From Privacy Law(s) to an Operational Privacy Programme

Eric Bedell, Luxembourg Chapter Chair, OneTrust PrivacyConnect

GDPR – enforcing accountability

The EU General Data Protection Regulation (GDPR), enforceable since May 2018, shifted the way organisations need to deal with personal data.

Before GDPR, the situation was akin to childhood: one had to request authorisations, or follow strict rules set by the authorities, before using personal data. After GDPR, it has grown up and reached maturity: one is expected to do what is judged to produce the best outcome, and to be accountable for that choice.

Privacy was for a long time relegated to a secondary role, an afterthought that the business treated as one item on a legal checklist. Now that the EU enforces the GDPR and the various EU supervisory authorities publish guidelines and best practices, organisations need to embed privacy into their new normality.

Everyone is involved at different levels, and we all have an impact on privacy: through the amount of our own information that we willingly disclose, or, as employees, when we handle someone else's personal data. Everyone agrees that the move from the old world to the new is not an easy one, especially in this era of mass data collection. Sometimes one part of an organisation does not know what other parts are doing. Securing budget is harder still. Sizing, targeting, prioritising and preparing for continuous improvement cycles in privacy management, instead of running a succession of one-off projects, should help your organisation overcome these challenges.

When leading such a privacy programme, several areas should be considered to improve efficiency. The first, in my view, is the networking aspect: it is really beneficial to share experiences, issues and successes with your peers.

Organisations that have not already developed their own privacy compliance frameworks should adopt a standardised framework to ease their path to privacy compliance. A privacy compliance framework combines three key areas: an accountability framework, management systems and a privacy programme. That privacy programme must be run as a risk management programme, aligned with the organisation's global risk programme. Privacy risk must be treated as a risk for the whole organisation, not as something that a Privacy Office(r) manages in isolation. The understanding of your data processing activities that GDPR already requires (the Article 30 Records of Processing Activities) can be an invaluable source of information for your broader risk management efforts. In addition, assessing risk in light of the potential impacts of privacy issues is a key element of protecting personal data.

Once a framework has been selected (informed by the peer network, external guidance and, subsequently, the organisation's own risk assessment), the DPO can start building a privacy programme. Some important considerations when doing so:

1. Implement a governance model aligned with the type and size of the organisation (privacy references or champions located in the various lines of business are a real advantage).

2. Enforce the "privacy by design" principle (data protection by design and by default, Article 25 GDPR); it is key. Privacy has to be embedded in all activities.

3. Build a continuous improvement methodology, as it is unrealistic to believe that every privacy requirement can be met in one go.

4. Do not use "finger pointing" or "naming and shaming" approaches, especially when managing breaches and compliance issues; people who fear blame stop reporting incidents.

5. To avoid human error or unlawful handling of personal data, run training and awareness campaigns for both employees and management.

6. The Data Protection Office(r) should rarely veto anything; instead, educate the business and advise on better ways of achieving its goals.

7. Another, often forgotten, aspect of awareness is reporting to senior management. In order to secure appropriate funding, a privacy programme must be visible, not only for its risks but also for its achievements.

8. Finally, in preparation for the future, I recommend starting to embed ethics into the privacy programme. This is not because it is a legal necessity but because your customers and employees expect it of you.

A well-balanced, operational privacy programme gives the organisation a solid footing for success. With privacy no longer an afterthought, it may even become a marketing advantage.