News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to drive effective privacy operations with functional requirements Related reading: Consent-management platforms becoming hot commodities in post-GDPR world

rss_feed

In the run-up to May 25, 2018, many businesses that thought they were well-prepared to meet their new General Data Protection Regulation obligations discovered that operationalizing many components of a GDPR-compliant privacy program requires more than simply drafting a new or updated set of policies and procedures. With GDPR now in full effect, these businesses are quickly realizing that truly effective GDPR compliance is a highly complex undertaking requiring active, cross-functional collaboration between privacy and information technology. In instances where businesses struggle to operationalize key compliance components (e.g., response to data subject rights requests, revocation of consent), they should consider developing “functional requirements” that provide specific, detailed guidance to the privacy and IT teams to fully meet their GDPR obligations.

Functional requirements sit at the intersection of privacy and IT and go deeper than business-oriented standard operating procedures to truly operationalize the regulatory, industry and business requirements reflected in procedures. There are two distinct phases in the functional requirements process:

  • Phase 1: The privacy team must draft the functional requirements to set out the details of specific GDPR and other applicable requirements.
  • Phase 2: The privacy team must work in collaboration with the IT team to gain initial verification of the feasibility of implementing the functional requirements. It is often during this second phase of active and engaged discourse between teams that new solutions and automated processes are developed to enable the organization to meet its GDPR (and other) privacy obligations.

Phase 1: Drafting functional requirements

In order to draft functional requirements that will enable effective compliance, the privacy team must understand and communicate full details of the applicable requirements to the IT team. For example, for an erasure request under GDPR, the privacy team must clearly convey in the functional requirements that erasure is not limited to deletion of an entire record (which may be difficult for some businesses due to system infrastructure). Rather, an erasure request can be fulfilled by anonymizing a record or anonymizing or deleting only those fields that could be used to identify the individual. In addition, the functional requirements should indicate that certain requests, such as erasure or rectification, must be communicated out to third parties processing the requestor’s personal data. 

Functional requirements for fulfilling access requests must be similarly specific. For example, they must consider the extent to which the IT team must search within the company’s systems to find and then provide personal data responsive to the request. The privacy team must then determine what personal data will meet the requester’s expectations, what will be practical to operationalize and what will effectively mitigate regulatory risk. The functional requirements will ultimately indicate whether the response must include every bit of personal data that can be found or whether a core set can be defined that will satisfy requestor expectations and contain regulatory risk. Similarly, the privacy team must consider, in instances of requests such as rectification or erasure, how far out to third parties the changes must be communicated.  While GDPR may not put any limits on this, practical considerations and risk mitigation must be taken into account.

In addition to requests for access, rectification and erasure, functional requirements should be drafted — depending on the business, the nature of processing and the legal basis for processing — to operationalize processes for objection to processing, restriction of processing, data portability and revocation of consent. 

Phase 2: Teaming with IT for operational functional requirements

Once a draft of the functional requirements has been prepared, the privacy team should seek input from the IT team to gain initial verification of the feasibility of implementing the requirements. The IT team will be critical in this phase, contributing potential solutions to automate or otherwise streamline processes to meet applicable obligations, as well as to help make determinations regarding the depth and breadth of the necessary actions (inside and outside of the organization). Some determinations may also need to be made by IT regarding whether specific technologies will be necessary to effectuate the functional requirements. For example, where anonymization is selected as a solution for an erasure request, IT will need to evaluate and recommend a technology solution. They may need to evaluate factors such as whether the anonymization tool can preserve the relational integrity of the data, once applied, as well as ensure the data is rendered truly anonymous.

Revocation of consent provides another example of a GDPR requirement for which IT contributions will be critical, as effectively responding to a consent revocation can pose a significant challenge depending on the nature of the business and the complexity of processing activities.  To effectively prevent the further processing of personal data after receipt of a revocation of consent, privacy and IT teams must work together to place appropriate controls on the personal data in question across all processing activities to which the revocation applies. If an individual revokes consent to processing for marketing activities, for example, that revocation must be effectuated in a manner which will prevent further processing for all current and future marketing activities, potentially across multiple areas of a business. If an organization has a need to keep this individual’s personal data in its systems (e.g., for tax reporting purposes or due to a litigation hold) this may require very finite controls that enable processing for limited purposes, but not for anything that would directly or indirectly lead to their receiving any further direct marketing materials.

While the intent of the functional requirements document is to reflect the requirements of applicable regulatory requirements and internal policies and procedures, the privacy and IT teams, and IT developers in particular, should look at operationalizing the functional requirements as an opportunity to develop new and innovative approaches to meeting GDPR and regulatory obligations. Automation and innovation opportunities may arise, for example, in creating solutions for:

  • Self-service portals for making data subject rights requests and validating identity.
  • Self-service portals for viewing personal data (access) and updating incorrect information (rectification).
  • Automated search and “data pull” functions across databases and applications. 
  • Automated tracking of request responses and documenting of fulfillment.

Process flows for clear steps and common language

The functional requirements should not only include narrative instructions, but also process flows so that team members who will be operationalizing the requirements have a visual map of what must take place to fulfill the obligation. Process flows should indicate key decision points (e.g., whether to erase or anonymize and whether to do so against entire records or only certain fields) and should provide clear direction to the next steps in the process. And while the process flows cannot contain the level of detail included in the narrative description of the requirements, they represent a common language and a guide that can be readily understood by technical and non-technical contributors alike. 

Live runs

Even the most carefully drafted functional requirements should be considered draft until they are put to use against real-life activities, such as data subject rights requests and consent revocations. It should be fully expected by the privacy and IT teams responsible for responding that the functional requirements will be further refined through active application. In fact, these “live runs” are critical for testing the functional requirements and adding even more granularity that cannot be reasonably anticipated by individuals drafting documents on their laptops.  Only after applying the functional requirements to a set of live runs and making appropriate refinements can the requirements be considered final and ready for use on an ongoing basis.

Operationalizing complex regulatory requirements, such as those in the GDPR, is a highly challenging exercise, and businesses are finding that merely training staff on the policies and procedures drafted in anticipation of GDPR is not sufficient to operationalize these procedures.  Functional requirements that are the product of collaboration between privacy and IT teams provide a highly useful tool to accomplish compliance goals.  Not only do they address requirements with the requisite breadth and depth, but — if applied to actual “live” activities such as data subject rights requests — provide the teams an opportunity to apply the functional requirements, determine where adjustments are required, and make those adjustments to create a robust and detailed GDPR compliance roadmap that can be successfully applied going forward.

photo credit: Nicholas_T via photopin

Authors
Headshot Dan Goldstein, CIPP/E, CIPP/US IAPP Member Contributor
Nonmember Contributor
Tags
Privacy Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
CNIL outlines gathering consent under the GDPR
France’s data protection authority has created a guideline breaking down consent rules within the EU General Data Protection Regulation. The CNIL outlines the definition of consent under the GDPR and whether consent should be collected systematically. The DPA goes over the four criteria organization...
Read More queue Save This
The role of DPAs in incentivizing accountability
If ever there was a potential cure-all for the current trust deficit in the digital society and the many data protection woes facing us, organizational accountability surely is it. It is no surprise, therefore, that in recent years, accountability has garnered broad international support in data pr...
Read More queue Save This
Related Stories
Tags
Privacy Operations Management
Recent Comments