Considerations for choosing the right privacy tech vendor

Some organizations and SAP users choose to use a privacy tech vendor like Natuvion’s CIO-competence-center to help them achieve compliance. Five areas of support include;

  1. Privacy Assessment Management and Privacy Program Management Creation

  2. Data Search and Mapping

  3. De-identification or pseudonymization

  4. DSR (Data Subject Rights Processing

  5. Consent Management

The International Association of Privacy Professionals is policy neutral and they are the world’s largest information privacy organization. Below is a list of four items they recommend you consider when selecting the right privacy tech vendor;

  1. Working in partnership with law firms

  2. Privacy office budget

  3. Involvement of IT/CIO in decision making and implementation

  4. Ability to keep up with a rapidly changing legal regulations AND rapidly changing SAP technology

Typically privacy tech vendors are broken into two categories; The first is privacy program management (focused on privacy processes) and the second is enterprise program management (focused on technical items).

Natuvion is the the only SAP privacy tech vendor that consolidates both suites of privacy management into one competence center. To learn more contact us here.

GDPR Data Protection Officer | Do organizations have to appoint a Data Protection Officer (DPO)?

GDPR Data Protection Officer | Do organizations have to appoint a Data Protection Officer (DPO)?

A data protection officer, DPO is the voice of data protection compliance within an organization. The DPO is still expected to be able to help organizations comply with their legal obligations and for GDPR manage the security of personal data.

Do you have a privacy governance model?

To manage privacy in your company you need a team. Obviously this varies by organizational size, however there is flexibility around this team structure depending on your organization structure and goals. Regardless of size, an organization MUST have a contact for privacy and designated “first responders” to privacy incidents.

While there is no perfect privacy governance model, these are the three most popular ways to organize such a team;

1) Hybrid

This model combines a centralized and decentralized (local) team. We have seen this work well. Generally there is one organization responsible for privacy, usually a Data Protection and Privacy Office [DPPO] owns all the privacy processes in a company (heavily supported by a legal team). Each functional organization then has a person or sub-team responsible for that function and that has a dotted reporting line into the DPPO. In our experience for a large organization this is the best way to structure your teams for optimal compliance and communication as long as your employees are empowered to make decisions. Even in a smaller organization where one person is assigned to lead privacy in addition to their other responsibilities - we have see this scenario work well.

2) Localized/Decentralized

Privacy decision making is delegated to the lower levels of an organization.

3) Centralized

Just one team is responsible for all privacy related actions. In our experience this one comes with significant issues. In large organizations where we saw this in practice, many of the functions felt isolated and unaware of what contribution they were supposed to make and when to the privacy program, it caused a significant amount of confusion and inability to plan.

The DPO Role

EU-GDPR requires all public authorities in the EU and many private organizations to appoint a Data Protection Officer. Private organizations that must hire a DPO are ones that process personal data in high volumes or consistently process highly sensitive data. Article 29 working party state that companies should err on the side of caution.

We previously wrote a blog on the topic of the DPO and you can read more here.

6 elements to include in your Privacy Program Scope and Charter

  1. Business teams and their requirements

  2. Global and local laws, regulations and standards driving compliance

  3. Risk tolerance levels, cultural expectations and perspectives - values regarding privacy

  4. Types of personal information collected, stored and processed

  5. Regulatory changes that need to be observed (for example in USA, this would be state law changes)

  6. Privacy challenges

Now you have a Privacy Program Scope, next create a Privacy Strategy

A privacy strategy lays out your organization’s privacy program. The privacy strategy explains WHY is privacy important to your organization.

Generally this strategy crossed multiple functions in your company therefore it is important to consider;

  1. Business alignment of goals

  2. Data governance of personal information

Often missed but CRITICAL - procedures for handling inquiries or complaints. ** We recommend you review our DSR App to help automate, track and simplify this process for you **

Now you have a Privacy Strategy, next create a Privacy Framework

A Privacy Framework is the structure that the privacy program will take. The framework provides a series of implementation road-maps that guide the privacy teams through privacy management. This framework also prompts and reminds them for all the details required for each privacy relevant decision.

