Many recently appointed DPOs find communicating with the board daunting; for most of them it is an unfamiliar environment.
You will probably be asked to give occasional board presentations, but these are unlikely to be your main channel of communication with the board. What you will need to do on a regular basis is submit written board reports. If this is not something you are currently required to do, suggest it: the GDPR (Article 38(3)) requires the DPO to report directly to the highest management level, and a regular written report is the simplest way to evidence that this is happening.
This is a guide to what you should include in a GDPR board report and why it is an opportunity to meet other GDPR requirements as well as fulfil internal expectations.
Why GDPR Board Reports Are Important to Compliance
The thing to understand about the GDPR is that, at a basic level, it demands that you demonstrate your compliance efforts as much as it expects perfect outcomes. The accountability principle in Article 5(2) makes the controller responsible for being able to demonstrate compliance, not merely for achieving it. Compliance itself obviously matters. However, it is impossible to create a hermetically sealed data environment, and regulators understand that. Breaches are always a possibility and mistakes happen.
The GDPR has expanded the rights of individuals over their data, and has set a higher bar when it comes to data protection standards. However, what it really requires is that organisations show what they are doing.
You need to be able to outline what you are doing right now to protect data, and what you are planning to do in order to further improve those outcomes. You need to be able to demonstrate a defensible position when it comes to your data collection, processing and retention policies.
Board reports allow you to do this because they summarise the actions you have taken as DPO: assessments of data processing, recommendations made and an overview of the actions taken in response. In a sense, your board reports are a summary of the conversation you would have with a regulator in the event of a breach.
What this does from a compliance perspective is create a continuous, archived record of the actions you have taken to meet regulatory requirements. Being able to show that this information was communicated to your board makes it more significant still as evidence of compliance. This record, and its ability to show a culture of compliance throughout the hierarchy of your organisation, is the bedrock of your defensible position on data privacy.
- GDPR requires organisations to demonstrate compliance.
- Board reports are a great opportunity to create a summary of the actions you have taken as DPO to ensure compliance.
- Submitting that information to your board demonstrates a culture that values compliance.
- Board reports are the bedrock of your defensible position when it comes to data collection, processing and retention.
How to Write a Board Report
How often and how rigorous your interactions with your board will be is dependent on the internal requirements of your organisation. Data-heavy and dynamic operations will require larger and more regular reporting because they will require more regular assessments. Boards and management that are interested in taking an active role in data protection may require more regular engagement.
At a minimum, you should set aside a day every month to compile an overview of everything you have done as DPO. It is prudent to keep detailed records of all your actions and recommendations in real time; the monthly report is a high-level summary drawn from those records, and it will be what you look back on when you need to reconstruct your history of data protection. Simply take the information you have already catalogued and write a brief that sets out the various actions you have undertaken as DPO.
This information can then be submitted to your board. Date each report and keep it alongside the board minutes that record its receipt, so that the paper trail shows not only what you reported but when the board saw it. Regardless of how involved your board wants to be in the process, that trail of communication is beneficial to GDPR compliance in its own right.
- Keep records of all your actions as DPO in real time.
- Once a month, set aside a day to create a high-level summary of those recommendations and actions.
- Submit that summary to your board.
Contents of a GDPR Board Report
How long and detailed your board reports will be is dependent on the extent of your actions as DPO. That, in turn, will be dependent on the nature of your data processing operations. Your reports may vary from month to month, but should broadly cover the same structure.
- Timeline of DPO activities and actions:
  - Monitoring and compliance
  - Data protection awareness training
  - DPIA activities
  - Information about any data breaches
- Opinions on guidance and improvements
- Include records of previous advice and whether or not it was followed
- Summary of the period of time in question
Here is an example report.
Data Protection Impact Assessments (DPIAs) will be a major part of your report whenever any have been carried out during the period in question. Set out why a DPIA was undertaken (under Article 35, one is required where the processing is likely to result in a high risk to individuals), then include what the process uncovered: the risks identified, the measures adopted to address them, any residual risk, and whether the supervisory authority had to be consulted before the processing began (Article 36). Record breaches in the same way: what happened, whether notification to the supervisory authority was required under Article 33, and when it was made.
Summary: Board Reports are a Great Way to Stay on Top of the Regulatory Requirement to Demonstrate Compliance
Your board reports should simply be an overview of what you have been doing as DPO — recommendations you have made, and a summary of the assessments and actions taken to improve data privacy. This is necessary to keep your board updated on what you are doing. From a compliance perspective, it is a fantastic means of creating a defensible position around compliance.
A large part of GDPR requirements is the ability to demonstrate compliance. It is impossible to create an environment that is completely impenetrable to risks. What you need to do is be able to sit down with a regulator and talk through what you and your organisation have been doing to keep data safe and constantly improve outcomes.
If you think about a school exam, the focus is often less on your answers and more about showing your work. The GDPR is the same. The regulator wants to see how you are working to maintain compliance, and what you plan to do in order to improve the situation.
If you have to sit down with the regulator to discuss data privacy, something bad has probably already happened. At that point, what matters is being able to demonstrate that the failure occurred despite reasonable measures on your part, not to argue that it was nobody's responsibility. Even if your organisation has fallen short of full compliance, being able to show that you have improved practices, and have plans in place to continue doing so, will likely affect the severity of any fine the regulator levies: the technical and organisational measures in place and the degree of cooperation with the supervisory authority are among the factors Article 83(2) directs regulators to weigh.
Board reports not only provide you with a high-level and ongoing record of your activities that you can fall back on if needed, they provide an archive of communication between you and management that itself bolsters the claim that you are actively striving to improve data privacy outcomes. You shouldn't think of the board report as simply a task required to keep management updated on your activities. It is part of how you demonstrate compliance and is, therefore, a core part of your role as DPO.