IG-Smart Ltd’s Good GDPR Governance Guide

This brief Good GDPR Governance Guide will provide you with an overview of what GDPR Governance is and a good idea about what good GDPR Governance should look like.

What is GDPR Governance?

GDPR Governance is the management discipline through which organisations can ensure that they have the right organisational, people-based and technological controls in place to effectively and measurably embed GDPR compliance into their business as usual procedures and practices.

6 Key GDPR Governance Best Practices

1. Establish a GDPR Governance Group/Committee

If you have not already done so, you should establish a GDPR Governance Group or Committee that will have the responsibility for approving and overseeing your organisations GDPR Governance & Compliance Framework (see below) and key GDPR compliance Strategies, Policies and Standard Operating Procedures.

The GDPR Governance Group should be well represented by everyone in your organisation that has key responsibilities with regards to the management of your organisations data processing activities (e.g. Data Protection Officer, Chief Information Security Officer, Head of Legal, Head of HR, Head of IT, Head of Marketing, Head of Risk etc.).

The GDPR Governance Group should have a clear Terms of Reference which as a minimum sets out the GDPR Governance Groups purposes, core membership (members that must for example attend at least 90% of all meetings) and quorum (the minimum number and type of members that have to attend for a meeting to be viable).

2. Engage key stakeholders with good GDPR Governance

There are essentially three categories of key stakeholders that should be engaged with to develop and embed a robust and effective GDPR Governance & Compliance Framework.

Data Subjects

One of the key legal principles which underpin data protection law is that whatever you do with people’s personal data must be within their reasonable expectations. Understanding what those reasonable expectations are and meeting them should therefore be one of the primary measures of success of a good GDPR Governance Framework. As a general rule of thumb, the more sensitive and voluminous the personal data your organisations processes, is the more you should be doing to engage and communicate with data subjects. Consider surveys, workshops, drop-in advice clinics, web pages, social media campaigns, and even radio, television and bill-boards (e.g. if you are involved in really big national, regional or sub regional data processing activities).

Employees

It’s pointless imposing controls that will either prevent people from getting their jobs done (unless what they are doing is unlawful or unsecure) or increase the likelihood of them finding risky workarounds (e.g. using one very basic password to make it easy for them to remember because of the number of different systems they have to log into each day). You should therefore engage with strategic and operational employees when seeking to embed an effective GDPR Governance & Compliance Framework.

Regulators

Once you have got your GDPR Governance & Compliance Framework, Strategy and associated Policies and Standard Operating Procedures in place, consider reaching out to the data protection authority (e.g. the UK Information Commissioners Office) and asking them to audit your organisation. This will not only give you an excellent idea as to whether your GDPR Governance & Compliance Framework would stand up to the scrutiny of the regulator in the event of a data breach but will also demonstrate to them that your organisation is proactive and takes its GDPR compliance responsibilities seriously.

3. Establish GDPR Governance Critical Success Factors & KPIs

Now that you have the right people in place and have a good understanding of what data subjects, employee and regulator reasonable expectations and limitations are you should define what the Critical Success Factors and Key Performance Indicators (KPIs) of your GDPR Governance & Compliance Framework should be.

Critical Success Factors (indicative) 

• No harm, damage or distress caused to data subjects
• No reportable data breaches
• No legal claims
• No damage to reputation
• No unduly restrictive controls
• Personal data always accessible on a need to know basis 

KPIs (indicative)

• 100% of employees trained at induction and provided with annual refresher training
• 100% of data subjects informed about the uses of their information
• 100% of 3^rd party data processors appointed after passing due diligence checks and signing GDPR compliant Agreements
• 100% of personal data encrypted at rest and in transit
• 100% of personal data complete, accurate and up to date
• 100% of Data Subject Access requests responded to within 1 calendar month
• 100% of personal data securely destroyed within 1 week of it no longer being required
• 100% of data breaches reported within 72 hours
• Record of Processing Activity updated every month
• Cyber security vulnerability assessments conducted at least monthly
• Penetration tests conducted at least annually and whenever there is a significant change
• 0 breaches of internal GDPR policies

4. Establish a GDPR Governance & Compliance Framework

Having a clear and robust GDPR Governance & Compliance Framework in place will enable you to effectively embed, audit and monitor GDPR compliance best practices throughout your organisation.

