Overview: Ensuring data protection compliance

Allocation of responsibility

The analysis necessary to identify relevant information, relevant risks and the steps necessary to devise appropriate remediation procedures and solutions can be undertaken at a point in time as a discrete project. It is relatively straightforward to complete such a project, publish your policies and to conduct initial training. The temptation and natural tendency is to regard the completion of that work as a job done. This is particularly the case because your policies can serve as evidence of compliance and may even be referenced to clients as evidence of your awareness of the relevant issues and an indication of your commitment to cybersecurity.

See Allocation of responsibility.

Induction and training

Policies and procedures buried on the intranet or forgotten at the bottom of the drawer will not impact the cybersecurity risks faced by your organisation. In order to be effective policies and procedures must be integrated in data to day operations, be used in decision making and training, and be revised and updated in response to changes in technology, changes to the business and experience with risks and incidents. If not implemented, your well-documented strategy can serve as a benchmark available to be called upon as evidence of proper practice should a third party claim or formal investigation by a regulator take place as a result of a security incident. It is vital that your security strategy be embedded in the operational life cycle of your organisation.

See Induction and training.

Monitoring, testing and responding to change

In this subtopic, we discuss steps that you can take to embed your cybersecurity strategy and the management culture and business life cycle of your organisation. As part of the privacy operational life cycle, data protection compliance is achieved through the monitoring, auditing and communication aspects of the management framework, where:

  • monitoring identifies any gaps and weaknesses in an organisation's privacy program;
  • auditing ensures consistency, effectiveness and sustainment of the privacy practices; and
  • communication creates internal and external awareness of the privacy program, ensuring flexibility to respond to legislative and industry changes.

See Monitoring and testing and Responding to change.