Solving Problems or Putting On A Show?

Patrick Oh
Published in DataFrens.sg, Sep 17, 2022

Having been involved in Performance Management and in Governance, I often wonder why the many laws that were created did not come with clear instructions on the documentation requirements, instead of leaving the interpretation of the implementation open, resulting in so many institutions being created to do just that. Isn’t this a waste of time?

If we see a problem and we need to solve it, we simply look at the problem from various angles using critical thinking, and then quickly come up with various potential solutions. Of course, in designing the solutions, the process needs to be guided by PRINCIPLES, with a FRAMEWORK to set out the areas to look into; then the required DOCUMENTATION for the IMPLEMENTATION needs to be drafted as the ACTION PLAN.

The current “COMPARTMENTALISE” approach is simply a waste of time! You have one group discussing for years to come up with the principles, then another group discussing for years to draft the law and then leaving it there. Then various groups are formed to come up with the framework and the proposed documentation for the implementation, leaving much of the work undone, with many people wondering what law was passed and how to go about it, while so many organisations are created to talk about it.

The WORLD has many REAL PROBLEMS that need to be SOLVED, so we cannot be wasting time churning out policies without getting things solved! It looks like all these policies (laws) have only churned out many “time-wasting mechanisms” instead of truly looking into the problem!

Design a Solution that can solve multiple problems

Let’s take the Privacy Laws that have gained much attention due to the increased number of breaches globally. We can see that the OECD has drafted the Principles, and then various government entities have drafted their Privacy laws from these principles (GDPR, PDPA, PIPL, etc.). Then we also see so many organisations created to look into the implementation of these mandatory laws in the organisation, with so many different “standards”. Law firms would say that just drafting a Privacy policy will do to comply with the Privacy law, while consultancy companies familiar with compliance will say that you need a whole set of documentation. Then you get another group set up to lay out certification, training, etc., and great confusion is created, with companies not even knowing what the Privacy law is.

If something is launched as mandatory to solve a problem, then the authority has to provide the tools and enforce the application of the tools to solve the problem. A strategy then needs to be drafted on how to help organisations use these tools and then register their application of these tools. In this way, you quickly get the problems tackled, instead of wasting years and seeing that organisations are still so lost!

For example: The Privacy Law

Essential Tools / Documentation Requirements based on the Principles and the Privacy Law:

  • Data Flow Diagram
  • Data Inventory Map
  • Various Notices indicating the Purposes for the collection of Personal data
  • Various Consent forms needed for purposes requiring future communication, e.g. customer support, marketing, etc., with a clear procedure for withdrawal of consent
  • Data Accuracy verification and Access and Correction procedure
  • Privacy Impact Assessment (PIA) — Organisation Data Flow
  • Data Protection Impact Assessment (DPIA); for processes with high risk
  • Documentation of Various Controls to ensure proper protection of the data, based on the PIA, with the required register/log for monitoring
  • Retention and Disposal SOP
  • Data Portability Procedure
  • Cross-Border Transfer Requirements and SOP
  • Vendor Selection SOP
  • Dispute Resolution Integration to Customer Support
  • Awareness and Training Plan — Including Cyber Essentials Training
  • Incident/Breach Response Plan; includes Breach Notification Plan
  • Internal Audit Plan

With such clear requirements, software developers can create an integrated solution to assist organisations in drafting this documentation for their implementation, or the necessary templates can be made available for organisations to manually draft their Action Plan. Then a proper registration of each organisation’s compliance can be made. In this way, you quickly ensure organisations know what to do and get things done fast, either by themselves or by engaging consultants to assist them.

There are many problems in the world that we really need to look into, so many resources can be channelled to these instead of wasting so much time creating confusion and spending so much time on one problem.

References:

OECD Privacy Principles: http://oecdprivacy.org/

Patrick is a Singapore Certified Management Consultant providing PDPA consultancy, performance management, solutions design and community development.