Demonstrating your data protection compliance

Steve Macmillan

Having clear, consistent and risk-appropriate IT security policies in place to manage data security can help you comply with your legal obligations and create positive, organisation-wide change.

Most people tasked with data protection responsibilities will already be familiar with the Accountability Framework as a guide to safeguarding customer data. The Information Commissioner’s Office, which drafted the framework, states that ‘accountability is one of the key principles in data protection law – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.’

The benefits of compliance 

As well as helping you protect customer data and comply with the legislation, the framework offers you ways to inspire confidence among your clients and foster better working practices for the benefit of the entire organisation.

At Protocol, we can work with you to create IT policies and procedures to assist with accountability, compliance and data security, so your policies will:

- give staff confidence in your organisation’s day-to-day and strategic approach to data management,

- foster a culture of transparency, accountability, confidence and clear communication, and

- demonstrate to customers that your robust policies are helping to protect any personal information you hold.

The risks of non-compliance

Data protection is one of the most critical aspects of safe business conduct. You need to be able to risk-assess and monitor your data security. If a breach occurs, you must investigate, report and record it, as well as respond appropriately to mitigate the fallout and prevent further incidents.

A personal data breach can have serious repercussions for organisations, their employees and customers. These range from reputational damage and loss of business to disciplinary action and financial penalties – failure to notify a breach when required can lead to a significant fine.

Drafting effective IT policies and procedures

Across its 10 categories, the framework offers guidance on structure, strategy and policy in relation to data protection, and also sets out the ICO’s expectations of your organisation.

It explains, for instance, that your measures must be ‘appropriate, risk-based and proportionate’, and they will comprise both technical and organisational initiatives, including:

- adopting and implementing data protection policies,

- drawing up contracts with third parties,

- making and keeping documentation (this is a legal obligation), and

- reviewing and updating your policies regularly.

In terms of policy and procedure, the ICO expects your organisation to provide:

- direction and support, ensuring you have policies, procedures and manuals in place to guide your staff on their roles and responsibilities around data protection;

- review and approval processes in place to ensure your policies and procedures are effective;

- staff awareness (detailing further ways in which to communicate and publicise policy and procedure); and

- data protection by design and default – that is, an organisation-wide culture of awareness and responsibility around the topic.

How we can help

Since the Accountability Framework is not a one-size-fits-all document, you can adapt it to suit the nature of your business – and we can help. We will work with you to draw up clear, consistent IT policies that are tailored to your specific needs, and which document how information is to be managed. The policies we draw up in IT Policy Management as a Service are automatically cross-referenced to relevant industry standards and best practice, including ISO, PCI and Cyber Essentials.

Our ongoing partnership with you will ensure that your policies remain up to date and aligned with best practice, ensuring your staff are clear on their responsibilities and have access to transparent channels of communication.

Once you have the right policies in place, the process of engaging with users and monitoring their interaction with the content is both easy and visible.

Here are some of the options included with the IT policy management software:

- In Stakeholder Mode, input around policy wording can be captured from your team in the software throughout the service delivery phase.

- Onscreen policy signing makes it very easy for users to manage policy acceptances.

- Enrolled users are presented with specific content from the overall policy framework to review and accept.

- You can invite new starters or contracted third parties that are required to work with your systems and data to log in, view and accept initial policy content.

- You can set review dates and reminders to ensure existing policy content still meets your requirements.

The InSite Compliance Reporting module provides great visibility to track and report on policy acceptances, page views, and more.

There are various supporting elements – security awareness videos, topic index, glossary of terms, top security tips – to help users develop and improve their understanding of the need for good security behaviours.

Find out more

To learn more about our IT Policy Management Software and Service, contact us.
