Data privacy and the legislation surrounding it are top of mind for company boards and compliance departments. A veritable stampede of regulations has been introduced, such as the European Union's GDPR (the General Data Protection Regulation) and the California Consumer Privacy Act, and more are sure to follow. Ensuring compliance with each individual legislative framework is a considerable burden.
Above: The EPI-USE Labs Privacy Comply™ Methodology
When it comes to compliance with privacy legislation, it is easy to feel overwhelmed by the complexities. The Privacy Comply methodology was developed by EPI-USE Labs experts in the information security, risk and compliance fields. It is based on our experience in implementing compliance standards such as ISO 27001, adapted for the accelerated implementation that data privacy projects require.
When it comes to privacy-related compliance, there is often uncertainty about who is responsible for what. It is crucial that the roles of internal compliance, IT, HCM and legal are clarified from the outset, with specific individuals held accountable for implementing their parts of the project.
Understand what data you have and where it flows:
You can't manage what you don't know. Modern business processes touch numerous internal employees, third-party service providers and a great many information systems, so it is critical to understand where personal information is collected, stored, processed and transferred, including to parties outside the organization. Only once this data mapping is done can you take the actions required to meet the data privacy obligations of the legislation that applies to you.
Understand your obligations:
Once you understand the flow of privacy-related data, you can compare it against what the various legislative frameworks require. A key challenge is to consolidate the requirements of the different jurisdictions into a single superset, so that one set of harmonized global processes satisfies all of them.
EPI-USE Labs creates a single privacy baseline covering all applicable jurisdictions. Once this baseline is established, privacy impact assessments and data protection impact assessments are performed against it to identify the areas that do not comply.
Each area of non-compliance is then prioritized according to its business criticality, and a remediation plan is created that reflects those priorities.