Data Privacy Assessment
This time we turn our attention to the Data Privacy Assessment phase. So far, we have been discussing how to build a solid privacy program. Along the way we have covered:
- The general concept of privacy program management;
- The privacy governance; and
- The applicable privacy laws.
Data assessment: what is it?
A data assessment produces a catalogue, or inventory, of all the data the organization processes. Consequently, the first thing an entity should do is build that inventory. But how?
The first option is to use a tool to do the job. The market is mature and there are plenty of data-discovery solutions. Such software scans your systems and catalogues what it finds according to predefined categories. Keep in mind that this discovery is mostly pattern based, so it produces false positives (a 16-digit order number is not a credit card) and misses data that does not look like the patterns it knows; the product owners still need to review its output. As an illustration, the categories could be the following:
- IDs and Social Security identifiers;
- Financial data (e.g., credit card numbers);
- ... and a long list of other predefined categories.
As an alternative, you can take a different (and more manual) approach: ask the product owners to identify the data they use in their processes. Let's start the easiest way possible and ask the product owners to draw the data lifecycle in a simple data map. I like draw.io, but I don't endorse, sponsor or have any professional or personal interest in that tool. It's as simple as that: I like it.
Nevertheless, mapping every data flow adds a lot of work for your already busy colleagues. To keep it manageable, you can limit the initial data inventory to personal data. At the end of the day, we are focusing on the privacy program, right?
The elements of the inventory
The list below is inspired by the Body of Knowledge of the CIPM certification. Among other items, the following should be part of the inventory:
- Context and purpose;
- Product owner;
- Where the data are stored (name the cloud provider and region, not just "the cloud");
- The format (digital or paper);
- Categories of personal data (health, IDs, audio, video, financial data, etc.);
- International transfers (if any), including the destination country.
Feel free to add your own items. And if you think the list should be updated, drop us an email.
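To make the two halves of this post concrete, the following is an added example (not code from the original post or from any product it mentions): a minimal data-discovery scanner of the kind described above, which tags text with personal-data categories, feeding an inventory entry with the elements listed above. The category names, the field names on the entry, the pattern set (card numbers validated with the Luhn checksum, US SSN format, e-mail addresses) and the sample export lines are all assumptions constructed for this example; a real tool ships far more categories.

```python
"""Added example: pattern-based personal-data discovery feeding an inventory entry.
Every pattern, category name and sample record here is constructed for illustration."""
import re
from dataclasses import dataclass, field

# 13 to 19 digits, optionally separated by spaces or dashes (typical card layouts).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN format; the SSA never issues area 000, 666 or 9xx, group 00 or serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum; separates real card numbers from random 16-digit references."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory does not itself become a PII store."""
    return "*" * (len(value) - 4) + value[-4:]


def categorize(text: str) -> dict[str, list[str]]:
    """Return {category: [masked findings]} for one record; empty dict if nothing is found."""
    found: dict[str, list[str]] = {}
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):  # drop false positives such as order numbers
            found.setdefault("financial_data", []).append(mask(m.group()))
    for m in SSN_RE.finditer(text):
        found.setdefault("ids_ssn", []).append(mask(m.group()))
    for m in EMAIL_RE.finditer(text):
        found.setdefault("contact_data", []).append(m.group())
    return found


@dataclass
class InventoryEntry:
    """One row of the data inventory; field names are this example's assumption."""
    context_purpose: str
    product_owner: str
    storage_location: str  # provider and region, not just "the cloud"
    data_format: str       # "digital" or "paper"
    categories: set[str] = field(default_factory=set)
    international_transfers: list[str] = field(default_factory=list)

    def gaps(self) -> list[str]:
        """Names of mandatory fields still left empty; an entry is usable only when this is empty."""
        required = ("context_purpose", "product_owner", "storage_location", "data_format")
        return [name for name in required if not getattr(self, name).strip()]


def build_entry(owner: str, purpose: str, storage: str, fmt: str,
                records: list[str], transfers: tuple[str, ...] = ()) -> InventoryEntry:
    """Scan a product's records and fill the 'categories of personal data' element from what is found."""
    entry = InventoryEntry(purpose, owner, storage, fmt, international_transfers=list(transfers))
    for rec in records:
        entry.categories.update(categorize(rec))
    return entry


# Constructed sample export, as a scanner might see it (not real data).
SAMPLE_EXPORT = [
    "customer 4471 paid with 4111 1111 1111 1111, receipt sent to j.doe@example.com",
    "order reference 1234567890123456 shipped",  # 16 digits but fails Luhn: not a card
    "payroll record SSN 123-45-6789 for employee 88",
]

if __name__ == "__main__":
    entry = build_entry("Billing team", "Invoicing and payment collection",
                        "AWS S3, eu-west-1", "digital", SAMPLE_EXPORT,
                        ("US (payment processor)",))
    print(entry)
    print("missing fields:", entry.gaps())
```

The Luhn check is the point worth copying: without it the second sample line would be catalogued as financial data, and the inventory would overstate what the billing product holds. The masking keeps the evidence trail without turning the inventory into another store of card numbers.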
Now that you have completed your own data privacy assessment, you are on the right path to building your Records of Processing Activities, as required by Article 30 of the General Data Protection Regulation (GDPR). Note that Article 30 also asks for items this inventory does not yet capture, such as the categories of recipients, the envisaged retention periods and a general description of the security measures, so expect to extend it.