Privacy by Design and by Default  and how to reap its benefits

Privacy by Design and by Default and how to reap its benefits

The General Data Protection Regulation (GDPR) enhanced  European data privacy rules significantly. The introduction of ‘Privacy by Design’ and ‘Privacy by Default’ make up two of these enhancements . Although new as a legal requirement under the GDPR, these enhancements  are not new by any means. Considering privacy from the start of the development design process is essential to address privacy successfully.


Building efficiency by thinking of privacy proactively,  not reactively. 


Under the previous  Directive, data controllers were required to implement appropriate technical and organisational measures to protect data against unlawful processing. This, however, led to  privacy considerations becoming a afterthought in the development process.

The GDPR requires organisations to consider privacy at the initial design stage. Privacy therefore needs to be a  key ingredient of the successful introduction of a  new product, service, or technology. rather than a element  that is added for decoration at the end.

This could be seen as added  complexity, but it is actually a much simpler exercise than applying privacy considerations after a design is fully developed.

When you give thought  to what personal data is to be used, for what purpose and under what lawful basis, it reduces the  risks that you  discover at a later stage, that attempting to embed privacy is technologically demanding , expensive or even not possible at all.

The application of Privacy by Design  actually increases the efficiency of the development process. Knowing what data you want to use, and giving data subjects consideration on how their data is used by applying Privacy by Default, will also create more transparency for the data subjects. The inclusion of privacy as the bedrock of development helps builds trust with data subjects in collecting data in the first place.

In other words: applying Privacy by Design and Privacy by Default is an essential ingredient of good privacy practice. Many organisations are  already introducing these ideas in to their development processes and are reaping the rewards.


Embedding privacy in the design process, where to start?


In order to embed privacy in the design process four key areas must be taken into consideration.


  1. Keep within legal boundaries and be accountable

Under the GDPR organisations must be able to demonstrate their adherence and compliance to the privacy principles. Having a clear data privacy strategy where early privacy decisions are taken when introducing new technologies certainly helps organisations stay on track.

When assessing a concept or idea keep top of mind if it can be introduced whilst remaining within the principles of privacy . Performing a Data Privacy Impact Assessment (DPIA) is a great way to highlight any risk of non compliance that would put your development  at risk . Also remember to keep records of completed DPIA’s as this will demonstrate your decision taking at a later point in time.

  1. Ethical Transparency

The ethical aspect of your approach  must also be taken into discussions early on. An organisation should actuate how transparent it intends to be  on its data processing and how much detail it wants to know about  the data subjects involved. A helpful questions is: would you be  happy to use the product or service yourself?

  1. Importance of clear Communication

Clear Communications to data subjects is very important to address at all stages of the  development process. Communication channels must be clear and easily understood, also when something goes wrong. For data subjects it must be clear who to contact if they want to exercise their rights or find out more about how their data is being used.

  1. Data security, quality and retirement

Finally it is vitally important to ensure that adequate security measures are put in place, how the integrity of the  data can be maintained, and how its availability can be guaranteed and how the data will be disposed of when the product or service retires.




Successful implementation of both Privacy by Design and Privacy by Default requires that employees – especially those involved in the development of new products and services – have a good understanding of data privacy awareness. Clear policies, training and work instructions related to data protection should be put in place and a privacy advisory specialist should be available to assist in applying these requirements. Whichever  development methodology is used beit agile, waterfall etc.) privacy should be at the heart of the development lifecycle. This will enable the development teams to apply appropriate measures in the relevant phases.

GDPR Data Controller vs. Data Processor Explained

GDPR Data Controller vs. Data Processor Explained

Defining data processing roles within a controller / processor contract requires a deep understanding  of its obligations and liabilities if you  are to make it a success remain compliant.


There is many a conversation taking place  over the responsibilities and accountability of  data controllers and data processors. Both have responsibilities under the GDPR, but their obligations to the regulation  differs. Predominantly, data controllers have more accountability and liability, but processors have new responsibilities and new added layers of liability written into their roles.

