How to manage ongoing Data Protection compliance


Once you have assessed the status quo of data protection compliance in your company, the question often arises of how to implement a framework that enables you and your colleagues to manage compliance on an ongoing basis.

You may have assessed your gaps and prioritised your risks, but while you are working through those priorities, the company continues to launch new projects, onboard new vendors, hire new team members and receive new data requests from customers, all the while dealing with what are probably daily cyber-attack attempts. It is often a juggle between catching up and managing the day-to-day.

This can be a lot to take on. We have created this guide with tips on how you can manage and implement ongoing data protection compliance.

If you're looking to set up your initial framework, we recommend reading our 6-Step guide to get started with your Data Protection program.


1. Choose your weapon

Assuming you have done your scoping and all of the groundwork and want to hit the ground running, one of the first things to do is choose the tool(s) you will use to manage everything, if you haven't done so already.

Depending on the size of your company or your client's operation, Excel may work perfectly fine. However, it can have its limitations when you want something more collaborative to manage the progress of activities and engage with the individuals who are responsible for certain tasks.

Just like you would manage a new marketing campaign or product release, the right tool can make the management of many different tasks a lot easier. Here you can choose project management solutions like Monday.com, Asana, Jira or ClickUp.

If you want to keep everything in one platform that covers both your compliance management and your project management, you can work with tools like Palqee.


2. Identify and assign a process owner for each department or business function

It's important that process owners understand their responsibility to keep you in the loop. Whenever something happens in the company that you should be involved in, you can then be sure you are brought in at the right time and not as an afterthought when it's already too late.

Make sure they know exactly what they're supposed to do when certain controls are triggered that fall under your scope. For example, every time a new employee joins (or leaves) the company, HR creates a ticket - using your tool of choice - so you can ensure the correct onboarding procedure is followed.


3. Plan regular review meetings with process owners

Depending on your organisation or client, plan this meeting at least every quarter. If you're working on something urgent, such as achieving ISO certification or similar, make it more frequent. Plan these meetings regardless of whether you already know in detail what will be covered in the meeting. When it comes closer to the date, it's highly unlikely that there is “nothing to talk about”.

At the very least, use the meetings to re-assess whether everyone is clear about their responsibilities and whether there are questions or uncertainties.

In addition, regular meetings bring consistency to your compliance program, and will over time ensure compliance becomes part of the day-to-day operation of your organisation.




4. Keep things organised


A) Create workflows for recurring activities

These are all of the activities that are, to a certain degree, repetitive. For example, this includes the review of your policies and procedures every x years, or the assessment of a new vendor, which always follows a certain process.

Workflows can include the scheduling of tasks in advance, automatically assigning responsibilities and following a set of tasks in a certain order.

These recurring activities are part of your general maintenance. They're always there no matter what other projects and things are happening, and these activities are quite predictable which makes it easier to plan ahead and understand how much you and your colleagues can manage on a monthly basis.


B) Prioritise one-off projects and tasks based on risk

Assuming you've done your gap analysis and discovery (if not, that is a good place to start), you will have a range of things that need to be implemented. From here it makes sense to categorise them according to risk.

Once that's done, create your action plan, and prioritise activities according to urgency. Depending on the risk, these are activities that involve different teams and different levels of effort.

Depending on the complexity, they may take several months to implement or maybe just a couple of weeks. Implementation is often also influenced by budget, various stakeholders, and the overall business strategy. Take that into consideration while planning. Those projects run in parallel to your recurring activities.


C) Have a process for unknown events

These are things that can come in at any time, such as data access requests from customers and employees, as well as security incidents and data breaches, and they usually take priority over everything else.

Depending on the event, the procedure may already be covered by your business continuity plan. Generally, for unknown events you may not know WHEN an event will happen, but you can still plan WHAT to do if it happens. Data requests are a good example: you don't know when a customer or employee will make an enquiry about their data, but regulations outline clearly how you need to respond and within what timeframe. This means you can have a procedure in place in advance, so that when a request comes in, you and your process owners already know what to do.


5. Get into the habit of monthly reporting

If you read our guide about setting up your initial data protection compliance framework, you will know that monthly reporting is tightly linked to measuring and tracking KPIs. The first step is to know what your KPIs are and make sure they are aligned with all relevant stakeholders; otherwise you won't know what your report should cover. The monthly report can feel like unnecessary extra work, but there are ways to automate its creation, for example with the help of tools.

In addition, these reports help you demonstrate your progress to all stakeholders. They enable you to identify risks that might otherwise have gone unnoticed, and you can hold everyone accountable as you track whether they are delivering on their responsibilities and tasks.

If it's not something you've done in the past, the beginning may be a bit bumpy, and you may not have a lot of data to work with initially. That's fine: every month it will get better until you have a format that works for you, and your stakeholders will appreciate it as something tangible. These reports are also excellent for demonstrating your GRC efforts to authorities.

Here are some examples of what you can track:

- Security incidents:
  • Number of incidents that involved personal data
  • Number of incidents that were a data breach
  • Number of incidents that were resolved within X amount of time
  • Number of incidents that remain unresolved, and why
  • Etc.

- Vendor risk management:
  • Percentage of all vendors that have been assessed against company policies and requirements
  • Percentage of high-risk vendors (over time you'd want that number to go down)
  • Average time to process a new vendor

- Data requests / Subject rights:
  • Average number of requests per month
  • Average time to respond to requests
  • Breakdown of request types over time (access requests vs. deletion requests, etc.)

- Risk management and mitigation:
  • Number of risks broken down by high, medium, low
  • New risks added
  • Risks mitigated
  • Overall risk score

- GRC management:
  • Number of requests from teams / colleagues
  • Number of open tasks
  • Number of activities processed
  • Engagement rate
  • Response rate (e.g. for data mapping)
  • Average time to process one activity / ticket


A final note

You will notice a lot of similarities with how other business functions project-manage their work. We've learned that treating compliance as a mix of various projects, large and small, helps to reduce barriers to engagement. Colleagues and clients find it easier to operate this way, as it's often something they're already used to from their own way of working. Working in projects broken down into tasks allows participants to understand the scope and expectations and to track progress more easily.

