Notes from the compliance front line: a governance framework that works


Scrabble tiles spelling out the words I am inevitable on a purple background

One of the words that often comes up when we talk about data protection governance is the idea of a framework: something to help you get your head round, and keep on top of, compliance requirements, policies, processes, and everything else associated with ‘data protection’. This can be very daunting for a small organisation. Search online for this term and you’ll be overwhelmed with results. There are more templates out there than you can shake a stick at; how do you know which might work for you? Some go to the ICO website, hoping for a helping hand. But if you want to use their accountability framework, make sure you have a spare few hours, a supply of coffee and some painkillers for the inevitable headache!

The resources out there

Now before I am accused of bashing a regulator trying to provide resources, the ICO website can be helpful. In my experience it can be less helpful for small organisations, and the accountability framework can be a bit much for them. I note the ICO has recently launched a data protection audit framework, as an extension of the accountability one, and with revamped toolkits. It has expressly said this is not aimed at small organisations.

Many years ago, the Nymity framework was all the rage, and thick physical card copies were handed out at every DP conference. Hands up if you still have one. This too is a kitchen-sink approach - everything you might conceivably need for all aspects of governance. Fantastic for a large organisation, mind-melting for a small one. Some large organisations look to international standards, such as ISO 27701. That’s often unrealistic and out of reach for small orgs. And there are countless software tools out there that aim to help you get to grips with all your different compliance obligations.

Ahh! My head hurts!

If you are a small organisation, where on earth do you start? In my experience, with my clients, it’s best to keep it simple. I have used some of the above-referenced frameworks, along with my experience, to distil the key governance elements into a simple framework of 10 headings. These headings cover topics such as where responsibilities sit, policies and processes, training, and so on. I usually start by having conversations with relevant people at the client to go through this framework and understand what they do or don’t have in place.

Ask good questions, focus on outcomes

I have tweaked and adapted this framework over the years and have found that the key to its success is focusing on asking the right questions, avoiding jargon, and focusing on outcomes. Instead of using technical or legal terms, I ask questions, in plain English, to understand what the organisation has done to achieve a given outcome.

For example, I could ask how they implement the transparency obligations, whether they have privacy notices for different audiences, or whether they provide just-in-time data processing information. Instead, I ask questions like these:

  • How do you explain to your staff what personal information about them you collect and use?

  • How do you explain to an external audience what personal information about them you collect and use?

And I replace ‘external audience’ with the categories of people I know the client deals with. Sometimes it helps to break it down even further. For example, I might ask an HR person to start by thinking just about the recruitment process, and what they tell people in job ads (if anything) about the application process. Then we move on to what they tell people throughout the application and interview process. And so on.

This approach meets people where they are, and gets them to focus on aspects of their job they are familiar with. It avoids having to explain potentially complicated data protection jargon. And it provides the information on what the organisation is actually doing to meet a compliance requirement. (Or is not doing, in some cases.)

The other benefit to focusing on outcomes is that you don’t miss things that people use different terms for. Most people think about privacy notices as the only way to manage the transparency requirements. But many organisations with some kind of user journey also provide information along the way - a classic way of doing ‘just-in-time’ notices. But they don’t call them that, and they don’t often think about this information as being anything to do with data protection. And you can sometimes find inconsistencies between that info and what’s in the website privacy notice!

One-stop shop

My template framework is intended to be a living document, to be updated as needed along the way. It provides the organisation with a ‘one-stop shop’ view of how they are doing DP governance at any given time. Some clients colour code - green for stuff in place, amber for things being worked on, and red for ‘to do’. It can act as a signpost: some clients have used it like a contents page, and from it link out to actual policies, processes, drives, folders or intranet spaces.

Because it’s simple, and focused on questions about outcomes, it is easily adapted to any client: to their data processing, their internal terminology and their needs. We can use it to look at what their key risk areas are, based on compliance requirements, what is and isn’t in place, their risk appetite and the resources they have to make progress.

Secret sauce

Ultimately, the only governance framework that works is the one you actually use. There is no secret sauce to creating one that suits your organisation. The complex frameworks I mentioned at the start cover everything you could possibly need and then some. So you can start by using them to identify the key governance topic areas. You don’t need to produce anything complicated if that doesn’t work for you.

If you are a small organisation struggling with your governance framework, or perhaps struggling to even get started, get in touch, and let’s get you sorted.