The Future of Privacy Compliance - Part 2 of 3
Updated: Nov 21, 2019
As we’ve related in our previous post, Article 5(b) of the GDPR states that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
Yet, the “compliance industry” has focused on performing activities, such as data discovery and data mapping, that do not directly produce compliance outcomes; and has placed far less emphasis on defining purpose, which is essential to effective GDPR compliance.
When considering how to “operationalize” the GDPR, we need to consider how compliance can be measured and monitored. One approach is to define a “GDPR Unit of Work” - a key measurement that can directly produce compliance outcomes for the operational aspects of the regulation.
An ideal Unit of Work gathers all the components of purpose definition into a single GDPR compliance unit:
Lawful Basis: identifying the legal and fair justification for the processing purpose;
Purpose Limitation: maintaining the context of processing for each purpose and not further processing data beyond that defined and contained purpose;
Purpose Scope: among other things, identifying the minimum personal data elements that will be processed for a given context. This can include rich personal profile data, activities, behaviour, relationships and unstructured data (documents, images, voice, video), to name common personal data types that may be subject to GDPR compliance; it also specifies data access and data retention rules;
Purpose Information: GDPR requires that data subjects be provided with extensive information pertaining to the processing of their data. This can range from information about their rights; basic contact information for communicating with the data controller and relevant supervisory authority; parties with whom the data will be released or shared; descriptions, policies and even diagrams explaining the processing purpose; the data types to be processed; and their risk categories;
Purpose Risk: the purpose must be evaluated to minimize harm to the data subject that might result from the proposed processing. Many countries and localities publish “blacklists” of activities that will trigger a Data Protection Impact Assessment (DPIA). However, as the EU and the rest of the world evolve towards a contextual privacy ecosystem, virtually all defined purposes should be evaluated for risk of harm to data subjects.
In any event, compliance with any of these regulations is impossible without the array of information that goes into purpose definition. We can now see that this information is also needed to support operations: lawful basis, data scope, data classification, informational support for data subject decision making, purpose limitation and data subject rights are all operational concerns that can be largely satisfied as part of the same Unit of Work.
But this all raises the question: operationalizing the data protection regulations is… operationalizing what, exactly?
This will be the subject of our third and final post.