Example: Governance Model for Data Protection (GDPR)

This is an example of a data protection governance model for a medium-sized organisation. It is designed to support GDPR compliance, with a focus on accountability and clarity of responsibilities.

Published: 
November 18, 2024
Jacob Høedt Larsen
PR & PA

Jacob Høedt Larsen, PR & PA at Wired Relations, is the host of Sustainable Compliance podcast and an expert on GRC workflows, supported by software, setting up a GRC program, managing a GRC team and securing management buy-in.


1. Roles and Responsibilities

Executive Management

Holds ultimate responsibility for GDPR compliance and sets strategic priorities. Approves all data protection policies and guidelines.

Data Protection Officer (DPO)

Must be involved in all significant matters concerning data protection. Advises management, oversees the organisation’s data protection efforts, and reports directly to the executive team. Acts as the point of contact with the Data Protection Authority.

Compliance Officer

Runs the GDPR compliance programme day to day (ultimate responsibility stays with executive management): maintains and enforces internal procedures, provides training for system owners and staff, and coordinates between system owners, operations, and IT.

System Owners

Accountable for the lawful processing of personal data and privacy compliance within the systems they manage.

HR, Sales, Marketing and Other Departments

Ensure day-to-day compliance within the processes and data activities they oversee.

IT Department

Responsible for implementing and maintaining the technical measures that secure processing (Article 32), based on the risk assessments for each system.

2. Decision-Making

  • Quarterly Governance Meetings
    Scheduled and led by the Compliance Officer, with participation from the DPO and senior management.

  • New System Process
Any new system must be documented in the register and risk-assessed before it is put into use. Final approval is given jointly by the Compliance and IT teams (the compliance board).

  • Data Protection Impact Assessments (DPIAs)
Required for any processing likely to result in a high risk to individuals (Article 35), and completed before the processing begins, not after.

  • Reporting
    The DPO delivers an annual report to executive management.
    The Compliance Officer reports quarterly, focusing on data breaches and risk assessments.

3. Policies and Documentation

All policies and documentation are managed in Wired Relations and include:

  • Register of systems and suppliers

  • Article 30 Record of Processing Activities

  • Risk assessments and mitigation plans

  • Privacy policies (internal and external)

  • Consent policy, data deletion procedures, etc.

4. Monitoring and Follow-Up

  • Annual Audit
    All processing activities are audited once a year.

  • Vendor Oversight
    Based on a risk assessment and a review schedule approved by Compliance.

  • Management Reporting
    Delivered quarterly to ensure continuous oversight.

  • Risk Reviews
    Conducted annually or upon significant changes; this includes revisiting existing DPIAs.
