
#top3dataprotectionissues series

by Tim Clements

#top3dataprotectionissues No. 1

You need to look beyond compliance and cultivate a narrative that is interesting and aligns with the value the processing of data brings to your company.
The narrative also needs to be contextual, realistic, and unique.
Copy/pasting from others or some textbook will not work here.
Your colleagues in the business need to see their work or objectives reflected in your purpose, mission/vision, or whatever you want to call it.

#1 You’re perceived as a necessary evil or an overhead;

#2 You talk in riddles of articles and recitals;

#3 Anything concerning ‘data protection’ or ‘privacy’ gets forwarded to you.

#top3dataprotectionissues No. 2

Aligning data protection with your business is essential.
Identifying data touchpoints in your business strategy will fuel conversations and open doors for alignment and, eventually, contributions to funding.
A *Data Protection Strategy* driven by a 'purpose' (see my 1st top3 post) is like a tube of glue - it helps bond data protection to the data-driven elements of your company's business strategy.

#1 You only have a shoestring budget;

#2 Data protection is not living and breathing in the business;

#3 Risk management is ‘best guess’.


#top3dataprotectionissues No. 3

Why should a business case be important to you?
Your company is probably no different from any other.
You can’t just spend money as you wish, and there aren’t teams of people sitting around waiting to be given work.
You need to justify any funding you request, or changes you want to make.
In most companies, this involves producing a business case, which is essentially a document that addresses five key questions: why, what, how, when and who.

#1 We don’t have one;

#2 The data protection leader does not have the competences or knowledge to produce one;

#3 We must act to avoid the 4% and 2% fines.


#top3dataprotectionissues No. 4

Steering Committees should be seen as a positive mechanism that supports the privacy program, and should ideally comprise individuals who have a stake in the processing operations of the company.
Their stake may be their ownership of data-related elements of the business strategy, where they are motivated to achieve personal objectives.
Draft a ToR (terms of reference) that sets out their role and your role, and the objectives, expectations and the work the committee needs to perform.

#1 Our committee dissolved on 25 May 2018 when our GDPR project closed down;

#2 The committee members represent corporate functions rather than processing entities;

#3 I find the Steering Committee meetings uncomfortable.

#top3dataprotectionissues No. 5

A few tips:
• Recognise that data protection is a team sport requiring a multi-disciplinary team.
• To ensure data protection is living and breathing, the data protection leader must either have strong business skills or engage with others who can help: strategy, planning, communication, business analysis.
• Never forget the key word is DATA, and reflect on the pervasiveness of DATA.

#1 Data protection ‘responsible’ with a day job;

#2 Anchored ultimately under a CFO;

#3 Anchored in legal, with mainly legal resources.


#top3dataprotectionissues No. 6

A framework should bring structure and predictability to your work whilst keeping a close eye on risk. It’s your operating model for data protection: policies, procedures, roles & responsibilities, decision-making mechanisms, information flows within the program, as well as employee engagement.
It must not be a burden for you or your company. It must be aligned with how your business operates, everyone must be able to understand it, and where relevant, see the part they need to play in it.
If your framework is based on an existing external framework or standard(s) then you’ll be able to incorporate lots of knowledge, insights and lessons learned from others - or as some say, best practice.

#1 Copy/paste frameworks;

#2 A framework is 'just' policies and procedures;

#3 No embedment in your company’s operational procedures.

#top3dataprotectionissues No. 7

There are many one-person data protection armies out there.
You may be one of them.
It's often a sad reflection of how seriously your superiors view data protection.
You are not alone.

#1 The one-person army;

#2 Central team = more capacity to deal with other people's issues;

#3 The knowledge gap.


#top3dataprotectionissues No. 8

Writing effective data protection policies is a highly under-estimated task.
Remember, the target audience for data protection policies is your company's workforce.
Why would anyone write them in a way that makes them hard to understand?

#1 Policies written by lawyers;

#2 No harmonisation;

#3 No internal ownership.

#top3dataprotectionissues No. 9

Demonstrating accountability.
It’s an important word, and a key data protection principle, but do all companies really understand it?

#1 Not fully understanding what accountability means;

#2 Lack of evidence;

#3 Who holds you to account?


#top3dataprotectionissues No. 10

Some data protection leaders now recognise the vast gap that often exists between their policies and knowledge on the ground - in the trenches where the processing of data about people takes place.
If you are a legal-oriented DP Leader you may need help to transpose high-level policy statements into actionable steps that vary depending upon employee context.

#1 Employees must figure out the policy statements themselves;

#2 Employee context varies across your company;

#3 They see data protection as your issue to solve, not theirs.

#top3dataprotectionissues No. 11

The current state of data protection includes many legacy ‘legal solutions’ to legal requirements, and this includes the typical mechanism used by companies to fulfil processing transparency obligations to individuals: the privacy notice (or statement, policy, etc.).
These ‘legal solutions’ are often clunky and not user-friendly.
The common template for a privacy notice has been replicated globally and tends to be only accessible via a link in tiny text, hidden away at the bottom of a webpage.
Opaque transparency?

#1 Too long and generic;

#2 Too legal-oriented (and threatening);

#3 Lack of innovation.

#top3dataprotectionissues No. 12

As a data protection leader, you strive to make your work living and breathing in your organisation, right?
Your good intentions can quickly evaporate if you’ve not embedded controls in your company's operational processes and procedures that will trigger the numerous mechanisms that make data protection effective.
Common examples include ROPA (record of processing activities) updates, considering whether to perform a DPIA (data protection impact assessment), data breaches, complaints and vendor due diligence, to name a few.

#1 We circulated the template;

#2 No agreement with process owners;

#3 "It's clearly stated in our policies..."


#top3dataprotectionissues No. 13

You need to be extremely careful when attempting to introduce a 'culture of privacy' in companies.
Don’t mess with it unless you really know what you’re doing.

#1 Conflicting culture;

#2 Insufficient attention to department (sub)cultures;

#3 Not understanding the constraints.


#top3dataprotectionissues No. 14

To truly be in control of processing, you need a full understanding of the processing activities carried out by your company.
A good starting point is to get introduced to your company’s customer journey maps.
They’ll provide context and will enable you to get a better understanding of the bigger-picture side of processing.
They are enriched with information that will help you understand where transparency obligations apply and where data life-cycle phases are critical, among many other things.

#1 Drowning in line entries;

#2 Isolation;

#3 Responsibilities not embedded.


#top3dataprotectionissues No. 15

Just considering whether to conduct a DPIA is an opportunity to generate evidence (an accountability mechanism) and to ensure you understand and address risks to individuals appropriately.
DPIA quality is critical.
Although you have a template and your documentation may appear complete, some companies don’t pay sufficient attention to the process itself and the people that need to be involved.

#1 One person does the DPIA;

#2 We have a tool (or template);

#3 Not understanding what’s at risk.

#top3dataprotectionissues No. 16

When it comes to processing, your company is either in control, or it’s not.
There’s no ‘kind of in control.’
On a basic level, your ROPA will provide an overview of your processing.
How can you claim to be in control if you don’t have one, or it was last updated a year or more ago?
Many of the ROPA issues companies have stem from an over-eagerness to populate their ROPA without a strategy or governance model.

#1 Static and out of date;

#2 Zero value;

#3 Money wasted.
