The three foundations of good data governance People, processes and technologies Creating a clear data governance strategy is crucial to making sure data is handled in line with your organisation’s aims and industry best practice. Data governance is often thought of as the management process by which an organisation protects its data assets and ensures compliance with data laws, such as GDPR. But it’s far broader than compliance. It’s a holistic approach to data and should have people at its very heart. People with defined roles, responsibilities, processes and technologies which help them make sure data (not just personal data) is properly looked after and wisely used throughout its lifecycle. How sophisticated your organisation’s approach needs to be will depend on the nature and size of your business, the sensitivity of the data you hold, the relationships you have with business partners, and customer or client expectations. Benefits of good data governance There are many benefits this activity can bring, including: Minimising risks to the business, your employees, customers and suppliers Giving your people clarity around expected behaviours and best practices Embedding compliance requirements A strong data governance approach can also help an organisation to make the most of their data assets, improve customer experience and benefits, and leverage competitive advantage. Data governance – where to start? There are three foundational elements which underpin successful data governance – People, Processes and Technologies. People Engaging with stakeholders across the organisation to establish and embed key roles and responsibilities for data governance. Many organisations look to establish a ‘Data Ownership Model’ which recognises data governance is an organisational responsibility which requires close collaboration across different roles and levels, including the delegation of specific responsibilities for data activities. Here’s some examples of roles you may wish to consider: Data strategy lead – such as Chief Data Officer / Chief Digital Officer Data protection lead – such as Data Protection Officer (DPO), if you have one Information security lead – such as Chief Information Security Officer (CISO) or Chief Technology Officer Information asset owners (or data owners) – leaders of business functions / teams which collect and/or use personal data for particular purposes. Such as HR, Marketing & Sales, Finance, Operations, and so on. Data specialists – heavy users of complex datasets, such as data analysts and data scientists. System owners – the people who manage the key systems which hold personal data, such as IT managers. Processes Think about all the processes, policies, operating procedures and specialist training provided to guide your employees and contractors to enable them to handle data in line with your business expectations – as well to comply with the law. For example: Data protection policies and provision of relevant training Specific procedures for handling individual privacy rights requests and data breaches Information security policies and provision of relevant training Standard Operating Procedures and handouts Without these in place and regularly updated, your people can’t possibly act in the ways you want and expect them to. In my experience, success comes from keeping these items concise, and as relevant and engaging as possible. They can easily be forgotten or put in the ‘maybe later’ pile…  a little time and effort can really pay dividends! Technologies The technologies which underpin all data activities across the data lifecycle. For example, your HR, marketing & CRM, accounting and other operational systems you use regularly. Data governance requires those responsible for adopting technologies to ensure appropriate standards and procedures are in place which ensure appropriate: Accessibility and availability standards Data accuracy, integrity and quality management Privacy and security Looking at privacy technology in particular, the solutions available have really progressed in recent years in terms of both their capability and ease of use. Giving DPOs and others with an interest in data protection clear visibility of where the risks lie, help to prioritise them and pointers to relevant solutions. They can also help provide clear visibility and oversight to the senior leadership team. The ‘Accountability Principle’ Data governance goes hand in hand with accountability – one of the core principles under GDPR. This requires organisations to be ready to demonstrate the measures and controls they have to protect personal data and in particular, show HOW they comply with the other data protection principles. Appropriate measures, controls and records need to be in place to evidence accountability. For example, a Supervisory Authority (such as the ICO) may expect organisations to have: Data protection programme, with clear data ownership & governance and regular reporting up to business leaders Training and policies to guide staff Records of data mapping exercises and processing reviews, such as an Information Asset Register and Record of Processing Activities Risk assessments, such as Data Protection Impact Assessments and Legitimate Interests Assessments Procedures for handling of individual privacy rights and data breaches Contracts in place between organisations which include the relevant data protection clauses, including arrangement for restricted international data transfers Data sharing agreements Ready to get started? If you’re keen to reap the benefits of improved compliance and reduced risk to the business, the first and crucial step is getting buy-in from senior leadership and a commitment from key stakeholders, so I’d suggest you kick-off by seeking their support.