I often hear the term “are you a controller or processor”, It’s not as simple of that of course. Although you cannot hold  the controller and processor roles in a single data processing activity, you can if you are a service organisation  hold  the controller role in one process activity and be the processor in another processing activity. Organisations should look at their Data Processing Addendums and SCC Agreements and ensure that they are clear what role in that agreement they hold.

We will  attempt to guide you through the descending mist on the subject in this article.

Stay with us  to find out what areas  of the regulation are relevant and apply  to your operations most and how you need to work together with your partner / vendor to reach and  maintain GDPR compliance.



Definitions of Controller and Processor


A data controller is: “a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.”

Data processors process personal data on behalf of the controller in the way instructed by the controller.and that extends to any sub- processor used by the processor..

Here’s an example:

Your online store  captures email addresses and other personal data provided by both store visitors  and store members for sales and marketing purposes. All the data collected is then sent on to Jon Doe  Global Marketing Ltd for the purpose of utilising the information for email marketing, SEO, and social media campaigns.

By providing  both the data and the processing activity instructions, then you are the data controller in the relationship  and Jon Doe Global Marketing Ltd is the data processor.

If you were to  provide the data but delegate to Jon Doe  Global Marketing Ltd the means of processing the data , then you are both data controllers and Jon Doe  Global Marketing Ltd is also the processor.

Why is there so much importance  who provides the “purposes and means of processing?”

The GDPR differentiates  between these roles for compliance purposes. The European Commission’s guidance holds the data controller to be the accountable party responsible for collecting, managing, and providing access to data.

For example, if a data subject exercised their right  to request their data, the controller would access it from their servers or from the processor they contracted to handle the data.


Differing Roles for Controllers and Processors


The GDPR Regulations  distinguishes between controllers and processors for  the purpose of responsibility and accountability. As a result, each receives different assigned roles for GDPR  compliance.

Let’s take more detailed look into  each party’s role according to legislative requirements.


Data Collection


Only data controllers collect personal data from data subjects. As a result of this, data controllers are also responsible for determining their lawful basis to obtain that data.

Data controllers need to establish a lawful basis  for collecting the data using one of the six bases for data collection featured in the GDPR and if the data includes special category data data controllers must also establish a basis for collecting and processing that data using one of  one of the ten basis also featured in the GDPR.

Organisations must also  ensure their process is transparent by creating and publishing  a Privacy Policy on their website that outlines:

  • What data they collect
  • How they store the information
  • How they use the information
  • Whom they share the data with
  • Whether they share the data with third parties
  • When and how they dispose of  the data

As soon as  a data processor becomes involved in  the collection of data, they become a data controller and all of the above responsibilities apply.




Controllers are held  accountable  to only use data processors who follow the legislation. There should be detailed due diligence in the selection process of data processors. This usually takes the form of  a due diligence questionnaire, and could include a data privacy audit. Where there is high risk involved then a DPIA must be carried out as part of the process.

Furthermore , at all times  a data controller and data processor agree to work together, they must use a clearly defined contract to do so. The contract must outline the instructions the processor must follow when processing the data.

Include the following stipulated  GDPR- information in each contract:

  • Nature, purpose, subject, and full timeline of processing plan
  • Controller rights and obligations
  • Categories of data include
  • Categories of data subjects
  • Agreement to adhere to instructions
  • Confidentiality issues
  • Commitment to security and Article 32
  • Terms of hiring sub-processors
  • Evidence of compliance with Article 28
  • Return and disposal of data

The design and  introduction  of a contract is the responsibility of the data controller. Data processors are accountable  by law to follow the instructions provided by the controller.

If the controller fails to outline the required data processing activities  and leaves the methods and means up to the processor, then the processor becomes a  controller in the eyes of the law.

