The past year, we have witnessed a general increase in people’s awareness of privacy and rights under data protection regimes. Even though we think this is a great evolution, it is most likely a temporary trend due to the measures induced by the current pandemic. In the past, privacy has all too often had to take a back seat in times of crisis: Just think of the cold war era or the 2001 Twin Tower bombing; When the scare is on, there are often more pressing matters than your ‘right to privacy’, right? Luckily, most organisations (rightfully) still believe in privacy as a basic human right. That doesn’t mean recent regulatory outcomes are making it easy for us to ‘follow the rules’… If you’re a DPO or Privacy Officer reading this, you’ll understand exactly what I mean: Data Protection Impact Assessments (DPIA) are an important part of your commitment to ensuring the privacy and integrity of data in your organisation. But, as 2021 brings a host of changes in technology and regulation, your DPIA’s are bound to become increasingly more complex. Don’t worry, you’re not alone. As a ballpark estimate, we’d expect that:
Over 85% of organizations are facing serious concerns, when executing DPIA’s’
What’s more is that since the inception of the requirement, we’re noticing an increasingly lower number of DPIA’s executed with our client’s year-on-year. This evolution is even more profound when compared against the number and scope of the projects involved. So, what’s going on?
Is it impossible to fulfil all DPIA requirements?
Nowadays, most of the challenges we see in organisations include either:
- Tremendous efforts in DPIA executions, leading to a very time-consuming process and DPIA backlog
- Too little effort put into the DPIA’s, resulting in low-quality and incorrect results.
The following issues are also repeatedly observed:
- User Frustration: The DPIA process is often seen as a real inconvenience. Completing complex and time-consuming forms on top of your regular work only make matters worse. While the process is there to help, it is often seen as a burden.
- Scattered Approach: Because the approach is loosely held together, it soon becomes impossible to manage across all involved departments. A lack of integration with standard project methodologies and change processes doesn’t make things better either.
- Poor Reporting: Due to unstructured data, reports, required by senior managers or regulators, rely on manual data collection. Apart from being inaccurate, this is a strenuous and time-consuming task.
- Inconsistent Reference Data: Lack of consistent reference data across departments decreases the quality of DPIA’s. Different teams and users make their own assumptions, further increasing the time delays and complexity of reporting across the business.
- Lack of knowledge: We often witness a lack of training and low awareness towards DPIA’s within organizations. Having several DPIA-specific teams and departmental coaches (or Privacy Ambassadors) can be a major help here.
- Unclear Risks and mitigations: In many organisations, there is little understanding of the risks (inherent and residual) for the data subjects as a result of a new project, process, technology or change. This makes it very hard to mitigate said risks in a consistent manner.
2021 will not make it easier as the data privacy landscape will continue to evolve, change and become more advanced and complex.
More regulation is coming your way!
As privacy legislation slowly matures, more and more countries are imposing restrictions on firms worldwide:
- China, for example, recently published the first draft of its Personal Information Protection Law (PIPL) to protect the personal data of their citizens (the irony, right?).
- Australia is currently consulting on changes to its privacy regulation. India’s Personal Data Protection (PDP) Bill is on its way to approval after a Covid-induced delay.
- In the US, both the state of California as well as New York are introducing tough restrictions on the sale of personal data.
These are all individual examples of a larger trend, and they illustrate how countries, states and regulators are taking data privacy and data protection increasingly more seriously.
For organisations operating internationally, including cross border transfers of personal data, the need to understand and consider multiple regulatory frameworks will continue into 2021 and beyond.
According to us, GDPR will most probably be leading the dance, influencing other Data Protection legislation on the way.
That means that if your organisation is already subject to regulations like GDPR or CCPA and offers services outside of the jurisdictions currently covered, you can give yourself a head-start by rolling out data protection organization-wide.
Persisting uncertainty on international data transfers
Uncertainty over international data transfers dominated the news in 2020:
The Schrems II decision, eliminating the Privacy Shield as a valid legal ground for data transfer between the EU and US, will continue to show its impact well into 2021.
Transfers of personal data to third countries under the Standard Contractual Clauses (SCC’s) mechanism must ensure a level of protection that is equal to the level guaranteed by the GDPR. Organizations should consider executing pre-transfer impact assessments to assess whether the data transfers meet the “essential equivalence” test and whether extra technical and organisational measures are needed. This means that a lot of vendor relationships will need to be revisited and new relationships will be subject to closer investigation going forward. It will be key for organisations to map out their data transfers so they can identify in minutes (rather than days) which processes depend on SCC’s and Privacy Shield. If done right, you might even find out that some international transfers can be avoided! Want to learn more? Have a look at this video to see how data governance plays an important role in this process.
The potential of automation in privacy
Many organisations are still struggling to outline a robust DPIA process; one that covers all requirements for data privacy and data protection. But what if you could automate:
…the completion of your DPIA by reusing data from the Register of Processing Activities (RPA)?
…your risk assessment and mitigations, adjusted to your standards?
…the completion of transfer impact assessment, using data entered in the DPIA? The automation of Data Protection practices is still in its infancy, but we believe it holds massive potential.
Our data protection automation solutions allow you to increase the quality and efficiency of the DPIAs, it decreases the lead time from days to mere hours and optimizes resource-usage (more on that here).
At DTA, we see a lot of opportunities for you to take advantage of.
So, don’t fall behind, get started today!
Want to learn more about automation in Data Privacy and Data Protection?
Send us a message and find out how we can help your organisation move forward: