As the next in our series of “back to privacy basics”, we look at the rules regarding privacy governance.
As we will do throughout this series, we take a look at the current position and what is best practice for an organisation. We will also briefly consider what the new Data Protection Regulation may mean in this area.
While the UK Data Protection Act does not mention governance as such, good governance will assist with – and demonstrate – a data controller’s adherence to the eight principles, and also provide an established process to respond to incidents and subject access requests.
Some other EU countries are more prescriptive, for example imposing formal requirements for data protection officers.
Best practice in the UK would be a compliance programme including:
- Auditing and reviewing the collection and use of personal data and the legal basis of the processing
- Having written policies for data protection (covering such matters as subject access rights, data retention, data export, monitoring, surveillance and disclosure), security and retention which, if applicable, should be global with regional variations, and reviewing the policies regularly
- Having a Data Breach Incident Management Policy to address security breaches and procedures to address data subject requests and complaints
- Designating a Data Protection Officer to manage compliance
- Training staff and ensuring awareness of the policies
- Incorporating “privacy by design” into significant new projects and systems; carrying out privacy impact assessments
- Reviewing the provision and contents of privacy notices
- Using template clauses for supplier contracts and having written contracts for data sharing
Although only data controllers, and not data processors (who process data on behalf of the controller), are regulated by the Data Protection Act, it is also best practice for processors to adopt compliance programmes.
Position under draft Data Protection Regulation
The Regulation introduces a principle of accountability and, essentially, legislates for best practice. Processors too would have direct responsibility to comply with certain regulations. Specific requirements include that:
- Controllers must have appropriate policies and measures to show compliance
- Privacy by design applies to processing operations from their outset
- Joint controllers must establish their respective compliance obligations by arrangements between them
- Controllers and processors above a certain threshold must maintain documentation showing compliance. The documentation must name any joint controllers, processors and compliance officers, and also controllers to whom the data are disclosed
- Processors have a direct obligation to comply with the security principle
- Controllers must notify breaches to the DP authority (processors must notify controllers), fix the problem and document the breach and the remedy. In some cases, controllers must also notify the data subject
- Controllers must carry out privacy impact assessments of projects. In high risk cases, they must consult with the DP authority
- Controllers and processors above a certain threshold must appoint a Data Protection Officer
Several of these provisions are under debate, in particular the thresholds for appointing compliance officers and maintaining documentation, aspects of the breach notification duty, and the contents of privacy impact assessments. Whatever the end result, businesses will need to review and likely adjust their DP governance.
Next up and last in this series is the topic of individual rights.