After identifying the life-cycle of personal information within the multitude of processes embedded in the organization, we proceed to assess the legal gaps – areas where potential violations of the law may attract civil or even criminal penalties. These risks may lie in the instances where the organization collects personal information whether done through a website; a face-to-face interview; CCTV systems; guest registers; or, third-party information service.  We also examine the organization’s intra- and inter- department transfer of personal information as well as external outflows and inflows of personal information.  Some conglomerates may, for example, already have intra-company data sharing agreements and share infrastructure for the common storage and automated processing of personal information.

Our legal risk assessment begins with identifying personal information – particularly, sensitive personal information, which is entitled to a higher degree of protection.  We then identify the processing done upon such information and assess whether it is lawful.  We determine if the consent of the data subject was properly secured and if not, we consider if exceptional circumstances exist that dispense with such consent. We then examine the organization’s observance of the data subject’s privacy rights outlined in the law and its adherence to the data privacy principles.

We conclude our analysis with a summary of our findings in a final report, where we identify areas where existing processes do not comply with the Data Privacy Act and address them by making specific recommendations. In some instances, the solution might be as simple as placing a padlock on a filing cabinet but in others, multiple options might be available. In those cases, we spell out the legal standard against which compliance will be measured.