For businesses looking to set up or operate in the UK market, a comprehensive privacy governance programme is vital to ensure compliance with data protection regulations and to enable the effective collection and use of personal data.
A privacy governance programme is important for many reasons. If a data breach occurs, the consequences can be serious, including investigations by the Information Commissioner (the UK data protection regulator), monetary penalties of up to £500,000, claims for compensation and major reputational damage. Having a privacy governance programme in place mitigates these risks by creating data protection policies and procedures that give the business clear guidance on how to handle personal data in compliance with the Data Protection Act. It also builds a data protection culture throughout the business, ensuring that all employees are aware of their data protection obligations, of the policies and procedures, and of why they exist.
Three governance models
In the local governance model, local employees take responsibility for data protection matters such as training, policy updates and reporting.
In the central model, a single data protection officer is the main point of contact for all data protection-related matters across the business and is solely responsible for dealing with communications from the Information Commissioner and other regulators.
In the hybrid model, a data protection officer is the main point of contact for the whole business, but day-to-day compliance is delegated to local employees, as in the local model.
It is important when setting up a privacy governance programme to identify the key areas of risk across the business. Often this will involve carrying out an initial data mapping exercise to obtain a good understanding of how personal data are obtained, used and shared within and outside the organization.
Key issues to cover
Governance structure and accountability: A clear data protection governance structure should be created with a senior figure in the business who is given ultimate responsibility to ensure compliance.
Policies and guidance: It is advisable to create an overarching data protection policy that sets out the framework within which all employees should handle personal data. This should include an overview of data protection law and the key requirements of the Data Protection Act.
Employee training: Employees should receive comprehensive training on data protection. Businesses must keep an audit trail of the training completed so that in the event of a breach or an Information Commissioner investigation accurate records can be produced to demonstrate that adequate training has been provided to all employees.
Information security: Keeping personal data secure is one of the key requirements of the Data Protection Act and breaches can result in serious consequences. It is therefore essential to ensure that training, policies and procedures enable employees to understand and minimize risks.
Data management procedures: A business that holds personal data is obliged to keep the data accurate and, where necessary, up to date, and not to retain them for longer than is needed. Procedures and processes should be implemented to periodically review and update personal data and to securely destroy personal data that are no longer required.
Privacy notices and marketing consents: At the point of data collection, businesses must inform individuals of the purposes for which their data will be used and to whom the data may be disclosed, and must obtain any consents required before using the data for direct marketing.
Third party data processors: The Data Protection Act imposes obligations on businesses when they instruct third parties to process personal data on their behalf, including a requirement for a written contract under which the processor acts only on the business's instructions and keeps the data secure. Businesses need procedures to ensure that such contracts are put in place before third party data processors are engaged.
Transfer of data: As part of a data mapping exercise the business should identify where its data are held and where they are transferred to, as there are restrictions on transfers of data outside the European Economic Area.
Breach management: Businesses should ensure that they have appropriate procedures in place to deal quickly and effectively with data protection breaches, including recording each incident and the action taken. Employees should be told whom to approach if there is, or they believe there could be, a data protection breach.
Monitoring: Regular monitoring of compliance with policies and procedures and the adequacy of those procedures should be carried out. Audit reports should be analysed thoroughly and any actions to rectify highlighted issues should be implemented as soon as possible.
With a new European Data Protection Regulation expected to be passed in 2015, which will strengthen individual rights and tighten up obligations further, it is more important than ever to ensure that a comprehensive privacy governance programme is in place.
Alison Deighton is a partner and head of data protection and privacy at TLT LLP.
20 Gresham Street
London, EC2V 7JE
Tel: 0333 006 0300
Fax: 0333 006 0311