Trend: How to make company-wide collaboration work

When we talk to information security and data protection professionals, one fact pops up again and again.

Published: 
January 29, 2025
Jacob Høedt Larsen
PR & PA


Non-professionals are key to a sustainable GRC programme.

  • That’s people who think ISO 27001 is a Star Wars droid. 
  • People who cannot cite GDPR article 5 and might even call it the “GPDR”. 
  • Heck, it might be people who think that great cybersecurity hygiene is NOT writing their password on a sticky note.


It’s not just about awareness training. 

If you want to build a great, sustainable GRC programme for your data protection and information security, these people are the key to making it work. That is what we have found.

To understand that, we need to take a step back and look at the problems of centralised data protection and information security.

5 problems of centralised compliance

If you find yourself in a centralised GRC function, you will experience one or more of these five problems:

  1. You don’t get the information you need from your organisation. An example: Marketing has already implemented a new system before you hear about it.
  2. You experience a knowledge gap. You know about data protection or information security, but to be effective you need information from the people who know the practices of the business.
  3. You struggle to get the message out into the organisation that data protection and information security are important.
  4. Key-person vulnerability. You are the only one who knows your data protection and infosec programme. If you leave, everything has to start over.
  5. You get buried in administration and don’t spend your time on the right things.


The thing is: Most GRC professionals realise this.

It is, however, difficult to come up with a solution. After all, we still need a lot of deep knowledge about information security and data protection to make it work.

Here’s what we’ve seen work. 

The hybrid organisation - part of the solution

The hybrid organisation is one that combines deep knowledge of information security and data protection with the practical knowledge of strategies and processes within the business. The first part is a (probably centralised) information security and data protection function.

This is where the professionals with in-depth knowledge of compliance, privacy and information security sit.

They should:

  • Set the GRC strategy
  • Secure buy-in and regularly communicate with top management
  • Make sure you have a structured overview of your systems, vendors and processing activities
  • Keep an eye on your Information Security Management System (ISMS)
  • Uncover the demands on your information security and data protection from regulators, the business, customers and other stakeholders
  • Decide on the GRC workflows (some call them playbooks) and systems to use
  • Capture and process new developments that challenge the GRC programme:

    • New systems
    • New processes
    • New risks
    • New legal requirements or customer demands

Operators who know the business

Moreover, you need operators within the business units or departments of the organisation who are responsible for parts of data protection and information security. They need to know enough about privacy and infosec, but their main task is knowing the business.

They should:

  • Share responsibility for specific processing activities
  • Share responsibility for vendor assessment
  • Share responsibility for specific awareness training
  • Share responsibility for security efforts

Still an uphill battle

We see more and more organisations build hybrid GRC programmes. 

  • It feels liberating, going from paper tiger to real cyber security and data protection.
  • Buy-in is higher.
  • Data protection and information security pros feel more integrated into the organisation.

It’s like a honeymoon. 

However, they quickly realise that collaboration is great … but difficult.

Two things happen. 

The non-compliance people find it difficult to contribute. When they are asked to review a processing activity, they have no idea what to do. When they are asked for information on a new system, they don’t know which information is necessary.

On the other hand, the GRC pros have a hard time keeping track of what is happening in the hybrid organisation: which tasks are being carried out, which are overdue, and whether everything is going to plan.

Build for collaboration

That’s why we think a GRC solution must be built for collaboration.

Our solution is:

  • Built-in best practices and in-app help, so that non-compliance people can easily see what to do, and
  • A state-of-the-art Task Manager that makes it easy to get a complete overview of what is happening within the hybrid organisation.

This article is part of a series on 5 trends that turn fragile data protection and infosec into sustainable GRC programmes.

The trends are:

Trend #1 From centralised authority to company-wide collaboration

Trend #2 From tick-the-box compliance to balanced decision-making

Trend #3 From problem-oriented to solution-oriented

Trend #4 From legal thinking to strategic involvement

Trend #5 From managing data subject to caring about people
