In the first two installments in this blog series, we took a closer look at the first two priorities that DPOs in France should consider – gaining visibility and taking action. In the final part we will look at the third priority: automation. We tackled the discovery and mapping of personal data and then developed the appropriate processes to help ensure you are meeting the most highly enforceable elements of GDPR compliance. Now, you should turn to automation to add a level of efficiency to these processes.
Automation can help your data protection team free up valuable time and resources that can then be dedicated to other areas of your compliance program – for example, where gaps in compliance have been highlighted. Automation can also help with overall program maturity by removing the possibility of human error.
By giving your organization greater insight into its processing activities and creating an accurate and detailed audit trail, automation can also help to generate more detailed reports. When we look at the central point of each priority, we can see that priority one is being prepared, priority two is executing your program’s goals, and priority three is focused on program maturity.
When a security incident occurs, you need to act fast. Start with assessing and investigating the incident. Automation can help pull together all the key information that your incident management team needs, giving holistic insight into what has happened and what data is involved.
Through an understanding of the sensitivity of the data involved and the regulatory notification obligations that apply, your data map can help you automate the notification process. Automating notification assessments can take much of the manual guesswork out of when breach notifications should take place and who should receive them, as well as actually sending the notification.
Automation can also help generate audit trails and maintain records of incidents ready for when the regulators come knocking.
How OneTrust helps with incident management automation
OneTrust Privacy Incident Management helps organizations manage the incident lifecycle and comply with global breach notification requirements. Privacy Incident Management can also help the incident response team streamline investigations and automate key tasks including:
Data protection teams can also link incidents to their data map and vendor inventory to aggregate critical information, including contractual obligations, data stored, and potential risks.
In the final act for Lois at ACME Co., automation becomes a key part of managing the incident.
Having strong insight into ACME’s data, Lois was able to determine the nature and sensitivity of the breach. Based on this, Lois was able to take the appropriate action to remain compliant with data breach notification obligations under the GDPR.
However, performing the task manually took time, and Lois nearly exceeded the maximum timeframe for the data breach notification. Having prepared ACME’s evergreen data map helped reduce the time burden involved, but automation would have helped to mature this process as well as speed up investigation and response times.
Lois’ next step will be to implement automated processes for incident management to help alert their data protection team to potential incidents, flag compliance and security gaps, and suggest remediation actions. Automation will streamline Lois’ incident management process – including assessing whether a notification needs to be made to individuals, regulators, or both – and will give ACME’s incident management response team more time to assess, investigate, and notify when a data breach occurs.
DSARs are time consuming. Each stage of fulfilling a DSAR involves a number of processes that, when performed manually, can become almost impossible to complete within the GDPR’s specified timeframes for responding to a DSAR. However, a large proportion of the steps required to fulfil a DSAR process can be automated.
From intake to fulfilment, DSAR automation can reduce time to respond from weeks to minutes. Automation tools such as data discovery and automated data mapping capabilities can remove the need for manually finding all types of personal data across data sources. This is particularly useful in the case of unstructured personal data, where information relating to an individual may be found in emails, video, or audio files. Automated data discovery tools can scan multiple formats across a range of on-prem and cloud-based data sources in seconds. Automation in this instance also removes much of the human error that can be associated with DSARs, including missed or co-mingled examples of personal data.
Once found, automated redaction tools have the capability of removing and redacting personal information related to others – speeding up the review process.
Even sending a final response to the requestor can be automated.
How OneTrust helps with DSAR automation
The OneTrust Privacy Rights Automation tool contains automated capabilities that allow you to implement a scalable, automated data privacy rights fulfillment process.
Privacy Rights Automation helps you to comply with data protection laws such as GDPR, LGPD, and CPRA in one platform. Using OneTrust’s DSAR tool can help to eliminate manual tasks by fully automating data discovery, ID verification, redaction, and response. OneTrust Privacy Rights Automation can give you peace of mind by being able to satisfy all request types from either a data subject or an employee as well as requests for access, deletion, and other individuals’ rights.
With OneTrust Privacy Rights Automation you can:
The final piece to Clark’s DSAR process puzzle is turning to automation. Clark has already overcome the challenges of gaining visibility into personal data through data discovery and mapping exercises as well as taking action on DSAR fulfillment through ID verification processes, discovery, and redaction. But when done manually, these processes present potentially the biggest challenge for Clark’s data protection team.
Dealing with just one DSAR manually can drain the time and resources of the data protection office, but multiply this by 10 or even 100 times and the challenge becomes apparent. This is the case for Clark at Daily Planet. Since the number of DSARs received by Daily Planet is becoming unmanageable, Clark is aware that the risk of breaching DSAR response time requirements is a reality. Therefore, Clark must turn to automation at every step of the fulfillment process.
Now, not only can Clark and their team respond to DSARs more quickly than ever before, but they can also make a record of each request and gain insight into the type, volume, and regularity of requests. Additionally, automation has allowed Clark’s team to be more accurate with their responses and cut out human error.