3 elements of a privacy framework are;

  1. Laws, legal policies, regulations and programs. Laws you need to be aware of are;

    • PIPEDA - Candadian Personal Information Protection and Electronics Documents Act.

    • APPs - Australian Privacy Principles

    • EU-GDPR - European General Data Protection Regulation

    • EU-U.S. - Privacy Shield (a data transfer mechanism that replaced the safe harbor framework).

    • HIPAA - Health Insurance Portability and Accountability Act.

    • Example of a local legal framework is CNIL, France’s Commission.

  2. Principles, standards and guidelines. Examples of principles and standards you need to know about are;

    • Fair Information Practice [FIPS] - these provide basic privacy principles that cross several modern frameworks such as EU-GDPR e.g. Rights of individuals, Controls on Information, Information Lifecycle and Management.

    • The organization for economic cooperation and development [OECD], protection of privacy and transborder flows of personal data.

    • The American Institute of Certified Public Accountants [AICPA], have a privacy task force and created the GAPP - Generally Accepted Privacy Principles.

    • The Canadian Standards Association [CSA].

    • The APEC Privacy Framework, enables Asia-Pacific data transfers.

    • Finally a topic we have focused on previously in our blog - BINDING CORPORATE RULES.

  3. Privacy Program activities - program plans (and sub-plans and tasks). Examples of solutions you need to be aware of are;

    • Privacy By Design - ensures privacy protection at every stage of product development

    • The National Institute of Standards and Technologies [NIST] - provides the concept of privacy in engineering and risk management in federal systems.

    • AICPA and CICA created WebTrust, once an accountant is certified they can conduct privacy evaluations.

    • Natuvion has a set of processes and templates that span the 99 articles to help with rapid program management and implementation of compliance both in your core SAP systems but also through a transformation program to S/4HANA.

  4. Organization communication plan to ensure continuous alignment to laws and regulations

The benefits of a privacy framework are;

  1. Risk Reduction - Avoid or plan for the risk of data loss, plan for an audit.

  2. Helps to sustain market value and reputation of your company

  3. Provides measurements/metrics for compliance to the law, regulation and standards.

GDPR | Are there GDPR solutions and templates for Article 30 (records of processing activities)?

GDPR | Are there GDPR solutions and templates for Article 30 (records of processing activities)?

What is a data processing inventory?

A data processing inventory reflects how the business processes data and starts with listing the processing activities and their purpose.  A data processing inventory is aligned with how the business works, making it is easy for the business to engage.

The GDPR creates an opportunity for organizations to limit their data inventory. Organizations need an inventory of their data processing operations, instead of all their data holdings and detailed inventory.

Meet The Experts | Our Data Protection Lawyer

Where do we find an experienced Data Protection Lawyer for GDPR?

For all GDPR work, our preferred lawyer is Benjamin Spies.  Benjamin is an IT Lawyer and a partner, at SKW Schwarz.

Benjamin advises national and international companies mainly in the IT sector with the focus on data protection (GDPR), e-commerce, domain law, telecommunications and telemedia law.

The reasons we work with Benjamin are;

  1. Benjamin is located in Germany, however he is very familiar with the US, he graduated from a US high school and used to work for the award winning US law firm WilmerHale, he is also member of TerraLex and other large law firm networks with a US focus.
  2. Benjamin was the co-author on one of the first legal commentaries for the Federal German Data Protection Act.
  3. Benjamin has more than 10 years experience in IT law with a focus on Data Privacy & Security.
  4. A small sample of his clients are: Netflix, Expedia, Bosch, Addidas, Diamler , MediaSaturn Europes largest IT retailer.
Data Protection Lawyer, Benjamin Spies

Data Protection Lawyer, Benjamin Spies