The data privacy and protection landscape is rapidly evolving as technology advances. It is therefore critical for organisations to be aware of changing regulatory requirements, to update their data protection policies and practices, and to inform their employees of the changes, when necessary. To sustain the data protection management programme and to make it effective, these efforts are necessary.
The international framework for data privacy management mentions two cycles:
The information lifecycle describes how personal data is collected, used, disclosed and stored in an organisation. The operations lifecycle, on the other hand, describes the process of managing personal data: how an organisation should determine the risks related to the handling of personal data within its various processes, protect the data during handling, ensure the process is sustained, and respond to stakeholder queries.
The “Sustain” part of the international framework has three components - Monitor, Audit and Communication (MAC).
In data protection, monitoring means keeping track of the data protection management programme (DPMP) amongst the individuals involved. It is done in two steps - one focused on learning and the other focused on assessment.
Learning is about creating the relevant data protection content and making it available to the individuals in the organisation. The mode of delivery can be online through e-learning or face-to-face through classroom sessions. With companies embracing enforced work-from-home (WFH) these days, delivering the content through an online website or portal has become the norm. The portal should allow the Data Protection Officer (DPO) to push content to users easily, keep track of their participation and generate dashboards to demonstrate accountability.
The next part of monitoring is assessment. At this stage, the DPO verifies that employees can correctly recall, when needed, what they know about the organisation's personal data protection policies and the country's data protection regulations. This is normally done by conducting tests and quizzes. The DPOinBOX tool aids the DPO in administering the assessments easily. It also keeps track of individual performance and presents the collected data in a dashboard for easy reference.
Any business entity will conduct an annual audit of its financial statements and processes. Similarly, organisations handling personal data should conduct regular audits of their privacy or data protection programme to stay compliant. The audit reviews the organisation's privacy policies and procedures, taking into account current regulatory requirements.
For instance, Singapore's Personal Data Protection Act (PDPA) was amended in February 2021 to add the 10th obligation, on breach notification. To align themselves with the new PDPA amendments, organisations have to amend their policies and standard operating procedures (SOPs). It is recommended to perform an audit six months after the review of the process in order to ensure that it is running smoothly.
The audit can be conducted for a process, a department or organisation-wide. The audit covers the SOPs, policy documents and notices displayed in visible areas. Other areas that are part of the audit include technical, administrative and physical procedures, employee training conducted, third-party vendor management and, if applicable, response management. The audit team, which can be internal or external, sets the objectives and approach and defines the scope of work. Once the audit is completed, the findings are recorded and a report is submitted to management for any corrective actions to be taken. The DPOinBOX tool can assist the DPO in performing a comprehensive audit, including the recording of findings during and after the audit.
It is vital for the organisation to communicate effectively and to let its employees know about the data protection policies, updates on data protection matters, amendments to the data protection laws and events concerning personal data.
When the relevant updates have been sent, it is important to keep track of who has read the information. This demonstrates accountability to the regulators, as there is evidence that the organisation has a systematic and well-documented approach to communicating personal data-related content and updates to its employees. DPOinBOX makes this task very easy for the DPO. In just a few clicks, the DPO can send out the required information and present dashboards to management to show progress on all the campaigns.
In essence, the key to managing an effective and robust data protection management programme (DPMP) is sustaining the initial efforts the organisation has already made. The organisation can sustain its DPMP through monitoring, auditing and communication (MAC) efforts directed at its internal stakeholders. It is also useful for organisations to adopt software tools such as DPOinBOX, built on specific frameworks and features, to ensure that managing their data protection management programme is an easy and seamless process.
Written by: Karthik Laxman, CIPM, CIPP/A, EXIN (Information Security)
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.