Data Protection Framework

Management and governance: the organisation makes it clear who is responsible for data protection, has a written and clearly articulated policy approved by the board and ensures that a culture of data protection is set and championed by senior management.

Risk assessment: regular data protection risk assessments are carried out within the organisation, in relation to third parties and in respect of new activities or products.

Security environment: provisions are made to ensure that both physical and information security systems are secure.

Legal environment: the legal environment is monitored to ensure that any changes to applicable data protection legislation are met and that the legal implications of any data transfers are properly understood.

Operational data practices: the organisation can evidence that whenever or wherever data is processed, policies and procedures are firmly in place to protect that information.

Managing employees who handle data: awareness of data protection is high with policies and procedures easily accessible and regular training carried out.

Managing routine access by third parties: steps are taken to ensure that business partners, service providers and other third parties understand and abide by the organisation’s data protection practices.

Managing requests: systems and protocols are in place governing the disclosure of data and the response to data access requests.

Breaches: the organisation regularly checks for data breaches, has a system in place for reporting concerns and takes remedial action when necessary.

Monitor and review: senior management review the effectiveness of data protection procedures providing reports to the board of effectiveness along with information on any data breaches.