Policy serves as the foundation in any data privacy governance framework. It sets out the principles and rules that guide the execution of data privacy efforts throughout an organisation. Policies guide companies towards compliance obligations to data privacy regulations and can serve as the conduit to guide business functions in the processing of information or carrying out day-to-day activities.
However, most companies fail to follow the basic tenets embedded in their policies. This happens because companies fail to build an appropriate policy lifecycle management framework. A policy lifecycle framework, when built, helps with the implementation and dissemination of the policies. If this is not done, then the policies will remain paper tigers.
In implementing a policy, an organisation should employ a RACI matrix methodology or follow industry standards. The RACI acronym simply stands for responsible, accountable, consulted, and informed. So, in implementing policies, organisations must first consider who needs to be responsible for drafting and ensuring that the policies are actionable. Who would be accountable? Who needs to be consulted before the policies go live, and who needs to be informed? When these questions are addressed, compliance with the policies becomes a walk in the park.
The task to create a policy can be quite demanding in many organisations and this can be so for many reasons.
First, policies must be action-oriented in that the use of words suggest what to do and not necessarily filled with fluffy words. For example, a CCTV policy can suggest how to handle certain data within a particular system.
Also, to attain compliance, the words within the policies must be testable. There is no need saying that workers should maintain a clear desk when they need some paper documents to carry out their day-to-day activities. The onus lies on the policy writer to fact-check whether the statement within the policy is achievable.
After policies are drafted then the organisation shifts to the procedures. Procedures are detailed, step-by-step processes that individuals and organisations must follow in specific circumstances. For example, a data subject access request should be handled according to the prescription set in the policy. If a data subject asks for their right to be forgotten, then the responsible personnel knows how to go about it by following the prescribed steps in the DSAR policy.
Procedures ensure a consistent process for achieving a data privacy objective. Organisations create these steps for building new systems, releasing new products driven by the privacy by design principle and responding to data privacy incidents and carrying out many tasks.
Compliance with policies and procedures must be made mandatory and organisations should employ measures of consequences when these policies are not followed. If these disciplinary measures are not put in place, then compliance with the policies will be hard to attain. As such, organisations who want to comply with regulatory laws and build businesses that really care about the privacy of their customers must ensure that they have right policies in place and that their staff are properly trained to follow them.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com
