data protection

Establishing a data protection committee for boards

shaane syed / 12.09.16

Guest post by Matthew Pascucci, Frontline Sentinel

Within certain countries, especially in the European Union, there are certain data protection committee requirements to enforce the privacy and protection of a country’s or an organization’s data. In the United States while we don’t have comparable laws enforced, we believe it’s an idea we should still strive towards before it’s mandated by the government .

To establish a committee for data protection within an organization, there needs to be upper management approval, understanding of both risk and law, and the proper tools available to to monitor and enforce policies. The two largest concerns to data is security and privacy, and while they overlap in certain areas, each standalone individually.

When building a committee to protect these two aspects of data we’ll need to understand what the role of the committee is and how it should function going forward.

By far the most important part of the committee is the membership. There need to be chairs (preferably co-chairs) that have been either voted on or assigned to the committee by upper management or organization leadership. The committee itself should include all job functions as members not only those in the security field. By only including security professionals, you may miss out on valuable insights from other areas of the business. Membership should include representation from legal, compliance, particular business units, M&A teams, security & privacy, operations, etc.

The membership can grow, but it should be kept to individuals who have the authority and acumen to make decisions regarding the topics at hand. They don’t always have to be experts on data security but should bring knowledge of their business unit or field and how it relates to the protection of the organization’s data. This group also should be in attendance for the majority of the committee meetings (and not continually sending someone in their place). If this is allowed to happen the meeting will be derailed and won’t bring about the desired changes. The tone of the committee should be focused on making strategic recommendations regarding data security and should be less operational in nature.

The committee should be one that stimulates discussion within each business group while guiding, proposing and advising the company on how to handle data protection as an organization. They’ll have to have an understanding of the current threat landscape and where the company is with protecting their data and privacy. To be truly effective they’ll also have to understand where the gaps lie within their strategic vision. Once agreement is reached they can start putting plans in motion for standards and deliverables for subsequent meetings. By creating a vision of the future and reacting to gaps that currently exist in the company the data protection committee can start making real progress within the organization.

Proposing a plan for the future might require budget, but many times there are things that can be done without spending a dime. Creating an agenda for each meeting with the appropriate deliverables to be accomplished, for example, is a helpful way to determine the progress of the committee. Bringing metrics of these deliverables and holding those accountable for the data protection tasks will help involvement and participation. In summary, this data protection committee needs to be made up of people throughout the business who are motivated to protect the security and privacy of your organization’s data. By using this committee to shine a  light on your data protection efforts can only  improve the safety of your data going forward.