Following the disruption of the last couple of years, 2023 has seen a return to more steady working practices as markets are able to put the pandemic and the havoc it created into the rear-view mirror.
As organisations have moved back into a 'business as usual' working environment, notwithstanding geo-political and economic headwinds across Europe, there remains an emphasis on leveraging data to identify operational efficiencies and for delivering commercialisation opportunities. The relevance of the privacy function within organisations, as well as effective management of its resources and workload, is increasingly critical to ensuring senior management are balancing their privacy and data handling activities appropriately.
A mainstay of privacy compliance and operations in the post-GDPR environment is, amongst other things, assessing risks to personal data through privacy impact assessments, data transfer impact assessments, vendor risk reviews and the handling of individual rights requests. These may not have the same profile as other aspects of the privacy team's work, such as providing privacy advice and guidance to the business, dealing with inquiries from regulators, supporting contractual negotiations and addressing issues around cross-border data transfers and use of AI. Nonetheless, they are often key, if not mandatory, activities of an effective privacy function.
Ensuring Consistency in Approach to Risk Assessments
From the perspective of efficiency, effectiveness, and consistency, it is essential for operational privacy processes to be well designed and implemented, including clearly defined and communicated 'Service Level Agreements' or Key Performance Indicators detailing the target lead times for successfully handling these activities.
With respect to a privacy impact assessment, it will often have been initiated by a business area or corporate function responsible for the activity or initiative involving personal data, such as the Marketing or Human Resources function. Depending on how well socialised the process is within the organisation, it would not be uncommon for the privacy impact assessment to have been submitted shortly before the project is scheduled to be implemented or 'go live'. This can sometimes lead to an expectation on the part of the business that there will be an immediate turnaround by the privacy office, resulting in tension if this is not possible due to resourcing constraints and/or a backlog of other operational requests which need to be handled. Such events are not uncommon and can have the unfortunate consequence of the privacy office being perceived as a 'blocker' or delaying the launch of a major project.
As such, it is essential that the privacy office not only has adequate resourcing in place to handle its workload, but also has clearly defined processes and procedures for handling assessments, to ensure there is consistency in approach, stakeholders within the organisation are supported within defined timescales and there are clearly communicated outcomes, including risk flagging and expectations around mitigation of such risks. From a resourcing perspective, we also recommend adopting a triage approach where assessments are classified up front in terms of risk and complexity, with the business only required to provide responses to questions and additional information relevant to the nature of the privacy risk. Likewise, more experienced staff should be focussed on supporting the more challenging reviews where there may be significant impact for the company, or which involve unique or new data processing activities or risks. Where there are significant or increasing volumes of assessments, periodic process improvement and trend analysis can improve efficiency and quality, and can also identify emerging threats or changes in risk factors relevant to the wider privacy compliance strategy and corporate risk appetite.
The Importance of Focusing on Individual Rights Requests
Individual rights requests, such as data subject access and deletion requests, can also be time-consuming and complex to deal with. Failure to appropriately process a request within the required timeframe often results in complaints being lodged with the relevant data protection authority. Therefore it is particularly important that organisations have clearly understood, well-defined and adequate resources focused on this area.
Again, early classification and triaging of requests can allow for better use of experienced and specialist resources, and the effective distribution of responsibility between business functions, legal counsel, and the privacy office in terms of assessment and processing of the requests.
Depending on the nature and volume of requests, it may be the case that the majority of requests are straightforward in nature and can be handled directly by customer service or complaints handling teams, or in the case of employee requests, HR support teams. This would allow the privacy office to expend its resources on handling those requests which are more complex or potentially contentious. In some instances, technology may be used to deliver self-service automation functionality to the individual, typically where the information required or available is centralised and limited in nature. Consideration still needs to be given to whether specific exemptions are applicable and the extent to which data may need to be reviewed and redacted, including measures to prevent inappropriate disclosure of the personal data of other individuals.
In reality, corporate resources across both the privacy team and other functions may still not have the capacity to deal with all of the requests in a timely fashion. This is often the case where there is a surge in requests linked to events such as reported data breaches, adverse media stories, regulatory enforcement, or legal action. Data protection authorities rarely grant organisations discretion purely on the basis of the number of requests or resource limitations. Care should be taken when looking to address such resourcing gaps by using agency staff or contractors, who often do not have sufficient understanding of the organisation nor the necessary subject matter experience. This can lead to additional costs and regulatory exposure, either through failures to properly address the request or where failure to properly manage the personal data involved in the process leads to unauthorised disclosure or misuse of the data. However, done correctly, outsourcing to a credible provider can often provide timely support and free up privacy resources needed to deal with other types of inquiries or privacy compliance activities.
The unintended consequence of the privacy office not having well-organised risk assessment processes and SLAs (service level agreements) in place is that some areas of the organisation, if they do not believe they are adequately supported, may disengage with the processes altogether. This presents the dual risks of the privacy office potentially not having visibility of business initiatives involving the collection and use of personal data, and increasing the exposure of the organisation to regulatory risk.
Organisations should consider the following takeaways when establishing the key operational activities of the privacy office:
- There should be a well-defined process with clear SLAs (service level agreements) around key aspects of the process – consider whether someone in the organisation could pick up the procedure and follow the process without support.
- Awareness-raising of the process is key – it should be well-socialised across the organisation so that business stakeholders see this as a fundamental risk management step which needs to be cleared internally before implementation.
- Consider linking the process to other wider change activities in the organisation, such as the software development lifecycle and product approvals, so that there is upfront awareness amongst stakeholders that privacy-related risks will need to be 'cleared' before implementation.
- The privacy office should be sufficiently resourced to handle the requests within the defined turnaround times – if resourcing is limited, or a problematic area, consider whether certain aspects of the assessment review could be delegated to other control disciplines in the organisation, such as Compliance, Risk or Information Security.
- Process lead times and SLAs should take account of potential delays from the assessment submitter in sourcing any further information or documentary evidence requested by the privacy office – ensure these are clearly communicated upfront to stakeholders so that they are aware of the need to provide supporting information.
- Use of technology and automation of privacy operational activities may help to streamline the workflow of the process. However, whilst this will help to reduce the reliance on spreadsheets, it will not be a panacea, as the assessments will still need to be subject to an appropriate level of scrutiny by a privacy subject matter expert. Automation would almost certainly make the process of searching for datasets across multiple applications more seamless in the context of handling data subject access requests (DSARs), but would require upfront investment in the technology to support it.
- Outsourcing of privacy operations support activities to an external provider may be an advantageous option for some organisations; however, there would need to be very clear SLAs in place, adequate resourcing and a support team with a sufficient skill-set and experience to support the assessments.
March 15, 2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.