Compliance and data protection: integration and governance
Properly managing the protection of personal data within an organization is of vital importance today. We constantly see administrative sanctions and reputational damage imposed on organizations that do not comply with the regulations in this area and/or have not adapted their activities to the minimum standards those regulations set.
Therefore, embedding within our Compliance System the provisions of Regulation (EU) 2016/679 of April 27, 2016, the Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights, as well as the guidelines developed by the Spanish Data Protection Agency and those issued by the European Data Protection Committee, means taking a proactive stance in adopting what these regulations foresee and call Privacy by design and Privacy by default.
Starting from what we know as the Compliance System, and taking data protection regulation into account either from the design of that system or by incorporating it into a system we have already developed, will allow us to integrate the obligations, requirements and recommendations that the regulations, guidelines and directives in this area impose on us. The ultimate purpose is to strengthen our ethical and compliance culture and extend it to those areas where we may also be exposed to unforeseen compliance risks.
Returning to the concepts of Privacy by design and Privacy by default: on the one hand, whenever we plan to carry out a new activity in our organization, one of the first questions we should ask ourselves is whether that activity will process personal data. If it will, we take the minimum requirements and recommendations into account, adapt and implement the necessary technical and organizational measures, and thus avoid compliance and reputational risks from the outset, from the design of the activity.
On the other hand, if we apply privacy by default when developing an activity in which we plan to process personal data, we will apply the principles of data minimization and purpose limitation from the beginning, which in turn ensures that we can guarantee compliance in this area.
In this sense, it is not enough to have a privacy policy, a cookies policy, an activity log and various other policies that we often do not even know we have or how they can help us manage our business. It is necessary to conduct an internal review of the activities we perform in order to know in which of them we actually process personal data, under what premises, and with what security measures. Based on this evaluation, we will be able to determine which aspects we have to adapt and/or update to ensure effective compliance, guaranteeing that we are applying the technical and organizational measures required by the regulation.
By including data protection regulations within our Compliance System, we will be able to assess the risks to which our organization may be exposed, following the same governance model used to incorporate the other regulations that affect us, and to develop proactive, preventive and reactive responses through policies, protocols and procedures. These serve as a guide and reference for developing the ethical and compliance culture that the members of the organization must also observe with respect to privacy and personal data protection.
The constant development of the activities an organization can carry out, together with the use of personal data and the processing activities performed on it, has made the regulation on the protection of personal data applicable across the whole organization. It is therefore linked to the compliance function and, as indicated above, is one more regulation, as relevant as the others, to be taken into account within our Compliance System.
Thus, the regulatory evolution in the area of personal data protection that we have witnessed in recent years arises from the need for a regulation that is resilient to technological change, one that allows us to safeguard the rights and freedoms of individuals with respect to the processing of personal data carried out in the new digital society as a result of the development and evolution of technology.
Therefore, it is necessary to know how we are managing our personal data processing activities in terms of the technical and organizational measures we have implemented, to verify that our use of technology is in accordance with what the regulation provides and, in particular, to be able to demonstrate that the measures we have adopted at any given time continue to be robust enough to ensure at least the confidentiality, integrity and availability of the personal data we process.
We cannot lose sight of the fact that, for the vast majority of organizations, personal data is an essential asset, and being able to guarantee that it is used securely and correctly reinforces their reputation and the trust of the public and their business partners.
In short, as tasks to be carried out to ensure compliance with data protection and the involvement of the entire organization in order to internalize this ethical and compliance culture, we can list the following, without being exhaustive:
- Definition of governance and appointment of the Data Protection Officer (in the cases provided for by the regulation, and/or on a voluntary basis).
- Risk assessment of personal data processing activities.
- Inventory of processing operations and analysis of their lawful basis.
- Risk analysis and data protection impact assessments.
- Register of processing activities.
- Privacy policy and corporate privacy policy.
- Review of information clauses and data processor contracts.
- Procedures for exercising rights, security breaches, data retention, etc.
- Management of the relevant security measures, involving all members of the organization.
- Training and awareness of the members of the organization.
- Follow-up and continuous monitoring.
Compliance Department of Molins Criminal Defense.