A Data Protection Programme coordinates and controls all the activities required to meet the requirements of data protection legislation. It ensures that records of data processing are created and maintained and that the risks of data processing are identified, assessed, and appropriate actions agreed. The programme assures a regular review of the risks and tracks the performance of the plan.

The overall governance of the programme maintains the records of data processing and the risk assessments to ensure that resources are allocated appropriately to the other parts of the programme.

Prepare activities plan the introduction of new services and identify the controls required to ensure these services comply with regulations.

Assure activities ensure the quality of processing in line with the data protection requirements.

Service activities respond to the data subject requests, whether received through your website, by phone or mail.

Control activities prepare for and manage breach events. Plans are maintained and exercised as part of this activity so that when a breach occurs each team is clear in its roles and responsibilities to manage the breach and ensure the best possible outcome for the company.

Security is an important consideration and activities in the “Assure” phase will ensure that security controls established during the “Prepare” phase operate during production.