Top 3 data protection program issues and how to start resolving them: #27
Risk management must be at the heart of any data protection programme.
It must be living and breathing.
It’s an accountability mechanism that generates evidence.
If you don’t have one, or you do and it’s ineffective, you’ll struggle to demonstrate to a regulator that you’re in control.
Here are some common issues we encounter.
#1 All mixed up
Operational risk, legal risk, compliance risk, reputational risk, project or programme risk, information security risk, information risk, data protection risk, and so on: these terms are routinely used interchangeably, and they are not the same thing.
We need to know what each term means, the processes needed to manage each one, and the triggers or interlocks that may exist between them in a given context (a security incident that becomes a personal data breach, for example, crosses from one register into another).
It’s complex, and anyone involved in the risk life cycle needs to understand the differences.
Education is key, especially for senior management who make critical decisions that can make or break your work.
Using the correct framework is equally important.
For example, you’ll struggle to identify risks to the rights and freedoms of individuals if you rely purely on a security risk framework: a security framework assesses risk to the organisation and its assets, whereas data protection risk has to be assessed from the perspective of the people whose data is processed.
If you are new to data protection, a good starting point is to read up on what ‘risk-based approach’ actually means.
The old Article 29 Working Party (WP29) issued a statement about this in 2014, the Statement on the role of a risk-based approach in data protection legal frameworks (WP 218). Look it up.
It may surprise you.
#2 You own everything!
Roles and responsibilities around risk are also critical.
Too many data protection practitioners end up owning risks that they have no knowledge, power or influence over.
Risk management requires delegation and people taking responsibility.
For example, if a risk is identified in relation to the use of a piece of tech, we need to home in on the most appropriate individual associated with the technology, or the process it supports, and make that person the risk owner.
The same can be said for deploying deceptive design patterns (dark patterns) in a user interface: the owner is whoever decides how that interface is designed, not the data protection practitioner who spotted the problem.
As DP pros, we need to ensure the risk management system is in place, and woven into the fabric of the company.
Don’t own risks that you have no influence over.
#3 Dusty registers
This issue is common to all kinds of risk.
Often you’ll find a wonderfully crafted *initial* risk register.
And that’s it.
Lots of valid ideas about risk treatment, but no record of which were actioned, when the risks were last reviewed, or whether the residual risk has changed since.
A register that is never updated produces no evidence, and without evidence you are not in control.
At Purpose and Means, we do things differently.
The data protection experience for employees and management is what we focus on.
We build passion and interest in data protection through highly visual, creative approaches.
Data protection is complex, and bringing it alive and making it actionable from top to bottom requires an approach your average copy/paste consultancy doesn’t provide.
Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.
We’re based in Denmark, but operate globally.
If this issue resonates, book a call to discuss your requirements!