
Distributed privacy governance in a state agency
Challenge
A state body with a very extensive hierarchical structure, consisting of thousands of nodes and organisational units (central services, territorial delegations, specialised centres, dependent bodies, etc.), needed to effectively manage compliance with personal data protection.
The map of those responsible and co-responsible for processing was particularly complex and fine-grained, with each unit managing its own processing, databases, applications and procedures.
The main challenge consisted of:
- Implementing a central privacy management model led from the corporate headquarters.
- Maintaining, at the same time, the operational autonomy of each unit to manage their processing, contracts, incidents and specific obligations.
- Avoiding the dispersion of Excel spreadsheets, templates and local tools, guaranteeing homogeneous compliance criteria that remain adaptable to the reality of each node of the organisation.
Approach
ECIX Tech implemented the ePrivacy solution as a single platform for agency-wide privacy management. The focus was on reconciling central control and local autonomy:
- Multi-level governance model
  - Definition of a role and permissions scheme in ePrivacy adapted to the hierarchical structure:
    - Central level (DPD and corporate team), with global vision and supervisory capacity.
    - Intermediate levels (directorates general, territorial units), with an aggregated vision of their area.
    - Local level (services, centres, units), with the capacity to manage their own processing and obligations.
- ePrivacy configuration for individual unit management
  - Parameterisation of ePrivacy so that each node in the structure could:
    - Maintain its Register of Processing Activities.
    - Manage its data processors and contracts.
    - Record and process incidents and possible security breaches.
    - Collaborate in impact assessments (IAIAs) related to its processes.
  - Use of templates, catalogues and common criteria defined by the corporation, guaranteeing homogeneity of approach without limiting the particularities of each unit.
- Deployment support
  - Support in the implementation and training of the network of data controllers and local privacy contacts.
  - Continuous support to resolve doubts, adjust workflows and consolidate a stable and sustainable operating model.
Results
Thanks to the implementation of ePrivacy and the deployment model designed by ECIX Tech, the state agency managed to:
- Have a centralised, real-time vision of the privacy situation in thousands of units, without having to intervene in the day-to-day management of each one.
- Enable each unit to manage its processing activities, contracts and registers individually, but within a common framework with rules and compliance criteria defined at corporate level.
- Drastically reduce the fragmentation of information and tools, replacing scattered templates with a single platform that integrates all privacy management.
- Improve the capacity to respond to audits and requirements of control authorities, thanks to full traceability and data consolidation in ePrivacy.
- Convert the network of data controllers into a coordinated and efficient structure, where the corporation sets the standard and each unit applies it autonomously, but without losing overall control.





