Tricia Higgins
Data Protection Programmes are all the rage these days. It’s great to see the compliance conversation moving in this direction. As a Data Protection Officer (DPO), I know the difference between working with a solid data protection programme and working with none and all.
DPOs talk a lot about the chaos of compliance, of moving from one drama to the next. Trying to organise compliance activities, without a solid data protection programme, is like stumbling around a dark tunnel waiting anxiously for the light of an oncoming train.
As this is such an evolving concept there are many different takes on what a Data Protection Programme is. The Cambridge Dictionary defines a programme as “an officially organised system of services, activities, or opportunities that help people achieve something”. So what does it take to make a Data Protection Programme official and organised? If I train staff on basic GDPR requirements, deal with breaches and Data Subject Access Requests as they arise is that a Data Protection Programme?
If I had a room full of DPOs and I asked them to raise their hand if they have a Data Protection Programme in their organisation, I wonder how many would put their hand up? Of those who raise their hands I wonder how many would say that their programme is effective and provides the right results? Would they be able to explain to me clearly what the programme is and how they measure its effectiveness?
Like many things in GDPR the only real way of checking the answer is to review and test. We should all be testing our Data Protection Programmes to ensure the programme is delivering the results that we need. Here are some Key Performance Indicators (KPIs) that DPOs should be using to measure the effectiveness of their Data Protection Programmes? If the Data Protection Programme doesn’t meet some or all of these KPIs consider if the Programme needs to be updated to ensure that the organisation is going in the right direction.
The first KPI is probably the most challenging of all and strictly speaking isn’t really a key performance indicator. However I’m going to put it into the KPI bucket for the purpose of this article because it’s a step that I think many people don’t think about.
In order for a programme to be real and tangible then the Data Protection Programme should be documented, implemented and maintained. It should be referenced in your Data Protection Policies and TOMs and adopted.
The Data Protection Programme is a compliance measure, it’s a way of demonstrating compliance with the accountability principle. Key stakeholders (DPO, DP Team, Management, Customers, Supervisory Authorities) will be much more inclined to believe in a documented formal programme than a notional concept.
In order to formalise the programme it is necessary to identify all the tasks and activities that are undertaken, or should be undertaken, in order to achieve your goal (ie. compliance with the GDPR). All relevant GDPR Articles, EDPB recommendations, judgements etc should be covered in those tasks and activities……..this is not easy.
Fort Privacy realised back in the early days of GPDR (nearly 5 years ago) that a Data Protection Programme would help us deliver our Outsourced DPO Services in a consistent manner and help our customers achieve compliance in a structured way. We wanted to make sure that our programme reflected all relevant compliance requirements. It “only” took us about 3 years to come up with the right programme template and we work hard to maintain and improve it.
Over the years we have worked with DPOs to implement this in their organisations and where we are DPOs we implement it ourselves as part of our services. We now have a formal, structured, programme that we have implemented across many sectors including multinationals and SMBs.
Figuring out whether your Programme is setting the right compliance standard and hitting all the relevant areas of the GDPR is hard work. The good news is that we have already done the hard graft here. Please feel free to use our Data Protection Programme template and take the first important step in formalising your programme.
It comes highly recommended and has a whitepaper and everything! Give us a shout and we can help you implement it.
The second KPI is that the formally documented Data Protection Programme should move the needle of compliance and it should be possible to benchmark the progress being made.
Compliance should not be static. The organisation should be able to show that year on year there is a marked improvement in compliance. The data protection programme should literally be a driving force for improved compliance. The programme should provide the capability to easily identify progress against defined criteria and demonstrate maturity and improvements in areas where previously there may have been gaps.
The Fort Data Protection Programme was built with this in mind. We can audit against each category of the Programme and identify and report on increased levels of compliance maturity. This is gold for any DPO looking to demonstrate progress to key stakeholders and get the job satisfaction that shows, in a tangible way, that the job is being done right and the compliance profile of the organisation is going in the right direction.
The third KPI is that the Data Protection Programme should facilitate strategic compliance.
It’s a real struggle to manage compliance activities in a proactive manner. So often, the operational side of compliance, breaches, DSARs, DPIAs are in the spotlight and it’s hard to think strategically and focus on the bigger picture.
The Data Protection Programme should facilitate checkpoints on key areas of strategic compliance such as risk, audit and certification to ensure that precious resources are being used to shore up areas of the business that require focus. Is important breach mitigation work being undertaken? Are we managing change in the organisation, are we auditing/thinking of GDPR certification for high-risk processing activities?
The Fort Privacy Programme has all these building blocks included to ensure that the DPO sees the bigger picture and zones in on areas of compliance that make sense in the context of the risk profile of the organisation.
The fourth KPI is that the Data Protection Programme should help to structure all Data Protection compliance activities.
Your Data Protection Programme does not work if a scatter gun approach is in operation. A Programme by definition requires structure and timing. The Data Protection Programme should give a defined project plan to work to with timeframes. It should help to organise compliance activities and provide a structured repeatable programme for that.
We generally have an annual implementation cycle for the Fort Data Protection Programme to ensure that each category of compliance is reviewed and updated at least annually. DPOs are pulled and dragged into all kinds of battles in the organisation and it can sometimes feel like we are not the masters of our own destiny.
The Data Protection Programme helps to centre the DPO and supporting resources and bring order, control, and purpose to compliance activities. It helps to build confidence and understanding in compliance activities. Everyone supporting compliance is working in the same programme and everything, down to document management and version control is filed consistently and aligned with the Data Protection Programme.
The fifth and final KPI, for measuring performance of a Data Protection Programme, is ensuring that it has management buy in and supports useful reporting to board/management team.
For a programme to be effective it has to be user friendly and easy to implement. It must be something the board/management team can understand and get behind.
The DPO should easily be able to create reports of progress towards compliance, risk identification and mitigation, key focus areas and challenges being faced. The GDPR states that the organisation should ensure that sufficient resources for compliance in place. The Data Protection Programme should enable the DPO to clearly highlight the business case for additional resource to support compliance.
I could easily think of more KPIs for this exercise but the 5 above are really important for an effective Data Protection Programme. It’s well worth taking a step out of BAU and questioning if the Data Protection Programme is working for the organisation or indeed if there’s really any formal Programme in place. Many DPOs I talk to feel overwhelmed at the constant stream of tasks landing at their feet. It’s so easy to live in the weeds. As DPOs we need to raise our heads up above the maddening crowd (just like my boxer Ali (pictured)) and steer compliance in the right direction. We need a solid Data Protection Programme to support us in doing that.
If you want to see the light, take some time out to think about your Data Protection Programme and test if it works for you using the 5 KPIs above. I know it will be a worthwhile and enlightening experience.
I would love to hear how you get on….all feedback (good/bad) gratefully received.
Tricia Higgins – Co Founder Fort Privacy
Sign-up to receive news and information from Fort Privacy
Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information
As a technologist, I am both excited and appalled at the developments in AI and it seems from various surveys that I am not alone. My greatest wish is that we can harness its power for good while dampening its power for misuse. It is early days yet – let’s hope this wish comes true!
Everyone loves a quiz so we decided we would kick-off the new year with a bit of tongue-in-cheek fun.
Continuing the tradition of the Fort Privacy Christmas blog this year we are thinking about Santa and AI. Well, we need to keep these articles topical after all!
