Demonstrating and achieving compliance with data protection legislation remains a significant challenge for business, and the Covid-19 pandemic has only increased it. BDO Jersey’s head of governance Mel Pardoe discusses the challenges businesses face in ensuring data governance and considers how organisations can manage their data assets.
When implementing data governance regulations within an organisation, siloed and duplicated work is common, with multiple spreadsheets, conflicting versions and burdensome policy documents.
This creates an information management burden for business leaders, where time and effort are focused on finding the correct documentation at the right time rather than delivering business outcomes.
Organisations can also lack a formal ‘approval process’, which means there is no oversight for the board and no ability to demonstrate compliance to the regulator, auditors or clients. These gaps in the audit trail and approval chain can lead to costly fines from the regulator and reputational damage with clients.
Your organisation may also have implemented GDPR, data governance and data protection as a one-off project, in which a record of data activities was created and then never updated, or was kept in isolation from real-world business activity. This can result in processing activities being carried out without DPIAs being performed, or third-party data processors being onboarded without due diligence. The result is a lack of ‘live’ documentation and accurate record-keeping.
It can also be difficult to promote a culture of privacy by design and to devolve accountability and ownership of data privacy activities throughout the organisation, so that the data protection officer can step back and perform their monitoring function without being conflicted.
Finally, if staff are not aware of what they need to do to keep data safe, they are more likely to cause a breach, to fail to recognise one, or to initiate data processing without considering the data privacy implications.
These challenges in demonstrating and achieving compliance are felt across many organisations, and there are several tools that can address them. We built our own software tool, ROBUS, to use across our organisation. It is now used not only in Jersey but also in other BDO countries, and we sell it to customers. ROBUS aims to bring all activities required by GDPR together in one place, online. This means no more documents gathering dust, no more Word templates with endless versions, and no more unwieldy Excel spreadsheets.
ROBUS enables organisations to create and manage data inventories, retention schedules, GDPR contract compliance, service providers, registrations, data breaches, subject access requests, data protection impact assessments and risks. This is done in real time, with tips and guidance along the way. ROBUS also has built-in and customisable visual oversight for boards and senior management teams.
All records are easy to reach and are linked together. Businesses can see which assets are affected by a data breach, or whether a data protection impact assessment has been written for a processing activity. This keeps the data consistent and free of duplication, enabling businesses to work more efficiently.
All data-processing activities and records are owned by a member of the organisation. This allows senior managers to devolve responsibility for data processing throughout the business. If someone joins or leaves, their records can be reassigned with one click.
ROBUS is powered by the latest Microsoft technologies. Because it is built on the Power Platform, data is held securely in a robust environment. It is not just a technical solution to compliance: the content has been written by compliance experts, so it is also statutorily accurate. If it is in the law, it is in ROBUS.
Please contact Mel at email@example.com or Damon on firstname.lastname@example.org for further information on ROBUS and how BDO’s advisory practice can support your business.