Personal data management: main pain points and challenges
Regardless of the sector of the economy in which they conduct business and the countries in which they operate, organizations are already working seriously on managing personal data.
The objective is not only to bring data processing into line with local and international legislation, but also to demonstrate an ethical commitment to privacy, security and the correct use of user information.
To develop this article we interviewed Facundo Malaureille Peltzer, co-founder and Privacy Manager of Data Governance Latam.
The expert analyses the main pain points in personal data management and how they can be resolved. He also addresses the legal challenges of adapting data processing to current regulations and refers to the importance of cultural change.
Major pain points in personal data management
Organizations face various challenges in terms of data management. The most relevant one is not being able to continue building their architecture due to the lack of a well-established and consolidated base.
In other words, it is not feasible to move forward with the construction of the fourth or fifth floor of a building without having a solid foundation.
In practice, companies often have to rethink questions that they thought had been resolved, but which are not really resolved.
To understand how we got to this point, we have to remember that historically organizations were absolutely analog and paper dominated the processes.
With the technological advances of recent years, that stage is behind us and progress was made in digitalization and automation.
Many companies that were not born digital, faced with the need to manage personal data, had to work out how to obtain customer consent and manage customer data.
The challenge is that this data may be in old files, or even in boxes in physical warehouses. This means having to solidify the base and ask for customer consent again in order to process their personal data, then govern it and, eventually, move towards customer experiences and artificial intelligence.
Another group is made up of organizations that have not given importance to compliance with the regulations and current legislation on the management of personal data. These regulations have been changing in recent years, especially from 2018 to today.
In fact, more and more countries have personal data regulations. So, in a globalized and connected world, there are Argentine companies, or companies from other countries in the region, that wonder why they have to comply with Brazilian or European regulations.
The answer is that the current legal provisions must be complied with. If you do business with Brazil or Europe, both will require companies to have a level of compliance that is probably much higher than what they have locally.
The pains in organizations start there, because they are immersed in a globalized world where 83% of the countries of the world have regulations linked to the management of personal data, which must be complied with.
It is a process that has a known beginning but never ends. Therefore, the sooner it begins, the better.
How can the pains associated with personal data management be resolved?
Understanding that you have pain is already important. It is the first step. The next step is to analyze the importance and magnitude of the problems that the company has to deal with.
With a solid foundation, you can delve deeper and continue to make progress in managing personal data.
What path should be followed to resolve these issues? The most important thing is to take a picture of the organization, with an assessment or audit that focuses on compliance and processing of personal data.
From there, it is necessary to analyze how the company is doing in terms of compliance with local and international regulations.
A company that works only in Argentina is not the same as one that has contact or commercial operations with other countries.
This is especially true if you have contacts with Brazil or Europe, because the regulations there impose more requirements than those you have to comply with locally. These include express consent from the data subject, who has been informed of the purpose for which their data will be used.
The next step is to have an updated personal data management policy.
At this point it is important to keep in mind that these are not procedures and documents written in stone. Every time a new processing model emerges as a result of new regulations in force, policies and their associated documents must be modified.
Next, the applications and the website must be reviewed to identify whether any type of update should be made. For example, incorporating a checkbox or working on issues related to cookies.
When the organization decides to carry out new data processing, it will probably also need to go through a risk and impact analysis process.
Its aim is to determine how new procedures may affect personal data.
On the other hand, every time an organization makes an international transfer of data, it must be checked where that personal data goes. Even more so, taking into account that all companies do it, since both the servers and the clouds are usually located abroad.
Once the organization has these processes underway and resolved, it is time to ask itself if it has made the necessary progress to hire a personal data compliance officer or Data Protection Officer (DPO).
A Data Protection Officer or Data Privacy Officer is a professional who has a fundamental role in compliance with the protection and management of personal data.
The position may be part of the organisation's structure or outsourced. All modern regulations allow this.
This is the person who will be in contact with all areas of the organization, with the enforcement authority, and with the data owners.
Legal challenges facing organizations in data processing
The challenges related to the protection and management of personal data are solved first by identifying them, and from there making the decision to start working on them.
We know that these are processes of continuous improvement.
You can say that you want to get to a certain point and when you get to that point, something new can happen: for example, a regulation or a recent process.
This means, as we discussed before, that in the management of personal data, you know when it starts, but the process never ends.
Along this path, the organization is immersed in a cultural change and works with accountability, or demonstrated responsibility. This is a key principle, which has been used since the entry into force of the General Data Protection Regulation (GDPR) in Europe.
It consists of a legal and ethical obligation that falls on organizations that process personal data: to assume responsibility for the protection of such data and for compliance with applicable regulations and standards.
Today, what distinguishes one organization from another, beyond an office, a brand or the good coffee that can be served in a meeting room, is the ethical treatment of your personal data. That is, regardless of whether there is a law requiring the processing of personal data, or whether there are internal policies that protect it.
There are many examples of companies that have been working very well on this issue and are absolutely convinced of doing so, even though the countries in which they operate do not have legislation that requires it of them or imposes fines.
These companies gain in competitiveness and stand out, making personal data management one of their greatest assets.
Various studies have shown that consumers increasingly value companies that care about their data, that are concerned and that take action on it.
How can these challenges be resolved?
Organizations need to analyze where they are starting from, through an assessment or small audit focused on privacy and personal data management. This will bring out the issues that need to be adjusted.
It should not be forgotten that personal data laws seek to ensure that any person, as a data subject, can go to a company and ask what data the company has about them.
The challenge therefore lies in building and reviewing these processes so that when someone comes and exercises any of their rights of access, rectification or portability, an appropriate response can be provided.
If organizations do not have this process coordinated, it must be worked on, because if a company does not respond within the legal deadlines (which vary between 5, 10, 15 or 30 days, depending on the country), it will be in breach of contract.
Conclusion
It is essential to keep in mind that the processes linked to the management of personal data are deeply connected with the processes of cultural transformation. This is definitely the biggest challenge for those working in the sector.
You can have a good privacy policy and transfer agreements, but if the organization does not think in terms of protecting and managing personal data, it still has important issues to resolve.
Cultural change is essential, and at this point the word we mentioned a few moments ago becomes relevant again: accountability. It is a very important word, present in the most modern regulations, which can be translated as demonstrated or proactive responsibility.
Through our Data Innovation Studio, we accompany organizations in their process of transformation into a data privacy compliant company, with a team specialized in creating data governance programs, verifying regulatory compliance, designing data governance strategies and implementing global frameworks. Contact one of our experts now.