BEING PREPARED FOR DATA SECURITY BREACHES
Ensuring that you have put in place clear policies and procedures so that you can react quickly to any data breach and notify the relevant parties in accordance with the obligations of the applicable jurisdiction's legislation.
EMBRACING PRIVACY BY DESIGN
Ensuring that the steps needed to adhere to privacy obligations are embedded into any new data processing activity or product deployment. Ensuring that appropriate consideration is given early in any process, so that the data used by the process or product can be properly assessed at the outset and then validated systematically and periodically.
CLARITY OF POLICIES AND NOTIFICATIONS
Defining and reviewing your data policies, standards and notifications so that they are written in clear and plain language and are transparent and easily accessible.
MANAGE OBLIGATIONS AS A PROCESSOR OF DATA
If you are a supplier of data and data services to other organisations you must adequately consider your obligations as a processor of data. You will need to understand, and build into your policies, procedures and contracts, appropriate controls to ensure you remain compliant with the data protection and privacy obligations of your customers' jurisdictions. Self-assessment must ensure your contractual documentation is always up to date and adequate and clearly defines your respective responsibilities, including who will bear the cost of making changes to the services as a result of amendments to laws or regulations.
ESTABLISHING A FRAMEWORK FOR ACCOUNTABILITY
Helping you to establish the policies, procedures and culture for monitoring, reviewing and assessing your data management practices, with the specific aim of minimising data processing and retention whilst building in appropriate safeguards. Ensuring your staff are trained, and remain trained, to understand their obligations. Implementing easily auditable data protection and privacy impact assessments, which will need to be conducted to review any risky processing activities and to document the steps taken to address specific concerns.
ENSURING THE LEGAL USE OF PERSONAL DATA
Ensuring that you always adequately consider what data processing you are undertaking and that the interests, rights and freedoms of the person providing the data do not override your grounds for processing it. Ensuring you have either documentary evidence of the data subject's informed consent, given freely for the specific purpose and not subsequently withdrawn, or that you can prove you have a legitimate interest in processing that data.
ABILITY TO COMPLY WITH AN INDIVIDUAL'S DATA RIGHTS
Within certain jurisdictions individuals can exercise rights that include data portability and the right to erasure. Your data management processes must ensure that, wherever you store their personal data, you are able to meet the demands of these individuals, and your policies and processes must be robust enough to prove, where you decline a request, that you have legitimate grounds for retaining the data that override the individual's interests.
MANAGE OBLIGATIONS ACROSS BORDERS
Regional Data Protection and Data Privacy legislation is now predominantly focused on the data rather than on geography, which means that even if your business physically resides outside a particular geography, if you manage the data of customers within that geography you must comply with that region's Data Protection and Data Privacy legislation. If you transfer data internationally, even intra-business, your data management policies and processes must enable you to demonstrate that you have a legitimate basis for transferring personal data across jurisdictions, including to those that are not recognised as having adequate data protection regulation. Failure to adhere to cross-border obligations could result in significant fines for your organisation.