Data processors are not only accountable  to uphold the terms of the contract. They must also inform the controller if something in the terms of the contract contravenes  on any of the GDPR or other legislations.


Codes of Conduct or Certifications


In addition to having a contract, both controllers and processors must agree to a code of conduct or a recognized certification process that specifies how the agreement meets GDPR standards.

Read more about Codes of Conduct in Article 40




The GDPR holds data controllers accountable and responsible  for the collection, use, and disposal of personal data in most cases.

However,  previously  data controllers were already liable under both European legislation and national law.

What’s new in GDPR is the added accountability and liability for data processors.

Under the GDPR , individuals whose data you hold may send queries or complaints to either the data controller or the data processor.

Data processors are liable when they work outside of instructions provided to them by the controller or when they violate the terms of the GDPR.

Both the controller and processor must ensure through sound   security practices that they achieve and maintain  compliance with the GDPR. Each party involved in the contract has an obligation to protect data from:

  • Unauthorized access (both internal and external)
  • Loss of Availability of the data
  • Destruction
  • Accidental loss
  • Disclosure

The GDPR outlines the measures in Article 32 and applies them to both controllers and processors equally.

Agreed security measures must be detailed  in the contract, but the guidance also requires both parties to go one step further.

In addition to using adequate and appropriate security measures, both controllers and processors must adhere to the approved code of conduct or certification mechanism agreed upon.

The code of conduct is outlined in Article 40(2).


Data Protection Impact Assessments


Controllers must use data protection impact assessments whenever they instruct a processor to carry out a high-risk data processing   activity. Each member states Supervisory Authority outlines what it considers to be high-risk activities.

Each Data Protection Impact Assessment (DPIA) must include a minimum of four essential elements:

  1. Description of the purpose of the process and the process itself
  2. Assessment of need for processing
  3. Evaluation of risks
  4. Measures applied to address and minimize risks

When should controllers carry out a data protect impact assessment?

Here are a few instances:

  • Trying out new technologies
  • Carrying out large scale profiling
  • Extensive and systematic profiling
  • Large scale processing of special category data
  • Mixing or matching data from multiple sources
  • Processing children’s data for marketing purposes
  • Processing data that might cause physical harm if breached




Transparency is a crucial goal of the GDPR

Article 5.2 says that data controllers “must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject.

Transparency should  continue throughout the life of the data from collection to deletion.

Processors aren’t explicitly mentioned within in the text in the article.


Records of Processing Activities


Under Article 30 Data controllers are now required to keep records when the following criteria is met

  • the processing is likely to result in a risk to the rights of affected employees (e.g. scoring, comprehensive monitoring, high risk resulting out of unauthorized disclosure or access, use of new technologies),
  • the processing is not occasional or
  • the processing includes special categories of data as referred to in Article 9 (1) (e.g. health data, biometric data, data related to political or philosophical beliefs) or personal data relating to criminal convictions and offences referred to in Article 10.

These records outline the basis for your data collection and include the details related to:

  • Details of the controller
  • Processing purposes
  • Description of types of data collected
  • Categories of data recipients
  • Data transfers including data transferred to third countries
  • Erasure details
  • Overview of data security measures


Data processors also obligated to  now keep records. Their records relate to the processes controllers ask them to carry out and include:

  • Name and details of processor(s) and controller(s) and Data Protection Officer (if applicable)
  • Categories of processing
  • Data transfers to third countries or international organizations
  • General description of security measures according to Article 32

All records must be both in writing and electronic form and should be ready to present to the Supervisory Authority if and when  requested.


Reporting Data Breaches


Controllers must notify the Supervisory Authority and the data subject whenever a data breach results in the  rights and freedoms of data subjects being put at risk. Reports made to the Supervisory Authority need to be submitted within 72 hours of finding the breach. Minor data breaches that do not require reporting to the Supervisory Authority must be documented in a data breach record.

If a processor finds a security breach, they must notify the relevant controllers impacted by the breach.


