There is an organisational structure for managing data protection and information governance, which provides strong leadership, clear reporting lines and responsibilities, and effective information flows. This could mean clear management roles and responsibilities for staff in the information security or records management departments.
Ways to meet our expectations:
- The board, or highest senior management level, has overall responsibility for data protection and information governance.
- Decision-makers lead by example and promote a proactive, positive culture of data protection compliance.
- You have clear reporting lines and information flows between relevant groups, such as from a management board to an audit committee, or from an executive team to an information governance steering group.
- Policies clearly set out the organisational structure for managing data protection and information governance.
- Job descriptions clearly set out responsibilities and reporting lines to management.
- Job descriptions are up to date, fit for purpose and reviewed regularly.
- Data protection and information governance staff understand the organisational structure and their responsibilities.
Can you answer yes to the following questions?
- Do staff report that your organisational structure is effective?
- Is there a positive and proactive culture of data protection compliance across your organisation?
- Are staff aware of their responsibilities and those of others within the structure?