Typically, the GDPR implementation and execution takes a top-down, legal articles-based, ISO 27001 oriented checklist approach, to ensure that all nooks and corners of the GDPR are covered and addressed. However, if the data- protection, privacy and IT- and cybersecurity issues are not followed up by a bottom-up methodology to customise and tailor the corporate privacy and data protection program, it will result in a limited, superficial privacy stance that delivers little real security.
The bottom-up approach will address the underlying data protection and security needs by utilising data management best practices based on structured top-down guidance. Follow the plan to set up the organisations goal to achieve both regulatory compliance and a healthy privacy posture and streamline processes, centralise the database and a structured IT platform for automation.
A 10-point Bottom-Up Approach to Privacy execution
Under a typical compliance implementation, you take one mandate of the regulation at a time. However, with GDPR solving the underlying security and data problems is the key or the real goal.To implement the bottom-up approach, all stakeholders need to have a common understanding of the methodology:
- Thorough knowledge of the threats and GDPR and IT risks; as they relate to the IT security and management of underlying customer, employee, and other personal data. Look for data and statistics of events that occurred in your organisation and your competitors and industry.
- Data Protection principles that secure privacy data; from the bottom-up requires a robust data security program as a foundation, starting from committee charters, policies, standards, and procedures that align with the tenets of privacy by design.
- Address the GDPR principles; that involves embedding privacy into underlying processes, objectives, operations, and technologies by default and of course, design.
- Develop implementation concepts; through privacy incidents, strategies, and implementation tactics together with the GDPR framework to ensure that the privacy data and processes are applied, and applicable from software and re-engineering perspectives
- Facilitate the identification of crucial privacy use cases; for appropriate program design adjustments, and prioritisation efforts. Focus your efforts on massive databases with business value and critical data for the involved people.
- Use technology as part of a multifaceted program; instead of purchasing an IT tool to deliver compliance and security, look at the many underlying security needs based on the experience and history to comply with privacy regulations.
- Focus on how data is transferred inside and outside your organisation; and how user accesses are periodically reviewed. Review the other components on how to incorporate compliance while still prioritising customers and their data, e.g. understand both the locations and types of data.
- Support bottom-up data protection and process automation as well as document the multiple elements that build an effective privacy program based on privacy by design.
- Adequate privacy by design explicitly serves data subjects, and their privacy needs. It drives both data protection (security re-engineering, pseudonymization) and process automation (data subject access requests, right to be forgotten) efforts
- Process Automation requires privacy programs that are repeatable and auditable. Critical automated processes for data subject access requests and reap the benefits from operationalisation, such as:
- Data classification and mapping
- Data privacy impact assessment
- Third-party data management
- Data incident response
Data knows no boundaries.
Global Data Protection, Data Privacy, IT-and Cybersecurity concerns are the starting point for almost any new application or process in the organisation. The corporate commitment to greater user control and data subject empowerment is stronger than ever.
Data breach prevention & mitigation are critical GDPR components that check if your organisation is meeting all the requirements to avoid data subject complaints, data breaches, and fines and requires continuous evaluation of data flows in and outside the company.
Learn more about these issues at our 3-day GDPR Implementation and execution certification Masterclass events. To ease the 10-point execution plan, all participants are provided with a toolbox of templates to accelerate the implementation and monitoring of controls.