Appointing a Data Protection Officer


Both controllers and processors must appoint a Data Protection Officer (DPO) when they work with data and meet one or more of the following criteria:

  • Are a public body
  • Process large scale data requiring regular monitoring
  • Hold special categories of data (including criminal conviction or offense data)


If appointed, a DPO’s role is to:

  • Advise the organization about its role in data protection
  • Monitor compliance with relevant legislation
  • Help with impact assessments
  • Work with relevant Supervisory Authorities

The DPO can be an internally appointed of outsourced to a DPO service provider.




Both data controllers and data processors have different obligations under the GDPR, but you’ll also find that their roles complement each other  in reaching the goals of transparency and accountability.

Data controllers perform much of the regulatory resource intensive duties , while processors play a more prescriptive role. However, they both have new liabilities under the law that makes it essential  for each to uphold their end of the contract . Working together promotes compliance and helps both parties avoid the new, hefty fines that come with violating the rules.

Relentless Data Privacy provide a full range of services and our new soon to be launched GDPR 24/7 platform where all of the above can be achieved in one place.


Data Privacy Impact Assessments ( DPIA) A key element of privacy by design

Data Privacy Impact Assessments ( DPIA) A key element of privacy by design

Data Protection Impact Assessments

Data protection impact assessments (DPIAs)assist  organisations to identify, assess and alleviate or diminish  privacy risks with personal data processing activities. They’re particularly needed  when new data processing process, platform or system is being introduced.

DPIAs also defines the accountability and responsibility principle, as they help organisations comply with the requirements of the General Data Protection Regulation (GDPR) and demonstrate that appropriate measures have been taken to ensure compliance.

Failure to conduct a DPIA where it is needed  is a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million – whichever is greater.


When should a DPIA be conducted?


A DPIA should be conducted at the earliest  point within any new project lifecycle, so that its findings and guidance  can be immersed into the design of the processing operation.

When the  embedding of data privacy features  Privacy by Design, is placed into the design of projects can  result in but not limited to the following benefits:

  • Potential problems are identified at an early stage and can be remediated.
  • Eliminating  problems early into the project will often reduce costs .
  • An better understanding of privacy and data protection across the organisation.
  • Organisations will be less susceptible to data breaches.
  • Project delivery will have a less detrimental effect on data subjects .


Key pillars of a successful DPIA


The GDPR data regulation does not specify a certain DPIA  process to be followed, but alternatively allows for organisations to design a framework that supplements  their existing working practices.

(DPIAs) are an integral part of taking a Privacy by Design approach.

A DPIA will typically consist of the following key steps:

  1. Assess  the need for a DPIA.
  2. Delineate  the information flow.
  3. Identify personal data protection and related risks.
  4. Design data protection solutions to mitigate or eliminate the risks.
  5. The DPO signs off on the outcomes of the DPIA.
  6. Integrate data protection solutions into the project.



In addition to the reduction in data privacy risks within a project,  Data Privacy Impact Assessments (DPIAs) will enhance the protection of data subjects data which in turn decreases  risks of damage to individuals through the misuse of their personal information. It can also lead to improved data handling processes, less load on resources and better awareness within the organisation

DPIA’s should not be seen as a stand alone process as it can be easily  embedded into your existing project and risk management framework. This will reduce the workload on the resources needed  to conduct the assessment.


What is “privacy by design”?


Privacy by design as outlined in article 25 of the GDPR  is an approach that promotes privacy and data protection compliance from the start. Regrettably , they are often implemented late or as an afterthought or not started at all.

Data protection by design and default is a requirement of the GDPR Data Protection Act, and will assist  organisations comply with their obligations under the legislation.


Benefits of taking a “privacy by design” approach


The advantage of taking the above approach can be rewarded with the following,

  • Potential issues  are identified at an early stage, when addressing them will often be simpler and decrease any costly reworking of project elements.
  • Increased awareness of privacy and data protection across an organisation.
  • Organisations are more likely to meet their legal obligations and less likely to breach the Data Protection Act.
  • Actions are less likely to be privacy intrusive and have a negative impact on individuals.


