The key to meeting the principle of Accountability is good governance backed up by documented evidence. If your business suffers a personal data breach or a serious complaint, the ICO will investigate and will look for evidence of a compliance framework.
A previous article has answered the question “What are the elements of a compliance framework?” This blog will consider how the compliance framework could be documented.
Identifying data protection “Roles and Responsibilities” is the first task. Ideally responsibility should be clearly visible in reporting lines through the business, starting with the board of directors and the senior management team (SMT). Their role is to demonstrate visible support for the compliance framework. This is best evidenced by including data protection compliance on SMT or board agendas at least annually and by adding it to the terms of reference of the audit or risk committee. The Data Protection Policy (see here for a quick guide to the jargon) should be approved by the highest authority in the business, either the board of directors or the SMT. This sends a clear message that data protection compliance is an important topic that really matters to the organisation.
“Roles and Responsibilities” can also help to overcome some of the traditional hurdles to compliance. How many times have we heard that data protection is the responsibility of IT or compliance personnel? Dispel those common cop-outs by adding data protection compliance to the documented role of line management. Their role should be to ensure their team delivers a quality, timely, cost-effective and compliant service. Build it into job descriptions and include it in Key Performance Indicators. We also advocate naming departmental managers as the “Responsible Person” for personal data processed by their team and documenting this as part of the Article 30 records (the records of processing activities).
Use “Roles and Responsibilities” to outline the role of the Data Protection Officer (DPO) or data protection lead. Make it clear that this role supports the business; it does not carry sole, single-handed responsibility for compliance. Ideally the document should also state the need for independence in this role, which means that the DPO will not write policies and procedures or draft privacy notices. Their role is to check those documents, a task they cannot perform objectively if they wrote them in the first place!
There may be other specific roles and responsibilities that need to be included, for example the Caldicott Guardian in relation to health data, but the final section relates to “all staff whose work involves processing personal data”. Their role is to follow documented policies and procedures and to undertake training when instructed. Both of these elements of the compliance framework will be considered in a future blog.
We recommend that “Roles and Responsibilities” be documented, at a minimum, in an overview of the organisation’s compliance framework and in its Data Protection Policy.
If you would like assistance documenting your organisation’s compliance framework ask us for a quote. This is part of the compliance process and we would be happy to help.
Mandy P Webster, Data Protection Consultant