In an increasingly AI-enabled business environment, a robust privacy programme extending beyond basic legal compliance and governance is critical for organisations to remain competitive in their respective sectors. Building and implementing a privacy programme can be challenging in itself, but maintaining and continuously maturing one amid the complexities of evolving personal data and privacy regulations can seem overwhelming.  

In the final instalment of our three-part series on how a Data Protection Officer (DPO) supports organisations to drive and mature privacy programmes, we look at the processes and importance of auditing established systems, particularly as technological innovation rapidly gathers pace globally.  

Keeping track of changes in regulations in relevant jurisdictions 

For companies operating in multiple jurisdictions, a privacy programme implemented 12-18 months prior should be reviewed to benchmark the organisation’s current compliance with regulations in the jurisdictions in which it operates. A key responsibility of a DPO is to stay informed on any emerging regulations and legislative amendments to ensure all the pieces are connected between the markets the business operates in and their privacy operations. Here are some of the ways your DPO can support you to stay off the regulator’s radar and retain an advanced, globally compliant privacy programme.

In the US, for example, where organisations must navigate a fragmented regulatory landscape, it is essential to stay on top of updates to the relevant state laws. For example, organisations in Iowa that process data of at least 100,000 residents must be well-equipped to address the Iowa Consumer Data Protection Act (ICDPA), an act that is less strict than counterparts such as the CCPA. When new laws are introduced or existing ones are amended, the DPO can ensure that the organisation’s privacy policies and procedures align with both regional and international standards.

Organisations operating in the EU should ensure, where applicable, that their operations comply with the evolving EU AI Act and the EU Cyber Resilience Act (CRA). Your DPO should bring deep insight into emerging regulations and updates to existing regulations, understanding what to change or implement to ensure compliance.

Continually evaluating third-party vendor assessments 

An often-overlooked aspect of maintaining a privacy programme is the introduction of new third-party vendors or the replacement of outdated systems. Businesses often conduct an initial vendor assessment but fail to revisit it when circumstances change. This oversight can lead to risks such as outdated contracts and non-compliant data processing that go unaddressed, even though third-party practices directly affect a business’s data protection posture.

One of many ways the DPO can mitigate these risks is through regular reviews of existing and pending vendor contracts: ensuring Data Processing Agreements (DPAs) are current and aligned with the relevant regulations, and tracking vendor changes. By treating these steps as ongoing processes rather than a “tick-box” compliance exercise, a DPO can help a business’s privacy programme adapt to evolving partnerships and regulatory requirements.

Closing outstanding items from initial gap analysis  

While it is a necessary first step for a DPO to review a company's current level of privacy compliance, regular maturity assessments help to advance the organisation’s privacy programme. As business activities evolve, collaborating with key departments, such as HR and IT, helps to address outstanding privacy measures identified in the initial data mapping process. Continuous conversations between key stakeholders and the DPO help to prioritise which outstanding items should be completed (whether documentation, templates, or the setting up of privacy champions or steering groups).

As regulations continue to evolve, and in some cases emerge, having the right experts beside you, whatever market you operate in, is more important than ever. HewardMills’ experienced team of DPOs, located in numerous jurisdictions globally, is on hand to help manage the intricacies of successfully maturing a privacy programme.