
How to comply with data privacy law when working agile

Transitioning to an agile operating model is an ambition of many companies in all sectors. That’s understandable: simplifying procedure and infrastructure, lowering formality and reducing the need for physical presence can save costs and increase productivity.

A key obligation under data privacy law is “accountability”. In a nutshell, this means you are required not just to comply with data privacy law, but to be able to prove compliance on regulatory demand. It’s not easy to remain accountable to the standards expected by regulators while working in a truly agile way.

True agility means a working model based on smaller, self-organising teams, made up of cross-functional staff. Those teams are given significant autonomy, including crucially the ability to make meaningful decisions. They tend to achieve incremental results in short “sprint” projects, with their product central in their minds.

Data privacy compliance does not always flourish in these environments:

—  the more frequent and broken-down the tasks, the more often documentary processes and procedures have to be carried out and recorded;

—  people working towards tight time deadlines do not appreciate being delayed by compliance permission control or documentary exercises; and

—  people naturally gravitate to what they see as the more creative or intellectually rewarding substance of the project.

In our view, the best solution is to make your organisational data privacy law compliance a bite-sized, collective responsibility. We recommend the following steps:

—  Working with your head of data privacy, design a data privacy law compliance “playbook”, which explains in a user-friendly way how data privacy law applies to what the organisation does and sets out the different compliance points to consider.

—  Those compliance points should be categorised as key data privacy law obligations and should provide easy access to the relevant compliance documents, explaining how and when they should be used. Examples would include:

—  A person in each department / at the head of each small team structure should be in charge of, and trained in, either quickly carrying out the compliance requirements, or providing the information required to the data privacy lead/team.

It is important to get this right. If you have compliance measures in place – even if flawed – regulators are much less likely to fine you if something goes wrong.

To talk through any of these issues, get in touch with Priya Thapar on +44 (0)20 3691 2063 or email pthapar@greenwoodsgrm.co.uk

This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: mailinglists@greenwoods.co.uk








