Compliance - HOW TO ?!
Where many want to do the "minimum", consisting of having Privacy and Cookie Notices/ Policies on their websites (which merely conveys the wrong perception of having done something), others struggle with the fundamental question: what should we do, to do it "properly"?
Taking the example of the GDPR (since at present it is the most comprehensive piece of enforceable Personal Data Protection legislation), the law doesn't help in this case because it states that some things are "optional" (e.g. undergoing a Corporate DPIA or having an appointed DPO), in the sense that one is only obliged to do them if some conditions/ requirements are met... while not making the disclaimer that although something may not be "mandatory", if it is not done, it is practically impossible to achieve compliance. This, however, is only perceived with "practice" and experience in the "field".
So, after having done many (dozens) of Corporate DPIAs (not only focused on the GDPR but also on other Personal Data Protection laws such as CCPA, PDPA, LGPD, etc...) for clients operating out of several geographies, and having become the Data Protection Officer of some, I am now sharing the 4 fundamental steps that companies MUST undergo if they want to set out on a "serious" path towards compliance with Personal Data Protection laws:
1 - DO A CORPORATE DPIA
2 - APPOINT A DATA PROTECTION OFFICER
3 - IMPLEMENT A REGISTRY OF PROCESSING ACTIVITIES
4 - HAVE DATA PROCESSING AGREEMENTS IN PLACE WITH YOUR PARTNERS
DO A CORPORATE DPIA
The Corporate DPIA (Data Protection Impact Assessment) is an internal endeavor (project) through which the organization documents WHICH Personal Data it processes and WHY, under WHAT Lawful Basis, for HOW LONG, and with WHOM it is shared and WHY.
This allows assessing whether any of the processing activities or DataMap components are in breach of the Security and Confidentiality of Personal Data, and hence at WHICH degree of RISK they place the natural person to whom the data pertains... and therefore, being able to define and implement adequate Mitigation Actions that both make such RISK towards the natural person tend to zero and bring the organization into compliance with the law.
APPOINT A DATA PROTECTION OFFICER
The DPO is the "maestro" in this "symphony", the one who will manage the collaboration of distinct resources (e.g. legal team; CISO; CIO; Quality; HR; other...) under the specific scope of the Corporate DPIA to achieve a compliant mode of operation, and who will then ensure that it remains so by auditing and coaching the organization, plus interacting with Data Subjects and Supervisory Authorities alike, as well as with the DPOs of partner organizations.
You may not call him/ her "the DPO", yet someone will have to provide those services... call it "Jeronimo" even... or "Mr. Fixer", yet without a centralized view of the ongoing status of processing... well, good luck with your compliance endeavor.
IMPLEMENT A REGISTRY OF PROCESSING ACTIVITIES (ROPA)
Compliance with these laws is ALL ABOUT having the operation DOCUMENTED as law-abiding, and that means a ROPA.
Some ROPA components are "automatic", in the sense that computers/ servers and software generate auditable operation records, whereas other components need to be "manual".
One "vital" component of the ROPA consists of documenting the interactions with Data Subjects, the Supervisory Authority and Partners, meaning:
- Someone signed a Contract or provided Explicit Consent towards processing activities over his/ her Personal Data?! Needs to go into the ROPA.
- Someone exercised their Right of Access or Erasure, or another right... yep, you guessed it... needs to be in the ROPA.
- A Supervisory Authority has sent you an inquiry... ROPA with it.
- You have sent a Data Processing Agreement to a partner (that acts either as a Processor or Controller towards you) or you are negotiating the terms of a DPA... register it all in the ROPA.
Without a ROPA you have no way whatsoever of demonstrating in a documented manner that your Processing Activities comply with legal requirements.
HAVE DATA PROCESSING AGREEMENTS IN PLACE WITH YOUR PARTNERS
A Data Processing Agreement mirrors the commitment between two parties that share the processing of Personal Data under the same "purpose" and "scope" towards ensuring the Security and Confidentiality of that Data as well as the Privacy of the natural person to whom such data pertains.
The ruling of all Personal Data Protection laws around the Globe focuses on the activities of one party (and its co-processing partners) while processing Personal Data (collecting, accessing, processing, hosting, sharing).
Since neither you nor your organization has any leverage over other organizations that act as co-processing partners (Controllers/ Processors), the only way to document such mutual commitment is via a contract.
Due to the fact that many of these laws require (either explicitly or implicitly) that you/ your organization, while acting as the Prime Contractor (Controller), ensure that the partners it has chosen to act as Processors observe the law, there is no compliance without such a ratified mutual commitment.