Because it can trigger the highest penalties and the risk of class actions, managing data subject rights in line with legislation is critical. This complex area of data privacy encompasses the types of requests coming in, the act of finding the data to fulfil a request, as well as the documentation, response times, identity validation and security requirements.
Most companies rely on or engage the services of third-party vendors. However, personal data carries inherent risks once it leaves your control, and managing this risk has become a major challenge. The GDPR and other privacy regulations hold companies liable for the protection of the personal data that they control even when a third-party vendor is processing that data on their behalf. It is critical to analyse a vendor’s ability to protect the personal data that you as a business control, and to demonstrate that you have taken sufficient care in your selection of third-party vendors.
The GDPR makes it obligatory for many organisations to appoint Data Protection Officers. It has also greatly increased the risks of non-compliance.
The costs of recruiting, managing and training a DPO can be high. DPOs need specialist knowledge and skills which should be up to date as legislation and technology evolves. The DPO role is “to do right” for the data subject so there can be a conflict of interest, which has already attracted fines in some organisations, when senior executives act as DPOs while they also have a fiduciary duty to act in the best interest of the organisation.
Obtaining, recording and processing consent under the GDPR and other privacy regulations requires operationalising a detailed consent and preference management process. We deploy automated tools to provide a platform that gives data subjects greater control and visibility over their communication preferences.
As more data privacy regulations come into force, organisations must inform the visitors to their websites about cookie and tracking technologies in use, as well as giving granular choice and control over their consent.
Privacy Impact Assessments are a cornerstone in guiding organisations in how they use personal data. The Data Privacy Group delivers the consistent collaboration between the operational elements of a business and its leaders needed to address all privacy-related regulatory requirements.
We support companies in developing their PIAs. We can also audit existing PIAs to ensure that they deliver a risk-based assessment based on the impact on the individual’s privacy.
Under the General Data Protection Regulation (GDPR), EU-based companies, as well as many companies outside the EU, have had to make significant operational changes in order to comply with the many new rights and obligations. Specifically, Article 5(2) of the GDPR makes accountability an express obligation, and Article 28(1) states that controllers shall use only processors providing sufficient guarantees. Validating that these measures are in place is a challenge, both for controllers and processors.
Notification requirements to the supervisory authority and the potential additional notification requirements to the data subjects make it critical for organisations to have a systematic process in place to meet these requirements.
We deploy tools to maintain incident and breach records; evaluate the breach against notification requirements; and analyse overall risk with connections to the underlying data inventory. We provide a systematic process to document the incident; understand if it has resulted in a breach; analyse harm to the individual; determine if a notification to the supervisory authority or the data subject is required and facilitate the notifications.