Enhancing Data Protection Governance: Roles & Responsibilities
A core part of data privacy and protection compliance is about demonstrating accountability. This includes the ability to evidence management...
9ine : Jul 1, 2020 9:19:25 AM
In order to excel in your governance of data privacy and protection, it is essential that there is understanding and visibility of all personal data being processed by your organisation. You need to understand clearly who has access to it, where the data is held, how long it is held, and whether or not the data is shared with any third parties.
Your documentation needs to reflect the overall position and record the flow of data from collection to destruction. Your data protection regulator may request these details from you, so it is important that your documentation is comprehensive and clear.
Creating a data map or inventory is an important step in the journey towards fully understanding what data a school or organisation collects and how it is used. 9ine recommends this step is completed diligently and in consultation with all relevant parties within your school or organisation as this will help to ensure all processes are identified and detailed accurately.
In the early stages of developing your process, it is key to identify the stakeholders who play a role in the use of data, as data processing activities take place across all areas of your school or organisation. These “frontline” stakeholders can offer important insights into the use of data across your school or organisation. In a previous 9ine blog, Getting Buy-in for Data Protection Initiatives in Your School, we explored the benefits and added value of educating stakeholders and team members about the need for cooperation and considering the whole school or organisation when you start to think about developing the process needed to generate appropriate records.
All governance records must be kept up to date and reflect your current practice where personal data is being collected or used. But what happens when there isn’t a suitable tool in place for managing the processes? Well, this increases the risk that your records become out of date, inaccurate and unreliable. The data protection lead will ultimately be left without an accurate overview of the organisation’s processing activities and will be unable to track where any changes to data processing have been made.
It is therefore important that, once you have identified and involved your stakeholders, you determine a suitable process by which the records must be obtained, checked for accuracy, added to a central record and kept up-to-date. It’s often the case that some processing activities will need a Data Privacy Impact Assessment (DPIA) so you should explore ways to identify when a DPIA is required and streamline your practices to prevent a duplication of information gathering. 9ine’s Governance, Risk and Compliance (GRC) platform is designed with this in mind.
Defining clear roles and responsibilities in the early stages of the development of the process is also a key to success and can be easily achieved through clever streamlining. Think about responsibilities with regard to the collection of the required information, the creation of the record itself and updating the information in the record when needed. You can learn more about how to improve the way you manage Roles and Responsibilities in 9ine's recent blog Improving Governance of Roles and Responsibilities in Data Protection.
The records that must be kept should be stored in a centralised location. When exploring ways to support this fundamental process, schools and organisations should look beyond storing information in spreadsheets and use a proper, purpose-built tool instead. In this way one centralised system will provide a full overview of the processing activities that take place within the school or organisation. In this scenario users should be aware of the appropriate technical measures, such as access and authorisation rights (not everyone should be authorised to change or alter information).
Knowledge is power! Your school’s data map or records of processing inventory will provide an overview of all data processing activities within your organisation and enable you to understand what kind of data is being processed, by which departments and for which purposes. At 9ine, we’ve experienced first-hand how this knowledge allows schools and organisations to understand the value of clear records as it joins the dots and allows you to align projects with equivalent goals and challenges. The result is an increase in oversight for the data processing activities being carried out in your school or organisation, providing valuable insight into risk and mitigation.
Organising records of all the data processing activities that take place within a school or organisation can be challenging, particularly when many different departments are involved. We understand that, during the COVID-19 pandemic, schools have had to deal with the introduction of many new data processing activities as a result of implementing new remote learning programs, virtual event software platforms and online learning tools. We appreciate that these are challenging times for all. However, streamlining the process improves the pace and confidence at which schools can introduce new activities involving the use of personal data. 9ine’s Governance, Risk and Compliance (GRC) platform is aimed at helping schools improve their governance processes and provides a centralised platform to store, maintain and keep records up-to-date, ultimately providing a single point of truth for all data processing activities. To learn more about how 9ine's GRC gives you a full picture of how data flows across your school and records your school’s inventory of processing activities, request a trial.
ABOUT THE AUTHOR:
Olivia Malaure is 9ine's Head of Content Marketing and has worked in the education sector as both an educator and marketer for 20+ years. Prior to working in edtech marketing, Olivia worked in print media as deputy editor for a publication in the family and parenting sector. She holds a Bachelor of Dramatic Art and a Diploma of Digital Marketing (CIM).