Compliance managers take care of risks such as corruption, violations of antitrust law, money laundering, and discrimination. Due to this wide scope, data privacy can sometimes end up quite low on the compliance department’s list of priorities. However, data privacy has a special role within compliance. It is a topic that occurs across many compliance matters, and is particularly important in whistleblowing systems. We look at how data privacy and compliance are related.
What you need to know, in a nutshell
- For companies, compliance means the implementation of certain standards to comply with (legal) requirements. Naturally, this also includes data privacy.
- Data privacy includes the implementation of data protection regulations (GDPR in particular) and therefore the protection of personal data.
- Data privacy requires suitable governance structures and processes to comply with the relevant regulations. This is where a data protection officer can build on an existing compliance management system rather than starting from scratch.
- In turn, data privacy plays a major role in many other compliance topics, for example when implementing a whistleblowing system. At this point, the compliance manager would depend on the support of the data protection officer (DPO).
- Thus, the collaboration between DPOs and compliance officers is important as both pursue the same goals: to prevent fines and enhance the company image.
In this article
- Distinction between data privacy and compliance
- How data privacy and compliance overlap
- Who is responsible for maintaining compliance and data privacy?
- How compliance officers and data protection officers can work together
- Summary
Distinction between data privacy and compliance
Compliance describes adherence to any guidelines and laws within a company. This means compliance managers must ensure rule-compliant conduct in business divisions – from the recruitment processes in the human resources department and expenses claims submitted by sales staff through to compliance with the General Data Protection Regulation (GDPR) in all departments.
Data privacy always refers to the protection of personal data. Since May 2018, the EU GDPR together with the Data Protection Act 2018 has formed the legal basis for data privacy in the UK; since Brexit, the UK GDPR has taken over that role for processing governed by UK law (the EU GDPR still applies to UK companies that process the data of people in the EU). Either way, data privacy is a legal requirement and therefore a compliance matter.
How companies benefit from professional compliance management
Structured compliance management provides a competitive edge while ensuring adherence to laws and legislation. Many public sector tenders require bidders to demonstrate that a suitable management system is in place before they are considered.
How data privacy and compliance overlap
Whilst data protection falls entirely within the scope of compliance, there are interesting overlaps with other compliance matters. For example:
Technical and organisational measures (TOMs)
The introduction of TOMs is required at many points within a company, including information security (one of the compliance risk areas). Information security aims to protect the confidentiality, integrity and availability of company assets. In contrast to data privacy, information security is about protecting the company itself, rather than the people behind the data. Although there is no single statutory framework prescribing how an information security management system must be implemented, international standards such as ISO 27001 define requirements for one. Among them is the implementation of suitable technical and organisational measures for the protection of information.
GDPR contains a similar requirement. Under Art. 32 GDPR, controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and they must be able to document those measures. Art. 32 names examples: pseudonymisation and encryption of personal data, ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing and evaluation of the measures' effectiveness.
As a result, if a company has already put TOMs in place for the protection of personal data, those measures can be “recycled” for information security, and vice versa. The mapping is not one-to-one: a control that satisfies ISO 27001 protects the company's assets, while Art. 32 asks whether the risk to the data subjects is adequately addressed, so each reused measure should be checked against the other framework's objective rather than simply ticked off. The best way to ensure this is to have compliance managers and data protection officers closely collaborate and exchange information with one another.
Introduction of a whistleblowing system
The EU Whistleblowing Directive (Directive (EU) 2019/1937) obliges companies in the EU to operate internal reporting channels. Member states had to transpose it by 17 December 2021; from that date it applies to companies with 250 or more workers, while companies with 50 to 249 workers had until 17 December 2023. However, even before the Directive, whistleblowing systems had been key compliance pillars that ensured compliance risks and breaches were identified early through reports from so-called whistleblowers.
