When developing any sort of Privacy Programme, there are a number of key components that need to be included. Information Officers have a duty to ensure that these components are in place and are running effectively and efficiently. 5 of my top components of any Privacy or Data Protection Programme are listed below.


You need to have some form of overarching governance programme and strategy in place, at the very least you should have a programme charter defining the responsibilities and your approach to data protection. How are you handling things? Who will be involved? What are your timelines? How will you deal with risk management? All these items need to fall into your strategy.

Policy Management

The first component that a regulatory authority will look at is your policy framework. You need to ensure that you are embedding your data protection efforts within your company policies. A strong policy management approach, along with effective controls and distribution, make for a solid foundation of your programme.

Cross-border Data Transfers

A major stumbling block for many companies and a complex area to manage is that of cross-border transfers. Many privacy laws do not allow for transfers across borders without some sort of protection and agreement in place. Different countries have different laws, and in the case of a transfer from a stronger legal system to a weaker system, additional steps will need to be taken to ensure compliance.

Privacy by Design and Default (GDPR)

Privacy by Design and Privacy by Default involve your strategy for using Data Privacy Impact Assessments and any internal development of processes, products, services and operating procedures. You need to have risk management in place and be looking at your impact and likelihood of issues within any sort of development – particularly when sensitive information is involved.

Information Security

Both physical and logical security need to be considered when it comes to Data Protection. Items such as vulnerability assessments and penetration tests become paramount for software companies at this point. In addition to security around development, you need to look at Identity and Access Management (IAM), backup procedures, disaster recovery and internal processes for encryption and other policies.

Information Officer Training

These components are not an exhaustive list of what needs to be in your programme. There are many more aspects you need to consider when managing compliance with privacy legislation. Ross G Saunders Consulting offers a 1-day training course for Information Officers called “Practical Privacy”, detailing these components and many more. If you’d like to know more, select an upcoming training course in your area.

Share This

Share this post with your friends!