3 priorities for the French DPO: 1. Gain visibility

Take control of your organization’s data protection program by following these key priorities. The first? Build a holistic view of your organization's data

Noshin Khan
Senior Compliance Counsel Research | CCEP-I, LPEC, CIPP/E, CIPM, FIP
February 22, 2023


When it comes to managing your organization’s data protection and security obligations, there is a lot for the Data Protection Officer (DPO) to consider. The GDPR places several significant requirements on organizations, from fulfilling data subject access requests (DSARs) to data breach notification obligations, security requirements, and transparency provisions.    

At the foundation of any compliance program is the need to clearly understand your regulatory obligations and your organization’s data. DPOs must also have visibility into what other teams are doing and must work closely with the CISO to help direct organizational processes toward data protection and security best practices. 

Gaining visibility is the first priority DPOs will need to address in 2023. Making sure you have a strong understanding of your compliance program fundamentals before you set up processes will get you started on the right foot. Begin with incorrect information, and remediating that error could cost valuable time, resources, and money.

Keep reading to learn more about the importance of building visibility into your organization’s data in the context of incident management and data subject access requests (DSARs), what the CNIL recommends, and case study examples of putting data discovery and mapping into practice. 

The importance of understanding your data for privacy incident management

Incident management is vital to both data protection and security programs, and where many regulatory obligations overlap. When dealing with a security incident, having visibility into organizational data and responsibilities is essential. Data that is unaccounted for will not have the proper security protections in place and is a risk to business – especially in the case of sensitive personal information. If such a risk is exploited, you may not even know about it until it is too late. 

Therefore, it is critical that DPOs and CISOs work together to discover and categorize structured and unstructured data from across the organization to ensure effective incident management processes. This type of discovery exercise can also help uncover gaps in your compliance programs, help to establish the extent and severity of an incident, and aid remediation efforts. 


What does the CNIL say about data breaches and incident management?

The CNIL places an emphasis on the digitalization of daily life within its strategic priorities for 2022-2024, stating that with greater digitalization comes a greater volume of personal data. The CNIL specifically calls out the part technology plays in “intensive data collection and processing” and “increasingly varied and rapidly evolving uses”. This leaves DPOs responsible for visibility into increasing quantities of data collected and processed by an organization. According to the CNIL's Guide on Data Protection Officers:

“[Monitoring the effectiveness of compliance with the GDPR] must take the form of verifications organized by the DPO (external audit or internal contact), or carried out by the DPO personally, in collaboration with other key functions such as the CISO (Chief Information Security Officer). […] these controls or audits may consist of:

  • verifications of the accuracy of the information contained in the record of processing operations implemented by the organization (inventory of processing activities, scope of purposes, data subjects, nature of the data processed, recipients and possible transfers outside the European Union, retention periods, security measures);  
  • verifications of the compliance of the most sensitive processing operations, taking into account the impact assessments conducted (particularly with regard to the implementation of measures intended to reduce the likelihood and severity of risks);  
  • the implementation of tools for tracking and monitoring the use of processing (analysis of logs, detection of prohibited data, verification of compliance with retention periods, etc.); 
  • monitoring the effectiveness of the technical and organizational data protection measures that the organization has undertaken to implement.”

Critically, these audits give the DPO the visibility into organizational data needed to advise on personal data breaches and the measures to be taken, and to notify the CNIL and data subjects.

The benefits of putting data discovery and data mapping into practice for incident management

Meet Lois, DPO at ACME Co. Lois has been made aware of a security breach that involves a large volume of personal information. 

To fulfill the requirements of Article 33 of the GDPR, Lois must know:

  • The nature of the incident
  • The categories of data affected by the incident
  • The approximate number of people affected by the incident
  • Notification requirements per applicable laws

Fortunately, Lois had recently conducted a data discovery exercise in order to populate ACME’s record of processing and data maps. As a result, Lois had visibility into the personal data ACME has collected, the sensitivity of that data, and the purposes for its use and storage. In turn, this discovery and mapping exercise has allowed ACME’s CISO to suggest the appropriate security measures that should be applied in line with the sensitivity of the data. 

Working together, Lois and ACME’s CISO can easily understand: 

  • The likely consequences of the data breach
  • The steps that should be taken to prevent a recurrence of this incident or to mitigate any negative consequences

Without initial visibility into ACME’s data through discovery and mapping, Lois and the CISO may not know that a breach has occurred, or may respond to the breach inappropriately, creating the potential for unwanted regulator attention.

