Published on May 28, 2021
In our last article, we discussed creating a privacy framework that provides the basic structure and offers guidance about how to integrate any compliance requirements applicable to your organisation. A robust privacy framework will ensure you have the right compliance policies and procedures in place whilst providing flexibility to adapt processes to align with organisational needs and requirements.
Investing in the best privacy technology for your organisation will make a significant difference to the effectiveness of your privacy framework. One challenging compliance requirement that privacy technology can help manage effectively, and which even large public bodies are known to have difficulty dealing with, is the Subject Access Request (SAR).
In December 2020, it was reported that the Metropolitan Police had a backlog of 662 subject access requests, 280 of which were overdue, over a year on from being issued an official enforcement notice by the ICO for its “sustained failures” in dealing with people seeking to discover what personal information the police holds on them.
To effectively deal with a data request within the strict time limits, you have to be able to find the information. For commercial organisations, personal information is often used for several functions, including marketing, business intelligence, and product development, to name just a few.
Safi Raza, director of cyber-security at Fusion Risk Management, told Compliance Week that privacy software:
In addition to managing SARs, privacy technology can be used for a range of purposes to automate different functions of a privacy program. These include data mapping, data discovery, consent management, incident response, and website scanning (cookie notices).
To establish the type and scope of privacy technology your organisation needs, answer the following questions: What type of personal information does my organisation collect, what is it used for, and where is it stored?
Once these questions have been answered (and this may be done by a Data Protection Officer (DPO)), you can start considering what type of privacy technology will address any weaknesses in your current systems and help build your privacy framework.
Privacy technologies are split into three categories:
These provide a framework for workflow management and readiness assessments that allow you to establish the current status of where, when, what, why, and how personal data is held within your organisation. From there, policies, procedures, and workflows can be created and communicated to employees and other relevant stakeholders (such as any processors) to achieve compliance.
Using machine learning, data discovery systems allow you to swiftly identify the location of personal data held by your organisation and who has access to it. However, as with all AI and machine learning, the process is not foolproof. Manual checks need to be conducted to ensure all relevant data relating to a compliance matter is captured.
Compliance requirements such as responding to a SAR take time. Multiply this by the number of SARs received annually, and the total resource requirements can amount to a significant cost. For multinational corporations, the volume of data involved can run into millions of documents. In such cases, compliance management tools are essential for meeting SAR obligations.
The privacy technology space has grown increasingly competitive over the past five years, with the number of vendors growing from 44 to 356 according to the latest IAPP Privacy Tech Vendor Report. Given the cost of investing in such technology, you must take the time to establish what tools your organisation requires to support your privacy framework and create a strong privacy culture.