Whilst GDPR Governance & Compliance Framework need not be a complex document, it should as minimum include the following:

RACI Matrix

A RACI Matrix set out Responsibilities (e.g. the GDPR mandated tasks of the Data Protection Officer), Accountabilities (e.g. ensuring that there is someone on the board that takes ultimate ownership of GDPR compliance risks and that the CEO receives an annual assurance in the forms of an independent GDPR Audit and a GDPR Compliance Statement), Consultation requirements (the need to consult data subjects, regulators etc.) a description of those that need to be Informed (board members, employees).

Resource Requirements

Information about what resources will be required to effectively embed the GDPR Governance & Compliance Framework across your organisation and responsibilities for ensuring adequate resources are in place.

Critical Success Factors & KPI

See above.

Documentation

A list of links to the key documents which will underpin your GDPR Governance & Compliance Framework.

Risk Management Controls

Details of how GDPR Governance & Compliance Framework risks will be proactively identified (e.g. through GDPR Compliance spot checks, GDPR Audits, GDPR Gap Analysis, Data Protection Impact Assessments, Cyber Security Vulnerability Assessments etc.), reported, escalated and managed. 

GDPR Compliance Auditing & Monitoring

Details of how GDPR Governance & Compliance Framework Strategies, Policies and SOPs will be independently audited and monitored.

Standards

A set of standards to which your organisation will ensure that it is aligned with or accredited against. For example ISO 27001 and ISO 27701 – the privacy extension to the ISO 27001 information security standard, Cyber Essentials Plus (a cyber security standard recognised by the UK government) and OWASP Top 10 (a standard designed to help you avoid common cyber security threats).

5. Ensure everyone receives GPDR Training

Ensure that all of your employees (including agency staff and contractors) are adequately trained at induction and provided with annual refresher training so that they understand their GDPR compliance roles and responsibilities and your organisations GDPR Governance Compliance Framework and associated Policies and Standard Operating Procedures, and any changes in the threat landscape. GDPR training should be contextualised according to employee roles and nature and context of any data processing activities they undertake. Your GDPR Governance Committee should receive specialist GDPR Governance training.

6. Proactively identify & control risks

Don’t wait for risks to arise or data breach incidents to happen (if you do wait, they almost certainly will occur). Conduct routine staff GDPR compliance spot checks, GDPR Gap Analysis, GDPR Audits, Data Protection Impact Assessments, Legitimate Interest Assessments, Cyber Security Vulnerability Assessments, and Penetration Tests to proactively identify GDPR compliance risks, and ensure that you have appropriate organisational, people-based and technological controls in place to mitigate risks in proportion to the threat they pose to the personal data that your organisation processes.

Links to more good GDPR Governance guidance

• Information Commissioners Office Accountability & Governance guide
• Information Commissioners Office Guide to the General Data Protection Regulation
• Data Governance Obligations guidance by Bird & Bird (Two Birds)
• National Cyber Security Centre Risk Management Guidance
• National Cyber Security Centre Guidance on appropriate security measures

About IG-Smart Ltd

This Good GDPR Governance Guide was prepared by IG-Smart Ltd. Proud winners of the Innovation & Excellence Award for “GDPR Consultancy of the Year 2020” and UK Enterprise Award for “Best Cyber Security Consultancy Firm 2019”.

IG-Smart Ltd has helped world renowned institutions and leading brands to achieve many GDPR Governance & Compliance success stories. Delivering comprehensive DPO as a Service, GDPR Gap Analysis, GDPR Audit, GDPR Training, Cyber Security Vulnerability Assessment and Penetration Testing services.