Fulfilling access requests under the GDPR

In order to fulfill the regulatory obligations relating to DSARs, it is critical for organizations to have a holistic understanding of their organizational data and the regulatory obligations that are attached to it. Having an up-to-date or evergreen data map is critically important when viewed through the lens of DSARs for several reasons. 

First, having visibility into all of your organization’s data allows you to fulfill access requests without missing items of information that are stored in unknown sources or unstructured formats. This leads to a more straightforward fulfillment process and helps to ensure that regulatory requirements are being met. 

Second, visibility helps to reduce the risk of personal data relating to individuals other than the requestor being included in any DSAR responses. Knowing where this data exists gives organizations the opportunity to remove or redact it before returning the response to the requestor.

It should be noted that these steps can also be helpful for other types of data subject rights requests, such as the request to erase personal data, object to certain types of processing, or requests for data portability.  


What is the CNIL’s position on fulfilling DSARs?

The CNIL cites the protection of the rights of data subjects over their personal data as one of its key missions. It aims to continue building on its previous strategic plan and to continue promoting individuals' exercise of their data subject rights.

The CNIL declared its commitment to build this promotion into its strategic plans for 2022-2024 by publicizing information and tools that enable individuals to understand and exercise their rights.

While public awareness is high on the CNIL’s agenda, it also plans to maintain its level of enforcement to ensure that subject rights remain an effective tool for individuals. This is outlined in “Axe 1” of its strategic plan – Promoting control and respect for the rights of people on the ground – and it is broken into four steps:

  1. Strengthening information and awareness to promote the exercise of rights
  2. Increasing the effectiveness of enforcement actions
  3. Strengthening the role of the CNIL in Europe and the effectiveness of the European collective
  4. Prioritizing actions to protect the everyday use of data

In Sheet no. 3: Prepare for the exercise of people’s rights, the CNIL reaffirms the need for DPOs to gain visibility into their organization’s data, stating, “[Organizations must] provide in your computer systems the technical tools that will allow [individuals’] rights to be properly taken into account. Preparing in advance how they will contact you and how you will deal with their requests will enable you to manage the exercise of these rights effectively.” The guide goes on to state that organizations must also trace “all operations that have an impact on [the individual’s] personal data.”

Data discovery for DSAR fulfillment in practice

Meet Clark, DPO at Daily Planet Inc. In recent months, the number of DSARs that Clark has received has doubled owing to a security incident that was made public. 

Clark now faces two main challenges. First, Daily Planet is based in Europe, but its business has a global reach and Clark is now receiving DSARs from around the world, meaning that the requirements of several laws come into play. Second, manually fulfilling each request is likely to take too much time and Clark risks exceeding the maximum response times under laws such as the GDPR or the CPRA. 

Fortunately, Clark had included some foundational steps when building Daily Planet’s data protection program, which included a data mapping exercise. This allowed Clark to build an inventory of personal data and have regulatory context applied to it. Clark has also deployed an automated data discovery tool to help keep his data map up to date. 

As a result, Clark has full visibility into Daily Planet’s data, who it belongs to, and what requirements it needs to be held under. Clark’s data map also serves as the groundwork for DSAR fulfillment and enables him to easily find and consolidate personal data and fulfill requests in a timely manner. 

OneTrust Data Discovery and Data Mapping Automation

Data discovery and mapping are the core elements of gaining centralized visibility into personal data, which is foundational in fulfilling many of the GDPR’s requirements. OneTrust Data Discovery allows organizations to leverage Artificial Intelligence to find and classify their personal data against a range of global privacy laws and standards. By scanning multiple source types including unstructured file shares, structured databases, Big Data storage, SaaS applications, and other cloud solutions, OneTrust Data Discovery helps you to develop a holistic view of personal data.

The OneTrust Data Mapping Automation solution seamlessly connects to the Data Discovery tool to quickly populate data maps and records of processing activities. Through the application of regulatory intelligence from OneTrust DataGuidance, you can automatically apply data classification and regulatory requirements to personal data. This helps to flag gaps in your compliance program, respond to incidents and subject rights requests more efficiently, and serve as an evergreen foundation to your data protection programs. 
