How to get buy-in for DPIAs

February 2022

How do we get people engaged with Data Protection Impact Assessments?

DPIAs often get a bad rap. Privacy people often say their project managers and team leaders don’t understand and don’t like them.  They’re too onerous, they get started but often linger incomplete.

So, how do you get people in the business to understand and play along?

Let’s be clear – risk assessments (and a DPIA is one of these) can be one of the most useful tools in your data protection toolkit. Used properly, they can really help identify, assess and tackle risks before they even see the light of day.

When should you carry out a DPIA?

Just to recap we know we need to conduct DPIAs where our projects, initiatives, system changes and so on, are likely to represent a high risk to those whose data is involved. Note ‘high risk’. You’ll need to take account of the scope, type and manner of the proposed processing.

It’s not always easy to judge where this threshold falls, so some businesses end up carrying out far more DPIAs than needed, whilst others carry out too few. Fortunately the ICO have given examples of processing ‘likely to result in high risk’ to help you make this call.

Regulated sectors, such as financial services & telecoms, have more to think about and may adopt a cautious approach.

Engage with your teams

First rule of DPIA Club is… we MUST talk about it!

Build relationships with the people who ‘do new stuff’ with your data. The people who run development projects and the key stakeholders – such as heads of the main functions which process personal data across your business, e.g. Marketing, Operations, HR, etc. If you have a Procurement team, then target them too.

Ask what projects they have on the horizon. The aim is to make them aware of DPIA requirements and ask them to give you an early ‘heads up’ if they are looking to onboard a new service provider or indeed use data for an innovative new project.

Let them know tech projects and system migrations almost always involve some kind of personal data processing. They should be mindful of the potential for this to lead to privacy risks.

If they think about data protection from the outset it will save valuable time and money in the long run. Save unwelcome hiccups along the line. Give them examples of how things have gone wrong or could go wrong.

You could raise awareness across the business using your intranet, email reminders, posters, drop-in clinics … what ever it takes to get the message across.

A regular dialogue about upcoming technology projects, or using a DPIA screening form (or for larger businesses a technology ‘gating’ process) are good ways to get a heads up on new projects. These will help to quickly identify if a DPIA is needed or not.

Steve Priestly, Head of Data Protection (UK & MET), Travelex:

‘We place a key focus on highlighting to stakeholders of the benefits of early engagement in the DPIA process. Continual collaboration with your stakeholders is also key, understanding what they are trying to achieve. Lastly, ongoing DPIA education and awareness will help in the long-term to imbed a strong data privacy culture.’  

Use a good DPIA template

In my opinion too many businesses use complex and jargon-filled screening questionnaires and DPIA templates, which many people find hard to understand. They ask questions in ‘GDPR-talk’ which people find hard to grasp & answer and they often don’t really help people to identify what privacy risks actually look like.

Take a look at your DPIA template with fresh eyes. If you don’t like it use a better one, or adapt it to fit your business ways of working.

Be prepared for Agile working

So many development projects are Agile now and this requires adapting your approach. You won’t get all the answers you need at the start. Stay close to the project as it evolves and be ready to roll your DPIA in line with scheduled sprints or scrums, but before data migrates. DPIAs – How to assess projects in an Agile environment

DPIA approaches

It’s a good idea to keep tabs on how many data projects are in progress, how many lead to DPIAs and what the status of these is. This means you will know if you need to drum up more engagement or not.

Here are a couple of examples of the approaches taken by different businesses.

Use of technology tools

Stephen Baigrie, Managing Counsel, IT, Procurement & Privacy at Balfour Beatty:

“At Balfour Beatty we use an online privacy compliance platform to manage DPIAs and to enable early stakeholder engagement. We worked with our Group Data Protection Officer and Information Security team to formulate user-friendly assessment templates.

We use a pre-DPIA screening qualifier to help identify if a full DPIA is required and run a working group with Data Protection, Legal and Information Security stakeholders to track DPIAs and vendor due diligence matters.”

“Where appropriate, we adopt a self-service model for DPIA completion to help improve privacy awareness and seek to be agile by continuously improving and evolving our privacy processes.”

