Data Privacy Regulations - Some Key Practices

Given that there is no escaping data privacy regulations, it is important to understand the key practices an organization should implement.

The following list gives the key data privacy practices that an organization needs to put in place, and keep in practice, to ensure compliance with data privacy regulations:

Identification of the operational/functional business units in the organization that are to be made owners of data privacy compliance
  • Since the activities of every employee must be covered by the data privacy regulation, logical entities may at times have to be defined and treated as operational/functional business units so that all employees fall within its purview.
Identification of the business processes in each business unit that handle personal data
  • This is a crucial step in ensuring that no business process is missed.
  • The owner of each business unit needs to be made accountable for ensuring that all relevant business processes in that area are identified.
Identification of the personal data in the applicable business processes
  • Even if only one element of personal data is involved, data privacy regulations apply and need to be addressed adequately and appropriately.
  • Identifying the personal data handled across the many processes and transactions in the various business units is the most important step in ensuring full compliance with data privacy laws.
  • The key outcome of this step is a personally identifiable information (PII) inventory: a record of each personal data element, the process that handles it, the purpose, the lawful basis, every location where it is stored and its retention period.
Handling of personal data across the entire life-cycle of a data element
  • Data collection
  • Data storage
  • Data access or viewing
  • Data processing, i.e. active use of the data for agreed, declared and specific purposes
  • Data transfer, including cross-border transfer
  • Data deletion, archival or de-identification
Retention strategy for personal data
  • How long should the data be retained for active use? The retention period should be consistent with the purpose for which the data was collected and with the principle that only the minimum necessary data is collected.
  • What happens at the end of the retention period? This requires clarity on whether the data is deleted, or whether it is de-identified or masked and kept for a longer period.
  • How is it ensured that the data is not kept on any medium (backups and archives included) beyond the specified retention period? Recording in the PII inventory every location where a given item of personal data is stored greatly facilitates this, because it turns the question into a check of each listed location against its retention period.
Determination and declaration of the lawful basis for processing the data
  • The most straightforward bases are the data subject's consent, or a contract with the data subject that governs the processing of the personal data. Note that consent can be withdrawn, so a process relying on it must be able to stop processing when that happens.
  • Otherwise a legitimate interest assessment needs to be performed. This is the riskier option and must be supported by a documented rationale that balances the organization's interest against the rights and expectations of the data subject.
  • For a typical commercial organization, public interest and vital interest will not be a valid basis in most situations.
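The PII inventory described above, together with the retention and lawful-basis checks, can be modelled in a few lines. The following is an added example and not code from the original page: a hypothetical inventory (business units, processes and system names are invented) plus a constructed list of copies "discovered" in systems on a given day. It flags copies held beyond their retention period with the prescribed end-of-retention action, copies found in a storage location the inventory does not list for that element, and inventory rows without a recognised lawful basis.

```python
"""Toy PII inventory with retention and coverage checks (added example, not from the page)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Lawful bases as named in the text; "legal_obligation" is listed as well since it is
# commonly available even though the page does not discuss it.
LAWFUL_BASES = {"consent", "contract", "legitimate_interest",
                "legal_obligation", "vital_interest", "public_interest"}


@dataclass(frozen=True)
class PiiRecord:
    """One row of the PII inventory: a personal-data element in one process."""
    element: str                 # e.g. "customer.email"
    business_unit: str
    process: str
    purpose: str
    lawful_basis: str
    storage_locations: tuple     # every system/medium that holds it, backups included
    retention_days: int          # active-use retention period
    end_of_retention: str        # "delete" or "de-identify"


@dataclass(frozen=True)
class StoredCopy:
    """A copy of an element actually found in a system (e.g. by a discovery scan)."""
    element: str
    location: str
    collected_on: date


# Constructed sample inventory (hypothetical business units, processes and systems).
INVENTORY = [
    PiiRecord("customer.email", "Sales", "order-fulfilment", "deliver orders",
              "contract", ("crm-db", "crm-backup"), 365, "delete"),
    PiiRecord("customer.email", "Marketing", "newsletter", "send newsletter",
              "consent", ("mail-platform",), 730, "delete"),
    PiiRecord("employee.bank_account", "HR", "payroll", "pay salaries",
              "contract", ("hr-db",), 2555, "de-identify"),
]

# Constructed sample of copies found in systems; AS_OF is the day of the check.
AS_OF = date(2024, 6, 1)
STORED_COPIES = [
    StoredCopy("customer.email", "crm-db", date(2024, 1, 10)),         # within 365 days
    StoredCopy("customer.email", "crm-backup", date(2022, 6, 1)),      # past 365 days
    StoredCopy("customer.email", "analytics-lake", date(2023, 3, 3)),  # not in inventory
    StoredCopy("employee.bank_account", "hr-db", date(2016, 1, 1)),    # past 2555 days
]


def retention_for(inventory, element, location):
    """Return (retention_days, end_of_retention) governing a copy, or None if unlisted.

    If several processes keep the same element in the same location, the longest
    retention wins, because the copy may still be needed by one of them.
    """
    matches = [r for r in inventory
               if r.element == element and location in r.storage_locations]
    if not matches:
        return None
    longest = max(matches, key=lambda r: r.retention_days)
    return longest.retention_days, longest.end_of_retention


def find_overdue(inventory, copies, today):
    """Copies held beyond their retention period, paired with the prescribed action."""
    overdue = []
    for c in copies:
        rule = retention_for(inventory, c.element, c.location)
        if rule is None:
            continue  # reported separately by find_unregistered
        days, action = rule
        if today > c.collected_on + timedelta(days=days):
            overdue.append((c, action))
    return overdue


def find_unregistered(inventory, copies):
    """Copies sitting in a location the inventory does not list for that element."""
    return [c for c in copies
            if retention_for(inventory, c.element, c.location) is None]


def find_basis_problems(inventory):
    """Inventory rows whose lawful basis is missing or not one of the known bases."""
    return [r for r in inventory if r.lawful_basis not in LAWFUL_BASES]


if __name__ == "__main__":
    for copy, action in find_overdue(INVENTORY, STORED_COPIES, AS_OF):
        print(f"OVERDUE  {copy.element} in {copy.location}: {action}")
    for copy in find_unregistered(INVENTORY, STORED_COPIES):
        print(f"UNLISTED {copy.element} in {copy.location}: add to inventory or remove")
    for rec in find_basis_problems(INVENTORY):
        print(f"NO BASIS {rec.element} in {rec.process}")
```

Run as-is, the script reports the stale backup copy (delete), the payroll record past seven years (de-identify) and the copy in the unlisted analytics store. The unlisted copy is the more important finding in practice: a retention check can only cover locations the inventory knows about, which is why the inventory must record every medium an element is written to.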
Risk assessment around data privacy
  • The first step is a screening assessment to decide whether a full assessment is needed.
  • Where screening indicates it is needed, perform a detailed data protection impact assessment (DPIA) to identify the risks and the mitigating controls and actions that are required.