This will allow you to identify the top priority areas and put in place a roadmap for closing gaps.
It should include a detailed document review examining all relevant policies, procedures and notices and assessing them against current best practices and guidance. It should also involve interviews with key stakeholders and [potentially a company-wide survey of employees to assess the data protection culture.
Vital to any change in an organisation is the people. You need to identify at an early stage the people who you will be relying on to embed and deliver the framework. A common role is that of the data champion/steward. They will assist you in running the framework once established and are key to its success.
It is important to have a senior sponsor, someone at the executive or board level that can champion the framework and provide the necessary support at the early stages.
Depending on the organisation's size, a small project may be required to embed the framework. This may require some project management and/or business analysis expertise. At this point, you should also have identified the high-risk areas in your organisation. These may require additional effort to embed the framework as more controls may be required. It is important to bring in the leaders from those areas early to get buy-in.
Key tools to any data protection framework include a usable record of processing activity, a risk register, data protection events logs, policies, procedures, and reporting templates. These tools need to be managed and maintained to enable ongoing effectiveness. They will allow the DPO to monitor compliance and engage with management in a meaningful manner.
Rolling out these tools will be challenging as they result in a change in how teams operate and some of the steps they may take in their day to day processes. This may require a change agent in each team who can be the data champion, as long as they have been provided with the necessary training and support.
The record of processing activity is perhaps the most challenging tool to get right as it requires input from multiple stakeholders that may take a considerable amount of effort.
There are a few techniques for ensuring the RoPA is accurately completed. This can include sending out a questionnaire, getting people to fill the RoPA directly, or filling it out on their behalf during an interview.
One of the tasks of the DPO is to report to senior management and, according to guidance from the EDPB, regularly engage with middle management. As stated in a previous article, the DPO needs to be involved when there are changes to processing or the introduction of the new processing activity. This needs to be built into the framework.
Reporting requires the DPO to report to the Board or to a sub-committee of the Board, usually the Audit and Risk Committee, and this should be done regularly. The cadence of the reporting will depend on the structure of the organisation as well as reporting to senior management.
A data protection committee is also an important cog in the framework, some organisations may already have a data governance committee, and data protection can be incorporated into this.
This committee should be made up of some key members of senior management and should meet every six weeks to two months, ensuring that all data protection risks are dealt with and actions put in place in a timely manner.
Your framework needs to have an element of fluidity to ensure it meets the needs and the culture of the organisation. Meanwhile, it needs to be controlled to ensure effectiveness and overall compliance with data protection legislation, the overall goal.
Recommendation: Get a third party to review or audit your data protection practices
Got a question? Just get in touch
We have insights into developments that affect your business. We can provide you with unique perspectives and thoughtful solutions so you can meet new challenges and seize opportunities.
Since the start of the year, many Central Bank of Ireland (CBI) articles and speeches have called out the Payments Institutions (PI) and Electronic Money Institutions (EMI) sector as being one of increased risk. One area of focus has been the wind-down plans for relevant institutions, ensuring that these are credible and prioritising minimising any negative impact on consumers.
2024 has seen the appointment of two new commissioners in the Data Protection Commission (DPC). The Digital Services Act is now effective, with several large organisations already being required to comply and establish a new regulator, Comisiún na Meán.
The role reports to the President and provides executive, administrative, and development support. The Director of the Office of the President serves as the primary point of contact for internal and external stakeholders on all matters pertaining to the President, serves as a liaison to the Governing Body and senior leadership team when required, and oversees internal and external communications for...
Tailored solutions for assurance and value creation in a changing world
Mazars supports you in achieving and maintaining data protection & privacy compliance.
Satisfying subject access requests can require a very significant amount of time and effort. Gathering the data, filtering out the irrelevant records, making decisions on what is necessary to include and redacting information appropriately can turn one SAR into a project in its own right.
Mazars DPIA methodology has been developed using years of experience, ensuring that risks are identified and mitigated in line with business needs while keeping a focus on individuals.
Mazars provides outsourced data protection officer (DPO) services to organisations that do not wish to directly employ a DPO
A GDPR audit provides you with assurance of your data protection compliance efforts.
Mazars has partnered with Europrivacy to provide companies with General Data Protection Regulation (GDPR) compliance certifications. This is the first GDPR certification to be created since the launch of the GDPR four years ago, and has been authorised by the European Data Protection Board (EDPB). This certification positions companies as front-runners in data protection with a strong competitive...
On the 4th of June, 2021 the European Commission adopted new “Standard Contractual Clauses” (SCCs) as an appropriate safeguard for the transfer of personal data outside the European Economic Area (EEA). These new SCCs are replacing older versions that were adopted in 2001 and 2010 respectively.
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.