The privacy legal landscape is rapidly changing. Many jurisdictions are considering, or are about to enforce, new legislation for the protection of personal information, each with varying requirements. Once the laws are enacted, regulatory authorities then interpret the requirements, which may affect what organizations must do to comply.
Recognizing that a new law has been passed and will be enforced is just the beginning of an organization's work to ensure compliance. Over the coming weeks I will discuss some steps an organization can take to ensure Operational Compliance.
What is Operational Compliance?
When I think of compliance with a new law, regulation, or even a contract requirement, I consider two separate aspects: Administrative Compliance and Operational Compliance.
When I refer to Administrative Compliance, I include the creation of controls such as policies, procedures, standards, and guidelines, for use by an organization, that provide the direction the organization needs to become and remain compliant.
Operational Compliance, to me, refers to the actualization of those Administrative Compliance controls within an organization. This means that the development of new systems, applications, or business processes, and the updating of existing ones, actually complies with the Administrative Controls.
There are many frameworks available to help an organization ensure Operational Compliance, most notably Privacy by Design. We will cover framework approaches in a future post.
Do the requirements apply to me?
Before we dive into Operational Compliance, we need to determine what requirements you need to meet. Simplified, this is a three-phase process.
The first phase is to establish a data inventory. This will allow you to understand what personal information is being collected and how it is being processed. Your Information Technology department probably has a detailed data inventory that gets very specific, at the individual data element level, about where the data lies, how it is protected, how it is processed, etc. I suggest that you do not need this level of detail to make privacy decisions.
I recommend establishing your data inventory to meet the requirements of a Record of Processing Activities report, a “ROPA”, as defined in Article 30 of the GDPR. This will allow you to make the vast majority of privacy decisions and analyses and, if you need more detailed information, you can always reach out to IT.
The second phase, which may be run concurrently with the first, is to establish an inventory of applicable laws. This includes not only the name and jurisdiction of the statute, but a breakdown of the requirements of each law. This is a pretty significant undertaking, so Privacy Ref has done this for you in many cases with our Privacy Ref Requirements Frameworks™.
The third phase is conducting a gap analysis. Here you are comparing the legal, contractual, and other external requirements to the activities the organization is currently undertaking with personal information.
A benefit of the gap analysis is that you may determine that some of the requirements you may have thought applied to your organization do not. Alternatively, from the gap analysis you can determine if there is a need to mitigate the risks identified by the gaps by applying Administrative Compliance controls or adjusting your Operational Compliance activities.
Recognizing that your business will evolve and that the requirements from outside your organization are changing as well, these three phases should be repeated regularly. Optimally, this is a continuous process, which I will discuss in future entries of this blog series.
If the gap analysis determines that there are some items that require remediation, specifications need to be created that describe the gap and how to approach mitigating the issue. The next installment of this blog series will discuss the impacts of these gaps on your Administrative Compliance.