At this point, your Law Firm or Corporate Counsel is likely at some stage of planning for GDPR (Directive 95/46/EC) readiness (effective May 2018). For most, this starts with a company-wide internal assessment to identify the critical data each business unit holds, its workflows, its data retention policies, PIPEDA obligations, and any gaps against GDPR requirements.
If your business unit has been asked to provide data for an assessment, remember that the legal team carries the weight and responsibility of ensuring compliance with applicable privacy laws. However, they must typically first gather and map the organization's unique processes: the types of data held, with whom it is shared, where it is located and how it can be used. Only after identifying all of these items can the legal team begin to analyze potential gaps and finally start to map out any necessary changes.
However, the changes that are put in place are only as good as the information on which they are based. So, what does this mean to you? It means it is critical to take extra care when responding to your legal team about your business unit's data and procedures.
- Don't rush it. Ensure your answers are accurate.
- Offer supporting material and include contact information in case further clarification is necessary.
- Disclose everything, even archived information. The legal team will determine relevance.
Remember, this isn't just a SurveyMonkey poll on how you liked the last town hall. This is serious.
Internal assessments, and their purpose, vary at each organization, ranging from preparing for GDPR and/or potential PIPEDA gaps in workflows to Privacy Risk Assessments and impact audits. Some considerations to help you respond to your legal team when asked about your business unit's data and practices are:
- Create a living document of what personal data your department holds, where it came from and who it is being shared with.
- Designate responsibility for data protection compliance to a suitable individual, who acts as the point of contact for management or your in-house counsel.
- Request support for the appointed individual through the provision of appropriate training.
- Ensure there are appropriate reporting mechanisms in place between the individual responsible for data protection compliance and senior management.
- Organize an ongoing, scheduled information audit across the organization and within each business unit, listing the types of data held, the data flows and the systems used.
- Develop policies and procedures to ensure the accuracy of the living document, detailing the information you hold and how it is secured on an ongoing basis.
- Ensure appropriate Digital Rights Management and handling is applied across documents containing Personally Identifiable Information (PII)*.
Items to be mindful of that may apply specifically to GDPR include:
- Consent forms for EU residents: determine whether amendments are necessary to comply with the GDPR.
- Contracts with Data Processors, as well as the organization's selection process for Data Processors, to ensure compliance with the specific GDPR requirements.
Consideration of All Departments and Databases
If you are at a large corporation, you may already be aware of the pain of referencing multiple databases and legacy systems for the information you need. But if senior management has called upon you to provide your data process information, it is likely because you are a leader in your business unit, and your answers are expected to be accurate, reliable and ready to submit to the legal team for review.
If you have been asked to map your data flows, another consideration is to also look at the "non-traditional methods" by which you may be holding an individual's data.
Unlike the traditional method, where personal data is provided directly by the individual (for example, through a self-registered online form), non-traditional methods may include:
- Observed - by tracking people online or through smart devices;
- Derived - by combining other data sets; or
- Inferred - by algorithms that analyze a variety of data, such as social media, location data and purchase records, in order to profile people.
Information Systems contacts may also be found within:
- Marketing - with access to Customer Relationship Management systems
- Operations - with access to Business Intelligence systems
- Knowledge Management - with information on combined data sets across multiple platforms and how they are used
- Analytics Teams - using technology to track various sources and produce internal reports
Unfortunately, the reality for many corporations is that they hold a lot of data, people have come and gone without properly documenting the data inventory and processes, and there is a hesitation to delete anything, so it all gets backed up and archived. There are limits to how intelligently that information can be filtered and purged, let alone assessed for compliance.
Start the Technology Conversation
One thing common to Law Firms and Corporate Legal Departments alike, regardless of where you are in GDPR readiness or in the continuous improvement of your organization's living privacy policies, is the need to start the Technology Conversation between senior leadership and your organization's true Technology Partners.
Your true Technology Partners do not want to sell you the next widget; they truly understand the beautiful relationship that data has with the law and governance. They will walk with you to passionately innovate the automation of "Privacy by Design" in your workflows and effortless "Data Portability", and empower the transformation to a secure digital workplace that is agile and prepared to take on change.
Are you ready for the conversation?
*If you are unsure how to treat PII, contact your in-house legal team.