Skip to main content

On-demand webinar coming soon...

Blog

3 priorities for the French DPO: 1. Gain visibility

Take control of your organization’s data protection program by following these key priorities. The first? Build a holistic view of your organization's data

Noshin Khan
Senior Compliance Counsel Research | CCEP-I, LPEC, CIPP/E, CIPM, FIP
February 22, 2023


When it comes to managing your organization’s data protection and security obligations, there is a lot for the Data Protection Officer (DPO) to consider. The GDPR places several significant requirements on organizations, from fulfilling data subject access requests (DSARs) to data breach notification obligations, security requirements, and transparency provisions.    

At the foundation of any compliance program is the need to clearly understand your regulatory obligations and your organization’s data. DPOs must also have visibility into what other teams are doing and must work closely with the CISO to help direct organizational processes toward data protection and security best practices. 

Gaining visibility is the first priority DPOs will need to address in 2023. Making sure you have a strong understanding of your compliance program fundamentals before you set up processes, will get you started on the right foot. Begin with incorrect information, and remediating that error could cost valuable time, resources, and money. 

Keep reading to learn more about the importance of building visibility into your organization’s data in the context of incident management and data subject access requests (DSARs), what the CNIL recommends, and case study examples of putting data discovery and mapping into practice. 

The importance of understanding your data for privacy incident management

Incident management is vital to both data protection and security programs, and where many regulatory obligations overlap. When dealing with a security incident, having visibility into organizational data and responsibilities is essential. Data that is unaccounted for will not have the proper security protections in place and is a risk to business – especially in the case of sensitive personal information. If such a risk is exploited, you may not even know about it until it is too late. 

Therefore, it is critical that DPOs and CISOs work together to discover and categorize structured and unstructured data from across the organization to ensure effective incident management processes. This type of discovery exercise can also help uncover gaps in your compliance programs, help to establish the extent and severity of an incident, and aid remediation efforts. 

Download the eBook:  The 3 priorities for DPOs in France: Gain visibility, take action, automate

What does the CNIL say about data breaches and incident management?

The CNIL places an emphasis on the digitalization of daily life within its strategic priorities for 2022-2024, stating that with greater digitalization comes a greater volume of personal data. The CNIL specifically calls out the part technology plays in “intensive data collection and processing” and “increasingly varied and rapidly evolving uses”. This leaves DPOs responsible for visibility into increasing quantities of data collected and processed by an organization, according to the CNILs Guide on Data Protection Officers

[Monitoring the effectiveness of compliance with the GDPR] must take the form of verifications organized by the DPO (external audit or internal contact), or carried out by the DPO personally, in collaboration with other key functions such as the CISO (Chief Information Security Officer). […] these controls or audits may consist of: 

  • verifications of the accuracy of the information contained in the record of processing operations implemented by the organization (inventory of processing activities, scope of purposes, data subjects, nature of the data processed, recipients and possible transfers outside the European Union, retention periods, security measures);  
  • verifications of the compliance of the most sensitive processing operations, taking into account the impact assessments conducted (particularly with regard to the implementation of measures intended to reduce the likelihood and severity of risks);  
  • the implementation of tools for tracking and monitoring the use of processing (analysis of logs, detection of prohibited data, verification of compliance with retention periods, etc.); 
  • monitoring the effectiveness of the technical and organizational data protection measures that the organization has undertaken to implement.”

Critically, when advising on personal data breaches and the measures to be taken, these audits will give the DPO visibility into organizational data, as well as notify the CNIL and data subjects.

The benefits of putting data discovery and data mapping into practice for incident management

Meet Lois, DPO at ACME Co. Lois has been made aware of a security breach that involves a large volume of personal information. 

To fulfill the requirements of Article 33 of the GDPR, Lois must know:

  • The nature of the incident  
  • The categories of data affected by the incident  
  • The approximate number of people affected by the incident​  
  • Notification requirements per applicable laws

Fortunately, Lois had recently conducted a data discovery exercise in order to populate ACME’s record of processing and data maps. As a result, Lois had visibility into the personal data ACME has collected, the sensitivity of that data, and the purposes for its use and storage. In turn, this discovery and mapping exercise has allowed ACME’s CISO to suggest the appropriate security measures that should be applied in line with the sensitivity of the data. 

Working together, Lois and ACME’s CISO can easily understand: 

  • The likely consequences of the data breach ​  
  • The steps that should be taken to prevent a recurrence of this incident or to mitigate any negative consequences

Without initial visibility into ACME’s data through discovery and mapping, both Lois and the CISO may not know that a breach has occurred or respond to the breach inappropriately, creating the potential for unwanted regulator attention. 