An integral part of the change governance process

Christopher Whitewood (CIPP/E, CIPM) Privacy & Data Protection Officer at Direct Line Group:]

“We have mandated that a risk assessment must be conducted as part of our change governance process. Our DPIA is included as part of a single online risk assessment form which allows for an early risk assessment by Privacy, Security and Business Continuity Teams.”

“A simple approach allows business areas to fill out one form with a layered question set to determine where further investigation is needed. The online form has been adapted to consider any data ethical concerns at an early stage, but also has the added bonus of the scored risk assessment to form the basis to drive assurance activity.”

So to conclude, I hope this has given you some fresh ideas how to engage with your colleagues about DPIAs. Good luck!

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO Opinion on Ad Tech – Old wine in a new bottle?

December 2021

Does the ICO Opinion piece tell us anything new?

The ICO has published an “Opinion” which can be interpreted as a shot across the bows for any Ad Tech company who is planning to launch their new targeting solutions for the post-third-party cookie world. 

If these companies thought new targeting solutions would get waved through because they don’t involve third-party cookies, it’s clear that Google’s difficulties with their Sandbox solution say otherwise. 

Google is currently knee-deep in discussions with both Competition and Marketing Authority (CMA) and ICO to come up with a targeting solution that is fair to consumers whilst also avoiding the accusation of being anti-competitive. 

In the ICO’s opinion piece they set out the clear parameters for developing these solutions in a privacy-friendly manner. You won’t be too surprised to hear all the usual concerns being re-heated in this discussion. To quote the ICO:

  1. Engineer data protection requirements by default into the design of the initiative
  2. Offer users the choice of receiving adverts without tracking, profiling, or targeting based on personal data. 
  3. Be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing
  4. Articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful, and transparent
  5. Address existing privacy risks and mitigate any new privacy risks that the proposals introduce

This opinion piece is the latest publication from the ICO in a relatively long-running piece of work on the use of cookies and similar technologies for the processing of personal data in online advertising. In their original report in 2019, the ICO reported a wide range of concerns with the following which needed to be rectified:

  • Legal requirements on cookie use;
  • Lawfulness, fairness, and transparency;
  • Security;
  • Controllership arrangements;
  • Data retention;
  • Risk assessments; and
  • Application of data protection by design principles. 

You can read the back story here

The state of play in 2021

Since the ICO has started its investigations in 2019, the market has continued to develop new ways of targeting advertising that does not rely on third-party cookies. The net result is that the world has moved to a less intrusive way of tracking which has been welcomed by ICO. Some examples include: 

  • With Google Chrome’s announcement re: cookies, there is an expectation that third-party cookies will be phased out by end of 2022. 
  • There have been increases in the transparency of online tracking – notably Apple’s “App Tracking Transparency” ATT
  • There are new mechanisms being developed to help individuals indicate their privacy preferences simply and effectively
  • Browser developers are introducing tracking prevention in their software.  A notable example is the Google Privacy Sandbox which will enable targeting with alternative technologies.

How should we interpret this opinion piece?

A lot of what has been included is information from the 2019 reports. In effect, it’s a summary of previous activities plus additional material to bring you up to date. Although it is a rather long piece, there is some clear guidance for the way forward for developers of new solutions. 

Furthermore, it is bluntly warning technology firms that they are in the ICO’s sights: 

“In general, the Commissioner’s view is that these developments are not yet sufficiently mature to assess in detail. They have not shown how they demonstrate participants’ compliance with the law, or how they result in better data protection outcomes compared to the existing ecosystem” Source: ICO

Data protection by design is paramount – no excuses for non-compliance this time

The ICO opinion clearly flags to developers that they will accept no excuses for developing non-compliant solutions. In the past, there have been difficulties because the Ad Tech solutions have been in place for some time with the data protection guidance being retrofitted to an existing ecosystem. 

With the demise of third-party cookies and the advent of a variety of new solutions, there can be no excuse for ensuring that privacy is engineered into the design of the solutions. 

It explicitly highlights the need to respect the interests, rights, and freedoms of individuals. Developers need to evidence that these considerations have been taken into account.  