Who should be involved in conducting a DPIA?


As an organisation that is collecting  and storing personal identifiable information, you are responsible for ensuring that a DPIA is carried out.

The DPIA should be driven by resources  with appropriate expertise and knowledge of the project being proposed normally the project team. If your organisation does not possess sufficient expertise and experience internally, you should consider bringing in external specialists to consult on or to carry out the DPIA.

Under the GDPR it is necessary for any organisation with a designated data protection officer (DPO) to seek the appropriate advice. This advice and the decisions taken should be documented as a part of the DPIA process.

Relentless Data Privacy has expertise and broad industry knowledge of leading DPIA assessments for internal project teams. Launching in late April the Relentless GDPR 24/7 platform incorporates the DPIA workflow.


SAAS & GDPR: Why Your Business Needs a Data Protection Impact Assessment When Migrating to the Cloud

SAAS & GDPR: Why Your Business Needs a Data Protection Impact Assessment When Migrating to the Cloud

That new cloud app may help your business work smarter, but did you know that it could be impacting your GDPR compliance? Relentless Privacy & Compliance explain how.


From accounting to marketing, managing day-to-day office functionality to making those all-important sales, there isn’t a single aspect of modern business that hasn’t in some way been improved by the evolution of cloud-based Software-as-a-Service (SAAS platforms.

Not only do the likes of Salesforce, Sage, ADP and Microsoft Office 365 help businesses to reduce costs by eliminating the need for expensive software licenses, they also help to significantly improve performance, efficiency and all-round collaboration.

So it’s no wonder that more and more businesses are turning to the cloud than ever before, with around 77% of organisations using at least one cloud-based SAAS solution.


Yet if you’re thinking about joining that 77% and migrating more of your office functionality to the cloud, there’s something you should know:

Using a SAAS platform could affect how compliant you are with current data protection laws such as GDPR.


Today, the data protection specialists at Relentless Privacy and Compliance explain how carrying out a comprehensive Data Protection Impact Assessment (DPIA) can ensure you continue to enjoy frictionless GDPR compliance when working in the cloud.


First, however, let’s look at the threat to your compliance posed by modern SAAS platforms.


Cloud Services and Your Data Protection Responsibilities


By now, you’ve likely done a lot of work to ensure your GDPR compliance strategies, policies and procedures are absolutely airtight.  That includes ensuring you have both technological and organisational measures in place to protect the private personal information of your customers. Yet when you take any office functions requiring data processing and migrate them to a cloud software solution, you lose some of that airtight control you have over your data.




Because whether you’re using Sage, Salesforce or something else entirely, the minute you input data into those apps, you are technically making them your data processor and entrusting them with the responsibility of protecting your data on their servers.


Does that make those companies solely responsible for data protection?


Not exactly.


Who is Responsible for Personal Data Stored on a Cloud App?


It’s true that any company which processes the data of EU data subjects has to be fully compliant with GDPR, and since any data you input into say, your cloud-based Sage software gets stored on Sage’s servers, that does indeed make them responsible for protecting it.


Yet that doesn’t mean you’re off the hook if something should happen to that data. As a data controller, the ultimate responsibility comes down to you. Since you authorised Sage to process that data, you’re still liable if something goes wrong.


The good news, is that this doesn’t have to be as scary, nor as complicated, as it sounds.


By carrying out a Data Protection Impact Assessment you can be sure that you’re meeting all of your compliance obligations when signing up to a new cloud service and, more importantly, that your customers’ data is well and truly in safe hands.


This, of course, begs one important question:


What is a DPIA?


Also known as a Privacy Impact Assessment, a DPIA is a particular kind o risk assessment used to identify and minimise the potential risks involved in data processing activities.