Fulfilling access requests under the GDPR

In order to fulfill the regulatory obligations relating to DSARs, it is critical for organizations to have a holistic understanding of their organizational data and the regulatory obligations that are attached to it. Having an up-to-date or evergreen data map is critically important when viewed through the lens of DSARs for several reasons. 

First, having visibility into all of your organization’s data allows you to fulfill access requests without missing items of information that are stored in unknown sources or unstructured formats. This leads to a more straightforward fulfillment process and helps to ensure that regulatory requirements are being met. 

Second, visibility helps to reduce the risk of personal data relating to individuals, other than the requestors being included in any DSAR responses. Knowing where this data exists gives organizations the opportunity to remove or redact it before returning it to the requestor. 

It should be noted that these steps can also be helpful for other types of data subject rights requests, such as the request to erase personal data, object to certain types of processing, or requests for data portability.  

Download the eBook:  The 3 priorities for DPOs in France: Gain visibility, take action, automate

What is the CNIL’s position on fulfilling DSARs?  

The CNIL cites the protection of the rights of data subjects over their personal data as one of their key missions.  It aims to continue building on its previous strategic plan and continue to promote individuals exercising their subject rights

The CNIL declared its commitment to build this promotion into its strategic plans for 2022-2024 by publicizing information and tools that enable individuals to understand and exercise their rights.

While public awareness is high on the CNIL’s agenda, it also plans to maintain its level of enforcement to ensure that subject rights remain an effective tool for individuals. This is outlined in “Axe 1” of its strategic plan – Promoting control and respect for the rights of people on the ground – and it is broken into four steps:

  1. Strengthening information and awareness to promote the exercise of rights 
  2. Increasing the effectiveness of enforcement actions 
  3. Strengthen the role of the CNIL in Europe and the effectiveness of the European collective 
  4. Prioritize actions to protect the everyday use of data

In Sheet no3: Prepare for the exercise of people’s rights, the CNIL reaffirms the need for DPOs to gain visibility into their organization’s data, stating, “[Organizations must] provide in your computer systems the technical tools that will allow [individuals’] rights to be properly taken into account. Preparing in advance how they will contact you and how you will deal with their requests will enable you to manage the exercise of these rights effectively.” The guide goes on to state organizations must also trace, “all operations that have an impact on [the individual’s] personal data.”

Data discovery for DSAR fulfillment in practice

Meet Clark, DPO at Daily Planet Inc. In recent months, the number of DSARs that Clark has received has doubled owing to a security incident that was made public. 

Clark now faces two main challenges. First, Daily Planet is based in Europe, but its business has a global reach and Clark is now receiving DSARs from around the world, meaning that the requirements of several laws come into play. Second, manually fulfilling each request is likely to take too much time and Clark risks exceeding the maximum response times under laws such as the GDPR or the CPRA. 

Fortunately, Clark had included some foundational steps when building Daily Planet’s data protection program, which included a data mapping exercise. This allowed Clark to build an inventory of personal data and have regulatory context applied to it. Clark has also deployed an automated data discovery tool to help keep his data map up to date. 

As a result, Clark has full visibility into Daily Planet’s data, who it belongs to, and what requirements it needs to be held under. Clark’s data map also serves as the groundwork for DSAR fulfillment and enables him to easily find and consolidate personal data and fulfill requests in a timely manner. 

OneTrust Data Discovery and Data Mapping Automation

Data discovery and mapping are the core elements of gaining centralized visibility into personal data, which is foundational in fulfilling many of the GDPR’s requirements. OneTrust Data Discovery allows organizations to leverage Artificial Intelligence to find and classify your personal data against a range of global privacy laws and standards. By scanning multiple source types including unstructured file shares, structured databases, Big Data storage, SaaS applications, and other cloud solutions, OneTrust Data Discovery helps you to develop a holistic view of personal data. 

The OneTrust Data Mapping Automation solution seamlessly connects to the Data Discovery tool to quickly populate data maps and records of processing activities. Through the application of regulatory intelligence from OneTrust DataGuidance, you can automatically apply data classification and regulatory requirements to personal data. This helps to flag gaps in your compliance program, respond to incidents and subject rights requests more efficiently, and serve as an evergreen foundation to your data protection programs. 


You may also like

Webinar

Data Discovery & Security

The new data landscape: Navigating the shift to AI-ready data

This webinar will explore the how AI is affecting the data landscape, focusing on how data teams can extend common data practices to support AI’s unique use of data.

