During the DPN webinar on 21st February, panellists Mark Roebuck, Robert Bond, Louise Garrett-Cox and Simon Blanchard took on a host of topics and questions, ranging from “what are data assets and IARs?” to “how do I see the value of a ROPA and gain stakeholder buy-in?”.
Here we summarise 5 key takeaways from the event.
1. What is an Information Asset Register (IAR) and who does it benefit?
An IAR is a record of the information your organisation stores and uses. It covers a diverse range of items (electronic and physical) and systems such as CRM, email accounts, HR and backups. For each asset it records sensitivity, criticality, risk profile and known vulnerabilities, as well as who has access to the data and how long it is retained, all of which evidence data compliance. The access and retention entries are only useful if they reflect what is actually configured, so they should be checked against the real access controls and deletion schedules rather than recorded once and assumed.
An IAR benefits multiple roles across an organisation:
- Data Protection – an IAR shows who accesses what data, where it is held and how long it is retained, allowing those in data protection to ensure it is being managed and protected in the required way.
- Data Governance – although there is crossover with the above, it also gives those in data governance insight into backup processes and procedures, enabling them to manage SLAs with third parties as needed.
- Organisation – the wider organisation gains confidence that the required compliance levels are being met, and that they can access the right data they need to undertake activities. In addition, it provides suppliers, partners, staff and customers with confidence in how their data is handled and managed.
2. What are data assets?
‘Data assets’ refers to the various types of data an organisation collects, manages and uses as part of its operations. This can encompass a wide range of information, such as customer data, financial records, operational data and research data. It also covers both structured and unstructured data, both of which need to be identified in the context of a data asset register.
Structured data tends to be highly organised and to follow a specific format; it is typically stored in databases or spreadsheets, such as a CRM or financial records. Unstructured data has no predefined format, which makes it harder to organise than structured data; emails and documents are typical examples, and they are also the data most often missed when a register is first compiled.
3. What is a Record of Processing Activities (ROPA) and what is its value?
A ROPA may be a compliance requirement for some (Article 30 of the UK GDPR requires one for most organisations), but it is a valuable tool for any organisation. It provides a central place that collates all processing activities, in turn allowing organisations to assess them for data protection risks and identify gaps for continuous improvement, including:
- Areas where risk mitigation is required
- Compliance with privacy notices
- Ensuring correct contracts/SLAs are in place
These continuous improvements then help build an overall organisational risk profile, so that activities can be prioritised, progress monitored and compliance maintained.
4. How important is gaining & retaining stakeholder buy-in?
Ensuring that stakeholders are actively involved in managing and updating a ROPA is key to its success and to the overall management and mitigation of an organisation’s risk profile. Ways to gain and retain stakeholder buy-in include:
- Allocate data champions who take ownership of areas of the ROPA and educate others within their teams.
- Maintain a central information page that shares regular updates and answers to FAQs.
- Run data champion workshops to encourage the sharing of lessons learnt and insights.
- Hold regular one-to-ones with data champions to bring changes and updates to the fore.
If these relationships are managed and maintained, the importance of the ROPA is understood across the organisation and awareness of it stays high.
5. What measures and controls can be put in place to mitigate risks?
Measures and controls will vary depending on the type of risk, the volume and sensitivity of the data, and the organisation’s risk appetite.
A great place to start is the information security and data governance policies, which cover areas such as MFA, restricted access, file sharing, staff training, procedures, and information privacy and retention. Each control should map back to the asset in the IAR and the processing activity in the ROPA whose risk it mitigates, so that coverage and gaps can be checked rather than assumed. Once the policies are ready, stakeholder management can be used to gain early buy-in to them and to the importance of their contents.
These are just some of the topics covered during the discussion; watch the full webinar recording for the rest.
Want to understand more about IAR? Get in touch to discuss this and other data compliance requirements.