Article 35 of GDPR states that:


“Where a type of processing, in particular, using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. “


We can count SAAS platforms as “new technologies,” making a DPIA essential.


What should a DPIA include?


According to the Information Commissioner’s Office (ICO) which enforces GDPR in the UK, A DPIA must:

  • Describe the nature, scope, context and purposes of the processing;
  • Assess necessity, proportionality and compliance measures;
  • Identify and assess risks to individuals; and
  • Identify any additional measures to mitigate those risks.


How Does a DPIA help?


At the most basic level, carrying out a DPIA will allow you to pinpoint any potential threats to the safety of your data and outline the measures you need to take to reduce them, including having a solid contract in place with your SAAS provider which covers data protection.


As part of this contract, your SAAS provider must agree to adhere to GDPR and any other international data privacy laws that affect your business.


Meanwhile, the DPIA itself also serves to key purposes.

1: It serves as a plan of action, outlining the practical steps you will take to reduce or eliminate risk.

2: Should the worst happen and you do suffer a data breach, it allows you to prove to the ICO or other relevant authority that you took all the necessary steps to prevent it from happening. This can prove invaluable should the appropriate authority be considering taking action against you for non-compliance.


What is the Best Way to Create a Data Protection Impact Assessment?


Though you can always create an assessment in a way that best suits you, the ICO does have a downloadable template you can use to make things easier.


Alternatively, consider eliminating the hassle and hard work of creating your DPIA by outsourcing the entire process to Relentless Privacy & Compliance.


Our data protection specialists can provide expert advice and hands-on support to help you ensure GDPR compliance while still making the most of the tools and services that help your business to thrive in the 21st century. Contact us online to arrange your free consultation, or call now on +44 (0) 121 582 0192.


Changes to Hong Kong’s Data Privacy Law: What They May Mean For  Your Business

Changes to Hong Kong’s Data Privacy Law: What They May Mean For Your Business

In the wake of a massive data security breach in 2018, Hong Kong is finally carrying out a much needed overview of it’s PDPO data protection regulation. Relentless Privacy & Compliance outline the upcoming changes and the impact on global businesses.


When the European Union first introduced the General Data Protection Regulation (GDPR) back in 2016, many countries, cities and regions around the world were quick to take notice. Seeing how successfully GDPR was implemented two years later, those same areas sprung into action, revising their own data privacy laws to better reflect and cope with the needs of today’s digital, data-driven economy.


Before long, we had The Standard from China, the LGPD from Brazil and Japan’s APPI among others.


Yet while all this was going on, one region once considered a pioneer in the world of data protection law found itself very much lagging behind. Back in 1996, Hong Kong became one of the first countries in Asia to come up with its own regulations around data privacy. Known as the Personal Data Privacy Ordinance (PDPO), the law was largely considered to be ahead of its time when it first came into force. Yet that was 23 years now. Now, almost a quarter of a century later, the world is a very different place and PDPO, according to many of its much staunch critics, simply fails to reflect that.


Revisions to PDPO


sure, the law has seen the occasional update.


Hong Kong has its own Privacy Commissioner for Personal Data (PCPD), a role currently held by Stephen Wong.  The PCPD has a statutory obligation to review the Hong Kong data privacy law, having last done so in 2012.


The result of that review resulted in new restrictions being placed on direct marketers though many people at the time, and especially now years later, have argued that such changes simply weren’t enough to protect the personal data and privacy rights of individuals in modern society. Last year, Wong finally relented and agreed to carry out another review which many hope will result in the changes needed to bring PDPO in line with GDPR and other modern data privacy


Today, global data protection consultants Relentless Privacy Compliance take a break from helping organisations ensure frictionless compliance with global data privacy laws and take a look at what these changes are likely to be.


Why is the Hong Kong Data Privacy Law Being Reviewed Now?


