Ensuring that an organization maintains compliance with an ABAC-related law and the applicable data privacy laws necessitates a working knowledge of both, which often requires engaging a professional with local, in-depth knowledge, and the ability to involve the company’s data privacy officer and counsel as needed.
Ensuring compliance with ABAC regulations at the expense of data privacy law may increase a company’s exposure to regulatory penalties and fines.
Third-party ABAC due diligence involves gathering data regarding the company’s major shareholders and senior management, which includes the collation and analysis of Personally Identifiable Information (PII).
There are two forms of consent associated with third-party due diligence – general and specific consent.
General consent limits data that can be lawfully collected and processed. Specific consent, on the other hand, allows for the gathering of data relevant to compliance-related due diligence.
Obtaining specific consent from a data subject is the responsibility of the data controller. If a company engages a professional services firm to conduct due diligence, the firm’s role is to function as a data processor that processes data on behalf of and in accordance with the instructions of the data controller.