“Culture eats strategy for breakfast,” is a famous quotation attributed to the business management guru Peter Drucker. For Drucker, organisational culture plays a central role in how organisations work. When it comes to data protection, a culture must be created where protecting the personal data of clients is at the forefront of what every employee does. This article explores some of the building blocks that are needed when creating a culture of data protection.
Undertake a gap analysis
A data protection gap analysis can provide objective data about your organisation’s current level of compliance, build awareness amongst the senior management team of issues and risks and send a strong signal to staff that protecting personal data is taken seriously within the organisation. Trilateral conducts gap analyses to identify security gaps and ensure compliance with up-to-date data protection regulations.
Ensure alignment between data protection and organisational objectives
The senior management team needs to understand the connection between a strong data protection culture and the company’s ability to deliver on its objectives. Senior leaders need to be educated on the potential impact of data breaches on the organisation’s reputation. Trilateral specialises in compliance support services, working to understand your organisation’s current culture and establish best practices for alignment.
Integrate the data protection workstream within existing organisational processes
It is important to define the critical functions within the organisation with which the data protection programme needs to dovetail. Some of the key integration points that may need consideration are discussed below.
Human resources
Incorporate data protection training within the organisation’s induction programme for new hires and require new staff to complete data protection training before being granted access to systems containing personal data. Refresher training should become part of the human resources standard training package. Trilateral delivers awareness initiatives and training programs to foster a data protection culture within organisations.
New business development
Some companies use gating processes to evaluate new initiatives. This is a process whereby concepts are reviewed and proceed through a series of increasingly rigorous assessment phases – or “gates” – until they are ultimately either rejected or approved. Data protection risk management tools such as Data Protection Impact Assessments (DPIAs) should be part of the documentation required at each “gate.” This will help to ensure that potential data protection risks are identified and mitigated. Trilateral offers data protection impact assessments to ensure your policies and processes are fit for purpose.
Procurement and contract management
The data protection team needs to work with the tendering, purchasing and contract-management functions within the organisation to ensure that data protection requirements are appropriately incorporated. All public tenders, system or vendor requirements documents and selection criteria for purchases that result in personal data processing should include data protection elements. Trilateral’s DPO assist service can augment and complement your existing data protection team, liaising with each function in your organisation to ensure data protection elements are prioritised in relevant documentation and selection criteria.
Internal audit
The data protection team should collaborate with the internal audit function to undertake both first-party and second-party audits. These audits would seek to measure how best the organisation and its suppliers are complying with the applicable data protection laws and regulations. Trilateral provides audit and assessment services to assess and improve your organisation’s systems.
In sum, after the fundamentals of a strong data protection programme and senior management support are in place, data protection leaders must decide which actions should be pursued to firmly embed and integrate the desired data protection practices within the organisation’s business processes.
This article has provided some insights that will be useful to data protection leaders in creating the integrated set of knowledge, beliefs and behaviour that will define their organisation’s data protection culture. For more information on how Trilateral may be able to assist your efforts to enhance your policies and procedures on supporting data subject rights please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.