November 12, 2024

Learn more

White Paper

AI Governance

How the EU AI Act and recent FTC enforcements for AI shape data governance

Download this white paper to learn how to adapt your data governance program, by defining AI-specific policies, monitoring data usage, and centralizing enforcement.

October 30, 2024

Learn more

eBook

AI Governance

Data and AI governance for responsible use of data

Learn why discovering, classifying, and using data responsibly is the only way to ensure your AI is governed properly.

September 12, 2024

Learn more

eBook

Privacy & Data Governance

Data governance across industries: Leveraging your organization's most valuable asset

Download our new eBook and learn how to leverage the value of data governance across industries, including financial services, healthcare, retail, and manufacturing.

April 17, 2024

Learn more

Infographic

Data Discovery & Classification

Data governance in manufacturing: Challenges and use cases

Learn the impact a data governance program has in manufacturing and how it enables greater efficiency across your supply chain

February 26, 2024

Learn more

Infographic

Data Discovery & Classification

What to look for in a data discovery solution

Make sure you choose the right data discovery solution for your organization with our comprehensive breakdown of key benefits and features to look for.

February 20, 2024

Learn more

Infographic

Data Discovery & Classification

Data governance in retail: Challenges and use cases

Learn how data governance can help manage the high volume and sensitivity of data that runs through your retail operations.

February 12, 2024

Learn more

Infographic

Data Discovery & Classification

Data governance in healthcare: Challenges and use cases

Learn how data governance can help your healthcare organization effectively manage its protected health information (PHI) and other sensitive data.

February 08, 2024

Learn more

Infographic

Data Discovery & Classification

Data governance in financial services: Challenges and use cases

Learn how data governance can help address common challenges in the financial services industry and protect your most critical information.

January 12, 2024

Learn more

Webinar

Data Discovery & Security

A guided tour of OneTrust Data Discovery magic

Our expert speaker will demonstrate how common real-world data challenges can be identified, addressed, and reported on, leading to better data governance, security, and alignment with business goals. 

October 26, 2023

Learn more

Webinar

Data Discovery & Security

Data minimization and risk assessment in data discovery

Explore the concept of data minimization and its crucial role in enhancing security, privacy, and reducing risk.

October 19, 2023

Learn more

Webinar

Data Discovery & Security

Data Discovery Dispelled: Unmasking the mysteries of data

Join us for a journey into the heart of data management as we explore the depths of data within organizations and shed light on how technology can enhance data security, privacy, and compliance.

October 12, 2023

Learn more

Webinar

Data Discovery & Security

Data Discovery Dispelled: Data's dark corners

Join the first part of our Data Discovery Dispelled webinar series where we will discuss the hidden sensitive information that could pose risks for your organization.

October 12, 2023

Learn more

Report

Data Discovery & Security

OneTrust named a strong performer in 2023 Forrester Data Governance Wave​

Download The Forrester WaveTM: Data Governance Solutions, Q3 2023 report to see why OneTrust was named a strong performer.

September 26, 2023

Learn more

Data Sheet

Data Discovery & Security

Data Discovery and Security

Explore our OneTrust Data Discovery and Security data sheet to learn how you can discover and control your data while enabling your teams.

September 18, 2023

Learn more

eBook

Data Discovery & Classification

Ultimate guide to building a data governance program

Download this eBook and learn practical methods in building a flexible data governance program that aligns with your business.

August 14, 2023

Learn more

Webinar

Data Discovery & Classification

Live demo: OneTrust Data Discovery

See how OneTrust Data Discovery can help your organization achieve complete data visibility to empower your security program and reduce risk.

June 23, 2023

Learn more

Webinar

Data Discovery & Classification

Data responsibility: The information security professional’s higher purpose

Join OneTrust and KPMG for a dialogue with Information Security leaders on managing the balance between risk and reward when handling sensitive customer information.

June 20, 2023

Learn more

Webinar

Data Discovery & Classification

OneTrust Data Discovery Day: A deep dive into automating data discovery and classification

Join us for a two-hour deep dive into data discovery and how OneTrust helps privacy, IT, and security teams understaind their data and achieve risk reduction goals.

June 13, 2023

Learn more

Infographic

Data Discovery & Classification

How OneTrust Data Discovery integrates with Microsoft 365

Explore three key integration capabilities of OneTrust Data Discovery and Microsoft 365.

June 13, 2023 3 min read

Learn more

Report

Privacy & Data Governance

Gartner® Innovation Insights: Data Security Posture Management (DSPM)

Read this report from Gartner® that highlights some of the key capabilities needed in a DSPM.

