
Responding to an audit
Top 3 data protection program issues and how to start resolving them: #23
Our last post was about preparing for an audit.
You'll receive a report once you finish the audit or inspection.
If the report is positive, you’ll have little to do - apart from reflecting on your good work and the investment your company makes in data protection.
A damning report can hit you like a ton of bricks, confirming your worst fears about not being in control.
Your response to a critical report is crucial - here are 3 common issues.
#1 Taking it personally
You may be responsible for data protection in your company, but you depend on the actions of others.
You need to identify which colleagues to assemble and delegate responsibility to them.
This includes reviewing the findings, categorising them, root cause analysis, prioritisation, and planning.
If you’re sitting with the report alone, or just within your team and taking things personally, you are already beating yourself up unnecessarily.
Data protection is a team sport, and you need to assemble the team in a structured, facilitated workshop.
#2 Haphazard approach
The approach you use to respond to an audit will reflect upon how you demonstrate Accountability.
You need to use a structured approach to review the findings, sort and categorise them, identify root causes, identify actions, prioritise them, and then estimate and plan the work.
All this work will generate evidence - a key element of Accountability.
I wrote an article outlining a structured approach I’ve used for years here.
I recommend you read it if you have an audit report sitting in front of you.
#3 Empty words
Often you’ll find actions defined and written as responses to the audit, but never executed.
Defining actions requires planning, estimating, seeking funding and, finally, getting budget approval.
There are no blank cheques, and nobody is sitting around waiting for you to give them work.
You may need to tap into operational mechanisms, such as a business case process or portfolio management.
Once underway, you’ll need to closely monitor that all actions are carried out, especially where you rely on others across your organisation.
The auditors will eventually check this themselves, so it pays to be ahead of them and ensure there are no awkward questions later on about broken promises.
Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.
We’re based in Denmark, but operate globally.
If this issue resonates, book a call to discuss your requirements!
