On Monday 14 January, techUK held a briefing exploring how data governance is managed in companies that operate in a global context.
- Dyann Heward-Mills, CEO, HewardMills Ltd (A global DPO service headquartered in the UK)
- Gerard Chan, Vice-President, Legal, Symantec
- Deahne Baker, Senior Legal Counsel, Marken
- Kasey Chappelle, DPO, GoCardless
The panel had a wide ranging discussion looking at:
- The various data governance frameworks and standards being considered and implemented by Data Protection Officers (DPOs), Chief Privacy Officers and Privacy Offices;
- The cross-functional and operational challenges faced globally by organisations and measures taken to overcome them; and
- Tips on best practice steps required to put your organisation in a defensible position and to leverage good data governance as a market advantage.
Key challenges and the role of DPOs
Speakers discussed the common challenges faced by DPOs across all organisations. These included:
- Understanding what data organisations hold, where it sits and where it might go;
- The challenges around understanding and utilising data from various different legacy systems; and
- Mitigating known risks, and knowing when escalating a problem is appropriate.
It was agreed that a competent DPO will not just have a good understanding of data flows within a company, but put in place a system by which processes can be implemented around key data checkpoints.
Some attendees suggested that a lot of people see the role of a DPO as inward-facing; however, the panel agreed that they should have a key outward-facing role, engaging with relevant authorities and organisations. This is in order to ensure a good understanding of current trends in regulation and forthcoming changes. It was suggested that engaging an external DPO service offers benefits in this regard, as DPOs that simultaneously work with a number of organisations will have a more complete understanding of how regulation can be (and is being) applied across sectors.
All speakers agreed that every DPO should look to engage with regulators regularly whether or not they have breaches.
Beyond compliance – implementing data strategies
One key area for discussion was how data governance is not just about data protection and following regulations. Whilst compliance with a myriad of international regulations should be a key aim for any organisation, it should not be the start and end point of a company’s data strategy. Many in the room argued that the General Data Protection Regulation (GDPR), for example, has overemphasised the importance of complying with legal regulations, whereas the fundamentals of data governance are more important. Speakers agreed that putting in place a strategy which focuses on privacy by design would in fact lead to compliance, whilst at the same time creating an internal framework for good data governance. Furthermore, it was agreed that the majority of international agreements have broadly similar goals, and as such working towards compliance with one will help with others too.
Some speakers outlined how they are approaching this within their own organisations, with one example being the creation of a Privacy Operating Model. This has seen a network of ambassadors created amongst a range of employees, who can then flag and filter issues up the chain to the legal and senior management team. It was stressed, however, that each organisation is different and that developing a culture that respects privacy is most significant. What works for one company won’t necessarily work for another.
Effective operations and improving company cultures
Speakers agreed that implementing processes within an organisation to protect and safeguard data is important, but also that over-emphasising this can lead to a cumbersome and ineffective strategy. Too much process can mean that data privacy becomes a tick-box exercise for employees. Processes cannot be as simple as a form to fill in or an email to send, but must be something which employees can understand and engage with, seeing the value to both their role and the wider organisation. Ensuring that employees get to that stage is another key aspect of the DPO role.
Where data functions sit within an organisation will also vary depending on the company’s purpose, scale and capability. Scale is often an important factor for those companies trading internationally in different regions and jurisdictions, as it will often allow for a high capability but at the same time a larger degree of complexity. Here senior leaders should be looking to ensure a relevant and effective team has oversight of the entire organisation rather than placing responsibilities into silos.