Users must be given a real choice

In the first instance, users must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. There must be meaningful control and developers must demonstrate that there is user choice through the data lifecycle. 

Accountability – show your homework

There is an expectation that there will be transparency around how and why personal data is processed and who is responsible for that processing. In the current ecosystem, this is largely impossible to achieve and there is no transparency across the supply chain. 

Articulate the purpose of processing data

Each new solution should describe the purpose of processing personal data and demonstrate how this is fair, lawful, and transparent. Can suppliers assess the necessity and proportionality of this processing? The 2019 report highlighted that the processing appeared excessive relative to the outcomes achieved. How will processors change their ways? 

Addressing risk and reducing harm

As a start, it’s important to articulate the privacy risks, likely through a DPIA, but also explain how those risks will be mitigated. The previous ICO reports indicated their disappointment with the low volume of DPIAs produced by Ad Tech providers. This needed to change. 

To conclude with a useful developer checklist

The ICO provides a checklist of how to apply these principles in practice. You can probably jump to this section if you really want to know what is expected: 

  1. Demonstrate and explain the design choices.
  2. Be fair and transparent about the benefits.
  3. Minimise data collection and further processing.
  4. Protect users and give them meaningful control.
  5. Embed the principle of necessity and proportionality.
  6. Maintain lawfulness, risk assessments, and information rights.
  7. Consider the use of special category data.

The ICO is very clear that the industry must change. There is no appetite to approve solutions that fundamentally adopt the same flawed ways of working. There is also a clear acknowledgment that some solutions are potentially anti-competitive so a partnership with the CMA will continue. You have been warned!

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Data Protection by Design: Part 3 – Data Protection Impact Assessments

September 2020

Getting your DPIA process on track

Deciding when to carry out a Data Protection Impact Assessment (DPIA), and understanding how to conduct one effectively, is a challenging area.

I’ve come across cases where DPIAs are not being conducted when necessary, or left incomplete. Less frequently, DPIAs are over-used, creating an unnecessary burden on key teams.

DPIAs sit at the heart of Data Protection by Design, and this is part 3 of our series, following on from:

Part 1: Data Protection by Design – The Basics 

Part 2 – How to approach Data Protection by Design

Just to be clear – we may be hearing the term DPIA more frequently, but it’s not a new idea – what changed under GDPR is they were made mandatory in certain circumstances. And even if not mandatory they can be a very useful tool in your data protection toolbox.

So how do you make sure your DPIA process is on track? I’ve taken a look at the key stages you should have in place, and how to get people on-board and improve their understanding.

But first things first.

What is a Data Protection Impact Assessment?

Just to recap, a DPIA is a management tool which helps you:

  • Identify privacy risks
  • Assess these risks
  • Adopt measures to minimise or eliminate risks

It’s a way for you to analyse your processing activities and consider any risks they might pose. It focuses on identifying any risks to people’s rights and freedoms, and considers the principles laid down in data protection law.

The key is to start the assessment process early so you can make sure any problems are found (and hopefully fixed) as soon as possible in any project – be this implementing a new system, designing a new app or creating new processes.

When is a DPIA mandatory?

When considering new systems, technologies or processes a DPIA should be conducted if these might result in a high risk to the rights and freedoms of individuals. A DPIA may also be conducted retrospectively if you believe there are inherent risks.

It’s mandatory, under the GDPR to conduct a DPIA in all of the following scenarios:

  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences
  • a systematic monitoring of a publicly accessible area on a large scale

Each EU regulatory authority has published their own list of other scenarios in which a DPIA would be mandatory. You can find the UK Innformation Commissioner’s Office’s in its DPIA Guidance. This includes;

  • use innovative technology (note the criteria from the European guidelines)
  • process biometric data or genetic data (note the criteria from the European guidelines)
  • match data or combine datasets from different sources
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’) (note the criteria from the European guidelines)
  • track individuals’ location or behaviour (note the criteria from the European guidelines)
  • profile children or target marketing or online services at them – it’s also worth checking the new ‘Children’s Code’ aimed at protecting children online

When a DPIA is not mandatory… but a good idea

The ICO says it’s “good practice to do a DPIA for any other major project which requires the processing of personal data.” Here are some examples of where it might be advisable to conduct a DPIA, if your processing;

  • would prevent or restrict individuals from exercising their rights
  • means disclosing personal data to other organisations
  • is for a new purpose (i.e. not the purpose the data was originally collected for)
  • will lead to transfer of personal data outside the European Economic Area (EEA)
  • involves contacting individuals in a manner which could be deemed intrusive.