The Directive does not require reports to be anonymous, but it does require that the whistleblower's identity be kept confidential and disclosed only with their consent or where the law demands it. This is where data privacy comes into play. Regardless of how a company implements its whistleblowing system, the whistleblower's personal data (and that of any person named in a report) is particularly sensitive and must be well protected, which in practice means strict access control, a documented retention period and a clear legal basis for the processing. The compliance officer must work with the DPO to develop a workable concept together. A separate article shows what this could look like.
Who is responsible for maintaining compliance and data privacy?
Typically, compliance is the responsibility of a compliance team headed by a compliance officer who ensures adherence to all pertinent laws, guidelines, directives and voluntary commitments. Normally, the introduction of a compliance management system and suitable software tools (e.g. digital whistleblowing systems, policy managers, etc.) forms part of this role. There are no legal requirements for the training of a compliance officer; most are graduate lawyers, often with an additional background in business and economics. In the organisational chart, the compliance officer is directly accountable to the company's management.
In contrast, the DPO takes on the role of an adviser and monitor. They analyse the current state of the company's data protection, monitor compliance with data privacy law and suggest ways to improve it (Art. 39 GDPR). Although the DPO reports directly to the highest management level (Art. 38(3) GDPR), the role is well suited to being performed by an external body of independent data protection experts. Please read the separate article on the responsibilities of a DPO to find out more.
| | Compliance officer | Data protection officer |
| --- | --- | --- |
| Tasks & responsibilities | Ensures adherence to all pertinent laws, guidelines, directives and voluntary commitments; introduces the compliance management system and supporting tools (e.g. whistleblowing system, policy manager) | Advises on and monitors compliance with data protection law, cooperates with the supervisory authority (Art. 39 GDPR); analyses the current state of data protection and recommends improvements |
| Training | No legal requirements; most are graduate lawyers, often with a business or economics background | GDPR requires expert knowledge of data protection law and practice (Art. 37(5) GDPR) but prescribes no specific qualification |
| Who do they report to? | Normally directly accountable to the company's management | Reports directly to the highest management level and must not receive instructions on how to perform DPO tasks (Art. 38(3) GDPR) |
| Is it legally required that he/she be appointed? | No; the tasks and responsibilities are not specifically prescribed by law and largely depend on the company and the rules to be adhered to | Yes, when the conditions of Art. 37 GDPR are met: public authorities, core activities involving large-scale regular and systematic monitoring of individuals, or large-scale processing of special-category or criminal-offence data. National law may extend the obligation. GDPR sets out the DPO's tasks in Art. 39 |
| Employment | More often than not an internal position, but law firms now also offer an external service (e.g. for companies not yet sure whether they want to fill the position internally) | Internal or external, depending on the company's requirements. A DPO may not be dismissed or penalised for performing their tasks (Art. 38(3) GDPR); some national laws add further dismissal protection for internal DPOs |
How compliance officers and data protection officers can work together
The examples above, the whistleblowing system and information security, highlight how data privacy affects nearly all company divisions and has a major impact on how the compliance department is structured. A conscientious compliance officer will closely collaborate with the DPO at all times. Such collaboration has many benefits:
- The data privacy processes and methods that have already been implemented (key word: TOMs) can be adapted to other compliance matters (such as information security)
- The compliance management system set up by the compliance officer can help to develop or fully integrate a data privacy management system
- Strong data privacy measures protect whistleblowers, and confidentiality of the whistleblower's identity is a legal requirement set out in the Whistleblowing Directive
- Training materials can be exchanged and supplemented, as necessary
- Compliance with data protection laws is in the interests of both the compliance officer and the DPO – so collaboration here will go a long way
Summary
Data protection and compliance can be combined effectively by identifying and using the similarities between the existing management systems. This helps create comprehensive, legally compliant processes that are transparent to customers, regulators and the public. For companies, it means a long-term competitive edge, greater trust from customers and interested parties, and, last but not least, fewer fines due to data breaches and failures to adhere to regulations.
Do you have unanswered questions about data privacy and what your business should be aware of? Don't hesitate to reach out to one of our experts for a free consultation.