Frustrated man

Data protection templates

Top 3 data protection program issues and how to start resolving them: #21

Templates are useful.

But remember, a template is just a template.

Alone, it will not make your company compliant, even if you've populated it with some basic information.

In the right hands, a template is a useful starting point.

A template in the wrong hands may give a false sense of compliance.


#1 Circulated template = implemented

Implementing solutions that address abstract legal requirements is complex, and we may use a template to provide a basis for documentation, or gathering information as part of a process or procedure, or for setting expectations in the form of a policy.

It could be a template for a ROPA, a DPIA, registering an incident, to name a few examples.

There’s often an over-reliance on templates.

Circulating a DPIA template by email to senior managers does not equate to implementing the DPIA process, yet I see and hear this type of practice often in companies.

Implementation is an entire process in itself if you want to embed and sustain change.

A template is just a small part of a larger equation.


#2 Business context

You’ll find templates everywhere.

Many are free.

Most are generic.

In many cases, a template you’ve acquired will need to be adapted according to the nature of your business.

Take a DPIA again - are you in the business of emergency services, biotech, education or online retail?

Different context, different risk scenarios.

The same goes for policy templates.

Without adaptation, employees will be confused.

Context is everything.


#3 Isolation versus collaboration

I also see employees given a task to complete a DPIA, or populate a ROPA single handedly.

In isolation using a standard template.

They may have the competences to complete some parts, but for other parts they may end up guessing.

Data protection requires a broad set of competences.

It's all about collaboration.

Recognise the knowledge and competences needed.

Recognise the sources of information to complete the template.

Gather your colleagues - it’s a team sport.

Tailored, facilitated workshops to elicit the required information to populate a template are highly recommended.


Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.

We’re based in Denmark, but operate globally.

If this issue resonates, book a call to discuss your requirements!

Petruta Pirvan
Tim Clements
March 23, 2023

Blog

Other posts

June 2, 2023
Disseminating policies
Tim Clements
May 27, 2023
Ineffective controls
Tim Clements
May 26, 2023
DPIA on a page
Tim Clements
May 25, 2023
GDPR on a page
Tim Clements
May 24, 2023
Explaining Data Controller/Data Processor obligations
Tim Clements
May 23, 2023
5 years on - are these perspectives still relevant?
Tim Clements
May 22, 2023
GDPR 5 years old - is it really?
Tim Clements
May 11, 2023
The US privacy landscape: complex and in a state of flux
Tim Clements
May 9, 2023
Employee engagement
Tim Clements
May 4, 2023
Unsure of which IAPP course fits your needs?
Tim Clements
May 2, 2023
Managing risk
Tim Clements
April 27, 2023
Interactions and inter-dependencies with others
Tim Clements
April 13, 2023
Copy/paste consultancies
Tim Clements
April 6, 2023
Controller/Processor life-cycle
Tim Clements
March 30, 2023
Responding to an audit
Tim Clements
March 26, 2023
Being prepared for a data protection audit
Tim Clements
March 23, 2023
Data protection templates
Tim Clements
March 11, 2023
Data protection program control
Tim Clements
March 6, 2023
Reporting data protection status
Tim Clements
March 2, 2023
The lone data protection army
Tim Clements