Every organisation has access to personally identifiable information in its day-to-day activities. Personal information can be defined as any information by virtue of which one can identify or relate to an individual (a natural person), such as names, phone numbers, email addresses, financial information, postal addresses, identity numbers, etc. (“Personal Data”).

Why does an organisation need to formulate an organisation-wide strategy for Data Privacy?

The Data Privacy landscape across the globe is evolving at an unprecedented pace, and there is increased awareness amongst individuals of their data privacy rights. With the rapid growth in the technology space, there is an increasing need to protect the privacy rights of individuals, and lawmakers across the globe are creating new privacy laws to address that need. These reasons compel an organisation to implement a robust organisation-wide data privacy strategy.

Organisations that do not factor the safety of Personal Data, and the requirements of applicable data protection laws, into their services or solutions are exposed to a heightened risk of regulatory fines and penalties, as well as to operational inefficiency, loss of customer and employee trust, loss of competitive edge and intervention by regulators. Thus, it is essential for an organisation to implement a well-defined data privacy strategy.

In this newsletter, we have designed a simple self-assessment questionnaire that will enable an organisation to get a bird’s-eye view of the organisational-level steps required to formulate and implement an organisational-level data privacy strategy.


1. As a part of your operations, do you “Process” (i.e., collect, store, handle, use, or have access to) any information that can be categorised as Personal Data?

2. From which sources do you receive Personal Data?

The common sources of Personal Data are data collected from employees, visitors to the organisation’s website, customers, vendors or service providers, or Personal Data collected as part of an organisation’s core product and service offerings, such as outsourced processing, maintenance of clients’ production servers, etc.

3. What kind of Personal Data is being processed by you? Broadly, Personal Data can be further categorised into financial data, healthcare data, biometrics, users’ data (including children’s data), etc.

4. Do you share/disclose the Personal Data within your group companies, affiliates or with third parties?

5. In which territories does your organisation operate? Does the Personal Data flow across international boundaries? Data protection laws of various jurisdictions govern cross-border/international transfers of Personal Data and impose compliance requirements that must be adhered to.

6. Do you come across data processing addendums or standard clauses for data transfers? Are you meeting the contractual requirements?

7. What measures has your organisation taken on data privacy?

• Who is responsible for managing data privacy?

• What data security measures are in place?

• Do you have internal policies governing data privacy?

• Do the contracts you sign with your vendors or service providers reflect adequate data protection obligations for maintaining the privacy of Personal Data?


On a broad level, an organisational privacy strategy can comprise two different strategies:

(i) the operational strategy and

(ii) the legal strategy.


1. Top-Down Approach: The privacy journey should start from the decision-makers and must ensure that data privacy rights of every individual in the organisation have been protected.

2. Data Mapping: Data mapping exercises must be undertaken; their key objective is to provide visibility over the inflow and outflow of Personal Data and thereby effective control over such data.

3. Internal Policies and Processes: The following are some of the key internal policies and processes required at an organisational level:

a. Information Security Policy: A policy that sets forth controls around information security, confidentiality, integrity, and availability.

b. Data Retention Policy: It determines for how long Personal Data should be stored and when it must be deleted.

c. Internal Data Protection Policy: It is a blueprint for handling Personal Data in an organisation, addressing security incidents and data breach responsibilities.

d. Employee Privacy Policy: A specific policy that governs employee Personal Data.

e. Data Processing Records: A record that helps to identify the flow of Personal Data.

f. External Privacy Documents: Privacy notices/privacy policies must be carefully drafted to align with the internal privacy practices and be displayed at appropriate locations.

4. Dedicated stakeholders to manage data privacy activities: Appointing a Data Protection Officer (“DPO”) is a requirement under various data protection laws, but even otherwise, it is critical for every organisation to identify a dedicated stakeholder responsible for managing data privacy internally.

5. Data Security: Technical and organisational measures must be implemented to safeguard Personal Data.

6. Data Subject Requests: Data privacy laws have empowered individuals with certain rights over their Personal Data. Individuals can exercise those rights through data subject requests; the organisation must be equipped to handle such requests.

7. Data Breach Response: Data breaches have the potential to adversely affect an organisation’s reputation in addition to attracting legal consequences; therefore, a sound data breach response strategy must be in place.

8. Cultivating a culture of privacy: It is necessary to ensure all the members of the organisation are aware of their responsibilities related to data privacy.

9. Privacy by design measures: Encryption, data minimisation, consent and disclosures can be built into new products and processes, ensuring the security of the Personal Data.

10. Insurance for cyber liability and data privacy: Insurance can play a crucial role in an organisation’s strategy. Various incidents such as data breaches, ransom attacks, loss of data and incident response notification costs can be covered by cyber liability insurance.


Adhering to the data privacy compliance requirements prescribed under the applicable data protection laws, maintaining a robust contractual framework around privacy with your customers and service providers, and operationalising those contractual commitments on the ground through commercial and technical safeguards will go a long way in proactively mitigating any undesired exposure to legal and regulatory risks.
