A few months ago, I was pleased to participate in the IP Business Talk on the topic Data Protection in the Digital Age, with Prof. Dr. Alexander Wurzer, who asked a set of questions to put Data Protection considerations into the context of manufacturing companies which are undergoing a digital transformation.
In case you are interested in viewing the IP Business Talk, the recording can be found here: LinkedIn
Below you can find a short summary of what was discussed in case you don’t have time to watch the recording.
Companies are undergoing digital transformation and data is becoming a key resource for successful businesses, one that needs to be protected. What data protection capabilities do manufacturing companies need to develop in order to be ready for digital transformation?
Companies and individuals who are vigilant, and who understand that it is almost impossible not to process (any) personal data these days, should start viewing personal data (along with other types of data) not only as an asset but also as a liability.
As Clive Humby said, “Data is the new oil”. Peter Sondergaard developed this further: “Information is the oil of the 21st century, and analytics is the combustion engine.”
As we can see, there is a strong tendency to refer to data as an asset, completely omitting the recognition that data also represents a liability, especially if not properly managed.
In order to address this omission, companies undergoing digital transformation need to establish a Privacy Program which encompasses data protection and privacy, as well as IT Security and Data Governance. Where Privacy and IT Security programs coexist in individual organizations, given the significant overlap between these two areas, they must be deeply interconnected; “There is no Privacy Without Security”, as stressed in the GDPR, Art. 32.
The key prerequisite of successful Privacy and IT Security programs is executive buy-in. Rolling out such programs requires support from top management, with executives perceiving the teams involved in them as value-generating, and not merely as the cost burden of meeting applicable legal requirements. Heads of Privacy and IT Security programs should have such standing among top management that they are able to discuss the development of their programs and ensure appropriate resources are allocated. The commitment of top management to these programs (executive buy-in) also needs to be communicated throughout the organization; “Privacy as well as IT Security is a behavior”, one which should start from the top and be nurtured in the organization as a whole.
Privacy and data protection are skills which need to be understood as critical in every function of the company. How can you reach non-legal staff and transmit the knowledge they need regarding data protection?
Data Privacy and IT Security are two domains in which every worker in an organization (employee or contractor) must be vigilant. Regular tailored training by the Privacy Office and/or a DPO (if designated) or Privacy Manager is necessary, as are less formal meetings about privacy relating to specific events (e.g., Cybersecurity October, International Data Privacy Day, etc.). Privacy and IT Security teams should use plain language so that the program is easily understandable to those who may have little or no knowledge of the domains.
If there is a data breach, organizations are obliged to address its root cause. It is strongly recommended that data breaches are brought to the attention of all workers who deal with personal data, along with retrospective explanations as to:
- What happened?
- Why does it constitute a data breach?
- What caused it?
- How was it managed in order to eliminate the risks to rights and freedoms of individuals?
- What did the organization learn from it?
Privacy and IT Security programs must also support business objectives, hence the Privacy Program must be as closely integrated with other areas of the business as is possible. This can be achieved, for instance, via the establishment of a Privacy Champions network. Privacy Champions are business stakeholders with an interest in privacy who, ideally, become certified in Data Privacy and Data Protection domains, and who become an extended arm of the Privacy Office within the company. These Privacy Champions should be dedicated to the functions they belong to (marketing, HR, finance, etc.), and involve the Privacy Office or Legal Office in the event of new projects in order to ensure that the relevant privacy assessments can be completed in time.
All workers in an organization need to be aware of any situations arising in which the Privacy Office should be consulted. This can be achieved by clearly communicating the following ‘narratives’:
- Onboarding and off-boarding of a vendor – both the Privacy Office and IT Security teams should be consulted on due diligence procedures and measures to be implemented.
- Starting a new project where personal data will be processed – the Privacy Office should be consulted and asked to conduct a Privacy Impact Assessment to advise on how the data can be used, and under what circumstances.
