Risk-based data protection advisory from the sanctions perspective
A number of issues must be considered when structuring and guiding the legal and operational demands of data protection, including the processing register, competencies and responsibilities, third-party processing rules, cross-border transfers, the rights of data subjects, technical and organisational measures and many other concerns.
IT and data protection law have long been interdisciplinary issues in the risk and information society. The use of information technology and the processing of personal data intersect with various areas of law and other disciplines. Prioritising specific modules of a data management system, especially from the perspective of sanctions risks, was a sensible measure even before the GDPR came into force. Such an approach makes the best use of available resources. For example, and given the contested question of their exploitability, data breach notifications under Art. 33 GDPR must be considered from the outset in light of the compliance risks.
Also of increasing relevance is the interaction of compliance and data protection in the context of new cybercrime phenomena. A reliable assessment of the risks to the rights and freedoms of natural persons can be made by adopting a multidisciplinary advisory approach that incorporates IT forensics.
Legal design forestalling legal dilemmas
Numerous Legal Tech applications can be successfully exploited in the area of compliance if the data protection law implications are taken into consideration through impact assessments and privacy by design.
Tailor-made to individual needs, a work product taking the form of an interactive software application or automated decision-making system can be more effective than a multi-page memo. Findings management enables the results of individual audits to be used in the context of a comprehensive risk assessment approach. These findings, up to and including the interaction of individual red flags, can also be used operationally for future compliance activities.
Advisory concepts borrowed from the field of software development, such as the (legal) design sprint, can also help to establish the correct priorities. Even with the best of intentions in terms of compliance, the wide range of potentially applicable circumstances frequently leads to implementational paralysis, typified by dilemmas relating to (prima facie) conflicting obligations. Design thinking and agile methods can offer new solutions in this area.
Focus on data protection law
- Implementation and development of data protection management systems
- Concepts covering appropriate consideration given to data subject rights
- Data breach notification
- Data transfers to third countries
- Data protection impact assessment
- Technical and organisational measures
- Privacy by design and privacy by default