What types of data protection risk are there? Data protection risks come in all shapes and sizes. They are not always easy to identify. How do we know what to look for and how serious they could it be? There are risks to individuals (e.g. employees, customers, patients, clients etc) which are paramount under data protection laws. But there are also commercial and reputational risks for businesses relating to their use for data. Risks could materialise in the event of a data breach, failure to fulfil individual privacy rights (such as a Data Subject Access Request), complaints, regulatory scrutiny, compensation demands or even class actions. We should recognise our service & technology providers, who may handle personal data on our behalf, could be a risk area. For example, they might suffer a data breach and our data could be affected, or they might not adhere to contractual requirements. International data transfers are another are where due diligence is required to make sure these transfers are lawful, and if not, recognise that represents a risk. Marketing (either in-house, agency or tech platforms) could also be a concern, if these activities are not fully compliant with ePrivacy rules – such as the UK’s Privacy and Electronic Communications Regulations (known as PECR). Even just one single complaint to the regulator could result in a business finding themselves facing a PECR fine and the subsequent reputational damage. The seven core data protection principles under UK and EU GDPRs are a great place to start when trying to identify where data protection risks may lie. Data protection principles 1. Lawfulness, fairness and transparency Is what we’re doing legal? Have we identified a suitable lawful basis, and are we meeting the conditions of this lawful basis? Is it fair and ethical? Are we being transparent about what we do in our privacy notices? See DPN Lawful Basis Guide 2. Purpose limitation Are we only using personal data in the ways we told people it would be used for? We might want to use their data in new ways, but are these compatible with the original purpose(s) we gathered the data for? If we surprise people, they’ll be more likely to complain. 3. Minimisation Are we collecting, using and holding onto more data than we actually need? Is some data collected and kept ‘just in case’ it might be useful in future? 4. Accuracy Inaccurate or out-of-date personal information could lead to false assumptions which could come back to bite us. 5. Storage limitation Hoarding data for longer than necessary could mean the impact of a data breach is much worse. Over-retention of people’s data could be exposed when handling a Data Subject Access Request, or an or Erasure Request. See DPN Data Retention Guidance 6. Information Security Have we implemented robust security measures and controls to make sure personal data is protected, when at rest on our systems and when its transferred? 7. Accountability Are we in a good position to defend what we do with the data? If scrutinised, do we have suitable records & evidence to demonstrate that we’ve taken data protection seriously? See Quick Guide to Data Governance The lengths we go to try and embed these principles across our organisation will clearly differ depending on the sensitivity of personal data involved and what we’re using it for. When considered what security measures are appropriate, we should take a proportionate approach. Some activities can automatically bring with them more risk. For example; handling special category data (such as health data, biometrics, sexual preference and ethnicity), collecting children’s data, using innovative technology such as AI and any activities which could result in an automated decision being made about someone. We need to consider people’s privacy rights and have procedures in place to handle any requests we receive. For example, their right to be informed, right of access, right to object, right to erasure and so on. An inability to fulfil such requests may draw unwelcome attention. In certain circumstances it’s mandatory to conduct a Data Protection Impact Assessment (DPIA). Conducting an assessment can often be useful, even if what you’re doing doesn’t fall under the mandatory criteria. It can help us to identify data risks from the outset so you can put measures in place to mitigate risks before they have any opportunity to become an issue. See DPN DPIA Guide. Mistakes can happen Here are some issues or gaps which could lead to data protection risks coming to the surface. People-related risks – such as lack of training and lack of governance or ownership Process risks – such as poor data handling procedures or manual processing on Excel / Sheets. Technology risks – such as ineffective controls on core systems, or ineffective archiving/deletion processes. If you don’t know where your risks lie, you won’t have a handle on how much risk the business is carrying. You may have several significant risks, but multiple low-level risks could also prove damaging. Listen back to our online discussion: Managing and Assessing Data Protection Risks

