Regular readers of my blog will know that compliance with data protection legislation is not a once-off exercise; it’s an ongoing practice that needs to be embedded in the business. In keeping with that ongoing practice, you need to perform management reviews of your programme. While the acts and regulations are not necessarily explicit about conducting a management review, they do state that the Information Officer (or similar role, depending on which law you’re looking at) needs to maintain a programme or framework, and part of this is the ongoing review of activities. While you can do this annually, I argue that it should be run much more frequently: if there are issues in February, you don’t want to only address them the following January!
Why Should You Review?
Top level management teams must be aware of how personal data is managed within the organisation. Personal Information permeates any business, and an awareness of the ebbs and flows of data throughout a business is critical for management thereof. Input from different business units may affect your programme going forward, and developments within the business need to be tracked and accounted for as far as data is concerned.
In the businesses I work with, I encourage these reviews to take place quarterly. This allows for a faster turnaround on higher-impact issues and keeps the management team aware of privacy requirements. Because the meetings are run more frequently, they are also shorter. Running a single annual meeting can consume a full day of an entire management team’s time, something that many businesses are reluctant to do from an operational standpoint.
What Should Your Review Contain?
The management review is different to auditing your programme and the operations within it. The management review is a high-level review of the company’s performance when it comes to data privacy and protection, whereas an audit of the programme is much more granular. Your management review should go over the results of the audit, but shouldn’t be bogged down in the technical detail (that is for the Information Officer). Bureau Veritas, a well-known certification body, recommends that the following be included in your review:
- status of previous management review action plans;
- results of internal and external audits;
- customer satisfaction and/or feedback from interested parties including complaints;
- incidents, breaches, nonconformities and associated corrective actions;
- the effectiveness of actions taken to address the Data Protection Impact Assessments;
- monitoring and surveillance results;
- performance of suppliers and service providers;
- any change in compliance obligations.
The outcomes of your review should include:
- opportunities for improvement;
- an action plan including resource needs;
- improvement actions, if needed, when data protection compliance has not been achieved;
- any implication for the personal data protection policy of the organization.
Maintaining a record of your management reviews and audit results is key to demonstrating accountability under the applicable laws. Holding reviews like this on a regular basis highlights the fact that privacy compliance is ongoing and should be regularly addressed. Getting a programme in place and running doesn’t need to be perfect, and it doesn’t need to be unbearably costly. In fact, ‘perfect’ is the enemy of ‘good’ and will prevent you from ever launching a programme if you wait for it. If you need a helping hand with your programme, don’t hesitate to reach out!
Ross G Saunders Consulting offers a number of solutions that can drive your compliance, from affordable 16-week group coaching programmes to help you comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.