As a data protection professional I often get asked what the most important aspects of data protection are. There are many things in the regulation which resonate for me and help me shape my advice to clients but, it is difficult to list which are most important as the answer is reliant on the context.
In this blog I share a summary of my recommendations on what the first 100 days of an engagement should include, outlining what should be planned for, whilst always being ready to change in line with circumstances.
Understand your activities
What activities does your organisation undertake? Without knowing how your organisation uses personal data you cannot begin to understand any data protection risks. Even if you don’t fall under the mandatory requirement to create and maintain a ‘record of processing activities’ (RoPA), it is a good tool to use to evidence how you process personal data.
Understanding your activities means,
- Understand what you do
- Knowing the personal data which is processed
- Understanding the volume of data
- Understand the type(s) of data used
These are the key aspects to begin understanding the potential for high risks. For example, an activity using low volumes of basic personal data does not carry as much risk as higher volumes of sensitive data.
Manage the risks
Whilst a RoPA is not a regulatory requirement for all organisations it provides an excellent insight into your data protection risks. Data protection risks come from many sources though. Consider your findings from data breach and data subjects rights logs, as these will help you to identify recurring incidents, which in turn identify risk. Record these risks and manage them.
If you are responsible for data protection in your organisation, my advice is to involve others in the management of risk. For example if a risk is identified on a HR activity, let HR lead on the solution, after all it is their procedures which will need to be amended. With many years’ experience in managing risk, I can confirm that risks are often left unchecked if there is poor ownership and low accountability. For this reason it is worth establishing regular meetings to review progress and provide advice.
Teaching and Learning
It is the job of a data protection professional to educate others but at the same time we must learn. Understanding the risks allow us to learn how to mitigate them and put plans in place to stop them from happening again
Clear policies and procedures need to be developed and communicated, these should be supported by good data protection training. People cannot be expected to protect personal data and keep it secure if they don’t understand how data protection rules apply.
Employees should complete training in the basics of data protection as a minimum, and we should lead them in how we expect them to behave to empower them to make reasoned decisions.
The knowledge they need will vary depending on their role. Managers, leaders and those who are involved in defining your RoPA should be well informed and able to lead by example and identify gaps in their team’s knowledge.
Data Protection by Design and by Default
By building engagement through the development of the RoPA colleagues will begin to understand that data protection risks can be resolved through good practice and procedure. As such a new project being initiated or a procedure being changed is a great opportunity to consider if data protection can be built in at the point of design.
Relationships with project governance teams are crucial, if your organisation has a project function, get to know your Project Management Office (PMO) and ensure that data protection questions are built in at different project stages. If your organisation uses an agile approach, get to know your Product Owners and ensure that you are involved in planning and retrospectives.
Accountability
One of the key differences between the Data Protection Acts of 2018 and 1998 is the principle of accountability, so your first 100 days should be focussed on this.
Accountability covers many things including:
Senior engagement
Are you engaged with senior levels of management and are they supporting you? A report to the Executive team on a monthly basis should be your minimum goal.
Maintain records
Accountability is about evidencing your compliance with data protection laws including policy, procedure, ROPA, risk logs and more.
Data Champions
Although they may not go by this name in your organisation these individuals are your established network across functions who take accountability for data protection in their department.
Summary
Your first 100 days in your role as a data protection professional should be focussed on learning and coaching. You need to learn what risks your organisation has and teach stakeholders how to manage current risk and reduce future risks.
Building relationships is key, formalise these through regular meetings where data protection is the focus and you will begin to develop a culture which supports your role in the organisation. Manage upwards as well as amongst your colleagues. Not all Executives will take data protection seriously from the start so build close connections with those that do and that will support you.
Finally ensure that you have systems in place to evidence compliance, Excel works for a very small organisation, but ProvePrivacy is an affordable solution designed by data protection professionals.
