10 ways to ensure a successful policies and procedures strategy

If you’re reading this blog, chances are you’re already aware of the importance of policies and procedures in the workplace.

Besides being a powerful legal tool for GDPR, policies and procedures play a vital role in safeguarding your company’s compliance plan. The general guidelines of a policy, supported by the corresponding step-by-step instructions of its procedures, provide employees with a clear roadmap to follow, giving them the information and structure they need to execute compliance strategies as planned. 

However, in order to deliver consistency and compliance across your organisation, it’s not enough for these policy structures to simply exist. They need to be implemented and maintained effectively if you want to achieve real results and impact.

A smart approach to your policy and procedure strategy is the subject of the sixth episode in our webinar series ‘Compliance best practices’ featuring DPO Catherin Raasdal from Basisbank. With a background working for the Danish Data Protection Agency, as well as Ernst & Young, Catherin shared some of her in-depth knowledge around planning, implementing and maintaining policies and procedures.

Read on for our main takeaways from the conversation, including advice on policy creation, which factors to consider for the long-term success of your policy structure, and how to ensure your colleagues engage with new policies and procedures. 

First up, what is a policy? And how does it differ from a procedure?

Before we get to our key learnings from the webinar, here’s a quick breakdown of some key definitions within this GDPR space.

  • Policies are internal documents that outline where a company stands on different GDPR issues. They don’t need to be too detailed as their main aims are to show a company’s commitment to GDPR and provide an overall strategy for a business’ data protection activity.

    Some areas you may cover in a policy include: the purpose of the policy, who the policy applies to (internally), relevant principles or legislation (e.g. Article 30) and information about data subject rights. 
  • Procedures support policies by detailing practical information relating to policy implementation. They should bring a policy’s intent to life through step-by-step tasks.

    For example, if a policy dictates an employee must delete customer data that has been stored for over a year, a procedure would then outline the numerous steps involved in deleting that data within a specific system. 
  • Policy structure is another way of saying ‘document hierarchy’, which covers any documents or internal files relating to a policy.

    Typically a policy structure would look something like this:
    1. Policy
    2. Procedure
    3. Supporting documents such as manuals, guidelines and handbooks

    For every step that’s further down the document hierarchy, files get more practical and hands-on.

10 ways to ensure a successful policies and procedures strategy 

If you want to set your policy and procedure strategies up for success, Catherin asks you to consider several factors in your policy and procedure setup, as well as in your approach to implementation and maintenance.

You’ll find ten of her top tips below and you can watch the full webinar here.

1. Invest time in your initial overview

At the start of your journey, you need to have a good overview of all your processing activities, especially regarding GDPR regulations. 

You should use your Article 30 record or gap analysis to clearly identify any weaknesses or missing documentation. For example, do you have up-to-date retention policies in place and how thorough are your procedures for handling data subject requests? If you jump straight into policy creation or do a half-hearted job on your overview, you risk missing out on the protection of vital policies and procedures. 

Data mapping software will be helpful during this stage to provide a central location for all your information and assist you in easily visualising your data flows, as well as establishing any links or dependencies between documents. 

2. Get buy-in from your C-suite

As discussed regularly on the Complyon blog in articles such as ‘Why you need buy-in from the top for your compliance strategy to succeed’ and ‘How to set your privacy program up for success’, C-suite buy-in is essential for any compliance activity, including policies and procedures. 

Top-level management needs to allocate enough resources for you to effectively carry out your role, whether that’s giving you the time to create a clear overview of current data activities or providing you with the support you need for frequent training programs. 

The C-suite also sets the tone for the entire organisation’s attitude to GDPR and compliance. If maintaining the integrity of data processes and cultivating a GDPR-compliant culture aren’t priorities for those running the business, you can bet it won’t be a top concern for the rest of the company.

Aligning with your C-suite before you begin your policies and procedures journey will give you the backing, resources, and support you need to successfully implement and manage your policies and procedures. 

3. Think about who is reading your documents

It’s also important to remember that policies and procedures start with people – specifically the people who will be reading your compliance documents. 

To begin with, you need to consider whether or not employees are used to following policies and procedures. If not, do you need to create more detailed supporting documentation to help guide people through your compliance steps? Or will too much detail frustrate colleagues who are used to interpreting high-level policies and procedures? 

Next, think about how you’re communicating your information. Are you using language that employees can connect with and understand? Do your procedures include relatable workflows and scenarios that employees will recognise and engage with?

Understanding the different mindsets and levels of compliance knowledge in your organisation will go a long way in ensuring people understand and follow the documents you’ve tasked them with reading. 

4. Drill down into the different needs of your departments 

Just as one policy structure will work for one organisation, but not another, you may realise that some policies and procedures work well for one department, but aren’t picked up by others.

Different departments have different needs, so to succeed with implementing various GDPR policies and procedures, you need to take into account the range of abilities, knowledge and interest that exists across your enterprise. 

Some divisions such as finance and legal may be very familiar with these types of documents, so require little management, whereas others may need much more support. Try to tailor your awareness campaigns to specific departments in order to anchor your policies across the whole organisation. 

For departments that need more support, consider tools such as templates and flowcharts that make implementation easier. Scheduling regular training workshops will help you monitor progress and spot any issues before they become a problem or start to form part of an employee’s daily habits. 