2018 saw one of Hong Kong’s biggest ever data security breaches as the personal data of some 9.4 million individuals were stolen from airline Cathay Pacific. The privacy breach was the last straw for critics who argued that it served as proof that the current law was no longer fit for purpose. Responding to such criticism, and drawing inspiration from GDPR, Wong admitted that changes were needed and promised to carry out a review.


So far, industry insiders are expecting the review to result in changes to the four main areas in which PDPO fails to hold its own against other international data protection laws.


These four areas are:


1: Data breach notifications


Under GDPR, data processors and controllers are required to report data breaches within 72 hours.

Since updating their privacy laws, many other parts of the world also have similar requirements in place yet so far Hong Kong does not.

Going forward, we should expect to see the rules change so that data subjects affected by a breach will need to be notified within a reasonable timeframe from when the breach occurred.

If your business deals with Hong Kong data subjects then you may want to keep an eye on the Relentless Privacy & Compliance blog or follow us on social media, where we’ll be sure to report on the exact rules that Wong and his team come up with.

In the meantime, consider how your data breach strategies for GDPR can be adapted to PDPO.


2: Non-Compliance Penalties


Incidents such as the Cathay Pacific breach have raised concerns that penalties for non0-compliance are not sufficient enough to motivate organisations into fully protecting the personal data they hold.

At present, if a company fails to protect personal data or falls short of PDPO rules in some other way, then the worst thing that happens is that they receive an enforcement notice ordering them to fix and prevent the issue from happening again.

Only if they fail to act on this notice does the Office of the Privacy Commissioner for Personal Data really hit organisations where it hurts; maximum fines of up to 50,000 HKD (roughly £5,000 GBP) and two years in prison can be issued, though most critics argue that this isn’t enough.

They expect Wong’s team to bring penalties more in line with GDPR, which currently imposes fines of up to 20 million euros or 4% of global turnover depending on which one is higher.


3: Data Processors


Under GDPR, both data processors and controllers have an obligation to comply with the regulations whereas PDPO only currently applies to controllers. Since a large majority of data breaches occur at the processor level many insiders say that this is neither sufficient nor fair.

The upcoming changes are likely to address this by making processors equally accountable.


4: International Data Transfers


Section 33 of PDPO actually prohibits international data transfers except under certain circumstances, which are:

  • The recipient country is included in a “white list” issued by the PCPD
  • The data user reasonably believes that the recipient country has laws substantially similar to, or which serve the same purpose as, the PDPO
  • The data subject has consented to the transfer
  • The data controller has reasonable grounds for believing that the transfer is necessary to avoid or mitigate any adverse action against the data subject, and it is not practicable to obtain the data subject’s consent; but if it were practicable, the data subject would provide their consent
  • The data user has taken all reasonable precautions and exercised due diligence to ensure that the personal data will not be used in a manner inconsistent with the provisions of the PDPO

Yet despite being enacted in 1995, Section 33 has never yet come into operation.

The upcoming review by Stephen Wong is likely to address this by first bringing Section 33 in line with GDPR Articles 44 through 49 which deal with data transfers, and then finally putting it into operation for the first time in the long and troubled history of the Personal Data Protection Ordinance.

Need expert advice preparing for changes to Hong Kong’s data privacy law? Looking for a simpler solution to map all of your current international data protection methods?

Talk to Relentless today about how our global privacy service can help your organisation enjoy frictionless compliance in a way that provides long-term added value. Contact us online to arrange your initial consultation or call now on +44 (0) 121 582 0192


Data Mapping and GDPR Compliance – What Your Business Needs to Know

Data Mapping and GDPR Compliance – What Your Business Needs to Know

A comprehensive data map can prove an inavaluable tool in helping you manage your data privacy, but what exactly is a data map and why do you need one? Relentless Data Privacy.


As we approach the one-year anniversary of its arrival, most businesses have a fairly good grip on what GDPR means for them.

