The multi-disciplinary practice to automate compliance with privacy regulations. For responsible custodians of people's data.
With PrivacyOps, multiple teams collaborate and make full use of automation and orchestration to understand privacy posture, eliminate privacy risks and fulfill privacy obligations swiftly. It engenders trust in the organization and makes it easier to have confidence in.
PI Data linking is the process of discovering personal information stored across all systems and linking it to the owner of the personal data. With large amount of structured and structured data across vast variety of systems in an organization, this aspect has to be automated. Static data flow maps collected from stakeholders are not sufficient and must be supplemented with automated data flow mapping. Some data can be linked ahead of time and some can be linked on-demand at the time of building a report or fulfilling a data subject request. In either case, enabling full automation to accomplish this link between the PI data and the owner become the foundation of many other privacy compliance task. PI data linking must be across all systems, including internal systems, third-party systems, SaaS and IaaS infrastructure.
DSR fulfillment is the process of receiving data requests from subjects and taking the necessary steps across all internal and third-party systems used by the organization to comply with the legal request of the subject. As personal data of the subject is spread across any number of data systems managed by different stakeholders, manual ways to fulfill the subject requests are highly inefficient, costly, prone to error.
If the volume of subject requests increases due to internal or external events, manual approaches to fulfilling DSR obligations can bring operational hazards and compliance risks.
DSR fulfillment automation is not simply about capturing subject requests and assigning them manually to different stakeholders, based on some static rules. It is the process of full automation of discovery of systems and objects carrying subjects’ personal data, assisting system and object owners by orchestrating DSR fulfillment on these systems, and providing the completed reports back to the subject after taking necessary approvals from the legal stakeholders.
As privacy regulations give rights to subjects on their personal data that organizations collect either directly or indirectly, the organizations must have a secure way to collect subject requests, verify the identity of the subject, provide personal data securely to the subject and keep compliance records to defend against any legal suits. Providing such a secure privacy portal to the subjects helps build trust, promotes a delightful user experience, and facilitates automation for user identity verification and DSR fulfillment.
Most privacy regulations prohibit processing personal data unless the organization can establish legitimate interests or the data subject has consented to the processing. Furthermore, regulations also specify that consent must be freely given, should be informed and unambiguous. Depending on the scenario, consent collection may be explicit (opt-in) or optional (opt-out) and if the organizations choose to rely on consent for any part of the processing, it must also be prepared to respect that choice and stop that part of the processing if the individual withdraws consent. In other words, if an organization wants to process data lawfully and are relying on consent as the lawful basis for that processing they have to implement a robust consent management system.
To establish lawful basis for processing personal data through consent, organizations must have methods to display unambiguous notification messages and at every consent collection point. Once collected, consent should be linked to unique identities and personal data records within the environment and it should be tracked through its lifecycle so that appropriate remediation steps can be taken when the data subject withdraws consent.
Many privacy regulations require that in case of a data breach or theft of sensitive personal information from an organization, all impacted subjects must be notified in a short amount of time. For example GDPR breach notifications within 72 hours.
To comply with such a short timeline for notifying impacted subjects, organizations must have methods to find PI data stored in a variety of systems, link PI data to its rightful owners, and have a playbook in execute automatically to create a shortlist of impacted subjects and notify them through secure methods.
Privacy regulations require that all internal systems carrying personal information go through an assessment process to understand gaps against the regulations and put controls in place to fill them and comply with the regulations. These assessments must be updated on a regular basis. Multiple stakeholders typically must be involved in understanding gaps and tracking new controls to be put in place.
Performing these assessments over spreadsheets and emails is tedious, time consuming, prone to errors, and is hard to track for the great number of systems and processes involved. Sharing selective assessments with third parties manually over emails is inefficient.
Adopting a system-of-knowledge that provides audit templates for various privacy regulations, a system-of-record to keep all assessments in one place, a system-of-engagement the bring all stakeholders in one place to provide their input and a system-of-sharing to share assessments with external parties, makes the assessment process agile, easier to track, and up to date.
Privacy regulations require that all third parties with whom the personal information is shared go through an assessment process to understand their gaps against the regulation. These assessments must be updated on a regular basis.
Performing these assessments with a large number of vendors over spreadsheets and emails is tedious, time consuming, prone to errors and is hard to track.
Adopting a system-of-knowledge that provides audit templates for various privacy regulations, a system-of-engagement to invite all vendors in one place to complete their assessment and a system-of-record to keep all vendor assessments and proof compliance in one place makes the vendor assessment process agile, easier to track and up to date.
As vendors hold important personal information, it’s important to monitor independent privacy ratings of vendors based on how they collect, store and exchange personal information with others, how they respond to data subject requests, and whether they have had any recent data breaches. These independent privacy ratings of vendors supplement the responses vendors provide as part of vendor assessments audits.
Having a process in place to monitor any decline in independent privacy ratings of a vendor below a certain threshold enables an organization to deal with privacy issues swiftly and responsibly.