Data Protection Compliance In Economically Depressing Times
A case study on how to run privacy compliance obligations in an organisation in economically depressing times. The study describes various tools that can be deployed to counter resource reduction.

Published in: Technology, Business

Transcript

  • 1. Case study: Data Protection (Privacy) compliance management in economically depressing times

    By Ben Oguntala, LLB, LLM
    ben.oguntala@dataprotectionofficer.com
    www.dataprotectionofficer.com
    Copyright 2011

    This paper covers:
    1. Policy management and implementation including periodic review
    2. Dissemination of policies and procedures to all business units
    3. Assessment of business changes that impact 3rd parties
    4. Privacy impact assessment across business units
    5. Privacy audit of suppliers
    6. Operational support of businesses
    7. Privacy standard enforcement
    8. Managing subject access requests and responses
    9. Privacy audit of business units

    www.dataprotectionofficer.com info@dataprotectionofficer.com

  • 2. Contents

    Introduction
    The role of the Data Protection Officer
    Resource deficiency impact
    Resource responsibilities on key privacy areas
    Policy management and implementation including periodic review
    Dissemination of policies and procedures to all business units
    Privacy impact assessment across business units and 3rd parties
    Privacy audit of suppliers
    Operational support of businesses
    Privacy standard enforcement
    Managing subject access requests (SAR) and responses
    Privacy audit of business units, projects and suppliers
  • 3. Introduction

    Most countries in Europe and America face an austere period for the next few years. Consequently most organisations within these countries, in both the government and private sectors, will face the challenge of cost reduction while their requirements and obligations stay the same.

    Within the data protection/privacy management sector this austere period will manifest itself as a reduction in privacy staff and in the resources available for managing the day-to-day requirements of data protection and privacy compliance management.

    A reduction in resources increases the likelihood of breaching the EU Data Protection Directive or the UK Data Protection Act 1998. The key areas impacted include:
    1. Policy management and implementation including periodic review
    2. Dissemination of policies and procedures to all business units
    3. Assessment of business changes that impact 3rd parties
    4. Privacy impact assessment across business units
    5. Privacy audit of suppliers
    6. Operational support of businesses
    7. Privacy standard enforcement
    8. Managing subject access requests and responses
    9. Privacy audit of business units

    To address this problem, www.dataprotectionofficer.com offers a portal-based solution designed to assist Chief Privacy Officers, Data Protection Officers and compliance teams in maintaining their obligations.

    [Diagram: the areas of control the www.dataprotectionofficer.com portal provides to the data protection officer]

    The diagram above depicts the areas of control the portal provides to the data protection officer; with diminishing resources, the obligations toward data protection compliance can still be met.

  • 4. The role of the Data Protection Officer

    [Diagram: a typical organisation's privacy management structure, its key areas of concern and the obligations attached to each]

    The diagram above depicts how a typical organisation's privacy management structure is organised; it shows the key areas of concern and the obligations associated with them. As resources are reduced, the key areas may become deficient, increasing the propensity to breach the Data Protection Act.

    The solution provided by www.dataprotectionofficer.com was designed by privacy lawyers and compliance consultants, so it has an innate compliance capability even when resources are diminishing.

    The solution also lets you pick and choose the areas you wish to automate. For example, strategy is predominantly handled by senior management and rarely changes; automating it gives visibility of how effective the strategy is within your organisation and where improvements can be made.

    Operational support, complaints and resources, subject access requests, incidents, and audit and compliance are resource intensive. We have tools designed to reduce that resource intensity and those requirements, allowing your organisation to maintain the same level of compliance by integrating the solution into your current environment.

  • 5. Resource deficiency impact

    Depending on the size of your organisation, the economic depression may have varying degrees of impact. In some situations a small to medium organisation may be left with 1 or 2 resources to manage the entire privacy regime, while a larger organisation may simply be left with 4.

    With this in mind, our solution is designed to let you operate with minimum resources while still achieving optimum efficiency, measured against key performance indicators.

    [Diagram: indicative privacy resource numbers by organisation size]

    The numbers above may vary depending on the size of the organisation.

  • 6. Resource responsibilities on key privacy areas

    The resources within privacy have specific responsibilities, and reducing them may expose an area to potential breaches. Our solution is designed to plug each such hole so that adequate coverage is maintained should the resource reduction actually materialise.
  • 7. Policy management and implementation including periodic review

    Assuming there is only 1 resource available in this area, the www.dataprotectionofficer.com solution will enable your organisation's resource(s) to:
    1. Draft policies and procedures
    2. Disseminate policies to all business units with a single click
    3. Manage all policies, procedures and processes from a single interface
    4. View all policies on a single dashboard

    [Diagram: the Data Protection policy dashboard]

    The diagram above depicts the policy dashboard, capturing the essential policies and their corresponding procedures.

  • 8. Dissemination of policies and procedures to all business units

    The policy dashboard will allow you to:
    1. Create data protection and other privacy-related policies
    2. Create a group or national policy
    3. Create a local policy if applicable
    4. Create relevant department policies relating to the main policy
    5. Assign operational responsibility for procedures to an officer
    6. Let the responsible officer create procedures to match the policies
    7. Monitor risks, incidents and audits

    All business units across your enterprise will have their key personnel listed on the organisation chart, and once a policy is updated they will be alerted by email.

    Each business unit will have its responsible officer listed, as well as the key personnel in the business unit responsible for operations related to privacy and data protection.

  • 9. Privacy impact assessment across business units and 3rd parties

    All projects and business changes, once approved, can be submitted via the portal to the data protection/privacy team for privacy impact assessment (PIA).

    [Process diagram: an initial survey, followed by a PIA for each qualifying project or change]

    The process above depicts how your business units submit projects and changes to your privacy or data protection team for privacy impact assessment.

  • 10. Privacy audit of suppliers

    The portal contains an organisational chart that also includes suppliers. The diagram below lists suppliers, the number of information assets you are sharing with each of them, and any incidents recorded against those assets.

    [Diagram: supplier list with shared information assets and associated incidents]

    This single interface simplifies the supplier engagement process and compliance management.

    Each asset associated with a supplier is listed and can be audited, and non-compliances can be registered against each asset.

  • 11. Operational support of businesses

    Operational support is perhaps the area most likely to suffer from a resource reduction. To address the problem we have simplified the engagement process, making it possible to maintain the same level of service to the business.

    Our initial approach is an automated privacy impact assessment, which determines the level of privacy impact a project has and automatically scores the project.

    The initial survey is part of the privacy impact assessment and is designed to weed out projects that have no privacy impact, so that effort is focused only on projects with privacy risks.

    This process suits teams with limited resources by streamlining the end-to-end process and focusing on privacy-impacting projects and changes.

  • 12. Privacy standard enforcement

    Our strategy in this area is to automate as many of the technology-based provisions as possible: all IT systems that contain information assets have the required protections applied from build, so that compliance is inherent rather than retrofitted.
  • 13. Managing subject access requests (SAR) and responses

    Subject access requests can arrive through numerous ingress points in your organisation. The www.dataprotectionofficer.com solution captures all of your ingress points and business units and integrates them into a single dashboard.

    Every time a SAR is registered, an automatic tracking process captures the request, alerts the team and places the request on the SAR dashboard. The role of the data protection team is to ensure every request receives a response within the 40-day limit (the statutory period under section 7 of the Data Protection Act 1998, which runs from receipt of the request together with any fee and the information needed to confirm the requester's identity). To achieve this we provide an automatic countdown that tracks the request from day zero until a response is made.

    The dashboard automatically assigns a SAR ID to each request and allows the data protection/privacy team to carry out the administrative and validity checks, and to assign the request to an officer for response while retaining overall visibility.

    At 5 days left, the dashboard entry changes to amber and an alert is sent to the team that a SAR has 5 days to go and has had no activity, allowing the team to act on the SAR before a breach occurs.
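    The countdown and amber-alert rule described above can be expressed as a small tracker. The following is an added illustration in Python and is not the portal's own code; the 40-day period counted from day zero and the 5-days-left amber point come from the slide, while the SAR ID format, the reading of "no activity" as "nothing logged since receipt", and the BREACH/CLOSED states are this example's own assumptions.

```python
"""Minimal subject access request (SAR) tracker: countdown, amber warning,
breach detection and sequential SAR IDs. Added example, not the portal's code.

Rules assumed here:
  * the response period is 40 days counted from day zero, the date of receipt (from the slide)
  * an open request with 5 or fewer days left and no activity logged turns AMBER (from the slide)
  * an open request past its deadline is a BREACH (this example's choice)
  * a request with a response recorded is CLOSED (this example's choice)
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SAR_PERIOD_DAYS = 40       # DPA 1998 s.7 response period, as the slide states
AMBER_THRESHOLD_DAYS = 5   # "5 days left" warning point from the slide


@dataclass
class SubjectAccessRequest:
    sar_id: str
    received: date                       # day zero of the countdown
    ingress: str                         # where the request arrived, e.g. "web form" or "post"
    responded: Optional[date] = None
    activity: List[date] = field(default_factory=list)   # dates of work logged on the request

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=SAR_PERIOD_DAYS)

    def days_left(self, today: date) -> int:
        """Whole days remaining; negative once the deadline has passed."""
        return (self.deadline - today).days

    def log_activity(self, when: date) -> None:
        self.activity.append(when)

    def respond(self, when: date) -> None:
        self.responded = when

    def status(self, today: date) -> str:
        if self.responded is not None:
            return "CLOSED"
        left = self.days_left(today)
        if left < 0:
            return "BREACH"
        # Assumption: "no activity" means nothing has been logged since receipt.
        if left <= AMBER_THRESHOLD_DAYS and not self.activity:
            return "AMBER"
        return "OPEN"


class SarDashboard:
    """Registers requests from any ingress point and issues a sequential SAR ID."""

    def __init__(self, year: int) -> None:
        self._year = year
        self._seq = 0
        self.requests: Dict[str, SubjectAccessRequest] = {}

    def register(self, received: date, ingress: str) -> SubjectAccessRequest:
        self._seq += 1
        sar_id = f"SAR-{self._year}-{self._seq:04d}"   # ID format is this example's own
        sar = SubjectAccessRequest(sar_id, received, ingress)
        self.requests[sar_id] = sar
        return sar

    def alerts(self, today: date) -> List[Tuple[str, str, int]]:
        """Requests the team must act on now: (sar_id, status, days_left), most overdue first."""
        flagged = [
            (s.sar_id, s.status(today), s.days_left(today))
            for s in self.requests.values()
            if s.status(today) in ("AMBER", "BREACH")
        ]
        return sorted(flagged, key=lambda row: row[2])


if __name__ == "__main__":
    # Constructed sample data, not real requests.
    board = SarDashboard(2011)
    board.register(date(2011, 3, 1), "web form")
    board.register(date(2011, 2, 1), "post")
    for sar_id, status, left in board.alerts(date(2011, 4, 5)):
        print(f"{sar_id}: {status} ({left} days left)")
```

    Because `days_left` goes negative rather than clamping at zero, a request that slipped past its deadline is still surfaced and sorted to the top of the alert list instead of silently disappearing from the countdown.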
  • 14. Privacy audit of business units, projects and suppliers

    The www.dataprotectionofficer.com solution automates the essential elements of a privacy audit by tracking the key audit requirements automatically. The key audit metrics are captured automatically, allowing remote audit and letting the team focus on high-level non-compliances.

    The key elements of our audit module include:
    1. Business units
    2. Policies and procedures
    3. Suppliers
    4. Key performance indicators
    5. Privacy process audit
    6. Projects and changes
    7. Information asset register

    The end