In Part 1 of this blog series, we discussed Mastering Data Protection. If you now understand the technicalities behind data protection laws, processes, and cybersecurity fundamentals, you are then one step closer to implementing a robust Data Protection Management Program (DPMP) for your organization.
A recap of the 6 essentials for Data Protection Officers (DPO) we are touching on in this series:
Understanding DPO Basics
To be an effective DPO for your organization, the following is a list of essentials in any Data Protection work:
- Master Data Protection
- Gather Management Support
- Form a DPO team
- Conduct a Gap Analysis
- Build a Data Protection Management Program (DPMP)
- Run the DPMP
For any DPO to drive a robust and successful DPMP, buy-in from management is integral to eliminating the roadblocks across the organization — which can be a challenge to navigate, especially for a DPO who is new to the organization or role.
In Part 2 of the 6 Essential Things Every DPO Needs To Be Effective series, I will zero in on the best practices behind gathering management support in these three areas — (1) Garner Cross-Functional Support, (2) Focus On Good, (3) Identify Data Protection Champions.
Garner Cross-Functional Support
The implementation of a DPMP comprises significant process changes and the work of educating the organization on those changes, all of which require extra resources in the form of manpower and budget to expand and train the DPO team.
For instance, if the DPO needs to implement a penetration testing process that affects all applications that store personal data, this program would require:
- Management to first approve the program
- Finance to approve the budget
- IT to coordinate the pentest with the security vendor
- Developers to patch the vulnerabilities
Since the process changes in a DPMP have a cross-functional impact, a top-down approach to making the changes a reality will be more efficient than one where a DPO tries to implement the new processes alone.
Focus on Good
Fear, Uncertainty and Doubt (FUD) is a common tactic that DPOs employ to get management support. The harsh reality and penalty for not endorsing a DPMP — a breach of Data Protection laws, plus reputational and financial damage — are self-evident. For smaller businesses where sensitive Personally Identifiable Information (PII) is crucial to business operations, on top of the cost of non-compliance, a serious data breach could spell the end of the business.
This fear-based approach, however, does not put a DPO in an advantageous position with top management in the long term. Excessive use of it could promote skepticism or even contempt.
Instead of always using the stick, successful DPOs strive to get management aligned with the benefits of Data Protection compliance. Not only does this mitigate data breaches, but by being transparent to customers about how your organization is committed to data security, this privacy assurance can go a long way to fostering long-term brand loyalty among your best customers. In Singapore, for instance, the mark of a robust DPMP is an organization being awarded the Data Protection Trustmark Certificate. For customers, this is proof of a modern and trustworthy organization.
Identify Data Protection Champions
Rather than adopt a me-against-the-world approach to speaking to management, successful DPOs understand how critical it is to first partner with other internal stakeholders who care about compliance generally and about Data Protection in particular. This way, they have a stronger voice both for speaking to management and for disseminating the message across the organization.
Obviously, the more influence the Data Protection champion has in the organization, the better. This person could be the finance manager, since finance tends to hold a considerable amount of sensitive data. It could also be the revenue director, who would be concerned about the hit to revenue should a data breach happen.
In my experience, I have seen the strongest support come from senior management directly, to the extent that it was a board member who came to the DPO’s support because of the former’s cybersecurity background.
The DPO Learning Journey Continues
Because many elements are out of a DPO’s control, there is ultimately no textbook answer for how best to obtain management buy-in for the implementation of a DPMP. Joining a DPO network to learn from the experience of other DPOs is an excellent way to accelerate one’s learning journey.
In the next installment in this series, we discuss the topic of forming a DPO team, so stay tuned.