A Policy should be a document that reflects actual business practice, and the Information Commissioner may ask to see evidence of how you have integrated policy into the mainstream processes.
It’s true to say that most policy documents are written by a specialist in a back room somewhere, often based heavily on a template without much consideration of how your organisation actually works. That no longer works, nor is it acceptable to the regulator. Nor should it be acceptable to you. A good policy document requires talking to the business areas and understanding how work gets done.
When you force your employees to adopt a process that doesn't take into consideration what they need to do their job, they find ways around it. Typically, those workarounds are less secure than the process they replace.
It is not uncommon to find security policies that leave the business less secure than before they were written.
Releasing policies that don’t cater for the practical realities of how your employees carry out their duties scores an own goal in the war to win the hearts and minds of your workforce.
When we write or review a policy, we start by understanding how work gets done, then identify whether there’s a better way to do it. Then we ensure there is always a way to manage exceptions. Once this information has been gathered, the policy is written and communicated.
Conducting DPIAs and Threat Assessments
You are required to carry out Data Protection Impact Assessments (DPIAs) under certain conditions, and it is considered good practice to do so in any case. One advantage of integrating DPIAs into standard operating procedure is the level of information and important record keeping that is generated as a natural outcome of the process.
UKGDPR creates a custom workflow procedure with OneTrust software that integrates the required roles and streamlines the entire process. So now your subject matter experts can complete their section and hand over to legal, who then hand on to IT, and so on. Risks in the processing activity are flagged and put into a register to manage. Alternatively, for smaller companies, we can set up a workflow using simple Excel spreadsheets.