Here are our steps for developing your privacy framework:
1. Evaluate your current state
This will allow you to identify the top priority areas and put in place a roadmap for closing gaps.
It should include a detailed document review examining all relevant policies, procedures and notices and assessing them against current best practices and guidance. It should also involve interviews with key stakeholders and potentially a company-wide survey of employees to assess the data protection culture.
2. Identify your key people
People are vital to any change in an organisation. You need to identify at an early stage the people you will be relying on to embed and deliver the framework. A common role is that of the data champion/steward. They will assist you in running the framework once it is established and are key to its success.
It is important to have a senior sponsor, someone at the executive or board level who can champion the framework and provide the necessary support in the early stages.
Depending on the organisation's size, a small project may be required to embed the framework. This may call for some project management and/or business analysis expertise. At this point, you should also have identified the high-risk areas in your organisation. These may require additional effort to embed the framework, as more controls may be needed. It is important to bring in the leaders from those areas early to get their buy-in.
3. Establish your tools
Key tools for any data protection framework include a usable record of processing activity (RoPA), a risk register, data protection event logs, policies, procedures, and reporting templates. These tools need to be managed and maintained to remain effective. They allow the DPO to monitor compliance and engage with management in a meaningful manner.
Rolling out these tools will be challenging, as they change how teams operate and some of the steps they take in their day-to-day processes. This may require a change agent in each team; the data champion can fill this role, provided they have been given the necessary training and support.
The record of processing activity is perhaps the most challenging tool to get right, as it requires input from multiple stakeholders and can take a considerable amount of effort.
There are a few techniques for ensuring the RoPA is completed accurately. These include sending out a questionnaire, getting people to fill in the RoPA directly, or filling it in on their behalf during an interview.
4. Engage and report
One of the tasks of the DPO is to report to senior management and, according to guidance from the EDPB, to engage regularly with middle management. As stated in a previous article, the DPO needs to be involved when there are changes to processing or when a new processing activity is introduced. This needs to be built into the framework.
The DPO should report regularly to the Board or to a sub-committee of the Board, usually the Audit and Risk Committee, in addition to reporting to senior management. The cadence of this reporting will depend on the structure of the organisation.
A data protection committee is also an important cog in the framework. Some organisations may already have a data governance committee, and data protection can be incorporated into this.
This committee should be made up of key members of senior management and should meet every six weeks to two months, ensuring that all data protection risks are dealt with and actions are put in place in a timely manner.
5. Monitor and report
Your framework needs an element of fluidity to ensure it meets the needs and culture of the organisation. At the same time, it needs to be controlled to ensure its effectiveness and overall compliance with data protection legislation, which is the ultimate goal.
Recommendation: Get a third party to review or audit your data protection practices