Wednesday 21 October 2015

Where and how to get personal information

The aim of examining your current level of PI governance should be to achieve an effective level of compliance with PDP laws worldwide. However, bear in mind that 100% global compliance is not a realistic target, not only for time and resource-related reasons, but also because these and related laws occasionally conflict with each other. Also, waiting for several months (in some jurisdictions) to secure certain national regulatory approvals is not an option for most businesses. 
Accordingly, the solution needs to be pragmatic. Key points that are simple and easy to observe are likely to be more effective at keeping your company out of the headlines than an overly legalistic program that no employee has the time or interest to try to understand and follow.
Whether or not you wish to implement PI governance measures will depend on many factors, including:
  • The level of budget and resources available.
  • The size, nature and geographical coverage of your organization.
  • Your organisation's appetite for risk.
Setting realistic goals is key. Irrespective of the scale and degree of rigour you wish to apply, ensure you record an outline of your goals at the outset during this process. As well as being a handy internal document, it may prove useful if any regulatory authority takes an interest in your organisation while your project is in progress. 
Overall, you need to review your commercial business needs and analyse the scope of data that needs to be collected to operate effectively, and thereby optimise the scope of the PI that you need to collect and process. The ideal outcome would be to process only anonymised data. Try to identify unnecessary "data elements" (for example, does the business really need to know about an individual's medical history in a particular context?). You should also seek to eliminate or minimise the collection of sensitive PI in all relevant jurisdictions.
