A data protection management programme or DPMP is a system used to establish an effective data protection infrastructure within the organisation. A data protection management programme consists of the following elements—assessing, protecting, sustaining, and responding (APSR).

• Assessing – this involves assessing the risks within the organisation in relation to data inventory and flows
• Protecting – this involves protecting the information assets of the organisation through the implementation of security and privacy controls
• Sustaining – this involves sustaining the data protection management programme through training, communication, and regular audits
• Responding – this involves responding to privacy and data breach incidents 

How to Sustain Your Organisation’s DPMP

To ensure your organisation’s data protection management programme is effective, keep the following fundamental components in mind: 

Monitor

In data protection, this aspect involves keeping track of DPMP amongst concerned individuals. This is achieved in two steps—learning and assessment. Learning involves the creation of relevant data protection content and ensuring it is available to the people in the organisation.

Mode of delivery can be done through e-learning or face-to-face sessions. Since many organisations are adopting the work from home setup, providing content through an online portal or website has become the norm. The portal will also give Data Protection Officers (DPOs) the ability to track participation and show accountability.

Assessment involves ensuring any information the employees have on their Personal Data Protection Policies as well as the data protection regulations of the country can be easily recalled when needed. This is usually done through quizzes and tests. Tool aids like DPOinBOx can help ensure assessments can be administered quite easily.

Audit

Organisations need to conduct regular audits of their privacy or data protection programme to ensure they stay compliant. Reviewing the privacy procedures and policies of the organisation should also be part of the audit process. Current regulatory requirements should be taken into consideration as well.

Singapore’s Personal data Protection Act (PDPA) was amended and the 10th obligation that related to breach notification was added. Organisations that want to align themselves with the current PDPA amendments will have to amend their standard operating procedures (SOPs) as well as their policies.

Audits can be carried out for an organisation, department, or process. Typically, the auditing process will involve checking all the policy documents, SOPs, and notices in visible areas. Once the audit has been completed, the findings will be recorded. A report will then be submitted to the management to assess if there are corrective actions needed.

Communication

It is important for organisations to be able to effectively communicate to their employees any data protection law amendments, data protection policies, and updates on data protection matters. When new updates are sent, it is important to track those who have read the information.

This can demonstrate accountability to the regulators as it will show that the organisation has a well documented and systematic approach to disseminating data and content related to personal data. Software like DPOinBox can come in handy as it can help DPOs show management the progress of their campaigns.

To sustain their DPMP efforts, organisations need to monitor, audit, and communicate. Also, adopting software tools like DPOinBOx and other beneficial tools like GRC software can also help. A GRC software can also help increase internal efficiencies and manage regulatory and internal compliance.

Danny Watson