Within other countries, especially Europe, there’s requirement to have data protection committees to enforce the privacy and protection of a countries or organizations data. Within America we don’t have those particular laws enforced here, but it’s something we should still strive towards even if it’s not mandated by government….yet. By establishing a committee regarding data protection within an organization there needs to be upper management approval, understanding of risk and law and the proper tools to complete the job. With this in mind the two largest concerns to data itself is security and privacy. These two topics overlap in certain areas, but can each standalone individually. When building a committee to protect these two aspects of data we’ll need to understand what the role of the committee is and how it will function going forward.
By far the most important part of the committee is the membership of who’s been asked to attend. There needs to be chairs, preferably co-chairs, that have been either voted on or assigned to the committee by upper management or leadership. The committee itself should include all walks of life when it comes to its members and not only include those in the security field. By only including members within security you miss out on valuable insight from other areas of the business.
Membership should include representation from legal, compliance, particular business units, M&A teams, security & privacy, operations, etc. The membership can grow, but it should be kept to individuals who have the authority and acumen to make decisions regarding the topics at hand. They don’t always have to be experts on data security, but should bring knowledge of their business unit or field and how it relates to the protection of the organizations data. These members should be a cross-functional group of individuals working together with potentially a few advisors to help guide the conversation. This group should be in attendance for the majority of the committee meetings and not continually sending someone in their place. If this happens the meeting will be derailed and won’t bring about change. The tone of the committee should be one of top down management that’s making strategic decisions about data security and should be less operational in nature.
The need for this committee should be one that stimulates conversation with each business group, while guiding, proposing and advising the company on how to handle data protection as an organization. They’ll have to have an understanding of the current threat landscape and where the company is with protecting their data and privacy. By understanding this they’ll also have to understand where the gaps lie within their strategic vision. Once this occurs they can start putting plans in motion for standards and deliverables for subsequent meetings. By creating a vision of the future and reacting towards gaps that are in the company currently the data protection committee can start making real progress within the organization.
With this progress, there will also need to be resources, budget and metrics. Proposing a plan of the future might require budget, but many times there are things that can be done without even spending a dime. Creating an agenda for each meeting with the appropriate deliverables to be accomplished is a helpful way to determine the progress of the committee. By brining metrics of these deliverables and holding those accountable to the data protection tasks will help involvement and participation. Long story short, this data protection committee needs to be made up people throughout the business that are looking to the future to protect the security and privacy of the data your organization holds. By using this committee to shine a light to your data protection efforts it can improve the safety of your data going forward.