The 9 Pillars of Data Privacy

It’s impossible to navigate the Internet today without being asked to hand over our personal details at practically every website we visit.

Organisations use this information for a variety of purposes – some of which improve the user experience, while others inform business decisions or processes. But whatever the reason an organisation processes personal data, doing so comes with a price.

If organisations don’t properly protect or use personal data, individuals could be subject to fraudulent activity or be targeted by scams. Alternatively, the exposure of sensitive information could mean that victims face embarrassment or reputational damage.

These situations all come with knock-on effects for the organisation involved, from PR disasters and regulatory penalties to the ongoing costs associated with rectifying the damage.

There has been a growing incentive to raise the public’s awareness of the importance of these issues – and for nearly the past two decades, 28 January has marked Data Privacy Day.

The international event helps people better understand online privacy and provides guidance on how we can protect our personal information online.

In the run-up to Data Privacy Day, we will be exploring several facets of online security and the steps that organisations can take to bolster their privacy controls.

To get us started, we will be looking at DQM’s 9 pillars of data privacy. The framework forms the basis of our GDPR RADAR™ tool, which we use to assess organisations’ data protection compliance practices.

The pillars, listed below, represent the key components of an effective data privacy programme that combines guidance from the GDPR (General Data Protection Regulation) with best practices for implementing an ISMS (information security management system) and a PIMS (personal information management system).

1. Governance

Governance relates to the way that the leadership team directs and oversees information governance activities. Governance starts with a leadership team member setting direction and receiving regular reports on progress. This person must receive appropriate training and support to oversee the programme.

Governance also includes the extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor compliance are in place and operating throughout the organisation.

2. Risk management

Effective risk management addresses the corporate arrangements for privacy risk management, the extent to which the corporate risk regime incorporates information-specific risks, and which risks to the rights and freedoms of natural persons are addressed.

It concerns the methods the organisation uses to identify, assess and control the risks it faces. This includes data protection risks to individuals when personal data is processed.

3. Data protection officer

Where a DPO (data protection officer) is mandatory, the role should be positioned appropriately, and the appointed DPO must be capable of meeting the requirements of both the EU GDPR and the UK GDPR.

The role is described in Article 37 of the GDPR, and an organisation must appoint a DPO if:

  • It is a public authority or body; or
  • Its core activities involve large-scale systematic monitoring of individuals; or
  • Its core activities consist of large-scale processing of special category data.

The ICO offers a free tool to help determine if organisations need to appoint a mandatory DPO, along with clear guidance about what the role of DPO looks like and how organisations need to lawfully support the DPO.

4. Roles and responsibilities

Roles and responsibilities related to data privacy must be defined and established throughout the organisation.

To ensure the organisation complies with its legal, regulatory, contractual and other obligations, it must establish how those obligations translate into job responsibilities and allocate those responsibilities to appropriate roles.

The individuals who are allocated roles will need to receive appropriate training or support to carry them out correctly. For example, additional training may be identified for those responsible for privacy by design or when completing a DPIA (data protection impact assessment).

5. Scope of compliance

It’s essential that the scope of compliance is clearly defined, taking account of all the data processing in which the organisation has a role under both the EU GDPR and the UK GDPR.

This includes identifying where the organisation is acting as a data controller or as a data processor, as well as any data-sharing activities and international transfers.

To determine the scope of compliance, all databases that hold personal data, as well as all extraterritorial/cross-border processing, must be identified.

Determining which areas of your organisation fall under the scope of the GDPR is paramount, and there are a number of key ways to do this, including assessing the following:

  • What processes in the business are in scope.
  • What third parties and countries are in scope.
  • Your role as part of that scope as a data controller or processor.
  • What contracts say about the scope.

6. Privacy by design

Article 25 of the GDPR requires organisations to ensure that data is protected by design and by default. This means ensuring that decisions relating to systems and processes take data protection and information security considerations into account.

Certain types of personal data processing require a DPIA. Having a documented process showing why DPIAs are carried out or are not being carried out provides assurance that the possibility has been considered, and helps the organisation manage its data protection risks.

We recommend adopting a two-stage process for DPIAs. The first stage requires the organisation to assess processing activities against a series of screening questions.

If any of the screening questions are answered positively, then a full DPIA is required (stage 2). An organisation should also be mindful of instances in the law and statutory guidance that require a DPIA.

7. Privacy information management system

A wide range of documentation is required to ensure that an organisation can demonstrate compliance with the requirements of the EU GDPR and/or the UK GDPR and the DPA 2018. The scale of the documentation should be appropriate to the size and complexity of the organisation.

These requirements should be managed using a PIMS (privacy information management system). At the heart of this framework are records of processing activities, which are typically the first documents the supervisory authority will request in the event of an investigation.

The requirements for these records are set out in Article 30 of the GDPR. These records become increasingly valuable over time and particularly whenever the organisation needs to understand the impact of a proposed change or a processing issue that it identifies.

8. Information security management system

An ISMS (information security management system) comprises the technical and organisational measures to ensure there is adequate security of personal data held in hard copy or electronic format, or processed through the organisation’s systems.

Typically, organisations implement policies and procedures, which are supported by record-keeping processes to demonstrate that the policies and procedures are followed and mechanisms to alert leadership when they are not.

They also implement processes to regularly review the policies and procedures based on information from a number of sources, including feedback from process users, reviews of new technical standards, an assessment of best practice, and any other relevant information.

The international standard is ISO 27001. In the UK, the Cyber Essentials scheme has also been produced by the National Cyber Security Centre as a baseline that all businesses should be aligned to.

9. Rights of data subjects

Data subject rights relates to the rights of individuals as set out in the GDPR. In short, this means that organisations must:

  • Identify an appropriate lawful basis for each processing activity they carry out, and ensure all the requirements for that basis are met;
  • Inform individuals in the event of a personal data breach with a high risk of harming them; and
  • Ensure they can identify data subject rights requests and handle them appropriately.

The organisation needs processes that will enable it to both facilitate data subject rights and respond to data subjects exercising any or all of these.

How you can get started

You can find the support you need to assess how your organisation stacks up against the nine pillars of data privacy with DQM GRC. We’ll assess your data privacy practices as part of our GDPR Gap Analysis.

With this service, our data protection experts will visit your organisation to determine your regulatory compliance posture. Using the GDPR RADAR™ tool, they’ll break down their findings into easy-to-understand visual guides.

DQM GRC specialise in working with large or complex organisations, helping them to understand how to apply the GDPR to their business practices, although we can also support smaller firms.

Our consultants are on hand to assess your current practices, understand your requirements, and advise you on the steps you must take to ensure GDPR compliance.


  • Luke Irwin

    Luke Irwin is a former writer for DQM GRC. He has a master's degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.
