When it comes to data protection leadership and oversight, there can be a lot to consider. At the recent Data Protection Practitioners’ Conference, a recurring theme expressed by ‘front-line’ data protection specialists was their concern that their most senior colleagues do not appreciate the importance and value of their work.
I never fail to be amazed at how many of our clients possess dedicated, proficient Data Protection Officers, or leads for their information governance, yet their most senior managers and members of the Board appear to have little understanding of the vital role they undertake.
Similarly, when supporting and advising Senior Information Risk Owners (SIROs) and Board members on the risks and threats of failing to comply with the legislation, we constantly advocate that those in senior roles should set the standard for compliance: they should lead by example and ensure they take a proactive and positive approach to data protection within the organisation.
Accountability is one of the key principles contained in the UK GDPR, and that accountability begins with well-informed leadership and oversight by Board members. In general, a board of directors in a public or private organisation provides oversight and strategic guidance.
As an experienced board member of a variety of organisations, I always approach board meetings with keen scrutiny of how the organisation is performing against the information governance standards expected of it, both legally and from a best-practice perspective, in its internal processes and procedures.
The majority of the elements on most board meeting agendas will require some form of data protection consideration.
I like to remind the meeting that ‘The Board’, or highest senior management level, has overall responsibility for data protection and information governance and I would hope that the hundreds of SIROs and Caldicott Guardians (CG) we have trained would do likewise.
What is good board governance and data protection leadership?
Firstly, there should always be a member of the Board who leads on information governance. This is usually a trained SIRO (or CG) but may be other specialists who have a data protection background. I have known data protection experts to be temporarily brought into meetings to support decision making for specific, challenging items on the Board Agenda.
This may become especially relevant as more and more organisations adopt some form of artificial intelligence (AI) within their operations. Whilst the application of privacy considerations to AI processes is still evolving, there is no doubt this topic should be (and will inevitably become) a significant constituent of decision making for early AI adopters.
All Board members should proactively seek assurances regarding the levels of data protection compliance in their organisation. There are some valuable steps to take to achieve this, including:
- Make sure you have a clear, effective organisational structure for managing data protection and information governance, from Board level across the whole organisation.
- Make sure you understand your organisation’s strategic risk plan, risk register or similar document. If this does not include reference to complying with the UK GDPR, you may need to task a review or re-write to ensure non-compliance is recorded as a risk to the organisation.
- Task a self-evaluation from your DPO, or appoint an independent assessor to analyse your current information governance processes and protocols. A good DPO or information governance consultant will be able to highlight any significant gaps, areas of weakness or non-compliance. If necessary, prepare an action plan with regular reporting back to the Board on any required improvements, timescales, etc.
- Ensure that your data protection and information governance staff understand the organisational structure and their own responsibilities.
- Review the levels of expertise, training and awareness across the organisation. The Information Commissioner’s Office (ICO) states that “training and awareness is key to actually putting into practice your policies, procedures and measures”, and it expects all employees to receive some role-appropriate training, covering both the data protection principles and a culture of respect for privacy standards. Your training must be relevant, accurate and up to date.
- There should be clear reporting lines and information flows between relevant key groups, for example from an information governance management board to an audit committee, or from an executive team to an information governance steering group.
Unless there are emerging substantial risks that require urgent improvement, we usually advise a considered, pragmatic approach to improvement, focussing on any areas of your information governance that you know aren’t as strong as others, or where you already have plans to improve.
Improving Board members’ awareness and ownership of data protection issues can significantly contribute to a longer-term process of moving towards high-quality governance.
BLS Stay Compliant deliver experienced, high-quality, respected training and support for Board members across all public and private sectors. Get in touch to find out more.