Would you like to have a privacy baseline measurement carried out?
The European General Data Protection Regulation (GDPR) has implications for the governance and compliance of the organization. The size of the sanctions is a further reason to place data protection high on the agenda of directors. In order to meet the requirements of these laws and regulations, the organization needs insight into its own ‘organizational structure’, including the related parties with which it has contractual relationships.
The central question is: ‘Do I have a clear overview and understanding of the liability and cost risks arising from personal data protection legislation, and of the degree to which these risks are controlled?’
A derived question is: ‘Do I have an overview and understanding of the liability and cost risks arising from the obligations of related legislation (e.g., legislation on the application of artificial intelligence) and from concluded agreements?’
A maintenance question, prompted by new legislation and by changes in business activities and their organization, is: ‘Are the previously established privacy baselines still up to date?’
To obtain this insight, we offer to perform a privacy baseline measurement. The privacy baseline measurement is an exploratory study aimed at gaining insight into compliance with laws and regulations and into the fulfillment of the data protection agreements that have been made. The investigation provides the responsible person, the Executive Board and the Supervisory Board with insight into the extent to which the risks are covered by measures and into the effective operation of those measures.
What is the added value?
An organization must ensure that technical and organizational management, security and compliance measures are in place to adequately cover risks and that these measures are operating effectively. After all, if a measure is missing or has proven to be ineffective and this has led to a data leak, the organization must usually report this data leak to the Dutch Data Protection Authority (AP) and in a number of cases also to the data subject. If the organization is unable to identify a data breach itself – and notification is not made – it can be held accountable by the AP or one or more parties involved. This can lead to fines and claims.
The results of the privacy baseline measurement give the business and management an impression of the effective operation of the measures taken. The way business activities are organized in business processes with a high risk profile (a high risk of incidents with a high impact on business operations) becomes visible, and additional, appropriate measures can be taken.
Your partners in the chain also want to know to what extent your organization complies with the legislation. If your organization is a processor, the controller is obliged to check whether your organization complies with the GDPR. The other way around is also true. You as the controller bear responsibility for verifying the level of data protection with your processors.
When conducting a privacy baseline measurement, the focus is on how business activities are organized. The professionals use a tailored standards framework, focus on high-risk business activities and assess the business processes by which those business activities are organized. Auditors (internal and external) charged with assessing the effective operation of management, security and compliance measures use privacy baseline measurement reports in their work. The reporting makes the audit effective and cost-efficient.
Accountability Obligation
The GDPR has an accountability obligation for companies and institutions. This obligation means that organizations must be able to demonstrate at any time that the measures to protect personal data actually work and that the provisions of the GDPR are being complied with.
The accountability obligation entails, among other things, that there must be an overview of and insight into the processing operations, that the data protection policy must be anchored in the organization and complied with, and that the effective functioning of information security must be demonstrable. In addition, the accountability obligation also covers the processing of personal data for which the organization has engaged external parties (processors and sub-processors).
MYOBI, with the help of Duthler Associates, developed accountability for compliance with the TTP policy, as part of the Code of Conduct, in the form of a privacy baseline measurement, see fulfillment of (legal) accountability.
The summary from the data protection baseline report can be included in the Directors’ Report, which makes the organization compliant with a governance obligation in terms of protecting data.
What is our approach?
The study has a practical approach: together with you, we inventory the business activities and compile a company-specific standards framework from generally accepted standards. During the research, available policy documents are assessed and interviews are held with employees and/or stakeholders. The insights obtained are compared with the requirements for the processing of personal data in order to assess the extent to which your organization meets the requirements for data protection. This is done on the basis of a framework of standards that is derived from the laws and regulations relevant to the organization.
The investigation results in a report of findings with associated advice. This advice provides, among other things, a high-level approach for your organization on how to take the next steps to raise data protection and the safeguarding of privacy to a higher level and to become compliant. We use a maturity model with 5 levels.
Activities during the research:
- Establish standards framework focused on the organization’s business activities;
- Inventory of the key processes by which business activities are organized;
- Testing against the standards framework: interviews, documentation and own research;
- Prepare report of findings, action plan and presentation; and
- Coordination and unforeseen work.
The depth of the data protection baseline measurement and the level of detail of the report are determined by the desired scope of the study and the time available.
It may be practical and necessary for the employees involved to be made aware of, or trained in, the importance of adequately protecting (personal) data. In consultation, professionals set up a company-specific learning environment and make awareness and training programs available.
It may be practical and cost-effective for professionals to support the privacy baseline work with tooling. Deriving standards frameworks, mapping business activities and the business processes that incorporate management, security and compliance measures, supporting interviews and recording findings together provide an integrated picture and an effective investigation.