Home » Priorities for the French DPO

Priorities for the French DPO

by delta
0 comment

Data protection officers (DPOs) have a lot to consider when it comes to managing their organization’s data protection and security obligations. The GDPR imposes several key requirements on organizations, from fulfilling Data Subject Access Requests (DSARs), to data breach notification obligations, security requirements, and transparency provisions.

The foundation of any compliance program should be a clear understanding of regulatory obligations and organizational data. The DPO should also know what other teams are doing and work closely with the CISO to help align the organization’s processes with data protection and security best practices.

The number one priority DPOs must address in 2023 is increasing visibility. Before you set up your process, make sure you have a good understanding of the basics of a compliance program so you can start on the right foot. Starting with incorrect information and correcting that error can cost valuable time, resources, and money.

Read on for the importance of building visibility into your organization’s data in the context of incident management and data subject access requests (DSARs), CNIL recommendations, and case study examples that put data discovery and mapping into practice. 

The Importance of Understanding Data for Privacy Incident Management

Incident management is essential for both data protection and security programs, and where many regulatory obligations overlap. Visibility into organizational data and responsibilities is essential when dealing with security incidents. Unexplained data is not properly secured and poses a risk to your business, especially when it comes to sensitive personal information. Such risks, if exploited, may go unnoticed until it’s too late.

Therefore, it is critical that DPOs and CISOs work together to discover and classify structured and unstructured data across the organization to ensure an effective incident management process. This type of discovery activity also helps uncover gaps in your compliance program, establish the scope and severity of incidents, and assist in remediation efforts.

What does the CNIL say about data breaches and incident management?

CNIL Emphasis on digitization of daily life among them Strategic priorities for 2022-2024, says that the amount of personal data will increase with increasing digitization. CNIL explicitly calls out the role of technology in “intensive data collection and processing” and “increasingly diverse and rapidly evolving applications”. This puts the DPO in charge of gaining visibility into the growing amount of data collected and processed by the organization. CNIL Guide to Data Protection Officers.

[Monitoring the effectiveness of compliance with the GDPR] Must take the form of verification organized by or personally performed by the DPO (external audit or internal contact) in collaboration with other critical functions such as the CISO (Chief Information Security Officer) there is. […] These controls or audits consist of:

  • Verification of the accuracy of the information contained in the record of the processing operations carried out by the organization (list of processing activities, scope of purposes, data subjects, nature of data processed, recipients and possibility of transfer outside the European Union; , retention period, security measures);
  • Verification of the compliance of the most sensitive processing operations, taking into account the impact assessments carried out (in particular with respect to the implementation of measures aimed at reducing the likelihood and severity of risks);
  • Implement tools to track and monitor the use of processing (analyzing logs, detecting prohibited data, verifying compliance with retention periods, etc.);
  • Monitor the effectiveness of the technical and organizational data protection measures that the organization has committed to implement. ”

Importantly, these audits allow DPOs to gain visibility into their organization’s data and notify the CNIL and data subjects when advising on personal data breaches and actions to be taken.

Benefits of Data Discovery and Data Mapping Practices for Incident Management

Meet Lois, DPO of ACME Co. Lois notices a security breach involving a large amount of personal information.

To meet the requirements of Article 33 of the GDPR, Lois needs to know:

  • The nature of the incident
  • Categories of data affected by the incident
  • The approximate number of people affected by the incident
  • Notification requirements under applicable law

Luckily, Lois recently conducted a data discovery to create ACME’s transaction records and data maps. As a result, Lois now knows the personal data ACME has collected, the sensitivity of that data, and the purposes for which it is used and stored. This discovery and mapping work, in turn, enabled her CISO at ACME to suggest appropriate security measures to apply depending on the sensitivity of the data.

Working together, Lois and ACME’s CISO can easily understand:

  • Potential Consequences of a Data Breach
  • Steps to be taken to prevent a recurrence of this incident or to mitigate any adverse effects

Without first visualizing ACME’s data through discovery and mapping, both Lois and the CISO may not be aware that a violation has occurred, or may respond inappropriately to a violation, drawing unwanted attention from regulators. pulling is possible.

Fulfilling access requests under GDPR

To meet regulatory obligations related to DSAR, it is important for organizations to have a holistic understanding of their data and the regulatory obligations that come with it. When viewed through the lens of a DSAR, having up-to-date or evergreen data maps is very important for several reasons.

