Privacy operational compliance framework: a tool to help organisations manage risk

GDPR compliance, is not only the Data Protection Officer’s (DPO) responsibility, but a team-work between various stakeholders within the organisation, including the Board of Directors, Management, Departmental Heads and other key people, depending on the overall governance and organisational structure of the organisation.

Furthermore, GDPR compliance is not an one-off process, but it requires continuous effort for maintenance and enhancement. Maintaining and enhancing GDPR compliance is not an easy process, and this is mainly due to the need of the involvement of various people within an organisation. For this purpose, a need for a compliance tool, is integral part for enforcement of the governance structure, effective collaborations, and management of various GDPR tasks.

To this end, the existence of an operational compliance framework is essential to organisations to allow the delivery upon the Data Protection Legislation requirements. This framework should include the governance, roles and responsibilities, policies and procedures, processes, technologies and tools, which an organisation will maintain in order to fulfil and manage its on-going data protection obligations.

The DPO should monitor the compliance with the processes, policies and procedures, and the use of tools and technology, which incorporate the data protection principles. Compliance metrics should be produced and reported to the senior management.

Compliance with the data protection requirements is not a black-or-white neither a pass-or-fail matter. Although there are some specific requirements (such as the time to notify in the event of data breaches or the maintenance of a Record of Processing Activities (RPA)), compliance requires the data protection function (e.g., DPO, DPO team) to work closely with Departments (e.g. Head of Departments and Directors) across the organisation to sensibly and consciously apply a set of principles to the organisation, rather than meeting a prescriptive list of obligations. By necessity, compliance requires senior management in the organisation to be involved in compliance-related decisions, and that the rationale and basis for such decisions should be documented and available for later review.

The organisation’s strategy towards data protection compliance (in the context of preparing for the Data Protection Legislation to come into effect), includes short-term tactical solutions, and long- term strategic solutions such as IT support tools and potential automation to be adopted at the appropriate juncture as budget and resources allow. The tactical short-term solutions will address the high-risk processing activities undertaken in the organisation. The development of additional compliance measures, increased automation and the embedding of a compliance culture will then be a function of data protection maturity throughout the organisation.

To enable operational compliance framework to work effectively within the organisation, different roles and responsibilities should be assigned to various stakeholders.

For easy reference, these are divided into 6 layers:

• Layer 1: represents the internal governance structure with key data protection stakeholders across the organisation, the various senior management committees where data protection concerns will be reviewed and advised upon: the DPO; and the Departmental Data Protection Champions. Key responsibilities of individuals across the organisation to successfully operate, monitor and ensure adherence to the data protection processes should be clearly defined and communicated.
• Layer 2: represents the overarching Personal Data Protection Policy and the supporting policies in relation to governing data protection across the organisation. The Personal Data Protection Policy sets out the personal data protection principles and the obligations of the organisation concerning the protection of personal data. Supporting policies should be developed, including among others, the Personal Data Retention Policy, the Information Technology Framework, Breach management procedure, etc.
• Layer 3: represents the data protection processes, which are to be operated monitored and adhered to across the organisation. These could include processes related to the management of Subject rights requests, coordination and reporting of breaches, maintenance of the Records of Processing Activities, etc.. Additionally, key procedures and guidelines could be developed, supporting the key processes, indicating a step-by-step process.
• Layer 5: represents the Data Protection tools and Artefacts. Tools may be required to manage data protection processes (e.g. a breach management log to track the management of breaches).
• Layer 6: represents a GDPR Compliance tool, that assists the organisation in maintaining the compliance with the GDPR, and enforces effortless collaboration between the various functions such as departmental heads, DPO, IT, Risk Management, legal and compliance.

To sum up, the key elements of the compliance with the privacy laws and regulations apart from the existence of traditional measures, such as a designated DPO and written policies and procedures, managements and boards involvement is crucial, especially for the decision making, monitoring and enforcement, effective lines of communication between the management and the departments, should be established.

Contact me at anna.papaonisiforou@cy.gt.com or at +35722600000 to guide you through your privacy operational compliance journey or click here to read more about our digital risk services.