Data Privacy Risks and Mitigants
Mitigants – Data Controller Obligations
Lawful processing: There is consent from the data subject, or processing is necessary for:
- a contract;
- a legal requirement; or
- protecting the vital interests of the data subject or controller.
Transparent information: Clear information provided to data subject about purposes and sources of collection, types of information to be collected, to whom it may be disclosed, contact details for data controller, and data subject’s rights.
Requests for consent: Consent requests are to be presented separately from other information, to be specific and to be freely given and informed.
Fairness requirement: Data processors are required to treat data subjects “fairly” which may be defined through specific policy or regulatory guidance.
Purpose limitation: Personal data can only be processed for the primary or specific purpose of collection unless an exception applies (such as consent).
Data minimization: Data processed should be adequate, relevant, and limited to the minimum necessary for processing.
Mitigants – Data Subject Rights
Right to information: Data subject has the right to clear, simple information about processing activities and entities involved.
Right to be forgotten: Data subject has the right to ask for their personal information to be erased after it is no longer necessary for the purpose for which it was processed.
Right to restrict processing: Data subject may ask for processing to be restricted in certain circumstances, such as when accuracy is contested, or the processing is unlawful.
Right to portability: Data subject can ask for personal data which has been automatically processed to be provided to them in a structured, commonly used, machine-readable form.
Right to withdraw consent: Data subject may withdraw consent at any time.
Mitigants – Data Controller Obligations
Express consent: Require that prior, express consent be obtained to the processing of “sensitive” information.
Mitigants – Data Controller Obligations
Data quality: The data controller is obliged to take reasonable steps to ensure data which is processed is accurate and up to date.
Time limit on retention: Personal data can only be retained for the period necessary to satisfy the purpose of processing.
Mitigants – Data Subject Rights
Right to correction: Data subject has the right to ask that their information be corrected.
Right to access: Data subject is entitled to have access to their information on request and to details of any processing activities and who has undertaken them.
Mitigants – Data Controller Obligations
Information about automated processing: Provide data subject with important information about automated decision-making process and its possible consequences.
Mitigants – Data Subject Rights
Right to object: Data subject has the right to object to the making of decisions based solely on automated processing of their personal data.
Mitigants – Data Controller Obligations
Identity information as ‘sensitive information’: Identity information should require express consent for processing. Further mitigants may be in laws establishing national ID systems and more generally in security requirements applicable to personal data processing systems and in criminal laws.
Mitigants – Data Subject Rights
Consumer awareness: Require that data subjects be educated as to how to best secure their identity information, including their security credentials.
Mitigants – Data Controller Obligations
Accountability: Data controller should be responsible for their own actions and those of any processor who acts on their behalf.
Complaints systems: Require data controllers to have transparent, effective, free systems in place to process complaints about misuse of personal data.
Appeals: Ensure that there is an External Dispute Resolution scheme to mediate disputes between a data subject and a data controller and to make appropriate orders (e.g., as to compensation or data correction).
Limits on cross-border transfers of data: Require that cross-border transfers of data only be made to jurisdictions that have privacy protections equivalent to those in the jurisdiction from which the data is transferred, and/or that appropriate contractual safeguards are in place. There may also be data localization rules in place.
Registration of data controllers: There may also be requirements for data controllers to be registered by the relevant authority. This obligation may only apply to the more significant data controllers.
Mitigants – Data Subject Rights
Awareness of complaints processing systems and External Dispute Resolution scheme: Data subjects should be informed about their rights and relevant complaints and appeals avenues by the data controller when data is provided and when making a complaint.
Mitigants – Data Controller Obligations
Governance arrangements: Require data controllers to have in place detailed policies and procedures designed to ensure compliance with the relevant data privacy principles and rules, together with related technological and organizational resources.
Privacy Impact Assessments (PIAs): Require that high risk processing operations be the subject of proactive PIAs, which cover issues such as the proposed processing activities and the related privacy risks and mitigants.
Publicity: Require privacy policies and PIAs to be made public (e.g., on the data processor’s website).
Data Protection Officers (DPOs): Require that data controllers appoint a DPO with functions such as overseeing compliance with any data privacy rules and being a contact point for data subjects and any DPA. This obligation may only apply to more significant data controllers.