 

May 30, 2023

Learn more

Webinar

Trust Intelligence

How the Onetrust platform is innovating to unlock the value of trust

Join this webinar to learn how OneTrust is enhancing its privacy management, data governance, and consent and preferences solutions to help organizations tackle data sprawl and enable regulatory agility.

May 24, 2023

Learn more

Data Sheet

Data Discovery & Security

Employee onboarding and offboarding management

Download our onboarding and offboarding management data sheet and learn how OneTrust Certification Automation can help reduce your risk exposure and improve compliance.

May 17, 2023

Learn more

White Paper

AI Governance

Navigating responsible AI: A privacy professional's guide

Download our white paper and learn how privacy teams help organizations establish and implement polices that ensure AI applications are responsible and ethical. 

May 03, 2023

Learn more

Infographic

Data Discovery & Classification

The CISO challenge: Data. Threats. Regulations.

Unstructured data poses risks due to its open access and lack of governance, and CISOs need to implement measures to track, de-risk, and protect it.

March 03, 2023

Learn more

Webinar

Data Discovery & Security

Insights & analytics: Digging into the data to measure and accelerate trust programs webinar

See how OneTrust Insights and Analytics empowers privacy, marketing, data, and security teams with reporting functionality using solution-based dashboards.

August 02, 2022

Learn more

Webinar

Data Discovery & Security

Rethinking trusted data

Join us for a discussion on the latest trends in trusted data and how you can take critical steps to build trust in data practices

May 24, 2022

Learn more

Webinar

Data Discovery & Security

Optimizing data usage through integrated data privacy and governance

Join us for a discussion on driving better business use and outcomes from data while ensuring regulatory requirements are met.

May 24, 2022

Learn more

Webinar

Data Discovery & Security

Build your foundation through data discovery & mapping

In this webinar we cover how data discover and mapping helps you streamline compliance with US privacy laws such as the CPRA, the CDPA, and Colorado's Privacy Act.

March 24, 2022

Learn more

Webinar

Data Discovery & Security

UK DSAR Automation: How Data Discovery enhances your DSAR workflow

Learn how OneTrust Data Discovery enhances DSAR workflow and automates the DSAR lifecycle in this webinar.

March 18, 2022

Learn more

Webinar

Data Discovery & Security

Data Discovery South Africa: How to create value and demonstrate trust through your data?

Watch this webinar and discover how automated data discovery is helping clients in South Africa create value and demonstrate trust. 

March 10, 2022

Learn more

Webinar

Data Discovery & Security

Data Discovery Türkiye: How to create value and demonstrate trust through your data?

Watch this webinar and discover how automated data discovery is helping clients in Türkiye create value and demonstrate trust. 

March 09, 2022

Learn more

Webinar

Data Discovery & Security

Data Discovery Hungary: How to create value and demonstrate trust through your data? | Resources | OneTrust

Watch this webinar and discover how automated data discovery is helping clients in Hungary create value and demonstrate trust.

March 08, 2022

Learn more

Webinar

Data Discovery & Security

Data Discovery Romania: How to create value and demonstrate trust through your data?

Watch this webinar and discover how automated data discovery is helping clients in Romania create value and demonstrate trust. 

March 08, 2022

Learn more

Webinar

Data Discovery & Security

Data Discovery Israel: How to create value and demonstrate trust through your data?

Watch this webinar and discover how automated data discovery is helping clients in Israel create value and demonstrate trust. 

March 05, 2022

Learn more

Webinar

Data Discovery & Security

Privacy automation: bridging the gap between compliance & data governance to deliver trusted public services

Learn how you can take the first steps towards data intelligence and advance your privacy program to the next phase of automation and maturity.

January 18, 2022

Learn more

Webinar

Data Discovery & Security

Automating the classification and mapping of sensitive data​

In this free webinar, learn how to automate the classification and mapping of sensitive data and speed compliance.

January 10, 2022

Learn more

Webinar

Data Discovery & Security

3 keys to a unified data governance program

Learn how properly governed data leads to better data quality, increased data intelligence and more trusted data. 

August 27, 2021

Learn more

Infographic

Data Discovery & Security

The 4 pillars of data intelligence

Learn the Four Pillars of Data Intelligence and discover how to develop an effective data program.

August 02, 2021

Learn more

Webinar

Data Discovery & Security

Data intelligence: Using and improving your data

In the final webinar in the series, we explore the final step on the path towards data intelligence - using and improving your data.

July 19, 2021

Learn more