We have been supporting organizations in various sectors with data protection and privacy issues for 20 years. Many baseline measurements were carried out both before and after the introduction of the European General Data Protection Regulation (GDPR). What are the most common findings that emerged during the investigations? We answer that in this blog.
Most important observations
Many organizations use this type of research to determine the extent to which the organization meets the requirements arising from legislation for the protection of personal data, including relevant related sectoral legislation and regulations.
The general impression is that organizations realize that they need to take steps to comply with laws and regulations regarding data protection and privacy. During the investigations it emerged, among other things, that certain essential matters are not sufficiently organized.
Below we list a few that we have noticed at various organizations:
- There is a lack of overview and insight into processing;
- Is the organization a controller or processor?
- Positioning and expertise of data protection officer; and
- Privacy (GDPR) accountability of the organization and restlessness of the board.
1. There is a lack of overview and insight into processing
The first thing the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, hereafter DPA) will do when entering an organization is to request the register of processing operations. If that cannot be shown, the organization is already 1-0 behind. After all, the DPA will reason, if there is no overview and insight into processing, how can the organization guarantee that personal data is adequately secured?
2. Is the organization a controller or processor?
The Uber decision has made it clear that if a processor acts as a controller, then it is also a controller. This holds even if the parties have agreed otherwise by contract: the DPA looks at the actual situation.
We found that subsidiaries in the Netherlands were dependent for their IT on their (foreign) parent company, which also determined the information security policy and/or the level of security for the subsidiary. As a result, the parent company is also a controller and therefore also responsible for all data processing and compliance with the associated obligations, such as the (timely) reporting of data breaches.
3. Positioning and expertise of the data protection officer
The GDPR has three articles dedicated to the Data Protection Officer (DPO) (Articles 37 to 39). This officer must represent the interests of data subjects within the organization, especially where the interests of the organization and those of the data subjects conflict. In order to perform this task properly, the position of the DPO within the organization is very important. Broad training is also required to properly master all facets of the position.
Too often we see employees who are positioned under a manager who may have a conflicting interest, who have to take on DPO tasks in addition to their regular work, and/or who have had very limited training.
4. Privacy (GDPR) accountability of the organization and restlessness of the board
The GDPR requires that compliance with this law must be guaranteed and demonstrated. Organizations often do not have the knowledge or skills to arrange this. The result is that this makes board members restless. Because how can you have peace of mind if you do not have the risks and liabilities under control? Fortunately, they often have to deal with an accountant who does not ask questions.
Conclusion
Based on the results of many baseline measurements, we advise the management of other organizations to also have a baseline measurement carried out. This gives you a good insight into where your organization stands with regard to protecting personal data.
From this basis, you can work on a step-by-step plan that is realistic for your organization, aimed at a target maturity level that matches the organization's current ability to comply with privacy legislation.
This level can then be reached through a phased and systematic approach. Using a model with maturity levels can be helpful.
More information
Do you have any questions or comments after reading this blog? Let us know. We can be reached via +31 0(70) 392 22 09 and info@duthler.nl.
Would you like to have a baseline measurement carried out for your organization? See this page for more information.