- Reporting an incident – all incidents involving personal data should be reported to the Privacy Office, which can assess whether the incident qualifies as a data breach (if the CIA, which stands for Confidentiality, Integrity and Availability, of the data was lost), and proceed with notifying the supervisory authority and/or the affected data subjects (people) where applicable.
As mentioned above, “Privacy as well as IT Security is a behavior”, to be nurtured by the organization starting with the top management. Communication about Privacy and IT Security program updates should come from the top so that the organization recognizes their importance for the business. Management should encourage an environment of trust in which:
- workers can speak up without fear of repercussions if they make a mistake.
- supply chains (third parties) are required to comply with the organization’s standards, including transparency requirements.
In interactions with other companies and institutions, information often needs to be exchanged. How is this treated from a data protection standpoint?
This question is about third party (vendor) management and transparency to data subjects. Every organization subject to the GDPR is either a so-called Data Controller (determining the ‘what’, ‘why’ and ‘how’ of the data) or a Data Processor (acting on behalf of a Data Controller in accordance with written instructions) and must be able to demonstrate how they control personal data. The starting point for vendor management is fundamentally connected to having a complete and up-to-date Data Inventory (also known as ROPAs – Records of Processing Activities – pursuant to GDPR, Art. 30).
- who the Data Controller is
- who the data subjects are
- what categories of personal data are processed
- what the purposes (reasons) for processing are
- the legal bases for personal data processing (contract, consent, legitimate interest, legal obligation, etc.)
- how data subjects can exercise their rights (e.g., data access, data erasure, data portability, objection to marketing, etc.)
- data retention
- who the recipients of personal data are (listing here, at least, the categories of recipients)
- where recipients of personal data are located and how personal data are protected in case of cross-border data transfer (standard contractual clauses, binding corporate rules, etc.)
Data Controllers must be able to demonstrate compliance with the GDPR, as per its Art. 28, and proceed with due diligence regarding data protection and IT security measures prior to starting engagement with a new vendor who will act as a Data Processor (Data Controllers will inherit the infrastructure developed by the Data Processor from the liability standpoint).
If the Data Controller determines, based on due diligence, that engagement with a new vendor can be initiated, a Data Processing Agreement must be executed with the vendor acting as a Data Processor.
If the vendor, or any recipient of personal data (Data Controller, Data Processor), resides in a so-called ‘third country’ (outside of the EEA and outside of the EU Adequacy Decision country list), a Transfer Impact Assessment must be conducted and EU Standard Contractual Clauses (or another permitted mechanism available under Chapter V GDPR for the so-called ‘cross border data transfer’) executed prior to transfer of the data to the third country. In a nutshell, mechanisms for cross border data transfers should ensure that data recipients residing in third countries will treat the data in accordance with EU standards (will provide an “essentially equivalent level of protection”).
I hope you found this blogpost useful, and please feel free to get in touch with me via LinkedIn in case of any questions.
About the blogpost author:
Nora Reháková is the EU Data Protection Officer at Organon, a global pharmaceutical company focused on women’s health. As DPO, she is responsible for developing and maintaining Organon’s Privacy Program in conformity with the GDPR, ePrivacy and other related regulations. Prior to joining Organon, she worked as a global DPO and Legal Advisor for Showmax, an SVOD company and direct competitor to Netflix. Before joining Showmax, she worked for MSD in Strategy and Planning. She also provides GDPR consultancy services in multiple fields to broaden her experience in building privacy programs across sectors, such as in manufacturing or FMCG.
Nora holds an LL.M. in IP Law and IP Management and an MBA, and is currently completing an LL.M. program at Maastricht University specializing in Data Privacy, Cybersecurity and Data Management.
She strongly believes that “Privacy is a Behavior” which thrives in the leader-leader operating model, and that “There is no privacy without IT security”, hence multidisciplinarity is paramount for any effective Privacy Program.