Dot the Is and cross the Ts or risk a large GDPR fine

By Aim's data protection experts

March 2022

Recently, the Irish Data Protection Supervisory Authority handed Meta, Facebook’s parent company, a €17m fine for data breach infringements. Specifically, Meta did not have the right measures in place to show that it could protect EU users’ data. Meta responded that the fine concerned record keeping practices, not a failure to protect people’s information. This approach to sanctions may not surprise some, but it is not immediately obvious: it is continually drummed into everyone that losing data, or handling it inappropriately, are the cardinal sins, so it can feel that simply having working data protection practices in place is the key to a happy life.

However, there is more to it. The less considered aspect of adherence to data protection, and to legal and management frameworks generally, is that it is not enough simply to protect data: it is essential to be able to demonstrate that the protective processes actually exist and work. This could mean showing how the principles of data protection are applied, or ensuring that data subjects’ rights can be carried through in practice.

The DPA and GDPR require us to have accountability documents, complete data protection impact assessments, ensure we have data protection by design and default, and even suggest we should test our processes, for example whether we can fulfil a data subject access request. References to the ability to demonstrate are littered throughout the regulations, but are somehow easy to miss.

So how should you fulfil this obligation? First, you need to document that the processes exist, because not being able to find something we know is there, somewhere, is a big failure. Second, we need to demonstrate that we know where our data is, that we are able to identify what we need and what we don’t, that there is a reason for it being there, and that we can locate it and remove it if it is no longer needed for the purpose it was originally collected. This second point may seem the same as “protecting our data”, but in fact it is the act of demonstrating that the protection is in place and that it is protecting the right things. After all, we can all have good security, but if we don’t know what it is protecting, or whether what it is protecting should be there at all, it is not much use.

At Aim Ltd, we have designed dataBelt® to work on multiple levels. Initially it finds and indexes all your data, giving you the ability to fulfil your data protection obligations, for example data subject access requests, data deletion, DPIAs, etc. It can also classify data, ensuring that it is held for specified purposes and not for longer than it is required. In addition, it gives you unrivalled visibility of all your data, wherever it is held, and will allow you to demonstrate that your processes are actionable and not just for show.

Remember: don’t just have good processes and policies documented; make sure you can demonstrate that they are functional and do what they are designed to do.

More:

  • For information about our data protection services, please click here.
  • Free GDPR and Data Protection Self-Training Videos: understand the importance placed on the security of personal data in a technologically complex world with our set of videos, accessible here.