The ODPi Data Privacy Pack

The ODPi Data Privacy Pack provides best practices and related content to assist an organization in creating a data privacy program and implementing it across its operations. The contents are written for the organization’s privacy officer. This is the person responsible for defining the privacy policies and ensuring they are implemented and followed.

Why is a data privacy program important?

Data privacy is being written into law in many regions today and this legislation/regulation is both broadening the scope of data covered and increasing the penalties for non-compliance. Being able to manage your organization so people’s rights relating to their data is a basic capability for doing business in many places.

More importantly, but often forgotten, is that an organization’s attitude to the wishes of its customers, employees and business partners over the processing of their data shows clearly in the way the organization operates. The actions taken to ensure data privacy lead to higher levels of customer service, better internal efficiency and a more respectful working environment for employees by creating transparency in the way the organization operates and eliminating unnecessary processing and storing of data.

The role of the privacy officer

The appointment of the privacy officer is the first step in acknowledging the importance of data privacy to the business. The privacy officer provides focus on the privacy challenge and assesses how well the organization is meeting that challenge, making adjustments as necessary. For it is indeed a challenge. Respecting privacy is likely to impact all aspects of the business, which means many of the roles within the organization will change.

What does having a data privacy program entail?

A data privacy program ensures that an organization processes data about an individual (or data that may identify an individual) with respect to that individual’s wishes, whilst ensuring that minimal data is used and retained for this processing and it is properly protected so an unauthorized third party can not access it for their own purposes.

At a high level, it entails:

Getting started

An important place to start is to document and understand the digital services operated by your organization.

These digital services may be:

These digital services are likely to identify the principle uses of personal data and where it is stored.

The effort required to build this inventory is going to be proportional to the size and complexity of the organization. This means it needs prioritization and can not be left to the sole effort of the data privacy officer.

The data privacy officer needs to appoint owners of digital services for each business area and have them create the inventory of their digital services since they will be responsible for the correct operation of the services.

Digital service lifecycle

Each digital service will follow a lifecycle for how it is developed from an initial idea, to a working service and then operated and improved until it is decommissioned. Every organization will have its own definition of the lifecycle, but for purposes of illustration, the ODPi Egeria community PMC has developed a simple lifecycle that can be used to show how data privacy controls can be introduced.

Figure 1 shows this simple lifecycle with the data privacy controls overlaid. Details of these controls are described below the figure. the aim is to gather information about the data use in a digital service to demonstrate compliance as the digital service is developed in the most cost effective manner and use the associated processes to design, develop, deploy and operate the digital service in a way that ensures data privacy is respected.

Figure 1

Figure 1: The additional steps needed to manage data privacy throughout the digital service’s lifecycle

Return to Guidance on Governance.

License: CC BY 4.0, Copyright Contributors to the ODPi Egeria project.