What types of data protection risk are there?

Data protection risks come in all shapes and sizes. They are not always easy to identify. How do we know what to look for and how serious they could be?

There are risks to individuals (e.g. employees, customers, patients, clients etc.) which are paramount under data protection laws. But there are also commercial and reputational risks for businesses relating to their use of data. Risks could materialise in the event of a data breach, failure to fulfil individual privacy rights (such as a Data Subject Access Request), complaints, regulatory scrutiny, compensation demands or even class actions.

We should recognise our service and technology providers, who may handle personal data on our behalf, could be a risk area. For example, they might suffer a data breach and our data could be affected, or they might not adhere to contractual requirements. International data transfers are another area where due diligence is required to make sure these transfers are lawful, and if not, to recognise that this represents a risk.

Marketing (either in-house, agency or tech platforms) could also be a concern, if these activities are not fully compliant with ePrivacy rules – such as the UK’s Privacy and Electronic Communications Regulations (known as PECR). Even just one single complaint to the regulator could result in a business finding itself facing a PECR fine and the subsequent reputational damage.

The seven core data protection principles under the UK and EU GDPRs are a great place to start when trying to identify where data protection risks may lie.

Data protection principles

1. Lawfulness, fairness and transparency
Is what we’re doing legal? Have we identified a suitable lawful basis, and are we meeting the conditions of this lawful basis? Is it fair and ethical? Are we being transparent about what we do in our privacy notices? See DPN Lawful Basis Guide.

2. Purpose limitation
Are we only using personal data in the ways we told people it would be used? We might want to use their data in new ways, but are these compatible with the original purpose(s) we gathered the data for? If we surprise people, they’ll be more likely to complain.

3. Minimisation
Are we collecting, using and holding onto more data than we actually need? Is some data collected and kept ‘just in case’ it might be useful in future?

4. Accuracy
Inaccurate or out-of-date personal information could lead to false assumptions which could come back to bite us.

5. Storage limitation
Hoarding data for longer than necessary could mean the impact of a data breach is much worse. Over-retention of people’s data could be exposed when handling a Data Subject Access Request or an Erasure Request. See DPN Data Retention Guidance.

6. Information security
Have we implemented robust security measures and controls to make sure personal data is protected, both at rest on our systems and when it’s transferred?

7. Accountability
Are we in a good position to defend what we do with the data? If scrutinised, do we have suitable records and evidence to demonstrate that we’ve taken data protection seriously? See Quick Guide to Data Governance.

The lengths we go to to try and embed these principles across our organisation will clearly differ depending on the sensitivity of the personal data involved and what we’re using it for. When considering what security measures are appropriate, we should take a proportionate approach.

Some activities automatically bring more risk with them. For example: handling special category data (such as health data, biometrics, sexual preference and ethnicity), collecting children’s data, using innovative technology such as AI, and any activities which could result in an automated decision being made about someone.

We need to consider people’s privacy rights and have procedures in place to handle any requests we receive. For example, their right to be informed, right of access, right to object, right to erasure and so on. An inability to fulfil such requests may draw unwelcome attention.

In certain circumstances it’s mandatory to conduct a Data Protection Impact Assessment (DPIA). Conducting an assessment can often be useful, even if what you’re doing doesn’t fall under the mandatory criteria. It can help to identify data risks from the outset so you can put measures in place to mitigate them before they have any opportunity to become an issue. See DPN DPIA Guide.

Mistakes can happen

Here are some issues or gaps which could lead to data protection risks coming to the surface:
People-related risks – such as lack of training and lack of governance or ownership.
Process risks – such as poor data handling procedures or manual processing on Excel / Sheets.
Technology risks – such as ineffective controls on core systems, or ineffective archiving/deletion processes.

If you don’t know where your risks lie, you won’t have a handle on how much risk the business is carrying. You may have several significant risks, but multiple low-level risks could also prove damaging.

Listen back to our online discussion: Managing and Assessing Data Protection Risks
Why is data mapping so crucial?
Locating data across your business and creating your records

It’s widely recognised as the best foundation for any successful privacy programme: map your data and create a Record of Processing Activities. It’s one of the UK Information Commissioner’s Office’s (ICO) key expectations: ‘Your organisation carries out information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.’

Believe it or not, some people don’t get excited by data mapping and record keeping! Nevertheless, maintaining effective records of your data processing is an important obligation under data protection law, which gives a range of benefits to your privacy programme. So let’s take a look.

Data discovery and mapping

This is the process of mapping out your data and how it flows across the business. Personal data may be held on a wide range of systems used by almost every function of the business – including HR, Marketing, Operations, IT, Logistics and so on. In many situations the data may be located on third party supplier systems.

So where to start? First talk with your IT colleagues who look after the systems the data is located on. Some businesses may already have an inventory of their systems. Mature businesses might even have an Information Asset Register (IAR), which lists all the information assets on each system. If so, you’re off to a flyer!

But if you’re not in that fortunate position, there are various ways to conduct a data mapping exercise. We suggest you take it a step at a time and set clear priorities. Focus on the datasets which are likely to pose the greatest data protection risk in the event of a data breach or other privacy violation. You can always build out from there later. You might consider using technology to ‘sniff out’ personal data. Or you might talk with your IT teams to draft an inventory of your key systems and service providers, what personal data they hold and who the internal ‘owners’ (decision-makers) for these datasets are.

Record of Processing Activities (RoPA)

A RoPA is a key requirement for many organisations under the UK and EU GDPRs, applying to both controllers and processors. There’s a limited exemption for organisations with fewer than 250 employees. (See ICO Guidance)

But what is the data used for? A RoPA links your personal data assets to the activities the data is used for, by whom, where the data is located, any third parties it’s shared with, what measures are in place to protect it… and so on. Fortunately, these activities (or uses for personal data) are usually linked to specific business functions/teams within an organisation. For example, the HR team will know all the activities associated with recruitment and employment of staff.

To create the RoPA, the two main approaches are to a) invest in privacy software with a RoPA module or b) use an Excel-based template from a Supervisory Authority (e.g. the ICO) and populate it by collaborating with all the business functions which use personal data. This is not a task to be taken lightly; the requirements for record keeping are onerous. It’s an area which many businesses have found challenging. And once you’ve created the RoPA, you’ll need to keep it up to date over time.

Gain extra benefits

Your RoPA should be the first place to look if you suffer a data breach, helping you to identify the categories of individual, the sensitivity of the data, any data processors involved, who the data was shared with and so on. It can also be very helpful to reference your RoPA when handling Data Subject Access Requests, so you know where to look for the data required.
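The ‘sniff out’ step described under data discovery can be approached with a simple scanner run over an export from each system, with the results feeding the system-level inventory that an IAR or RoPA is built on. The Python below is an added illustration, not code from the original article or from DPN. It assumes three deliberately loose heuristic patterns (email address, UK National Insurance number, UK mobile number) and a handful of constructed sample exports standing in for business systems; both the patterns and the sample data are assumptions made for this example.

```python
import re

# Heuristic patterns for common personal-data identifiers. These are loose by
# design and are assumptions for this example, not an authoritative set.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D
    # (spaces between the groups optional).
    "uk_ni_number": re.compile(
        r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.IGNORECASE
    ),
    # UK mobile number written as 07xxx xxxxxx (space optional).
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
}


def scan_text(text):
    """Return {category: count} for personal-data-like values found in one export."""
    hits = {}
    for category, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[category] = count
    return hits


def build_inventory(exports):
    """Map each system name to the categories of personal data detected in its export.

    `exports` is {system_name: export_text}; the result is {system_name: {category: count}}.
    An empty dict for a system means nothing matched the heuristics.
    """
    return {system: scan_text(text) for system, text in exports.items()}


def systems_holding(inventory, category):
    """List (sorted) the systems where a given category of personal data was detected."""
    return sorted(system for system, hits in inventory.items() if category in hits)


# Constructed sample exports standing in for a few business systems (assumed data).
SAMPLE_EXPORTS = {
    "hr-payroll": (
        "Jane Doe, NI QQ 12 34 56 C, jane.doe@example.com, 07700 900123\n"
        "John Roe, NI AB123456D, john.roe@example.com"
    ),
    "crm": "Lead: sam@example.org, phone 07700900456\nLead: no contact details",
    "build-server": "pipeline log: job 42 finished in 31s; no user data here",
}

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_EXPORTS)
    for system, hits in inventory.items():
        print(system, hits or "no personal data detected")
    print("systems holding NI numbers:", systems_holding(inventory, "uk_ni_number"))
```

A scanner like this produces candidates, not conclusions: loose patterns produce false positives (any two letters followed by six digits and a letter will look like an NI number) and miss anything not matching them, so the output is a prompt for the conversation with IT colleagues and data owners rather than a substitute for it.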
A proportionate approach for smaller organisations

Even smaller organisations, which may benefit from exemption from creating a full RoPA, still have basic record keeping responsibilities, which should not be overlooked and could still prove very useful. Smaller organisations only need to document their processing which is:
not occasional – therefore all frequent processing must still be documented; or
activities which could result in a risk to the rights and freedoms of individuals; or
those which involve the processing of special categories of personal data, or data on criminal convictions.

A short guide to keeping your data records complete and up-to-date

1. Why? – The need for accurate records
If your records are allowed to become outdated, you can quickly lose track of the reach of your processing, resulting in uncertainty when you most need it. After all, if you don’t know about certain processing, or hold a record of it, how can you possibly be sure the business is protecting that data? There’s always some new system, processing activity or change of suppliers, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need to carry out a Data Protection Impact Assessment or Legitimate Interests Assessment. If requested you might need to make your records available to a Supervisory Authority, such as the ICO, so you’d want to be sure they are in good shape. Allowing them to get out of date makes the job of getting them back into order all the more difficult.

2. Who? – Stakeholder relations
Make sure you have enlisted the support of your Board, as you’ll need help from many stakeholders to update you about changes to data processing in their area and notify you of new service providers to keep the RoPA updated. No DPO or data protection team can create or maintain the records on their own. They always need the support of others. We suggest you use a ‘top down’ as well as a ‘bottom up’ approach. Have you identified ‘data owners’ who are accountable for key datasets within the business? For example:
Human Resources – employment and recruitment data
Sales & Marketing – customer / client data
Procurement – supplier data; and so on
Each data owner needs to understand their role and responsibilities to meet internal data policies and ensure their function’s processing complies with data laws. Building a regular two-way dialogue with data owners is essential, not only for record keeping but for many other data protection tasks. They will be best placed to tell you what data they hold, what it’s used for and what measures they use to protect it.

3. What? – Make sure you’re capturing all the right information
Check you’re capturing all the RoPA requirements. These are slightly different depending on whether you act as a controller or a processor (or you may act as both). If you want to check, see the ICO’s guidance on documentation.

I hope this short guide helps you to keep your own records up to scratch. I do find that sharing the message about how helpful the RoPA can be if you suffer a data breach, or receive a data subject access request, can motivate others to support you with this important task. Remember, you can’t make sure personal data is adequately protected if you don’t know where it is and what it’s used for. Good luck!
Cookie compensation demands
A quick buck for non-compliance?

What’s darkening our e-doormat this morning? It’s not a letter from the Information Commissioner’s Office. It’s not ransomware or a phishing attempt. No… it’s the dreaded cookie compensation demand!

Increasingly my colleagues and I, and friends in the data protection space, hear reports of official-looking, legally-laden letters being received by companies. The simple message: your cookies are non-compliant, this is distressing me and I want money from you.

And everyone’s a potential target – any size of business, any sector. We know of small agencies through to blue chips receiving these letters. They aren’t complaining to a regulator, they’re coming straight to your front door or in-box. Unlike the well-known privacy group noyb, who threaten to raise a formal complaint with a regulator if the offending company doesn’t remedy violations within a specified time, these demands from individuals would appear to have the sole aim of earning a quick buck.

For me, such letters leave a nasty taste, especially when smaller businesses or not-for-profits are targeted and where cookie use is limited.

How do they know our cookies aren’t compliant?

It’s easy to find out what cookies are used by any website. There are a number of free tools which you can just pop a website domain name into, and hey presto! A scan is run, and the results returned, revealing any cookie sins you may have committed.

What’s the claim?

Generally the claim letters allege non-essential cookies are being dropped onto users’ devices automatically, without clear information about their purposes and without consent. If a cookie banner is present, the claim will be that it’s not compliant with UK GDPR / the Privacy and Electronic Communications Regulations (PECR). The letters often assume personal data is captured by the cookies – which may or may not be true. However, remember the PECR rules apply to cookies and similar tech regardless of whether the data they collect is personal or not.

The letters will claim distress or damage has been caused as a result of the placement of cookies onto the user’s device. It’s worth noting the right to compensation isn’t automatic; the claimant must be able to prove ‘damage or distress’. As for how much – this isn’t nearly as scary as the realms of ransomware, with typical compensation demands in the region of £500-£1000.

To pay, or not to pay?

Companies are of course taking different approaches. In our experience many are ignoring them, and never hear from the complainant again. Others are standing their ground and asking for evidence of distress or damage. While some take a look at their cookies and similar tech and think, okay, fair cop, we aren’t compliant so we’ll pay. If you pay out, do you need to quickly get your cookie house in order? There’s the risk that if you don’t, they could be back in a few months’ time if you’ve not successfully resolved any issues.

What are the cookie rules?

Before we blame GDPR, the rules for cookies and similar technologies in the UK are set out in PECR. Other countries across Europe have similar (but not identical) rules derived from the European ePrivacy Directive. In short, we need to provide meaningful information to people about the categories of cookies and similar tech we use, and gain consent for any cookies which are not strictly necessary.

Different regulators across Europe have taken slightly differing approaches to what would be considered strictly necessary. Here in the UK, for example, website statistical cookies are not considered strictly necessary. (This could potentially change under government plans to reform data laws; you can read more about this here.) However the French regulator, CNIL, for example, accepts statistical cookies as strictly necessary.

When GDPR came into effect in 2018, consent needed to meet a higher standard. The days of implied consent were over. This is why we’re greeted by a barrage of cookie banners and notices wherever we go online.

The reason these compensation demands are possible is that under PECR, people who have suffered damage or distress as a result of a contravention of the rules are entitled to bring proceedings against the offending party and seek compensation for that damage. Similarly under GDPR people have the right to receive compensation where they’ve suffered material or non-material damage due to an infringement of the law.

What can we do to protect ourselves?

The only way to completely avoid a cookie compensation demand is to understand what types of cookies and similar tech are used by our website(s), behave transparently with a clear notification and collect informed consent for any which aren’t strictly necessary. The ICO Cookie Guidance illustrates what types of cookies might be considered strictly necessary.

There are lots of cookie consent management platforms on the market, some of which are free. However, if your cookie use is quite sophisticated, or you have sub-domains, a free option might not be enough.

Alternatively the options are to ignore, stand your ground or pay out.

I’ve heard a little rumour that one of the posse of cookie claimants is an in-house DPO who does this as a side hustle. And if you ask me, it’s just not cricket.
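The rule set out above (meaningful information about every cookie, plus consent for anything that is not strictly necessary) can be turned into a check on what a site actually sets before the visitor has answered the banner. The Python below is an added example, not part of the original post or any DPN tool. It assumes a constructed cookie registry mirroring a site’s cookie notice, in which `session_id` and `csrf_token` are marked strictly necessary and `_ga` and `ad_pref` are not (consistent with the UK position that statistical cookies need consent), and a constructed set of Set-Cookie headers captured from a first response before any consent was given; all names and values are assumptions for the example.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie_name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to "".
    """
    parts = [part.strip() for part in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attributes = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attributes[key.strip().lower()] = value.strip()
    return name, attributes


def audit_pre_consent(set_cookie_headers, registry, consent_given=False):
    """Flag cookies that should not be present given the consent state.

    Two failure modes are reported, as a list of (cookie_name, reason):
      - a cookie that is absent from the registry, i.e. not described in the
        cookie notice, so no 'meaningful information' has been given about it;
      - a non-essential cookie set while consent has not been given.
    Strictly necessary cookies are allowed regardless of consent.
    """
    findings = []
    for header in set_cookie_headers:
        name, _attributes = parse_set_cookie(header)
        entry = registry.get(name)
        if entry is None:
            findings.append((name, "undocumented cookie: not in our cookie notice"))
        elif not entry["strictly_necessary"] and not consent_given:
            purpose = entry["purpose"]
            findings.append((name, f"non-essential ({purpose}) set before consent"))
    return findings


# Constructed registry standing in for the site's cookie notice (assumed data).
COOKIE_REGISTRY = {
    "session_id": {"purpose": "keeps you logged in", "strictly_necessary": True},
    "csrf_token": {"purpose": "protects forms from forgery", "strictly_necessary": True},
    "_ga": {"purpose": "site statistics", "strictly_necessary": False},
    "ad_pref": {"purpose": "ad personalisation", "strictly_necessary": False},
}

# Constructed Set-Cookie headers captured from the first response, before any
# consent choice was made (assumed data).
PRE_CONSENT_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.111.222; Max-Age=63072000; Path=/",
    "tracker_xyz=1; Path=/",
]

if __name__ == "__main__":
    for cookie_name, reason in audit_pre_consent(PRE_CONSENT_HEADERS, COOKIE_REGISTRY):
        print(f"{cookie_name}: {reason}")
```

Run against a real capture, the registry should be the same list that appears in the cookie notice, so that an ‘undocumented cookie’ finding means either the notice or the site needs fixing; and the capture should come from a fresh session with no prior consent stored, otherwise the audit will understate what a first-time visitor receives.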
Data Protection Impact Assessments: 10 Tips
How to get your DPIA process on track

Do teams know when a Data Protection Impact Assessment should be conducted? Are you carrying out too many, or too few?

Don’t make DPIAs an onerous box-ticking exercise. If DPIAs are solely seen through the prism of compliance, they’ll be seen as a burden. They may be attempted half-heartedly or left inadequately completed. If this is happening it’s time to shout about what a valuable tool they are!

Assessing potential data protection risks from the start of a project acts as a handy warning system for the business and protects those whose personal information is involved from unnecessary risks. DPIAs help to identify risks in advance, before they can potentially become a bigger problem.

10 tips for getting your DPIA process on track

1. Create a DPIA screening questionnaire
Put together a set of questions for business owners and/or project leads to use, which help to identify whether a DPIA is required for their particular project or activity. This will not only help teams to think about data protection considerations from the outset, but also avoids time being spent conducting DPIAs when they aren’t necessary.

2. Identify types of projects likely to need a DPIA
In some situations DPIAs are mandatory under UK/EU GDPR, in others they may be a ‘good to do’. So, it’s helpful to set out some clear guidelines which explain your organisation’s position on this. When does your business consider it appropriate to carry out a DPIA? For example, are you using innovative tech or AI? Will you be handling biometric data? Are you matching data or combining data sets from different sources? Was the personal data collected indirectly? Are you tracking people (either their location or behaviour)? Do you use third party ad tech providers? Does the project involve children or special category data? Are you transferring data outside the UK/EEA? And so on.

3. Don’t forget your marketing related activities
It can be easy to forget that marketing related activities could require or benefit from a DPIA. If marketing could result in a ‘high risk’ to individuals it’s likely you’ll need to do an assessment of the data protection risks. Here are some examples:
‘large scale’ profiling of individuals for marketing purposes
matching datasets for marketing purposes
processing which may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
using geo-location data for marketing purposes
tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes
targeting children or other vulnerable individuals for marketing purposes.

4. Design an easy-to-use DPIA process
You’re unlikely to reap the benefits if you have an unwieldy DPIA template full of data protection jargon, with questions people just don’t know how to answer. Create a practical, usable DPIA template which is as straightforward as possible for people to follow. The ICO has published a DPIA template, but there is nothing to stop you adapting this to suit your business. You may also choose to have a simplified version for less complex projects. Does your process help your teams to identify and assess privacy risks? Do you provide examples of what types of mitigating actions could be taken? Clear guidelines on how to complete a DPIA are invaluable.

5. DPIA training
Key team members need to have the skills to conduct a DPIA: to understand what the process entails, how to brief key stakeholders and walk them through the process, what sort of risks to look out for and so on. The DPO, or data protection lead, can’t be expected to do this single-handed. The ICO in its DPIA guidance specifically mentions the need to provide specialist training.

6. Awareness
If teams don’t know what DPIAs are, they may push forward with new projects and innovations, and fail to consider the potential data protection issues. This may come back to bite you just before a project launches… or worse, afterwards if you receive a complaint, suffer a breach and/or face regulatory scrutiny. Once all your ducks are in a row, when you have a screening questionnaire and a decent DPIA template, it’s time to make sure people know about DPIAs across the business. Get your Comms team involved to spread the message far and wide.

7. Start early
Talk to your project leaders, change management (if you have them) and IT leaders. Make sure people who work on projects which involve personal data complete screening questionnaires as soon as possible. Assess whether a DPIA is needed, so you can start the process as soon as possible. This way you can find problems and fix them early on.

8. Collaborate
A DPIA is likely to need the input of people from different areas of the business. Get people collaborating so projects can proceed at pace, without unnecessary delays. Engage business and project management stakeholders at an early stage, so you can scope out the processing, start to identify any potential privacy risks, and consider mitigating measures.

9. Keep revisiting your DPIA
Throughout the different stages of a project keep an ongoing dialogue with stakeholders, especially with Agile projects which may expand over time. Check whether new ideas and new developments have a data protection impact.

10. Review
Once a DPIA is completed, set review dates, so you can check if things have changed. For instance, you may have developed a new app, and six months later you want to improve the functionality, adding new features – what data protection issues could this raise? Also keep your screening questionnaire, template and guidelines under review; there will always be enhancements you can make to make them more effective. Why not ask teams for feedback on how they can be improved?

DPIAs can feel a bit daunting, but the more familiar people are with the process, the risks they should be looking out for and the types of measures and controls that could be deployed to protect people’s data, the easier it all becomes.
DPOs and conflict of interests
EU Court of Justice says businesses should conduct an assessment

I was recently mulling over with colleagues whether someone could be both the CEO and Data Protection Officer, along with another client query about whether someone could wear two hats: Consumer Services Manager and DPO.

UK/EU GDPR specifically tells us a DPO ‘may fulfil other tasks and duties’, but says the controller or processor must make sure ‘any such tasks and duties do not result in a conflict of interests’.

So, I read with some interest the recent judgement from the EU Court of Justice about the role of a DPO and the risk of a conflict of interests. (Albeit, it probably doesn’t say any more than we already suspected.)

The court confirms DPOs should be ‘in a position to perform their duties and tasks in an independent manner’. This means they should not be carrying out tasks or duties which would result in them determining the objectives and methods of processing personal data within the organisation.

Where an individual may have two, or multiple, roles (including DPO), organisations are urged to make an assessment of whether there’s a potential conflict of interests. This should be done on a case-by-case basis taking into account all relevant circumstances, including organisational structure. What matters is what happens in practice.

If a DPO has two roles, the organisation needs to make sure there are clear rules in place to avoid, or limit, any conflict of interests arising. (And it’s not the DPO’s job to try and resolve this.) If a DPO’s other job means they have responsibility for the data processing itself, there’s likely to be a conflict. But, in practice this may be a difficult line to draw.

The law also tells us a DPO cannot be dismissed or penalised for performing DPO tasks. However, DPOs could be dismissed from the role if they are unable or no longer able to carry out their duties and tasks in an independent manner.

So, can a CEO also be a DPO? Probably far from ideal. Can a Customer Service Manager also be a DPO? Possibly, if the different roles are clearly defined.

The European Data Protection Board’s DPO guidance gives us a bit of a steer. This says conflicting positions within an organisation may include ‘senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments)’. This may extend to ‘other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing’.

Clearly if you’re a smaller business, but judge you should have a DPO, it may prove challenging to appoint a suitable person where a conflict doesn’t arise, with limited numbers to choose from. One would hope any regulator would take size and resources into account.

It’s probably a good idea to follow this judgement and conduct an assessment. Clearly set out what the different roles entail, document your decision and be ready to defend it if you have to.

With all of this it’s worth remembering: the law sets out specific tasks and duties a DPO must perform, and not every business needs a DPO! Read Why DPO is not just a title, covering who needs a DPO and what the role entails.
Data protection and our suppliers
How to manage the third parties we work with

One of the more challenging aspects of data protection compliance has been identifying and managing all our suppliers: those acting as our processors, supporting our business. Making sure appropriate contractual terms are in place, whilst doing all we can to protect the business from supply chain data breaches (which are all too common), can become onerous.

It can help to take a risk-based approach, focusing on the suppliers which represent the biggest business risk first. Alongside this, for any new suppliers we need to make sure we carry out appropriate and robust due diligence.

Years after GDPR was implemented, many projects to tackle supplier management remain unfinished, representing an ongoing risk. If we have limited visibility into how our data is processed by our suppliers (and any sub-processors) it clearly leaves the business exposed.

What does good supplier management look like?

In short, we need to make sure our suppliers are doing what they say they’ll do to protect personal data, using risk assessments and audits. This includes knowing how our suppliers will respond when it comes to the crunch – a data breach. How quickly and fully will they notify us, and how will they assist us?

Seven-point supplier management checklist

1. Due diligence – Do you have a questionnaire in place to identify the what, where, when and how of data processing? What data protection and security measures are in place? Is there evidence to prove this? It’s good practice to request meaningful answers to certain questions, such as:
Do they have a DPO or another individual in the business responsible for data protection?
Can they provide evidence of data protection policies and procedures?
Have they experienced a data breach before?
What information security procedures do they have in place?
How regularly are their security measures tested?
Do they hold any form of certification?
In which country/region will the data be processed?
Who are their sub-processors and where do they process the data?
The above is by no means an exhaustive list.

2. International data transfers – There are additional considerations if international data transfers come into play. If we’re sharing data with (or allowing it to be accessed by) a supplier in a third country, we need to check what safeguards need to be in place. For countries where there’s no adequacy decision (allowing for the free flow of data), we need to implement a transfer mechanism such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs). There’s also the relatively new requirement to conduct a transfer risk assessment, and to consider whether additional security measures are needed.

3. Contracts – Do we have a clear list of standard clauses for supplier contracts? What do the liability clauses look like? Are we prepared to walk away from suppliers whose contracts aren’t up to scratch? Do we have a good understanding of the level of contractual risk the business is prepared to accept? UK/EU GDPR is clear on what should be included in contractual arrangements and the ICO has published useful contracts guidance. There are often negotiations to be had, especially when it comes to those tricky liability clauses.

4. Instructions – Have we provided clear instructions on how our suppliers are permitted to handle the personal data, for what purposes and how long they must retain it?

5. Ongoing risk assessment – Do we have a process for evaluating the level of risk suppliers may represent? It’s important to recognise some suppliers may bring greater risks than others. It may not be necessary to risk assess every supplier to the same level of granularity. Effectively we need to risk assess the risk assessments.

6. Review / Audit – Do we have a review or audit programme in place? Annual audits of all suppliers may not be possible, but it makes sense to rotate audits and maintain an up-to-date record of their processing activities. For suppliers considered a higher risk, it may be prudent to routinely audit them. In doing so it’s important to be clear what aspects of the supplier’s business need to be scrutinised. Creating a framework which is tuned to and makes sense for the business is a good step and will mean there’s something to show the thought process if the ICO ever comes calling. Here are some factors to consider:
What categories of data are handled?
What’s the data volume?
How risky is the processing?
What could be the impact if a data breach occurred?
Was any due diligence carried out when the supplier was onboarded?
Is the supplier accredited or certified?
Have there been any complaints relating to privacy / breaches?
Have there been changes in ownership or scope of processing?
Have there been significant changes in processes and workflow?

7. Certification – In the absence of an approved certification scheme, alignment with ISO 27701 (the standard extending ISO 27001 into data privacy) is worth considering.

It can sometimes feel like a mountain to climb, especially if operating using multiple suppliers. As the saying goes, ‘you can only eat an elephant one bite at a time’; the key to supplier management is identifying the biggest risks and prioritising where action is needed the most.
Data Governance Quick Guide

Taking control of our data

In essence

Data governance is a framework of management practices which makes sure data is used properly, in line with our organisational aims, the law and best practice. Think of it as embedding Data Protection by Design and by Default across the organisation. It means business objectives can be met without taking unnecessary risks with data.

Data governance helps us to:
protect the business and those whose data we process: customers, employees, etc.
reduce our organisational risk profile
educate our people, by providing policy & guidance on how to use data in safe and appropriate ways
build in an ethical approach
build our reputation and customer trust, and enhance the value of our data assets
support our teams’ innovation with the use of data.

The 6 data governance steps

1. Data discovery

It’s vital to identify the data assets held across the business, understanding how personal data is being gathered, stored, used and shared. It can be helpful to map where the data is located on systems, and document it. Most medium to large businesses will need to do this anyway to create and maintain an Information Asset Register (IAR) and Records of Processing Activity (RoPA).

2. Policies & standards

If our people don’t know how we expect them to behave when handling other people’s data, we can’t expect them to do a great job of it. Are your policies and procedures all up to scratch? Having a straightforward, easy to understand and practical Data Protection Policy is a good place to start (alongside relevant training). The importance of well-crafted, easy to use policies shouldn’t be underestimated.

3. Stakeholder accountability

We need to identify key stakeholders within the business. These are likely to be heads of key functions, such as HR, Operations, Sales & Marketing, and so on. It’s good to establish data roles and responsibilities, so people are clear what aspects they and others are responsible for. Who has the authority to make decisions about certain data?

4. Risk assessment process

Businesses should have risk assessment procedures to discover, assess, prioritise and take action to mitigate data risks. A governance programme helps teams to identify both existing and emerging risks, so they can be efficiently assessed and mitigated. Think of data like a balance sheet: it has great potential to create value, but also carries risks and liabilities. The aim of a data governance programme is to protect both the business and those whose data we process from harm which may arise, for example from inaccurate data, unlawful or unfair processing, or using people’s data in ways they would not expect or want. For certain projects it will be necessary to conduct a Data Protection Impact Assessment (DPIA).

5. Technical and organisational measures (TOMs)

Once privacy risks have been identified, we need to consider what measures could be put in place to tackle them. You may choose to mitigate them internally with new procedures or security measures, or perhaps work with a third party to adopt technical or operational measures.

Privacy Enhancing Technologies – how they can help

Organisational measures include making sure there’s good awareness about data protection across the business, and that employees receive appropriate training.

6. Executive oversight

Risks should be reported up the line to make sure the senior leadership team has proper oversight and the opportunity to take appropriate action. If your organisation has a Data Protection Officer (DPO), this reporting will be part of the formal accountabilities of their role. But remember, not all businesses need to have a DPO.

Should we appoint a DPO?

Overcoming cultural challenges

Data protection and privacy professionals face a cultural challenge to win hearts and minds. I have sometimes heard legal or privacy teams described as ‘the department of no’. That’s not how we want to be seen! Smart businesses are realising the value of taking privacy seriously. We should help our business colleagues to balance the needs of commercial and operational functions with legal & ethical requirements. We shouldn’t just explain what the law requires. We must go further and help our colleagues to find practical solutions. Collaboration and mutual understanding are essential ingredients for successful data governance.
Are we conducting too many DPIAs – or not enough?

How to decide when to conduct Data Protection Impact Assessments

Make no mistake, Data Protection Impact Assessments (DPIAs) are a really useful risk management tool. They help organisations to identify likely data protection risks before they materialise, so corrective action can be taken, protecting your customers, staff and the interests of the business. DPIAs are a key element of the GDPR’s focus on accountability and Data Protection by Design.

It’s not easy working out when a DPIA is necessary, or when it might be useful even if not strictly required by law. Businesses need to be in control of their exposure to risk, but don’t want to burden their teams with unnecessary work. So it falls to privacy professionals to use their judgement in what can be a delicate balancing act. Lack of clarity around when DPIAs are genuinely needed could lead some businesses to carry out far more DPIAs than needed, whilst others may carry out too few.

When are DPIAs required?

We should check if a DPIA is required during the planning stage of new projects, or when changes are being planned to existing activity. Where needed, DPIAs must be conducted BEFORE the new processing begins. DPIAs are considered legally necessary when the processing of personal data is likely to involve a ‘high risk’ to the rights and freedoms of individuals.

What does ‘high risk’ look like?

Which types of activity might fall into ‘high risk’ isn’t always clear. Fortunately the ICO have given examples of processing likely to result in high risk to help you make this call. Regulated sectors, such as financial services and telecoms, have specific regulatory risks to consider too. Give consideration to the scope, the types of data used and the manner of processing. It’s wise also to take account of any protective measures already in place. In situations where the nature, scope, context and purposes of processing are very similar to another activity for which a DPIA has already been carried out, you may not need to conduct another.

Three key steps for a robust DPIA screening process

1. Engage your key teams

In larger organisations, building good relationships with key teams such as Procurement, IT, Project Management, Legal and Information Security can really help. They might hear about projects involving personal data before you do. Make sure they’re aware when a DPIA may be required. This means they’ll be more likely to ‘raise a hand’ and let you know when a project which might require a DPIA comes across their desk. In smaller businesses there may still be others who can help ‘raise a hand’ and let you know about relevant projects. Work out who those people are.

2. Confirm the business’s appetite for risk

Is your organisation the sort which only wants DPIAs to be carried out when strictly required by law? Or perhaps you want a greater level of oversight, choosing to carry out DPIAs as your standard risk assessment methodology for any significant project involving personal data, even if it might appear to involve lower levels of risk to individuals? Logic says you’ll never be 100% sure unless you carry out an assessment, and DPIAs are a tried and tested way to give you oversight and confidence. But this approach requires more time, resources and commitment from the business. You need to strike the right balance for your organisation.

3. Adopt a DPIA screening process

If you don’t currently use a screening process, you really should consider adopting one. It’s a quick and methodical way to identify whether a project does or does not require a DPIA. You can use a short set of standard questions, which can be provided for stakeholders to complete and return, or discussed in a call. This way the question ‘Is a DPIA needed or not?’ can be answered rapidly and with confidence.
Personally I prefer to arrange a short call with the stakeholders, using my screening questionnaire as a prompt to guide the discussion. Don’t forget to keep a record of your decisions, including when you decide a DPIA isn’t necessary! Try not to burden colleagues with unnecessary assessments for every project where there really is minimal risk; this is unlikely to be a well-received approach. Raise awareness and have a built-in DPIA screening process to make sure you catch the projects which really do warrant a deeper dive.