Top 10 Data Protection Tips for SMEs Is it onerous for SMEs to become compliant? One of the stated aims of the UK Government’s Data Protection and Digital Information Bill is to support small businesses and remove unnecessary bureaucracy.  As context, there are 5.6m businesses in UK of which SMEs (less than 250 employees) represents 99% of the total. According to IAPP research approximately 32,000 organisations in UK have a registered DPO. It’s right, therefore, to focus on SMEs.  But how onerous is small business data protection now? Arguably, the answer is, not as onerous as you might think. We’ve created a top 10 checklist for start-ups and small businesses to help you decide what you should be concerned with:  1.     Do I need to worry about data protection regulation?  Yes. Pretty much any business processing personal data for commercial purposes need to worry about data protection. (It does not apply to purely ‘personal or household activity’). Having said that, the law and regulatory advice focuses on taking a ‘proportionate’ approach. There’s no one size fits all and it will depend on the risk appetite of your organisation.  2.     Do I need a DPO? Probably not. If the answer to these three questions is no, you don’t need a DPO… Are you a public authority or body? Do your core business activities require regular and systematic monitoring of individuals on a large scale? Do your core business activities involve processing on a large scale ‘special category data’, or criminal convictions or offences data? Even if you don’t need a DPO, it’s wise to nominate someone in your organisation as a data protection lead. This does not need to be a full-time role. Alternatively, you can outsource this activity to someone/a company who can provide the support on a part-time basis.  3.     Do I need a RoPA (Record of Processing Activity) Maybe. There’s no escaping the fact RoPAs are challenging documents to complete and can absorb a huge amount of time. Companies with more than 250 employees must always keep a RoPA – that’s just under 8,000 businesses in UK. If you have less than 250 employees, you don’t need a RoPA if the following applies: Processing does not pose a risk to the rights and freedoms of the data subject  No special category data is being processed If the processing is only done occasionally The debate start when you consider what constitutes a ‘risk to the rights and freedom of the data subject’. It’s worth considering the type of data you handle rather than the volumes to help you decide whether to complete a RoPA. As a start up, you may not need a RoPA as defined in the legislation. However, having a record of what information is processed, for what purpose and under what lawful basis is a good idea even if the ICO RoPA form is not.  There are changes afoot with regards to the RoPA under UK data reform plans, but a record of your activities may still be necessary, just not as current prescribed. 4.     Do I need to register with ICO? Almost certainly YES. The ICO asks all businesses that process personal data to pay the Data Protection Fee. This is used to fund the ICO and its activities. This isn’t onerous. In fact, most small businesses will only have to pay £40 (or £35 with a direct debit). And that’s before you’ve considered whether you’re exempt. Not for profit status is a possible example.   5.     Do I need a privacy notice (policy)? Yes. A privacy notice is a foundational piece of your data protection work. Any organisation which processes personal data needs to set out what data they are processing and how they are processing it as well as the data subject’s rights. The ICO’s checklist provides very clear guidance for what must be in a notice and what might be in a notice. 6.     How about a cookie notice? Yes again. If you have a website, assume you need a cookie notice. Even if all you’re doing is using cookies to manage the performance of your website, a cookie notice is required. This does not need to cost money. You can get free software from the major privacy software providers. They have simple step by step set up guides. There is really no excuse not to have a cookie notice.  7.     What about accountability? Yes, but make it proportionate. In a nutshell, accountability means ‘evidencing your activities’. Keep a record of what you do, why you’re doing it and your decision-making. It also means making sure you have appropriate technical and organisational measures in place to protect personal data. Have staff been adequately trained in data protection? Do we have clear guidelines and/or policies to help them?  8.     What about Individual Rights?  Yes. Every individual has clear rights and irrespective of the size of the organisation you need to fulfil these requests.  These rights include right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing. Not all of these might apply to a small business but it’s important to decide how to recognise and respond to these requests from individuals.  9.    Don’t forget information security Yes. Cyber Essentials was designed for SMEs. Arguably it’s the absolute minimum for any business. It does cost money but not a lot. Gaining the Cyber Essentials certification (if self-certified) costs £300. The five technical controls are:  Boundary firewalls and internet gateways Secure configuration. Access control. Malware protection. Patch management. 10.  What about International Data Transfers?  Hopefully no! If you and your suppliers are only operating in UK and Europe stop reading now. However, if any data is exported to a third country (such as USA, South Africa or India), there’s no escaping the fact that international data transfers can be painful to work through.  When EU-US Privacy Shield was invalidated in 2020 this caused significant problems for data transfers between US and EU/UK. At the time, Max Schrems’ advice was to only work with companies based in UK or Europe who are not exporting data to third countries. However, this isn’t always possible – just consider how many people use Google, Microsoft or Mailchimp.  Many, if not most, businesses will have dealings with these three and the reality is that you must accept they’re not going to change anything for you, or choose not to use them.  Conclusion Many small and start-up businesses can get ready relatively quickly. The trick for small business data protection is to review your arrangements on a regular basis and be aware if any more complicated processing emerges. For instance, anything involving automated processing, special category data, AI or children’s data carries significant risk and should be treated with care.  There’s more helpful information available on the ICO’s Small Business Hub.

