Frustrated man

Reporting data protection status

Top 3 data protection program issues and how to start resolving them: #19

At the end of each week, month or quarter, data protection leaders put in a lot of effort to assemble and circulate a report that provides a status of their work over the past period.

In many cases, the effort is a complete waste of time.

Here are three reasons this is the case.

#1 Meaningless metrics

Different people in your company have different needs.

If you don’t identify their requirements or the decisions they may need to take, you’ll have little chance of fulfilling their needs.

Don’t assume you know what people want.

Ask them.

If you have close alignment with the business, align reporting with their needs.

It’s an opportunity for you to show value.

Number of consent withdrawals after a new marketing campaign?

That’s surely a valuable insight for your CMO if the info is not available elsewhere.

What other insights can you provide that bring value?

And don’t just report lots of things because you can measure them.

Who is interested in them and what value do they bring?

#2 One size fits all

I worked in a company once where a weekly status was circulated in one long email to between 50-100 people.

It was a ‘one size fits all’ list that you had to sift through each week to see if any bits were relevant - and often there weren’t.

Use a simple structure and navigation - make it easy for the reader.

If your program is large or complex, consider producing tailored reports for different groups of colleagues.

Less is more.

#3 Stuck on red, or always on amber

Align your reporting with any reporting principles and definitions that may exist in your company.

Especially principles that dictate that a program can’t be reporting red for ever.

Or amber for that matter.

Or, unless a complete disaster has occurred, a program can’t go from green to red.

Some senior colleagues may not like red or amber and the fact they prefer you not to use them doesn’t remove the underlying issues that mean you need to reflect reality in your status reporting.

Insisting on green is often about avoiding the exposure of dirty laundry.

The graphic shows a typical program reporting setup I recommend for companies that don’t have much in place: simple structures, no fancy tools, measure a few things that provide value, start small and grow from there.

Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.

We’re based in Denmark, but operate globally.

If this issue resonates, book a call to discuss your requirements!

Petruta Pirvan
Tim Clements
March 6, 2023


Other posts

June 2, 2023
Disseminating policies
Tim Clements
May 27, 2023
Ineffective controls
Tim Clements
May 26, 2023
DPIA on a page
Tim Clements
May 25, 2023
GDPR on a page
Tim Clements
May 22, 2023
GDPR 5 years old - is it really?
Tim Clements
May 9, 2023
Employee engagement
Tim Clements
May 2, 2023
Managing risk
Tim Clements
April 13, 2023
Copy/paste consultancies
Tim Clements
April 6, 2023
Controller/Processor life-cycle
Tim Clements
March 30, 2023
Responding to an audit
Tim Clements
March 23, 2023
Data protection templates
Tim Clements
March 11, 2023
Data protection program control
Tim Clements
March 6, 2023
Reporting data protection status
Tim Clements
March 2, 2023
The lone data protection army
Tim Clements