Your Personal Data Inventory Top Tips & Brexit Impact 161220
Summary
TLDR: In this engaging Privacy Kitchen session, experts Tash Whitaker and David Clarke join host Robert Bohr to dissect the complexities of data mapping for privacy governance. They explore the nuances of GDPR compliance, the impact of Brexit on data protection strategies, and share practical advice and war stories from the field. The conversation delves into the importance of understanding data maps, the challenges of maintaining accurate records of processing activities, and the implications of Brexit for cross-border data transfers and marketing practices.
Takeaways
- The importance of a data map as a cornerstone of privacy governance was highlighted, emphasizing its role in understanding data flows and impacts on privacy.
- Introductions of the panelists, Robert Bohr, Tash Whitaker, and David Clarke, who are experts in privacy management, consultancy, and cyber and data protection, set the stage for a deep-dive discussion.
- The distinction between a data map and an asset register was explored, with the former being a broader concept that includes the latter, which is more about the security and inventory of data assets.
- The GDPR's record of processing activities was discussed as a subset of a data map, which is crucial for understanding data processing activities and responding to data subject requests.
- The challenges of questionnaires for data mapping were noted, with panelists preferring interviews to get accurate insights into data processing activities.
- The role of the Data Protection Officer (DPO) in maintaining the record of processing activities was emphasized, as they need a comprehensive understanding of the business to fulfill their role effectively.
- The impact of Brexit on data maps was anticipated, with the potential need to revisit and adjust data transfer agreements and the possible requirement for UK companies to appoint EU representatives.
- The potential increase in data subject rights requests due to the removal of PEC Regulation (ePrivacy Directive) was flagged, necessitating a detailed data map to manage these effectively.
- The low adoption rate of ISO 27001 was mentioned, with GDPR and other privacy regulations driving a need for more comprehensive data governance practices.
- The dynamic nature of data mapping was underscored, as it needs to evolve with the business and be part of ongoing risk management and compliance activities.
- The complexity of managing large-scale data maps was discussed, with the need for robust systems and processes to maintain and update the data map in line with business operations.
Q & A
What is the main focus of the 'Privacy Kitchen Session on Data Maps'?
- The session focuses on understanding data maps as the foundation of privacy governance, discussing what constitutes a data map, the impacts of Brexit on data privacy, and sharing practical advice and war stories related to data privacy management.
Who are the hosts and guests of the Privacy Kitchen Session?
- The session is hosted by Robert Bohr, the founder and CEO of Keepable, and the guests are Tash Whitaker from Whitaker Solutions Limited and David Clarke, who has a background in cyber and data protection.
What is the importance of a data map in the context of GDPR?
- A data map is crucial for GDPR compliance as it helps in creating a personal data inventory, understanding data flows, and ensuring that organizations can fulfill data subject rights and manage data breaches effectively.
What is the difference between a data map and an asset register according to Tash Whitaker?
- Tash Whitaker explains that an asset register is like a map of the street with details of buildings, security, and contents, whereas a data map encompasses everything, including the asset register, record of processing, security measures, and business usage of data.
Why might a company start with an asset register for their data mapping?
- Companies might start with an asset register if they have previously pursued ISO 27001, as it helps them understand what assets they have, including databases and filing cabinets, which is a foundational step in data mapping.
What are some common pitfalls in creating a data map according to David Clarke?
- David Clarke mentions that a common pitfall is confusing a data process map with a business process map, and another is not specifying where the data lives, which is crucial for understanding data flows and security.
How does Brexit impact data maps and the need for a UK GDPR?
- Brexit necessitates the creation of a UK GDPR to replace the EU GDPR for data processing within the UK, and it may require companies to revisit their data maps to account for new data transfer rules and the potential need for EU representatives.
What is the significance of the number of entries in a record of processing activities (ROPA)?
- The number of entries in a ROPA should be substantial enough to provide a clear understanding of data processing activities, but not so overwhelming that it becomes unmanageable. The right balance helps in responding to data subject requests and managing data breaches.
What is the impact of Brexit on marketing practices and how should companies prepare?
- Brexit may require companies to adhere to local data protection laws in EU countries rather than relying on UK regulations. Companies should review their marketing databases to understand the geographic distribution of their data subjects and ensure compliance with local laws.
What are some top tips for managing a data map effectively?
- Some top tips include starting with a basic understanding of data processing activities, verifying information through interviews rather than relying solely on questionnaires, and ensuring that the data map is part of ongoing business as usual rather than a one-time exercise.