A data protection officer (DPO) is the voice of data protection compliance within an organization. The DPO is expected to help the organization meet its legal obligations and, under the GDPR, to oversee the security of personal data.
A privacy program manager is responsible for managing and operationalizing the corporate privacy program across the company. Their most important responsibility is to be accountable for the safekeeping and responsible use of personal information, not just to investors and regulators but to everyday consumers, vendors, partners and employees.
Key responsibilities include:
Identify the company's privacy obligations
Identify business, employee and customer privacy risks
Identify existing documentation, policies and procedures
Create, revise and implement policies and procedures that effect good practice and together make up a privacy program aligned with corporate strategy. Don't forget that corporate policies have a lifecycle:
Draft: inward-facing policies, aligned and consistent across the organization
Approve: obtain sign-off from decision makers and stakeholders
Disseminate: publish the policies and train all employees
Review: revise policies regularly. Across our clients this is done quarterly, or immediately after a breach or a business change such as a merger or acquisition
Continuously maintain and improve the privacy program
5 Goals of a Privacy Program
A successful privacy program integrates privacy requirements and procedures into the functional areas across an organization.
Demonstrate compliance with applicable laws and regulations
Promote customer trust and confidence
Enhance an organization’s reputation
Facilitate privacy program awareness with employees, customers, partners and service providers.
Respond to privacy breaches
Compared with Directive 95/46/EC (the "Data Protection Directive"), which it replaces, the General Data Protection Regulation extends the reach of EU data protection law. An EU-based controller or processor falls within its scope where personal data is processed "in the context of the activities" of its establishment, a broadly interpreted test.
Sophia software provides discovery analytics that cover the first step of a GDPR compliance process: reporting what personal data exists in your landscape and where it is stored.
If you use an SAP CRM system and its email marketing component with prospects and customers from the European Union, the GDPR matters to you and your organization. You will need explicit consent (or another lawful basis) to store the records and email addresses of prospects and customers. Pseudonymization reduces the risk carried by this data: the identifiers are replaced by tokens, and the key that links them back to a person is held separately.
Data protection and marketing (targeted marketing): the GDPR restricts "profiling" and gives data subjects significant rights in relation to profiling-based decisions.
Advances in technology have made it faster for data controllers to gather, analyze and process personal data for many purposes, including drawing conclusions about data subjects and potentially acting on those conclusions, for example in targeted marketing or price differentiation. This is called "profiling."
Under Article 4(4), data processing is "profiling" when it involves
- automated processing of personal data, and
- use of that personal data to evaluate certain personal aspects relating to a natural person.
Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
"Profiling" in practice implies some outcome or action resulting from the data processing, which is reflected in the data subject rights under which the data subject must be informed about the "consequences" of profiling decisions.
Article 13 addresses the information to be provided to the data subject when personal data is collected, and Article 15 the information to be provided on the data subject's request; both require disclosure of "the existence of automated decision-making, including profiling" along with "the significance and the envisaged consequences of such processing for the data subject."
When we analyzed Natuvion customers' current processing times for producing such a report (in a format useful to a data subject) across heterogeneous landscapes, it took a minimum of two months, and sometimes much longer. The GDPR requires a response within one month.
This is where the SAP Information Retrieval Framework helps. Schedule a one-day GDPR workshop so the Natuvion team can show how hundreds of other SAP customers use free SAP tools to meet these GDPR reporting requirements.
Preparing for the General Data Protection Regulation: a "wait and see" approach will be costly for US organizations doing business with the EU.
What is a data processing inventory?
A data processing inventory reflects how the business processes data and starts by listing the processing activities and their purposes. Because it is aligned with how the business works, it is easy for the business to engage with.
The GDPR gives organizations an opportunity to limit their data inventory: what they need is an inventory of their data processing operations, rather than a detailed inventory of all their data holdings.
The GDPR sets very particular rules on consent. With the regulation coming into force in May 2018, companies need to be prepared for the new consent requirements as they apply to their SAP test and QA systems. Anonymizing the data in these systems makes consent no longer necessary for them. Natuvion's TDA tool offers a safe way to anonymize data so that it can be used legitimately for testing, expediting the path to full compliance without the risk of GDPR fines.
From May 2018 the GDPR requires a data protection impact assessment (DPIA) where processing is likely to result in a high risk to individuals. A DPIA identifies the risks of handling personal data and gives your company a structured process for doing so. It increases transparency and brings structure to previously undocumented processes that involve personal data, reducing the risk of non-compliance with the GDPR.
One of the most impactful obligations under the GDPR is the blocking and deletion of personal data that is no longer required for the purpose defined for the processing. Under the GDPR's storage limitation principle, personal data must be deleted once the purpose of the processing has ended.
The best way to reduce this risk in secondary systems is to anonymize the data. Anonymizing the data removes the need for consent and (with documented proof that the data can no longer be linked to a person) takes those systems out of GDPR compliance processing, while still providing data for analysis or testing.
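The two techniques this page relies on, pseudonymization (mentioned for the SAP CRM data above) and anonymization of test and QA copies (this paragraph), are often confused, and the "proof" that a dataset is anonymized is what keeps a secondary system out of scope. The following Python is an added example written for this page; it is not Natuvion's TDA tool, an SAP tool, or any vendor's code. The records, the field names and the secret key are constructed for the example. It shows a keyed-HMAC pseudonymization that preserves joins across tables but stays reversible for whoever holds the key (so it remains personal data under the GDPR), and an anonymization that suppresses direct identifiers, generalizes the remaining quasi-identifiers, and checks k-anonymity before it will release the dataset.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample CRM records (no real people) standing in for a
# test-system copy of prospect data. Record 3 is a duplicate of record 1
# so the example can show that pseudonymization keeps duplicates linkable.
RECORDS = [
    {"id": 1, "email": "anna.berg@example.org", "name": "Anna Berg",
     "birth_date": "1985-03-12", "postcode": "10115", "newsletter": True},
    {"id": 2, "email": "jonas.mueller@example.org", "name": "Jonas Mueller",
     "birth_date": "1988-07-30", "postcode": "10117", "newsletter": False},
    {"id": 3, "email": "anna.berg@example.org", "name": "Anna Berg",
     "birth_date": "1985-03-12", "postcode": "10115", "newsletter": True},
    {"id": 4, "email": "clara.lind@example.org", "name": "Clara Lind",
     "birth_date": "1990-11-02", "postcode": "20095", "newsletter": True},
    {"id": 5, "email": "max.frey@example.org", "name": "Max Frey",
     "birth_date": "1991-01-15", "postcode": "20097", "newsletter": False},
]

# Hypothetical secret. In practice it lives in a vault outside the test
# system; whoever holds it can re-identify, which is why pseudonymized
# data is still personal data.
PSEUDONYM_KEY = b"example-key-keep-in-a-vault"


def pseudonymize(record, key=PSEUDONYM_KEY):
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    The same email always maps to the same token, so joins and duplicate
    detection keep working in the test system. Without the key the token
    cannot be reversed or recomputed for a guessed address.
    """
    out = dict(record)
    for field in ("email", "name"):
        digest = hmac.new(key, record[field].lower().encode(), hashlib.sha256)
        out[field] = digest.hexdigest()[:16]  # truncated for readability
    return out


def age_band(birth_date, today=date(2018, 5, 25), width=10):
    """Generalize a birth date to an age band of `width` years."""
    born = date.fromisoformat(birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = age - age % width
    return f"{low}-{low + width - 1}"


QUASI_IDENTIFIERS = ("age_band", "region")


def anonymize(record, width=10):
    """Suppress direct identifiers; generalize what could still single out a person."""
    return {
        "age_band": age_band(record["birth_date"], width=width),
        "region": record["postcode"][:2],  # postcode generalized to a region prefix
        "newsletter": record["newsletter"],
    }


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def anonymize_dataset(records, k_min=2, widths=(10, 20, 40)):
    """Coarsen the age band until every quasi-identifier combination occurs
    at least k_min times. Returns (records, achieved k, width used) and
    refuses to release a dataset that would still single someone out."""
    for width in widths:
        anon = [anonymize(r, width) for r in records]
        k = k_anonymity(anon)
        if k >= k_min:
            return anon, k, width
    raise ValueError(f"could not reach {k_min}-anonymity with widths {widths}")


if __name__ == "__main__":
    print(pseudonymize(RECORDS[0]))
    anon, k, width = anonymize_dataset(RECORDS)
    print(f"released {len(anon)} records, k={k}, age band width={width}")
```

With 10-year bands the constructed set is only 1-anonymous (one person is alone in his age band and region), so the check widens the bands to 20 years before releasing the data; that evidence, the quasi-identifiers considered and the k achieved, is the kind of proof the paragraph above refers to. The pseudonymized copy, by contrast, still needs consent or another lawful basis, because the key re-links it.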