In past articles, I’ve mentioned Privacy by Design and Standard Operating Procedures. In this post, I will chat about the importance of combining them. GDPR, Europe’s privacy regulation, mandates the need for Privacy by Design and Default. While no set guideline exists in the regulation, there are a number of questions you can ask as part of your SOP design. In my own SOPs, I include 15 questions; however, these may change per environment. As such, I’ve included my top 6 questions below.

Top 6 Privacy by Design Questions

1. Does the SOP involve the processing of Personal Information?

This question very simply relates to whether any personal information is processed during the course of this procedure.

2. What kind of Personal Information is being processed?

In the event of personal information being processed, what kind of information is it? And, does it fall into any sort of Special Personal Information category?

3. What is the summary of the processing?

At a high level, what occurs during the processing of the information?

4. Is the purpose of the processing covered by our Privacy Policy or Master Service Agreement?

Does the purpose of the processing match what we have said in either our Privacy Policy or Master Service Agreement/Contracts? If it does not match, we need to evaluate whether we are processing lawfully, or whether our policies and contracts need to be updated.

5. Is explicit consent required for any of the information?

Does any of the information fall into a category requiring explicit consent from particular individuals, for example, the processing of information of minors?

6. Has a data flow been identified and documented for this SOP?

Have you mapped out a flow of data within this SOP?

Remaining Questions

The remaining questions I include relate to the practical implementation of protection strategies and requirements from a company governance point of view. For more information on these and what is required, drop us a line or schedule an online service enquiry!

Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection.
