be.
  3. Automate distribution of questions as much as possible to make sure that your limited privacy resources are spent on privacy and not on sending out reminders and tracking down documents.
  4. Remember your audience for your reports and outcomes. You need to be creating value for an internal and external audience and you need to be able to demonstrate accountability.

Finally, if you combine the practices of privacy impact assessments and data mapping in the way that has been outlined, you have a great foundation for privacy by design which will enable your organization to design with privacy in mind at the outset.