Privacy governance: Guide to an effective programme

For businesses looking to set up or operate in the UK market, a comprehensive privacy governance programme is vital to ensure compliance with data protection regulations and to enable the effective collection and use of personal data.

A privacy governance programme is important for many reasons. If a data breach occurs the consequences can be serious, including investigations by the Information Commissioner (the UK data protection regulator), fines of up to £500,000, claims for compensation, and major reputational damage. Having a privacy governance programme in place mitigates these risks by creating data protection policies and procedures to ensure that the business has clear guidance on how to deal with personal data in compliance with the Data Protection Act. It also develops a data protection culture throughout the business, ensuring that all employees are aware of data protection obligations, policies and procedures and why they exist.

Three governance models

In the local governance model, local employees take responsibility for data protection matters such as training, policy updates and reporting.

In the central model, a single data protection officer is the main point of contact for all data protection-related matters across the business and is solely responsible for dealing with communications from the Information Commissioner and other regulators.

In the hybrid model, a data protection officer is the main point of contract for the whole business but day-to-day compliance is delegated to local employees, similar to the local model.

It is important when setting up a privacy governance programme to identify the key areas of risk across the business. Often this will involve carrying out an initial data mapping exercise to obtain a good understanding of how personal data are obtained, used and shared within and outside the organization.

Alison Deighton is a partner and head of data protection and privacy at TLT LLP.