What the ICO expects you to do

The ICO DPIA guidance has a handy checklist of areas to focus on:

  • provide training so staff understand the need to consider a DPIA at the early stages of any plan involving personal data
  • make sure existing policies, processes and procedures include references to DPIA requirements
  • understand the types of processing that require a DPIA, and use the screening checklist to identify the need for a DPIA, where necessary
  • create and document a DPIA process
  • provide training for relevant staff on how to carry out a DPIA

How to build a robust DPIA process

So how do you go about fulfilling the ICO’s expectations above? Here are some steps to take.

A. Getting Board / Senior Management buy-in

Growing awareness and buy-in from across the organisation is crucial. It can be helpful to highlight why DPIAs are a good thing, for example;

    • they’re a warning system – they alert compliance teams, and the business as a whole, of risks before they occur. Prevention is always better than cure
    • by identifying risks before they’ve an adverse impact, DPIAs can protect you against potential damage to your brand reputation, e.g. from complaints or enforcement action
    • they help management make informed decisions about how your processing will affect the privacy of individuals
    • they show you take data protection seriously and provide evidence, should you need it, of your compliance

Training is also important, I’ll come on to this in a bit, but first you need to make sure your process is fit for purpose….

B. Creating a screening questionnaire

Create a quick set of questions for business owners or project leads to use, which help to identify if a DPIA is required or not.
These can ask about the type of personal data being used, whether it entails any special category data or children’s data, what the aim of the project is and so on.

The answers can be assessed to judge whether a more detailed assessment is really required or not. (It can also show where more training might be needed, if people struggle to answer the questions).

C. The DPIA itself

You need to develop a robust process for conducting a DPIA. The ICO has a template you can use, but it’s good idea to adapt this to suit your business. Make sure it’s easy to understand and not full of data protection jargon.

These are the core aspects it needs to cover:

    • describe the processing you are planning to do – it’s nature, scope, context and purposes
    • assess its necessity and proportionality
    • identify and asses any risks
    • identify solutions and integrate into a plan
    • sign off and record outcomes
    • implement risk control plans
    • and finally, keep your DPIA under review

Let’s look at these seven key stages in a little more depth…

1. Describe your processing

These are some of the type of questions you’d want answers to (this is not an exhaustive list):

    • how is personal data being collected/used/stored and how long it is retained for?
    • what are the source(s) of the personal data?
    • what is the relationship with individuals whose data will be processed?
    • what types of personal data does it involve, does this include special category data, children’s data or other vulnerable groups?
    • what is the scale of the activity – how many individuals will be affected?
    • is the processing within individuals’ reasonable expectations?
    • will data be transferred to a third party and is this third party based outside the EEA?
    • what risks have already been identified?
    • what are the objectives? Why is it important to the business and / or beneficial for individuals?

2. Necessity and proportionality

Consider the following questions (again, this is not an exhaustive list):

    • what is the most appropriate lawful basis for processing?
    • is there another way to achieve the same outcome?
    • have you ensured that the minimum amount of personal data is used to achieve your objectives (i.e. data minimisation)?
    • how can you ensure data quality and integrity is maintained?
    • how will you inform individuals about any new processing?
    • how will individuals’ rights be upheld?
    • are any processors used and if so how will you ensure their compliance?
    • how will international transfers be protected, what safeguard mechanisms will be used?
    • who will have access to personal data, does this need to be restricted?
    • where will data be stored and how will it be kept secure?
    • how long will data be retained and how will data be destroyed when no longer required?
    • have the relevant staff received appropriate data protection training?

3. Identify and assess the risks

Identify any privacy issues with the project and associated risks. These may be risks to the individuals whose data is being processed, compliance or commercial risks.

