
Three Things to Consider When Setting Up Data Compliance

This article highlights three items that we consider important when it comes to #data compliance. It is based on the work that MZIZI-Africa is doing to support organisations in implementing or strengthening their compliance systems.


1. Apply the age-old #compliance frameworks when implementing data compliance.

These frameworks are tried and tested, and they provide a useful implementation structure that covers:

- policies and procedures (including code of conduct and #ethics),

- effective #communication (hotline),

- training,

- compliance office (outsourced or in-house),

- #audit and monitoring,

- consequence/accountability management, and

- third party transactions.


You will note that registration with the Office of the Data Protection Commissioner (ODPC) is not listed as an element on its own.


Registration is a necessary but not sufficient aspect of compliance.


In fact, we consider registration, particularly the declarations made in that process, as exposing organisations to compliance #risks relating to incorrect / misleading disclosures.


To illustrate, review the declarations made during registration, specifically those on #data processing activities and technical measures, against actual practice. Do the structures and practices that would support those declarations actually exist, or should we congratulate your firm for completing yet another tick-box exercise?


2. Benchmark against global, not just local, legislations.


We live in a global village, and #Kenya is a regional hub. The probability that your organisation is processing other nationalities' data is high.


The ODPC is increasingly, judging by last year's activities, looking to the EU to develop its jurisprudence on data compliance.


This is why, in designing the 350-point MZIZI-Audit tool, we looked to the gold standards in data compliance for inspiration.


The compliance team needs to continuously update its understanding of these standards and of emerging jurisprudence as part of its continuous professional development.


3. Involve your ICT Teams.

Legislation does not exist in a vacuum. Data legislation seeks to influence how organisations process data. This data is stored in systems, and data may be baked into an organisation's business model.


Working without the technical teams is fruitless and can compromise compliance efforts. This is particularly relevant when implementing privacy-by-design principles.


Our decision to work with an IT consultant in this regard bears testimony to this.


Conclusion

Large organisations typically have specialist functions that deal with specific aspects of regulation, with consolidation being achieved at the apex. Smaller organisations, on the other hand, may not do this and instead consolidate data compliance into the overall regulatory compliance framework, whether or not this feeds into the enterprise risk management framework.


Therefore, when conducting annual or regular legal audits, data compliance becomes a part of the overall regulatory risk management.


---

mzizi-africa.com

Compliance, simplified.