They’re well aware of the need for a lawful basis to collect and process data. They understand all the benefits of hiring a Data Protection Officer (DPO), and whether or not they’re legally obligated to appoint one. They’re also well aware of their responsibilities with regards to international data transfers and for International organisations offering services and monitoring EU data subjects the need to appoint an EU Representative.

Yet if there’s one aspect of data protection law that still leaves many of those same businesses scratching their heads, its data discovery and data mapping. If you’re one of them and still find yourself still scrambling to figure out what they are, we’re here to help.

Today, Relentless Data Privacy & Compliance answers your key questions about data mapping and how it can help you achieve frictionless compliance with GDPR.

What Exactly is Data Mapping?


Though it sounds fairly complex, both data discovery and data mapping are pretty simple concepts.

They refer to the process of taking stock of all the data your business collects and processes, then mapping exactly what happens to it and where it goes on its journey through your company and further afield. Relentless GDPR 24/7 launching in late April 2019 takes it one stage forward as it produces a visualisation of your data map.It’s a process that proves invaluable for businesses no matter how much, or how little, data they process, tracking the entire lifecycle of that data from the moment it’s collected to the point at which it’s finally deleted.


How to Create a  Data Map


In most cases, the responsibilities for data mapping typically falls to your Data Protection Officer (DPO) or other designated person with data protection responsibilities. Depending on your circumstances, this person may be an in-house employee or an outsourced data privacy consultant. The extensiveness of your data map will depend on the nature of your business and your data processing activities, but all data maps have a number of things that they should contain.

For complex businesses where multiple departments process personal identifiable data you need to break down the mapping by department. Furthermore for multi entity global organisations the need to have seperate data mapping for each entity within one encompassing portal.

These include:

  • What type of data you collect (email, bank details, address etc.)
  • Why you’re collecting that data
  • Whose data you collect
  • When you collect the data
  • What legal basis you have for processing the data
  • Where you store the data
  • What conditions are in place to protect the data
  • Which, if any, third-parties you share that data with
  • Where those third-parties are located
  • What protocols do you follow to protect data during data transfers to third-parties?


Why is Data Mapping so Important?


At the most basic level, having a solid data map in place can help to minimise the risk of data breaches and privacy threats by ensuring that no data enters or leaves your organisation without being fully accounted for. Yet there’s more to it than just that.


Article 30 of GDPR states that:

“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller

The records…shall be in writing, including in electronic form

The controller or the processor…shall make the record available to the supervisory authority on request.”


In other words, GDPR itself makes it mandatory to map data and make those maps available to supervisory bodies in the 28 member states when requested to do so.

Other useful benefits of data mapping include:


Privacy by Design


While Article 30 may be the most compelling reason for businesses to carry out data mapping, it isn’t the only one. Remember that Article 5 of GDPR establishes the principle of Privacy of Design.

In other words, data protection and privacy should be integrated into the very foundation of your business, rather than bolted on to your activities as an afterthought.

Using data maps from the beginning ensures that you have the proof you need to show that you’ve adopted a culture of Privacy by Design within your business. This can be especially helpful when it comes to creating a Data Protection Impact Assessment DPIA for new projects.

A big part of the process of creating a DPIA involves identifying the flow of data through your organisational, as well as identifying the associated risks.

Having a comprehensive data map in place will make this process so much easier for your DPO or other appointed data protection specialist.

Using your data map, your DPO will also have a much easier time of responding to data subject access requests, as this will allow them to quickly and simply pinpoint all the relevant data requested by a subject.


Launching in April 2019  Relentless GDPR 24/7 portal which brings together 10 modules covering all of the above and more.

Still need more advice or hands-on support with creating a data map for your business? Talk to the data privacy specialists at Relentless. As well as serving as your designated Data Protection Officer, we can help with data discovery, data mapping, and ensuring that your business enjoys frictionless compliance with GDPR and all international data protection laws. Contact us online today to arrange your initial consultation or call now on +44 (0) 121 582 0192.