Editor’s note: Cat Coode, founder of Binary Tattoo and an expert in global privacy regulation compliance, recently participated in a privacy-themed Ask Me Anything thread on ISACA’s Engage platform. The following is an excerpt from the Q&A thread. Participate in our next Ask Me Anything with blockchain expert Raneem Rashid on Engage from 21-25 February.
Ask Me Anything questions from Ejona Preci: 1) Should Data Protection team perform a (separate) periodic risk assessment dedicated to PI/PII or it can be part of the Enterprise Risk Assessment (ERM)/IT Risk Assessment? 2) Who should the DPO ideally report to? Should it be any conflict if DPO reports to Information Security Officer?
Cat Coode: Great questions!
- In an ideal world, we should have both assessments for privacy AND assessments for security but sadly that is not always practical. It will depend on the size of your team and the breadth of data your company collects. That said, at least once I would hope to see the following:
- Data map of external customer data (Record of Processing Activities) showing the sources of data, the full list of elements collected, third parties involved, retention period, etc. This list should be reviewed and any excess data that is not strictly necessary should be removed from processing. The less you have the easier it is to protect.
- Data inventory of internal data showing the various tools used by the company and the types of data collected. You can further classify this data which will help in managing retention, access, transfer rules. Typical classification is public, private, confidential, restricted.
- Retention schedule that includes specific customer product/service data AND internal tools. There are some excellent tools now that will scour your end points and locate PI that may be stored on laptops where they shouldn't be – copies of customer DBs, employee credit card numbers, etc. These can be set up to run continuously or could be part of your audit.
- The GDPR states that the DPO, Data Protection Officer, should report to the “highest level of management.” There is no specifications beyond that. There are people who argue that should be the Board. Agreed though, that reporting in via your CISO or CTO is a conflict of interest. The DPO is supposed to be independent.
To be clear, non-GDPR entities may have a Data Privacy Officer, which is a common title and does NOT have specifications. In this case you can have a Data Privacy Officer report anywhere.