First, with visibility into all of your organization’s data, you can fulfill access requests without missing items of information from unknown sources or stored in unstructured formats. This makes the fulfillment process easier and ensures that regulatory requirements are met.

Second, visibility helps mitigate the risk that personal data about individuals other than the requester will be included in the DSAR response. Knowing where this data resides gives organizations the opportunity to remove or redact the data before returning it to the requestor.

Please note that these procedures may also help with other types of data subject rights requests, such as personal data erasure requests, objections to certain types of processing, and data portability requests.

What is the CNIL’s position on the implementation of the DSAR?

CNIL lists the protection of data subject rights to personal data as one of its key mandates. It aims to continue building on previous strategic plans and to continue to encourage individuals to exercise their subject rights.

CNIL has declared its commitment to incorporate this promotion into its strategic plan for 2022-2024 by publishing information and tools that enable individuals to understand and exercise their rights.

While public awareness has increased on the CNIL agenda, the CNIL also plans to maintain enforcement levels to ensure that subject rights remain an effective tool for individuals. This is outlined in “Axe 1” of our strategic plan. Promoting management and respect for the rights of people on the ground – and is divided into four steps:

  1. Enhancing Information and Awareness to Facilitate Enforcement
  2. Increasing the effectiveness of enforcement actions
  3. Strengthening the role of the CNIL in Europe and the effectiveness of the European Community
  4. Prioritizing actions to protect the everyday use of data

Sheet no3: Preparing to exercise the rights of citizens, CNIL reaffirms the need for DPOs to have visibility into their organization’s data, stating: “[Organizations must] By providing technical tools for computer systems, [individuals’] Right to be properly considered. By preparing in advance how they will contact you and how you will respond to their requests, you can effectively manage the exercise of these rights. ” This guide indicates that state organizations should also be traced. “All operations that affect [the individual’s] personal data. “

Data Discovery for Real DSAR Fulfillment

Meet Clark, DPO of Daily Planet Inc. In recent months, public security incidents have doubled the number of DSARs Clark has received.

Clark currently faces two major challenges. First, the Daily Planet is based in Europe, but its operations are global, and Clark now receives his DSARs from all over the world. This means that some legal requirements apply. Second, performing each request manually could take too long and Clark risks exceeding the maximum response times under his GDPR, CPRA and other laws.

Luckily, Clark included some basic steps when building Daily Planet’s data protection program, including a data mapping exercise. This allowed Clark to create an inventory of personal data and apply it to the regulatory context. Clark also implemented automated data discovery tools to keep the data maps up-to-date.

As a result, Clerk has complete visibility into Daily Planet’s data, who owns that data, and the requirements under which the data must be retained. Clark’s data maps also serve as the foundation for DSAR fulfillment, making it easy to find and consolidate personal data to ensure the timely fulfillment of requests.

OneTrust data discovery and data mapping automation

Data discovery and mapping are core elements for centralized visibility into personal data, which is fundamental to meeting many of the GDPR requirements. OneTrust data discovery enables organizations to leverage artificial intelligence to find and classify personal data against various global privacy laws and standards. OneTrust Data Discovery helps build a complete picture of personal data by scanning multiple source types, including unstructured file shares, structured databases, big data storage, SaaS applications, and other cloud solutions. increase.

of Automate OneTrust data mapping The solution seamlessly connects to data discovery tools to quickly populate data maps and records of the processing activity. By applying regulatory information from OneTrust data guidance, can automatically apply data classification and regulatory requirements to personal data. This allows you to flag gaps in your compliance program, efficiently respond to incidents and subject rights requests, and serve as the evergreen foundation for your data protection program.

You may also like

Leave a Comment


Delta-Compliance.com is a premier news website that provides in-depth coverage of the latest developments in finance, startups, compliance, business, science, and job markets.

Editors' Picks

Latest Posts

This Website is operated by the Company DELTA Data Protection & Compliance, Inc., located in Lewes, DE 19958, Delaware, USA.
All feedback, comments, notices of copyright infringement claims or requests for technical support, and other communications relating to this website should be directed to: info@delta-compliance.com. The imprint also applies to the social media profiles of DELTA Data Protection & Compliance.

Copyright ©️ 2023  Delta Compliance. All Rights Reserved

Newsletter Signup

Subscribe to our weekly newsletter below and never miss the latest product or an exclusive offer.