The Clock Is Ticking – What’s next?
We have the Assessment – So what’s the Action Plan now?
Prepare and prevent, don’t repair and repent – Anonymous
As I mentioned in my last blog on “What do we need to do”, you must identify the right problem to find a solution. And having identified the problem, as the quote says, you must ‘prepare’. That is what helps you prevent. You have to make a plan before jumping into action.
So, how should you plan and gear up to ensure Digital Personal Data Privacy?
In my previous blog I talked about the 5 Critical Areas in the context of Personal Digital Data Privacy. You can do a quick assessment of your readiness in these five areas. Your assessment of where you stand on each of these 5 areas, the 5 domains, gives you a pathway to preparing your plan and your next steps.
Let’s address each of these areas one by one.
Establish Processes
Justification
You should define the scope of data being collected. You should know why you are collecting the data that you are collecting. The purpose of collection should be clearly defined and documented in the context of your business operations.
You should have clearly identified and addressed privacy, security, or ethical concerns associated with this data.
You should have clearly defined organization-wide processes for ongoing assessment of the justification for the data being collected. Anything that cannot be justified should not be collected.
Securing by minimizing.
Consent
A key part of ensuring Data Privacy is having valid, transparent, demonstrable consent from the Data Principal (DP).
Not only should you be able to obtain consent, but you should also have systems and processes that let the DP effectively exercise their rights throughout the data lifecycle, such as the ability to handle Data Subject Access Requests (DSARs), including Correction Requests and Consent Withdrawals (Full or Partial, Conditional or Unconditional).
You should have internal workflows, systems and processes to capture and record consent, allow for easy withdrawal of consent, and provide notices where required.
Securing by ensuring you have only what you are allowed to have.
Inventory
You know by design where you are keeping all the data, but what about all the locations where you do not know you have data? You can secure the locations that you know of; it is when data moves to unplanned locations like laptops, desktops, endpoint devices and unplanned servers that it becomes a problem. This happens more often than we know. Team members download sensitive data onto their devices to “work on it later”, and that creates a weak point.
In order to protect data, you need to know what you have. Therefore, you must have clearly identified processes, tools and techniques to find and create a detailed inventory of all the data that you are collecting, where it is located (including at third-party vendors’ locations), and how it is being processed.
Securing by knowing what you have.
Governance
At the core of ensuring Digital Data Privacy is making sure that you have appropriate processes and safeguards to govern the handling of Data being collected and stored. This includes processes for Data Ownership & Access, Security Controls, Collection & Processing Governance, and Data Retention & Deletion.
You should have these processes and systems to manage data governance not just within your own organization, but also with Vendors and 3rd parties, since you are accountable for the data processors that handle data on your behalf.
Securing by doing it right.
Breach and Exception Handling
Finally, exceptions happen, and when they do, you should have processes and systems for handling exceptions and data breaches. These include Governance & Accountability, Exception Identification & Handling, Incident & Breach Response, Training & Awareness for team members, and Documentation, Reporting & Improvement.
Execute on the DPDPA plan
Once you have formulated plans for the five domains, you need to operationalize them and execute on the plan.
Get Started
The first task is to Formalize Roles and Responsibilities, including designating a Data Privacy Officer if you are a Significant Data Fiduciary (SDF).
Operationalize Workflows
Once you have assigned Roles and Responsibilities, you have to operationalize workflows for each of the five domains, i.e., Data Discovery and Mapping, Consent Mechanisms and Data Principal Rights Management, RoPA and Data Inventory, Governance and Third Party Risk Management, Breach and Exception Handling, and Audit Preparedness.
Gather evidence
The proof of the pudding. We have to gather evidence that the processes are operational and that processes and workflows function as intended. The intent is demonstrated by having a complete set of Policies and Procedures Documentation. The execution is demonstrated by collecting and maintaining Logs, Records, Audit Trails, Technical Evidence, Assessments, Training Records and other related documents that provide evidence of planned actions being performed.
This helps us be prepared for DPDPA Audits.
The next steps after assessments and Gap Analysis are to plan and design processes for the 5 domains, execute them and gather evidence of them being performed.
It is wise to prepare today for the needs of tomorrow.