Is there potential for harm, whether this be physical, material or non-material? A DPIA should ideally benchmark the level of risk using a risk matrix which considers both the likelihood and the severity of any impact on individuals.

You don’t have to eliminate all risks, but they should be documented, and any residual risks need to be understood and, if appropriate, accepted by the business.

If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.

4. Identify solutions and integrate into a plan

Develop solutions which will eliminate or minimise privacy risks and then consider how these solutions impact on the project.

It can be helpful to use the established ‘four strategies for risk management’ (the 4Ts), i.e.

    • Treat the risk, i.e. adopt measures to minimise or eliminate risk
    • Transfer the risk, e.g. outsource the processing
    • Tolerate, e.g. accept risk if its within the organisations accepted level of risk
    • Terminate it, i.e. stop that specific processing or change the process in such a way that the risk no longer exists

5. Sign off and record outcomes

Someone must sign-off that the DPIA is complete and be accountable for any residual risks. It’s a good idea to log residual risks in your Risk Register.

6. Implement risk control plans

7. And finally, keep your DPIA under review

There’s also lots of useful content on this in the ICO’s DPIA Guidance.

D. Awareness and Training

Once you have your questionnaire and DPIA process ready to go, it’s time to make sure people know about it! If people aren’t aware they’ll be busy doing fabulously innovative things, not considering the potential data protection issues and impact on people’s privacy.

Making sure your teams know what a DPIA is, in simple layman’s terms, is an important step – building an understanding about why it’s important and the benefits to the business as a whole.

Creating short, easy to understand, guidelines and raising awareness via other means helps reinforce the message that DPIAs are a good thing and people need to think data protection in their day to day work.

It’s also important to develop people’s skills. After all the DPO (or team/person responsible for data protection) can’t do this single-handed. You need key people to know;

    • what a DPIA entails
    • how to answer the questions
    • what are the types of risks to look out for
      and
    • what type of solutions will mitigate any identified risks

Holding workshops with relevant staff to discuss how you conduct a DPIA, and / or perhaps run through an example, can help improve people’s skills. My key tip would be to try and not over-complicate things and to keep it straightforward.

In summary, whether you are required by law or not to complete a DPIA they are a useful way to make sure data protection is considered from the outset, with no nasty surprises just before your project launches!

“But it’s essential that we go live on Friday!” If I had a penny for every time I’ve heard this one. If only they’d known, or thought of, speaking to the people responsible for data protection.

Often a DPIA won’t required, but there’ll be times when it’s mandatory or just a very good idea.

 

Data Protection team over-stretched?  We can review your existing DPIA process or help you to develop one. We can also do remote DPIA workshops for key members of your teams – Get in touch

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Data Protection by Design: Part 1 – The Basics

August 2020

Data Protection by Design and by Default – What does it mean? 

You might hear the terms ‘privacy by design’ and ‘data protection by design and by default’ being used when discussing data protection. We’re frequently told to think privacy first, by considering data protection at the outset of any project and embedding it into policies and processes.

That’s all very well, but what does ‘Data Protection by Design’ really mean (and why is it also called ‘Privacy by Design’)? Do you need to be concerned about it? And how do you approach it in practice?

When you delve into the detail, this stuff quickly becomes complex. I’m going to try and avoid ‘privacy speak’ and jargon as much as I can and give an overview of how it all started and where we are now.

What is Privacy/Data Protection by Design?

Data Protection by Design (and also ‘by Default’) are terms ushered in by GDPR.

But the concept’s not new; the roots lie in Privacy by Design which has been around for some time. The brains behind Privacy by Design is Ann Cavoukian (a former Information and Privacy Commissioner for the Canadian province of Ontario). The concept was officially recognised as an essential component of fundamental privacy protection in 2010.

Cavoukian’s approach led to a new way of integrating privacy into products, business processes and policies. At its core it’s all about incorporating privacy measures at the design stage of a project or policy, rather than bolting them on afterwards.

The basis of this approach is to allow businesses to protect data and privacy without compromising commercial effectiveness right from Day One. I’m sure practitioners in other fields, for example Health and Safety or HR, will be familiar with this approach too.

