Govern

Steer the programme and ensure that it meets its objectives and adapts to the changing needs of the organisation.

The Govern element of the programme ensures that top management is aware of the requirements of data protection, and is assured that those requirements are being met by the remaining parts of the programme, through:

  • Maintaining the risk assessments against data protection requirements
  • Maintaining the records of processing activities
  • Reporting on key performance indicators

The General Data Protection Regulation (GDPR) takes the same approach as an ISO management-system standard: like ISO 9000, it specifies the objective, not the method. ISO 9000 requires that records be kept; the QMS implementer decides how. GDPR requires that records of processing activities be kept; the data controller decides how.

In the same way, how a data controller responds to requests from data subjects (for example, access or erasure requests) may vary from organisation to organisation, and with the data processing activities affected.

Erasing personal data from records

Erasing an email address from a marketing newsletter distribution list is an easy request to complete. Removing a former employee's name from invoice documentation is not: it would require the redaction of data from financial records that the organisation is legally required to retain. GDPR does not require erasure where the processing is necessary to comply with a legal obligation, so such a request may be refused in part, with the reason recorded and explained to the data subject.

The governance element of the Data Protection Programme is responsible for the overall programme. The programme maintains the records of processing activities, analyses and mitigates data protection risks, and conducts data protection impact assessments when required.

Governance, like a monthly management review meeting in ISO 9000 or ISO 27K, tracks the Key Performance Indicators (KPIs) of the programme and, in the event of an audit or inspection, provides the evidence that the company can demonstrate its accountability for data protection.