Data privacy in 5 steps
Kevin Kiley, Vice President of Sales and Business Development at OneTrust, will be a speaker at Ireland’s third annual cyber security conference, Dublin Information Sec 2018, on October 15 in the RDS Concert Hall, Dublin. OneTrust is a global leader in privacy management and marketing compliance software.
Data privacy is not a one-and-done exercise. Operational tasks are required to keep the organisation’s level of compliance up to date, and many GDPR requirements have not yet been definitively interpreted.
1. Look out for domestic legislation and EDPB guidelines
The GDPR, while attempting to regulate most of the data privacy agenda uniformly across the EU, still leaves certain issues to be specified by each EU Member State in national legislation. However, quite a few member states did not pass their implementing legislation in time for the GDPR effective date. This means there may often be additional country-specific requirements or criteria applicable to data processing that must still be complied with, even though they were made public only after many organisations had already reformed their data protection programs.
2. Keep your GDPR compliance framework up-to-date
GDPR compliance should be perceived as an ongoing exercise rather than as a means to an end. As such, it requires regular effort to ensure that the data privacy framework functions properly, is comprehensive and adequately reflects the realities of your organisation’s operations.
3. Privacy by design and by default – a constant effort
Privacy by design gained major traction through the GDPR as a concept aiming for a more in-depth approach than merely addressing privacy as an afterthought. Privacy by default, an important element of the ‘privacy by design’ approach, seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected by any system or business practice.
The reason the ‘privacy by design’ approach is so important for all organisations is its key role at every stage of a project’s lifecycle, both for GDPR compliance and for privacy levels in general. If privacy consideration becomes another element of our design-thinking perspective while building new systems or further developing applications or data-collecting methods, it can make an immense difference to the level of data protection afforded to data subjects and would make addressing your organisation’s privacy risks that much easier.
4. Codes of conduct and certification – keep up with their approval process
The GDPR foresees the approval of codes of conduct and the accreditation of certifications (GDPR Arts. 40–42) to help organisations demonstrate compliance with data privacy requirements and best practice. Codes of conduct may even be binding for certain professional associations and as such may potentially apply to your organisation by virtue of its membership(s).
As of today, however, there are no codes of conduct or certifications, seals and marks approved under the GDPR. In their absence, the accountability requirements of the GDPR still apply: specifically, Article 5(2) of the GDPR makes accountability an express obligation, and Article 28(1) states that controllers shall use only processors providing sufficient guarantees. This means organisations are now held accountable for working with third parties that have measures in place to comply with the GDPR. Validating that these measures are in place, however, is a challenge for both controllers and processors.
5. ePrivacy Regulation – get ready for its practical impacts
Dublin Information Sec 2018 is an Independent News and Media event. Please visit www.independent.ie/infosec18 for further information and tickets.