Privacy Management Programme – what does one look like? The concept is nothing new, but the term Privacy Management Programme (PMP) has been flung into the spotlight by the UK Government’s plans to reform data laws. In a nutshell, the Government plans to revise the current accountability framework, replacing existing obligations (some of which are mandatory) with a requirement to implement a PMP. It’s argued the current legislative framework ‘may be generating a significant and disproportionate administrative burden’ because it sets out detailed requirements organisations need to satisfy in order to demonstrate compliance. The idea is a new ‘risked-based accountability framework’ will be introduced, requiring organisations to implement a PMP, but allow flexibility to internally tailor the programme to suit the organisation’s specific processing activities. What is a Privacy Management Programme? A PMP is a structured framework which supports organisations to meet their legal compliance obligations, the expectations of customers and clients, fulfil privacy rights, mitigate the risks of a data breach – and so forth. Such a programme should recognise the value in taking an all-encompassing, holistic approach to data protection and privacy; embedding data protection principles and the concept of privacy by design and default. Core components of a Privacy Management Programme There are a number of PMP approaches and frameworks in existence. The UK Government has not yet elaborated on what they would expect a PMP to look like. This top-level summary is broadly based on the IAPP’s Privacy Programme Management approach. Governance Organisations should develop and implement a suitable framework of management practices which make sure data is used properly and in line with organisational aims, laws and best practice. This should include adopting a privacy by design and by default approach; ensuring appropriate measures are in place to prevent unnecessary risks. Assessments Achieving clear oversight of the data held and processed, including any suppliers used to support business activities. Developing risk assessment tools which help to identify privacy risks and manage them effectively (e.g. Privacy Impact Assessments / Data Protection Impact Assessments). Record-keeping Mapping and maintaining an inventory of where personal data is, its purpose, how it is used and who it’s shared with. Policies Developing and implementing clear policies and procedures to guide staff and give them clear instructions about how personal data should be collected, used, stored, shared, protected and so on. Training and awareness Making sure adequate and appropriate training is conducted to give staff the knowledge and understanding they need to protect and handle data lawfully and in line with organisational expectations in their day-to-day roles. Making sure people are aware of how their organisation expects them to behave. Privacy rights Putting in place appropriate procedures to effectively and efficiently fulfil individual privacy rights requests, such as the right of access, erasure or objection. Protecting personal information Crucial to any PMP is protecting personal information. Working in conjunction with information security, a data protection by design approach would be expected – a proactive rather than reactive approach. Data incident planning Creating and developing data incident procedures and plans. Having appropriate methods to assess risk and potential impact, as well as understanding breach notification requirements. Monitoring and auditing Last, but by no means least no PMP would be complete without a methodology for tracking and benchmarking the programme’s performance. What might change? To many who’ve endeavoured to comply with the GDPR, all of the above will sound very familiar. So, the Government isn’t proposing we do away with all the hard work already done. It’s planning a relaxation to some of the mandatory requirements; giving organisations more flexibility and control over how they implement certain elements of their programme. On the one hand, this could be seen as a welcome move away from a ‘one-size fits all’ approach under UK GDPR, giving organisations more flexibility around how implement their privacy programmes to achieve desired outcomes. On the other hand, there are fears the removal of mandatory requirements will lead to a watering down of the fundamental principle of accountability (a principle significantly bolstered under GDPR).