5 GDPR/ Data Protection Key Lessons

Published on June 14, 2022 by Taceo Limited

Here are some key lessons companies need to consider when thinking about data privacy and protection under the GDPR. The GDPR has applied since 25 May 2018, and below are some of the key lessons learned since then:

  1. Personal Data – Some businesses assume they know the definition of Personal Data, but the reality is different. Beyond recognising that names and contact details are personal data, most businesses do not appreciate that a combination of data sets, none of which identifies anyone on its own, may amount to Personal Data once the pieces can be linked back to an individual. The GDPR definition (Article 4(1)) is any information relating to an identified or identifiable natural person, and online identifiers such as IP addresses, cookie identifiers and device IDs, as well as pseudonymised data that can be re-linked with a key, fall within it. Always go back to the basics of the definition.
  2. Vendor risk assessment – Do you obtain a copy of your vendor's risk assessment and simply file it away? You need to understand how your vendor or supplier actually processes personal data. Make sure you grasp the extent of the security controls your vendor has in place, and find out when these were last tested, updated or even implemented; an Article 28 processor contract is a legal requirement, but it is not evidence that the controls it describes exist or work. Remember the SolarWinds supply-chain attack, disclosed in December 2020, whose victims included cybersecurity firms, and keep your supply chain (including your vendors' own sub-processors) under close review.
  3. Data Protection Impact Assessment (DPIA) – The DPIA tells the story of a company's attitude to data protection and privacy. You will need to delve into the details: what personal data is processed and how, whether there are controls in place for each processing activity, and what the residual risks are in practice. Ask the difficult questions no one wants to address, and be sure to complete a DPIA for any processing likely to result in a high risk to individuals (Article 35), which in practice includes automated decision-making with legal or similarly significant effects, the use of AI algorithms, and facial recognition or other biometric data processing.
  4. Records of Processing Activities (ROPA) – This involves painstaking work. Completing ROPAs is dry and not particularly illuminating, but the reality is that they are mandatory under Article 30 (the exemption for organisations with fewer than 250 employees does not apply where the processing is not occasional, is likely to result in a risk to individuals, or includes special category data, so few businesses escape it). The upside is that if you analyse all the processing activities listed and which teams use each type of data, with a bit of data analytics you may find ways to monetise the data being processed, subject to your lawful basis for processing and to the purpose limitation principle: data collected for one purpose cannot simply be repurposed for an incompatible one.
  5. Transfer Impact Assessment (TIA) – a relatively recent entrant, courtesy of the CJEU's Schrems II decision in July 2020. If you are transferring personal data from the EU or UK to a third country that does not benefit from an adequacy decision, for example under Standard Contractual Clauses or the UK International Data Transfer Agreement, you need to conduct one of these. The idea is to assess the laws and practices of the third country to which the data is being transferred, in particular government access to data, against the personal data being transferred and the safeguards in place, and to document supplementary measures where the legal protection falls short. Take these seriously and put in a bit of effort to save yourselves from the ever-watchful regulator.

If you would like further information on the above or wish to discuss other data privacy matters, you can contact us at [email protected].