Incorporating three lines of defence in data privacy schemes
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
Regulators, stakeholders and customers agree that there is a need for firms, institutions and any institution that holds data to have a firm grasp of their data governance model and structure. However, when boards fail to build a structured data governance model, it springs risks and can affect their core business functions. Regulators create regulations for the sole purpose of ensuring that companies abide by specific global standards when it comes to the management of data. Yet, while there are agreed standards, most companies and even government institutions fail to create a good data governance model.
The lines of defence (3LoD) are arguably one of the most robust models employed in data governance. However, there is a caveat. What works in, say, one organisation might not necessarily work for another company. Companies should build these models according to the company’s maturity level, available resources, and risk appetite in data governance.
Data privacy officers, chief information officers or chief privacy officers can build their data privacy frameworks around three lines of defence in risk management. Before describing how companies can apply data privacy risks control, it is critical to provide a high-level description of these defence lines.
The first line of defence deals with the operational controls of management. It requires business units and employees to identify, assess, manage, monitor, and report risks.
One share trading platform, for example, decided to create a data privacy team and build an operational risk management model to handle identified data privacy risks. I advised that they needed to employ the first line of defence. We were able to select the right individuals within the company that fits into this line of defence. From experience, getting this wrong leaves room for inchoate management of data privacy risks.
The second line of defence deals with support functions within the risk management schemes. Here, the development of methodologies for managing risks, awareness and training fall within this spectrum. This particular model focuses on the controls in managing existing risks.
This particular model pays attention to the policies, people, and technology to mitigate risks from a data privacy perspective. Without building this synergy, you defeat the second line of defence. This model is the data protection engine. In the trading platform case, we had to produce the right policies that define how the operational teams must handle data. We went to source the right third-party tools that would enable employees to do their job effectively and, what’s more, build the correct procedures to match the polices.
Without auditing function in a risk management framework, there is room for failure. The third line of defence, therefore, is the audit function. Such audit provides monitoring that the risk management controls are in line with the internal policies and procedures. This audit can be done internally, through a third party or an independent body known for industry standards.
The trading platform built auditing function into their risk management frameworks to ensure that their business consistently matched their policies and always comply with data protection principles.
Your business can use the three lines of defence when employing data protection schemes. These models can simplify your data governance management scheme and help you maintain a data privacy culture in your organisation.