Lack of collaboration with your organisation is detrimental to your privacy and infosec programme.
If you’re unable to create a climate of co-operation within your organisation, you will be less effective as a compliance pro AND data protection and information security will suffer.
The solution: Officers and Operators.
This is what we discuss in this episode of podcast 'Sustainable Compliance'
We discuss one of the five sustainable Compliance trends: Going from central authority to company-wide collaboration.
5 problems of centralised compliance
If you find yourself in a centralised compliance function, you will experience one or more of the 5 problems:
- You don’t get the information you need from your organisation. An example: Marketing has already implemented a new system, before you hear about it.
- You experience a knowledge gap. You know about privacy, however to be effective, you need information from the people who know about the practises of the business.
- You struggle to get the message that privacy and information security out.
- Key person vulnerability. You are the only one who knows about your privacy and infosec programme. If you leave, everything will have to start over.
- You get buried in administration and don’t spend your time on the right things.
In other words: You need to make co-operation happen in your organisation.
The solution: Compliance Officers and Operators
A hybrid compliance function comprising Compliance Officers and Operators is the fix to this problem.
The first part is a (probably centralised) “compliance office” of Compliance Officers with in-depth knowledge of compliance, privacy and information security.
They should:
- Set the compliance strategy
- Secure buy-in and regularly communicate with top management
- Make sure you have a structured overview of your compliance platform of systems, vendors and processing activities.
- Uncover the demands on our compliance from regulators, the business, customers and other stakeholders.
- Decide on the compliance workflows (some call them playbooks) and systems to use.
- Capture and process new developments that challenge the compliance programme
- New systems
- New processes
- New risks
- New legal requirements or customer demands.
Operators who know the business
Moreover, you need Operators within the business or departments of the organisation, responsible for parts of privacy and infosec.
They must know quite a lot about privacy and infosec, however, their main task is knowing about the business.
They should.
- Share responsibility for specific processing activities
- Share responsibility for vendor assessment
- Share responsibility for specific awareness training
- Share responsibility for security efforts
