
Optimise projects' priorities with automated data protection impact assessment

  • Data Protection
  • Data Processing
  • Data Transfer

In this use case, we show how project deliverables can be optimised for global projects by conducting a data protection impact assessment at the very beginning for the requirements in scope.

Coverage
  • 30+ jurisdictions
Scope
  • GDPR (EU)
  • FADP (Switzerland)
  • PDPA (Singapore)
  • many more
Availability
  • App
  • APIs
Territorial Scoping

The company wants to deploy a project in multiple booking centres in Asia. How can we identify the different levels of data protection requirements per country to prioritise the project rollout?

Territorial Scoping

We are reviewing cloud providers from different countries. How can we focus our due diligence process on the providers which cause the least friction with the data protection implications of our business operations?

Local Establishment

Do different data protection restrictions apply when having an Establishment inside Singapore to target local clients versus targeting them from outside Singapore without an Establishment?

Data Subject Location

I want to actively market our investment solutions to Asian clients from Switzerland - which Data Protection rules apply in which jurisdictions?

Data Transfer

We received a request from our US headquarters to access data about an EEA-domiciled client stored at our rep office in Hong Kong. Is GDPR relevant for this setup?

Data Transfer

I am not sure if our marketing operations are impacted by GDPR - how can I check which triggers under EEA Data Protection laws affect us?

Clarifying the deployment of projects in different territories

In our digital and ever-connected business environment, the exchange of data happens everywhere. Compliance and Data Protection teams are therefore approached by business units on a daily basis to clarify data protection restrictions. Whether it is the HR team planning to centralise employee data, the Chief Investment Officer planning to roll out a new portfolio optimisation tool or the marketing team revamping the public website, they all share the same challenge: could my project be impacted by data protection regulations? If yes, how can I obtain a quick assessment that shows me the requirements that apply to my case? This information is critical because it determines the timing and resource allocation for the specific project.

The worst scenario for project managers of financial institutions is that critical and expensive projects are delayed because of systematic mismanagement of Data Protection principles and requirements. This is why, today, Data Protection experts spend weeks manually reading through multi-page country papers and legal opinions per jurisdiction, checking country-specific data protection restrictions and providing the business with a handmade impact overview.

The challenge of deploying projects in different territories

The main difficulty today is that data protection regulations are different in each jurisdiction. One country may restrict the handling of specific types of data, another may ask for specific measures to be put in place, and a third might restrict specific data sharing or storage activities altogether.

This is just one side of the problem. More complexity comes with different project initiatives and roll-outs on a synchronized global basis, which need to be balanced against all the underlying individual country restrictions. This is an ongoing battle when dealing with country-specific data, as well as a time- and resource-consuming analysis.

For project managers, this complexity can result in situations where everything has been prepared for a project to kick off and, suddenly, compliance informs them that their project needs to be delayed because the impact on Data Protection requirements is unclear. Situations like these lead to frustration on all sides.

There are several possible solutions to this problem:

| Option | Efficiency | Risk minimisation | Ease of scalability | Cost efficiency |
| --- | --- | --- | --- | --- |
| Option 1: Business stakeholders conduct an impact assessment based on existing legal information | + | ++ | + | ++ |
| Option 2: Compliance and Data Protection officers conduct the impact assessment for the business | ++ | +++ | ++ | ++ |
| Option 3: A third-party provider is mandated to conduct the data protection risk assessment | +++ | ++ | + | + |
| Option 4: Enabling the business to run digital territorial scoping checks | ++++ | ++++ | ++++ | ++++ |

Introducing digital territorial scoping checks

An automated data protection impact assessment could massively simplify the life of both business stakeholders and legal and compliance experts by providing clear guidance on where to launch a new service first, which products to prioritise, or which offices to leave out of scope for a first project phase.

By using digital territorial scoping checks, business stakeholders are empowered to easily assess the impact of a project in different jurisdictions in a matter of minutes instead of reaching out to Compliance and Data Protection units for support. Otherwise, they have to screen the Data Protection manuals of certain jurisdictions to check for an impact, which usually takes weeks or months depending on the size of the project scope.

A tool that permits faster assessment also lets business stakeholders check in which countries it would be easier to deploy a project given the specific data protection restrictions, which can help the business unit choose the jurisdictions that make the most sense even before starting the project. In other words, business stakeholders are empowered to run high-level territorial impact assessments on their own, which leads to easier scoping of their projects and quicker deployment. Additionally, as Compliance and Data Protection units are confronted with fewer questions from the business, they spend less time checking whether countries could or could not be part of the project.

This way, business units can focus on the growth and strategic development of different projects while also reducing the risk of not being compliant.

To achieve that, one would need the following:

  1. Machine-readable data protection rules: a set of country-specific rules customizable by in-house legal teams;
  2. Dynamic access to data protection answers: a way for IT project managers to quickly access answers on IT system initiatives through an easy-to-use app or via intranet;
  3. Easy integration options: technology empowering developers to scale the use of machine-readable rules through integration into existing processes or in-house tools.

Benefits of using digital global territorial scoping checks

  • Empowered business stakeholders: enabling and supporting them in spending less time on territorial impact assessment checks;
  • More checks: enabling business stakeholders to undergo more checks in the same amount of time;
  • Global risk minimization: always being aware of the global territorial impact assessment checks relevant to a certain business unit;
  • Growth opportunity: digital rules allow global scalability thanks to the easy addition of new countries or comparison features.