Having a policy and procedures in place will make it absolutely clear who is responsible for sorting things out when they go wrong.
We’ve recently provided advice to an organisation that’s had a data breach. They hadn’t done anything wrong but they were the target of a web hack.
A number of people – including us – were involved in rapidly sorting out the response, but as the dust began to settle it was clear that there was (and is) a gap at the top of the organisation where the responsibility for data protection and information security should have been.
Policies aren’t necessary in every organisation or in every case, but if there are more than a handful of people in your company then the chances are that it will benefit from documentation that makes the following clear to everybody, no matter the topic:
- What is to be done (the required outcome)
- How the required outcome will be achieved
- Who is responsible for achieving the required outcome (hint – responsibility should be very closely matched to the authority to make things happen)
- The roles that others in the organisation must play to help it achieve its required outcomes
Policies bring structure to an organisation and can be very brief, high-level documents. In most cases, however, they should be supplemented by procedures which set out the specific actions to be taken in any given circumstance. In the case of the data breach, there was no policy in place setting the required outcomes for the handling of personal data, nor was there a procedure for the action to be taken in the event of a data breach. Had they been in place, it would have been clearly understood who was to do what and to what end. The breach might even have been avoided in the first place.
It’s not quite the Story of Everybody, Somebody, Anybody and Nobody, but a policy framework can help bring calm when things go wrong.
If you need to find out more about how we can help develop policies for your organisation, not only for keeping data secure, book a free 15-minute initial consultation.