Privacy by Design is based on seven principles designed to embed privacy into a project’s lifecycle. For more detail take a look at the IAPP’s Privacy by Design the foundational principles.

Fast forward to GDPR…

In the past, Privacy by Design was considered a great approach to take and adopted by many businesses worldwide – but it wasn’t mandatory. What’s different now is GDPR has made it a legal requirement.

GDPR also gave us the new term Data Protection by Design and by Default. This means organisations who fall under the scope of GDPR are obliged to put appropriate technical and organisational measures in place. These are commonly referred to as TOMs.

ICO guidance explains why, ‘businesses have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated the principles of data protection into your processing activities.’

You need to make sure data protection principles, such as data minimisation and purpose limitation, are implemented effectively from the start. Crucially, such measures also need to focus on protecting people’s privacy rights.

The ICO has produced detailed guidance on the topic, to help you navigate how to consider data protection and privacy issues at the start of your projects, products and processes.

As an aside, this doesn’t mean everything grinding to a halt, claiming ‘I can’t do that because of GDPR’!

The more familiar you become with the basic principles, the easier it is to explain and incorporate them into your business. That’s not to say it’s always a piece of cake – sometimes it isn’t – but neither does it have to be the ball and chain some make it out to be.

Do you need to worry about this stuff?

There’s a short answer to this question – Yes! It’s a legal requirement under GDPR, albeit some organisations will take this very seriously and others will take a laxer approach.

How to make a start

This is a topic that can feel overwhelming to begin with. It’s common to think, “how on earth do I get everyone across our business to think about data protection and consider people’s privacy in everything we do?”

Here are a few tips on organisational measures;

  • Benefits – think about how this approach is good for business and for your employees. It’s not just about trying to avoid data breaches, it’s about being trustworthy, taking care about how you handle and use people’s information. Privacy can be a brand asset; it can save costs and improve the bottom line. Increasingly organisations want to work with partners who can demonstrate sound privacy credentials. In many instances some of the most sensitive data your handle will be that of your employees. You all have an interest in making sure you handle everyone’s personal data in a secure and private way.
  • Collaborate with InfoSec – The two disciplines of privacy and security are intrinsically linked. Businesses are most successful at protecting personal data when the Info Sec and Data Protection teams are joined up, working in tandem.
  • Innovation – gone are the days when data protection was the place where dreams went to die! Sure, there are checks and balances that need to be considered when a great idea has privacy risks. When this happens, it’s up to the data protection team to be as innovative as their colleagues in helping that idea flourish. You never know – your approach to privacy can add value to a project, not diminish its effectiveness.
  • Awareness – think about fresh ways to get the message across – data protection matters. This is a balancing act, because we wouldn’t want to scare people to the extent they worry about the slightest thing. Try to explain that once data protection principles are embedded, much of it is common sense.
  • DPIAs – data protection impact assessments are one of the most important tools in your data protection by design toolbox (you don’t have one?). DPIAs are like a fire alarm – are your developers busy creating the most fabulous app ever? The DPIA should alert them to issues which, if ignored, might be project-breaking to fix later. As an aside, many DPIA templates I’ve seen are unduly complex and impossible for most staff to even attempt. So, try and make this an easier process – jettison the jargon and ask straight-forward questions.
  • Data Governance – I apologise, this really is the dreariest of terms. Nonetheless, it’s seriously worth developing a governance framework across your business which sets out who is responsible, who is accountable for your data and how the data is used. It can help to make sure processes and policies are robust and kept up to date.
  • Training – there’s nothing more empowering than effective training; making sure your people understand data protection principles, what privacy risks might look like and understand how it’s relevant to their job. Once this stuff is explained simply and effectively, it’s amazing how quickly this falls into place.

There’s an old saying: “What’s the best way to eat an entire elephant?” The answer is, “by breaking it into pieces first.”

You know your business – all you need to do now is break down the data protection stuff into manageable chunks as you apply them to your projects. The first couple might be tricky, but after that? There’s no substitute for getting stuck in and applying the principles to real-world problems. And the good news is there’s plenty of advice, training, templates and guidance available.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.