The EU General Data Protection Regulation is obviously a legal act providing a number of rights to data subjects and obligations to companies using the data. It has an impact on technology solutions and requires state-of-the-art security and mechanisms to ensure privacy. What is less often highlighted is that management is of huge importance, and the most profound impact lies within how you manage your operations. A certain level of organizational maturity and business awareness for organizations controlling the data was simply taken for granted by the EU legislators who negotiated the GDPR, it seems.
The answer to this is process management.
There are a number of GDPR provisions and requirements that make understanding the business processes and how they involve personal data, indispensable and not just useful. Apart from that, there are a number of obvious business benefits that will likely follow, stemming mainly from having more understanding of what the company does, as well as what are the goals and data efficient ways to achieve them.Â
What are the practical issues and questions?
As per the most popular definition, a business process or business method is a collection of related, structured activities or tasks by people or equipment that, in a specific sequence, produce a service or product for a particular customer or customers. Such customers can mean internal stakeholders, as well. Sometimes it is also distinguished between operational, management and supporting processes, and in addition to that, the process can be further divided into subprocesses.
From a practical standpoint, it is also very important to identify who is the process owner or process leader so as to have some major contact point and a person with decision-making capability within a reach.
Other crucial issues involve what should be the territorial scope of the process and how it should fit into the organizational hierarchy.
There is still an ongoing debate whether the process should be country-specific and so divided into country subprocesses, or is it better to lean toward global processes being customized by the people applying them locally. This might be of particular relevance for the GDPR. Originally meant to align data protection for the entire EU, we are now seeing many member state peculiarities. Of course, this also stems from the fact that data protection is not an isolated field, and it highly depends on other laws and regulations, such as in labor law, for example.
Any choices being made would naturally need to allow for a smooth interplay between privacy and business models and to provide a manageable solution in which business and privacy people have a real capability to use the same language and implement timely deliverables.
Main GDPR requirements on clearly defining business processes
When it comes to the GDPR, the main provisions and concepts related to business processes involve:
- The very principles of data protection, including, most of all, data minimization, purpose and storage limitation, but also accountability, integrity and confidentiality, as well as lawfulness, fairness and transparency.
- Records of processing activities.
- Agreements, and most of all, data processing agreements, as well as transfers.
- Data protection impact assessments.
- Information provided to the data subjects, including any standard privacy notices.
Starting with the data protection principles, it is practically impossible to apply the principles in a structured and documented manner by using either the enterprise-as-a-whole perspective or applying them for each and every instance of usage of personal data by the business people. They are still important for privacy and the GDPR. We need privacy governance to be endorsed by leadership for the entire enterprise, and we need people using the data being trained and subject to specific requirements and controls when handling the data. However, this is not where the core of privacy framework will be materialized and implemented. What is needed instead is having clearly defined and documented business processes and to apply the data protection principles to each and every of such processes. This allows for understanding of what data is needed, what the purposes are, and the minimum amount of data and retention periods possible.
Naturally, with accountability in the center, it is also inherently tied to the records of processing activities and the data protection impact assessments. With benefits and risks understood and assessed, appropriate documents can be drafted available both to the internal stakeholders and data protection authorities.
This leads us, in turn, to transfers, agreements and also to the privacy notices. First of all, it is with the business process that we experience needs to outsource or transfer certain activities. Also, by being able to have certain standard activities defined as a single process, we can only draft privacy notices that clearly relate to identified purposes and legitimate goals. Such notices are further coined into much more detailed information and explanation once the individual makes an access request and when they are provided with technical capabilities to track usage of their data and adjust preferences. What is important to keep in mind, though, is that such solutions and approaches to means of handling access requests and portability, again, are rarely implemented in the same manner for the entire enterprise and obviously cannot be deployed ad hoc for a specific scenario involving a single instance of personal data usage. There must be a business process defined to use certain methods and techniques, and it must be tied to the tools utilized by the process people and to the inherent risks and requirements.
What are the examples and potential benefits?
Some well-known examples of business processes being discussed for the purpose of GDPR compliance include recruitment, employment, IT support, regulatory compliance, security, marketing and PR. What is paramount is that the context and data subject expectations should be considered in addition to the regulatory requirements. From this perspective it is clear why requirements and data needs for the recruitment process are significantly different than for the employment process. The same way security and compliance have different, even if related, goals and reasons for documenting certain activities and retention periods will vary. With such differences there are also diverging risks and justifications. Whereas much more intrusion is generally accepted for security reasons, in order to protect privacy, the expectation would be that personal data would not be normally used for promotion or PR purposes unless these are data marked public for these reasons specifically.Â
When speaking about requirements and limitations, it is very important to keep your eyes on the benefits, which go far beyond the GDPR.
If you understand business processes and related data needs, effective planning is more likely than ever before. Next up is standardization and resource optimization, aimed at cutting costs and implementing single, integrated solutions across international borders. Using global vendors and software solutions is much easier when they are supporting the same or similar business process versus working with each and every country establishment and identifying their needs from the scratch. This means also a huge bargaining advantage and ability to calculate and compare costs for different entities forming groups of companies.
There seems to be no workaround process management when implementing the GDPR. As a privacy professional, you certainly have a clear need and a strong mandate to investigate the business processes are within your organization and whether they are sufficiently defined. This is basically a prerequisite to any GDPR compliance activities. On the other hand, there are many obvious business benefits for doing this task, and you can demonstrate it to anyone who says that privacy is only about compliance, and there are no benefits to how the organization works and achieves its objectives.