Data Protection Management: Regulations to Follow
When building a Data Privacy Management System (DPMS), companies should take into account the basic principles of data protection.
Previously, we have covered PIA and DPIA, RoPA, and TOMs. This time we move on to other mandatory requirements for data privacy management: the legitimate interest assessment, processor management, and Schrems II.
In this article we will cover:
- Legitimate Interest Assessment
- Data Processor Management
- Schrems II
Legitimate Interest Assessment
Legitimate interest is one of the six lawful bases that justify personal data processing under the GDPR. It is considered the most flexible basis and applies when people would reasonably expect their data to be used in that way and there is little risk to their privacy. Typical situations include fraud prevention, maintaining information security in the organization, processing employee or customer data, preventing possible threats to public security, direct marketing, and so on.
If you choose this lawful basis, it is crucial to carry out a Legitimate Interests Assessment (LIA). You need to show that you have done the work to determine that this is the right lawful basis for your purposes.
An LIA is carried out in three steps:
- identify the legitimate interest;
- demonstrate that the processing is necessary for that interest;
- balance the interest against the individual's interests, rights and freedoms, checking which one overrides the other.
Afterwards, document the outcome of the test and show that you have considered your obligations to keep personal data safe.
Data Processor Management
What is processor management? A data processor is a third party, either a person or an organization, that processes personal data on behalf of and as instructed by a controller, for specific purposes and services. For example, data processors can be outsourced HR providers that handle candidates' and employees' personal data, or external email or social media marketing agencies that use the data for campaigns.
Data processors have duties towards their customers (the controllers) and towards supervisory authorities, which are set out in contractual arrangements. Signing a contract with a data processor means that both of you commit to your obligations under the GDPR.
Data processors must:
- Appoint a Data Protection Officer
- Create company policies on GDPR compliance and on handling non-compliance
- Carry out a DPIA (Data Protection Impact Assessment)
- Implement appropriate technical and organizational measures (TOMs) before transferring or receiving personal data across borders
- Ensure the security and confidentiality of personal data and process it only to the extent required
- Keep written records of all processing activities and give the controller and regulators access to them
- Inform the controller of a data breach without delay and provide support
- Obtain the controller's written permission before involving sub-processors
- Ensure that contracts with sub-processors guarantee an equivalent level of protection
- Delete or return to the controller all personal data once the services end
Schrems II
Organizations (data exporters) that transfer personal data to countries outside the EU must comply with the requirements that the Schrems II judgement imposes under the GDPR; otherwise they face fines.
Five steps data exporters must take to align with the Schrems II judgement:
#1. Record your international data transfers. Data exporters must know their own transfers to non-EEA countries as well as the onward transfers made by their processors.
#2. Know the tools you're using for transfers. The Article 46 GDPR transfer tools usually relied on are standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, and ad hoc contractual clauses. To examine your tools, conduct a dedicated assessment, such as a RoPA (Record of Processing Activities) review or a separate assessment that validates the transfer tools used for international personal data transfers.
#3. Assess the legislation of the third country. Before exporting the data, evaluate the law in the destination country and assess whether the transfer will be adequately protected.
#4. Identify and adopt supplementary measures and any additional steps. These measures are taken to ensure an adequate level of protection for the transfers; they can be technical, contractual, or organizational, and can be combined if necessary. Check whether additional formal steps are needed to transfer data to the specific country.
#5. Re-evaluate and monitor regularly. Continuously monitor developments in the third country that could affect your initial assessment. You must also ensure that data transfers can be suspended or terminated immediately when needed.
Power up Your Data Privacy Management System with a GRC Solution
Irrespective of the size of your organization, you still have to comply with the GDPR if your activities involve processing EU citizens' data. No matter how complicated data privacy implementation may seem, aligning with the regulation is necessary if you want to move forward. A tool-driven approach can ease the pain of becoming compliant: it provides all the necessary documentation and a workspace where you can build everything from scratch with professional guidance and a high degree of flexibility.
We provide a single platform for all your activities when building a holistic approach to establishing a DPMS. Infopulse SCM supports multiple standards, allowing you to work with several regulations simultaneously and quickly switch between projects. With custom fields, you can adjust the system to your needs, and with our import tool, you can upload any specific requirements and controls.
Effective and easy-to-use IT security management system based on the latest standards and regulations — from planning and establishing the security concept to certification.