UBA Data Protection Guide
How does this guide help you in practical terms?
In this first part you will learn how to lay the groundwork for your consumer data policy.
The guide consists of five parts:
- How to you organise your team?
- How to collect consumer data the right way?
- How to store consumer data efficiently?
- How to use consumer data in a targeted way?
- How to create more transparency and trust? - December 2023
Part 1. How to organise your team?
This chapter delves into the chief organisational topics. Do you take care of all data protection matters internally or call on subcontractors? Who is ultimately legally responsible? How do you install a data culture in your organisation? Which processes streamline efficient data management? How do you work on improvement paths?
Click here to download the first part of the guide in PDF format.
The DPO: the pivotal figure in the organisation
A Data Protection Officer (hereafter DPO) oversees the entire data protection process. The GDPR (General Data Protection Regulation) determines for which organisations a DPO is mandatory. If it is not mandatory in your case it is still a good idea to have a central point of contact because this stimulates clarity and efficiency within the organisation. Naturally your formal or informal DPO must be able to fall back on experts in case of more complicated or technical queries.
Important: management is ultimate responsible for the observance of the Data Protection rules, not the DPO. Naturally management doesn’t need to be involved in every question regarding data protection. However, it is important that transparent (work) arrangements are in place in terms of decision-making power and job description. This makes things clear for everyone: every employee knows who to turn to with questions. |
The following three elements are key for the DPO to be able to work efficiently:
• Independence
It is important that the DPO does not belong to management as this limits the risk of a conflict of interest. The DPA (Data Protection Authority, the supervisory government agency) monitors this very closely and can even intervene .
• Budget
The DPO must have the time and the financial resources to do a thorough job. With external DPOs this can sometimes be an issue. They often work in a context where less budget is made available because there is no room for an internal DPO due to financial constraints.
• Accessibility
A DPO must also be familiar with all aspects of personal data processing. This means that he or she must have access to all relevant information. The communication (structure) with the employees in question must also be effective and therefore the DPO is preferably someone who knows the ins and outs of the organisation.
The DPO is also the point of contact for the DPA so be sure to let them know the identity of your DPO. The internal target groups should also know who the contact is. Explain to them what a DPO is and what he or she does.
And finally: a question or a complaint from a consumer is a signal that something is not clear or transparent. The threshold to react must be as low as possible. Make sure the DPO has the space and resources to make this happen. For every brand a question or complaint about personal data is the perfect opportunity to communicate and improve the relationship.
Expert advice. A DPO, even when it’s not mandatory Data is a complex subject matter and so there is always the risk of (legal) errors. That is why a specialist brings added value, even when he or she is not officially appointed as DPO. An external DPO can be the answer, all the more if that person is familiar with your industry. It is not advisable to use alternating points of contact. Knowledge of your company and data know-how will accelerate the process, especially in a crisis situation. |
Getting and keeping data protection on the radar
In many organisations data protection, data and privacy are often far-off concerns. Especially in the absence of new developments, attention for the applicable legislation dwindles fast.
That is why it is so important to put the topic on the agenda on a regular basis. Not with drab theory but through interactive trainings, exercises on data protection, testing processes such as “What to do in the event of a data breach?” or “What to do if someone wants to consult their personal data?”. Those are familiar situations that many organisations and employees have had to deal with in the past. In other words, testing processes is very useful. For instance, you can test a process by posing a fictitious question submitted by a data subject, by sending everyone a fake phishing email or announcing a data breach.
Another method to keep data protection alive is by storing documents for security policies, processes and process flows, policy decisions, ... in a central location. If those documents are visible and accessible on the intranet your employees will be quicker to consult them.
Expert tip. Organise fast track sessions on Data Protection. Every member of your organisation must posses a basic knowledge of data protection. Making this knowledge relevant to a specific position will only fan the interest of your employees in the subject. A digital marketer needs different knowledge than a manager who has to make decisions on personal data processing. Also provide regular updates because the strength of communication lies in repetition. And test whether the information sticks so you know when to tweak the sessions. |
What to take into account in data protection processes?
Data protection is linked to rules so it is efficient to regularly test your internal processes against regulations. Establish those processes
- for technical and organisational measures when selecting a processor
- in a signed data processing agreement before the actual processing starts
- to guarantee the rights of data subjects
- in case of different types of data leaks
- to keep the data processing register up-to-date
- for audit processes
Internal processes and audits
An audit reveals whether your processes do what they are supposed to. Any shortcomings can be remedied through targeted action.
- Internal audits
Your DPO or an external party checks whether the processes are in compliance with the GDPR rules. Still, it is also useful to test the safety aspect of personal and other data. For this you bring in external specialists, for example for a so-called pen test. Such a test analyses your systems in detail. You can also call on ethical hackers to systematically screen your technical infrastructure. Including mobile apps and SaaS tools.
- Audits of processors
Does your company often use large volumes of personal data from processors? Then it is a good idea to have them audited. This will immediately tell you if your technical protection is still up to par. The data protection rules require that this protection take into account the state of technology. This means that security measures must evolve alongside that technology, even if the data processing agreement explicitly states the content of the minimum security requirements.
It is clear that such audits must be left to specialists so have them carried out by your DPO or an external party.
Part 2. How to collect consumer data the right way?
Parts 2 to 5 of the UBA Data Protection Guide are only available to UBA members. Is your company a member of UBA? Then log in here.
The data catalogue keeps things clear
For their record of processing activities many companies use an Excel or a Word document, but actually these are “metadata”. Metadata are information about data. You can store these metadata in a so-called "data catalogue". That is a specific application with which you centralise the documentation on all your available data and make them accessible - in an easily searchable form - to everyone in the company.
The advantage of a data catalogue? Transparency! When you have a lot of personal data, it’s often a major challenge to keep an overview of the dozens of processing operations, sources and purposes for which your company uses those data. Often such an application can also automatically collect a part of this information. Think, for example, of tracing all reports in which certain data are used. In this way you can efficiently check whether data hasn´t ended up in the wrong places...
The data catalogue: also effective for data classifications
A data classification is a “label” that you attribute to certain data. This label helps you to make quick decisions about the ´GDPR-usability´ of the data. You can classify personal data with an "ordinary" or a "sensitive" personal data label. Your users thus know immediately that they are dealing with personal data and must comply with the GDPR. Another example of classification is the widely-used ISO 27001 classification, which defines whether data are confidential or not.
An easy-to-use metadata classification is a handy tool for a broad range of data management processes.
- It helps to automate retention periods
- It ensures that you can automatically assign user rights
- It allows you to find personal data more quickly, for example when someone exercises his rights within the GDPR framework.