Data Protection Compliance In Economically Depressing Times

Case study: Data Protection (Privacy) compliance management in economically depressing times

By Ben Oguntala, LLB, LLM
ben.oguntala@dataprotectionofficer.com
www.dataprotectionofficer.com
Copyright 2011

This paper covers:

1. Policy management and implementation including periodic review
2. Dissemination of policies and procedures to all business units
3. Assessment of business changes that impact 3rd parties
4. Privacy impact assessment across business units
5. Privacy audit of suppliers
6. Operational support of businesses
7. Privacy standard enforcement
8. Managing subject Access request and responses
9. Privacy audit of business units


A case study on how to run Privacy compliance obligations in an organisation in economically depressing times. The study includes various tools that can be deployed to counter resource reduction.



Contents

Introduction
The role of the Data Protection Officer
Resource deficiency impact
Resource responsibilities on key privacy areas
Policy management and implementation including periodic review
Dissemination of policies and procedures to all business units
Privacy impact assessment across business units and 3rd parties
Privacy audit of suppliers
Operational support of businesses
Privacy standard enforcement
Managing subject Access request (SAR) and responses
Privacy audit of business units, projects and suppliers
Introduction

Most countries in Europe and America are faced with an austere period for the next few years, and consequently most organisations within these countries, especially in the Government and private sectors, are going to be faced with the challenge of cost reduction whilst the requirements and obligations stay the same.

Within the Data Protection/Privacy management sector this austere period will manifest itself in the form of a reduction of Privacy staff and resources for managing the day-to-day requirements of data protection and privacy/compliance management.

A reduction in resources increases the likelihood of breaching the EU Data Protection Directive or the UK Data Protection Act 1998. The key areas impacted include:

1. Policy management and implementation including periodic review
2. Dissemination of policies and procedures to all business units
3. Assessment of business changes that impact 3rd parties
4. Privacy impact assessment across business units
5. Privacy audit of suppliers
6. Operational support of businesses
7. Privacy standard enforcement
8. Managing subject Access request and responses
9. Privacy audit of business units

To address this problem, www.dataprotectionofficer.com has a portal-based solution that is designed to assist Chief Privacy Officers, Data Protection Officers and compliance teams in maintaining their obligations.

The diagram above depicts the areas of control the www.dataprotectionofficer.com solution provides to the data protection officer; with diminishing resources the obligations toward Data Protection compliance can still be achieved.

The role of the Data Protection Officer

The diagram below depicts how a typical organisation's privacy management structure is organised; it demonstrates the key areas of concern and the associated obligations related to them.
As the resources are reduced, the key areas may be deficient and increase the propensity to breach the Data Protection Act.

The solution provided by www.dataprotectionofficer.com was designed by privacy lawyers and compliance consultants; thereby it has an innate compliance capability even when there are diminishing resources.

The solution also provides you with the ability to pick and choose the areas you wish to automate. For example, strategy is predominantly handled by senior management and rarely changes frequently; therefore the automation will allow visibility of how effective the strategy is within your organisation and where improvements can be made.

Operational support, Complaints & resources, Subject Access requests, incidents and Audit & compliance are resource intensive; we have tools designed to reduce the resource intensiveness and requirements, allowing your organisation to still maintain the same level of compliance by integrating the solution into your current environment.

Resource deficiency impact

Depending on the size of your organisation, the economic depression may have varying degrees of impact. In some situations, as a small to medium organisation, you may be left with 1 or 2 resources to manage the entire privacy regime, and in other, larger organisations you may simply be left with 4 resources.

With this in mind, our solution is designed to allow you to operate with minimum resources in order to achieve optimum efficiency along with key performance indicators.

The numbers above may vary depending on the size of the organisation.

Resource responsibilities on key privacy areas

The resources within privacy have specific responsibilities and, if reduced, may expose the area to potential breaches. Our solution is designed to plug each hole in order to ensure adequate coverage should the resource reduction actually materialise.
Policy management and implementation including periodic review

Assuming there is only 1 resource available in this area, the www.dataprotectionofficer.com solution will enable your organisation's resource(s) to:

1. Draft policies and procedures
2. Single-click dissemination of policies to all business units
3. Single-interface management of all policies, procedures and processes
4. Single dashboard view of all policies

The diagram above depicts the policy dashboard capturing the essential policies and their commensurate procedures.

Dissemination of policies and procedures to all business units

The policy dashboard will allow you to:

1. Create Data Protection and other privacy related policies
2. Create a group or national policy
3. Create a local policy if applicable
4. Create relevant department policies relating to the main policy
5. Assign operational responsibility for procedures to an officer
6. The responsible officer will then be able to create their procedures to match the policies
7. Monitor risks, incidents and audits

All business units within your entire enterprise will have their key personnel listed on the organisation chart and, once a policy is updated, will be alerted via email.

Each business unit will have the responsible officer listed as well as the key personnel in the business unit responsible for the operations related to privacy and data protection.

Privacy impact assessment across business units and 3rd parties

All projects and business changes, once approved, will be able to submit their projects/changes via the portal to the Data Protection/Privacy team for Privacy impact assessment (PIA).

(Diagram: initial survey feeding into the PIA for each submitted project.)

The process below depicts how your business units are able to submit projects and changes to your privacy or Data Protection team for privacy impact assessment.
Privacy audit of suppliers

The portal contains an organisational chart that also includes suppliers; the diagram below lists suppliers and the number of information assets you are sharing with them as well as any associated incidents recorded against the assets.

This single interface simplifies the supplier engagement process and compliance management. Each asset associated with the supplier is listed and can be audited, and non-compliances can be registered against each asset.

Operational support of businesses

Operational support is perhaps the most likely to suffer from a resource reduction, and to address the problem we have simplified the engagement process, making it possible to maintain the same level of service to the business.

Our initial approach is the automated privacy impact assessment, which determines the level of privacy impact the project has and automatically scores the project.

The initial survey is part of the Privacy impact assessment and is designed to weed out projects that do not have any privacy impact, thereby focusing only on projects with privacy risks.

This process is adequate for limited-resource teams, streamlining the end-to-end process and focusing on privacy-impacting projects and changes.

Privacy standard enforcement

Our strategy in this area is to automate as many of the available technology-based provisions as possible; all IT systems that contain information assets will be automatically protected from build in order to ensure inherent compliance.
Managing subject Access request (SAR) and responses

Subject Access requests can arrive from numerous ingress points in your organisation; the www.dataprotectionofficer.com solution captures all your various ingress points as well as the various business units and integrates them into a single dashboard.

Every time a SAR is registered there is an automatic tracking process that captures the request, alerts the team and places the request on the SAR dashboard. The role of the Data Protection team will be to ensure all requests have a response within the 40 day limit; in order to achieve this task we have an automatic countdown that tracks the request from day zero until a response is made.

The dashboard automatically assigns a SAR ID to the SAR and allows the Data Protection/Privacy team to carry out the admin checks and validity checks, as well as assign the request to an officer for a response whilst still having overall visibility.

At 5 days left, the dashboard entry changes to Amber and sends an alert to the team that a SAR has 5 days to go and has had no activity, allowing the team to act on the SAR prior to breach.

Privacy audit of business units, projects and suppliers

The www.dataprotectionofficer.com solution automates the essential elements of a privacy audit by automatically tracking the key audit requirements; the key audit metrics are captured automatically, allowing remote audit and allowing the focus to be on high-level non-compliances.

The key elements of our audit module include:

1. Business units
2. Policies and procedures
3. Suppliers
4. Key performance indicators
5. Privacy process audit
6. Projects and changes
7. Information Asset register

The end
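As an added illustration of the SAR countdown described above (example code, not the vendor's portal), a minimal Python register that assigns a SAR ID on receipt, counts down from day zero to the 40 day limit, turns amber at 5 days left and lists the amber requests with no recorded activity that need an alert. The ID scheme, counting the 40 days from the day of receipt, and treating "no activity" as no admin check or assignment recorded are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DEADLINE_DAYS = 40   # response window stated on the page
AMBER_THRESHOLD = 5  # days remaining at which the dashboard entry turns amber

@dataclass
class SAR:
    sar_id: str
    ingress: str                          # channel the request arrived through
    received: date                        # day zero of the countdown
    assigned_to: Optional[str] = None
    last_activity: Optional[date] = None  # admin/validity check or assignment
    responded: Optional[date] = None
    @property
    def due(self) -> date:
        # Assumption: the 40 days run from the day of receipt.
        return self.received + timedelta(days=DEADLINE_DAYS)

class SARRegister:
    """One dashboard over every ingress point, as the page describes."""
    def __init__(self) -> None:
        self._sars: Dict[str, SAR] = {}
    def register(self, ingress: str, received: date) -> SAR:
        # Hypothetical ID scheme: year plus a running sequence number.
        sar = SAR(f"SAR-{received.year}-{len(self._sars) + 1:04d}", ingress, received)
        self._sars[sar.sar_id] = sar
        return sar
    def record_activity(self, sar_id: str, on: date, officer: Optional[str] = None) -> None:
        sar = self._sars[sar_id]
        sar.last_activity = on
        if officer:
            sar.assigned_to = officer
    def close(self, sar_id: str, responded: date) -> None:
        self._sars[sar_id].responded = responded
    def days_remaining(self, sar_id: str, today: date) -> int:
        return (self._sars[sar_id].due - today).days
    def status(self, sar_id: str, today: date) -> str:
        sar = self._sars[sar_id]
        if sar.responded is not None:
            return "CLOSED"
        remaining = self.days_remaining(sar_id, today)
        if remaining < 0:
            return "BREACHED"
        return "AMBER" if remaining <= AMBER_THRESHOLD else "GREEN"
    def alerts(self, today: date) -> List[str]:
        # Amber entries with no recorded activity get the alert the page describes.
        return [s.sar_id for s in self._sars.values()
                if self.status(s.sar_id, today) == "AMBER" and s.last_activity is None]
```

Running `status` and `alerts` once a day (or on every dashboard refresh) is enough to reproduce the amber transition and the pre-breach alert.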