5. Try to instil a positive compliance mindset

In Catherin’s experience, keeping policies and procedures simple, fun and engaging is the best approach to achieve maximum employee engagement and buy-in.

Adding humorous, interactive or fun elements to your compliance activity makes learning about policies and procedures more enjoyable and should leave employees feeling more motivated and upbeat about your plans. Kahoot quizzes have proven a particularly successful tool for Catherin and her team.

Similarly, by keeping your approach simple, leaving out any unnecessary industry terminology or complex language and opting for easy-to-follow, operational documents, you’re more likely to connect with your reader and get your message across.

6. Find your GDPR ambassadors

A smart way of understanding the needs of departments and their workers is to set up a GDPR ambassador program.

Working alongside those responsible for GDPR, your ambassador team should be made up of representatives from each of your key departments. These individuals will be much closer to their department’s workstreams, so will be able to pass on valuable insights about what is working and what needs more attention. This inside information will help you create policies and procedures that more accurately reflect what employees actually do, making your strategies more relevant and relatable.

Involving employees directly in your compliance efforts will help foster a sense of connection and accountability with your plans, particularly if you’re able to assign responsibilities and documents to your ambassadors. 

This type of team setup also gives you the opportunity to demonstrate why your work is so valuable to the different departments in your company, helping to motivate key members of your organisation to get more involved and help you reach goals that benefit the entire enterprise. 

7. Make sure your plan isn’t person-dependent

While it’s important to consider the human aspect of your compliance activity, you don’t want to become too dependent on individual employees for the delivery of your policies and procedures. 

Employee turnover is a reality for all businesses. If all the knowledge and expertise needed to execute your plans sits with an individual who then leaves the company, your efforts become compromised. 

One of the most effective ways of counteracting organisational knowledge loss is to introduce a system into your compliance mix. Compliance solutions enable you to store all your information in one centralised location so that it’s available to anyone who needs access to it. Someone can leave your company, but the system will ensure vital compliance knowledge isn’t lost in the process.

Centralising your compliance documents is also extremely helpful for those carrying out internal audits on your policies and procedures and makes it easier to train new recruits, as everything you need is stored in one place. 

8. Regularly update your policies and procedures

A fundamental element of maintaining the success of policies and procedures is to ensure they reflect the current reality of your company. 

Over time your company will change, whether that’s through exposure to new business deals, third-party services, market legislation or staff turnover. To keep up with this change, your policies and procedures need to be updated on a regular basis so they offer the right level of protection and guidance for your organisation. Catherin recommends reviewing your policies and procedures at least once a year to see whether any changes are needed.

If you’re working with a system, these updates will be made much easier. Policies and procedures can be amended directly within your centralised system, and relevant employees can be automatically notified if something in their workflow changes. This means everyone is always up to date with the latest state of play and is prompted if they need to change any information in the documents they manage. The end result is that you’re able to achieve much more transparency with much less effort.

9. Establish document links and dependencies

The documents that make up your policy structure don’t exist in isolation. One document is often connected to another document, whether it’s another version that sits in a different department or a corresponding policy or procedure. 

This means that when you make a change to one document, it’s likely that updates need to be made to other documentation. As a result, it’s really important to be aware of any links and dependencies between policies, procedures and supporting documents.

If you’re managing these document dependencies manually, particularly if you work for a large or complex organisation, your tasks soon become problematic. Manually keeping tabs on every change your colleagues make to their policies and procedures, and then ensuring all other documents have been edited with the correct changes, can be time-consuming and risky.

Working with a compliance system simplifies and safeguards this process. When a change is made to a document, owners of linked documents are automatically notified about the update. They are then prompted to review this change and make the necessary updates to their document. As all these updates are centralised, you’re able to easily keep track of any outstanding deadlines, sending reminders in just one click.

10. Automate as many compliance elements as possible

Automation is a key area that Catherin highlights for successful implementation and maintenance of policies and procedures. 

Complyon software facilitates many aspects of compliance automation, from data mapping to policy and procedure management. You can find an example of how Complyon enables you to easily update and automate your policies and procedures here.

If you’d like to learn more about how Complyon can help you streamline and automate your compliance plan, we’d love to talk. You can get in touch with our team here.

7 expert tips on how to effectively implement security frameworks

In the last of our 2021 webinar series ‘Compliance Best Practices’, we tackled a crucial component of any successful compliance or privacy plan: implementing security frameworks. 

Joining us for this episode was Christoffer Fries, a Senior Consultant at Complyon’s implementation partner VENZO. With experience running large-scale implementation projects within both GDPR and information security, Christoffer brings a wealth of experience in risk and compliance, particularly around issues of implementation, maturity and standardisation. 

In the 30-minute talk, Christoffer and Complyon CEO and Co-founder Julie Suhr focussed on the benefits of investing in your security framework, as well as discussing their top pitfalls to avoid and strategies for success. You can watch the full webinar here or keep reading for our main takeaways on how to effectively implement your security framework.

What is a security framework?

Before we delve into the main learnings and tips from our conversation with Christoffer, here is a quick recap on what a security framework is and why companies embark on implementing such frameworks.

In general, frameworks are a set of rules or questions that work to standardise a chosen area, whether information security or compliance. Within GDPR, a compliance framework can be described as: 

“a structured set of guidelines that details an organization’s processes for maintaining accordance with established regulations, specifications or legislation.” 

This framework should cover all business processes and procedures related to the regulatory compliance standards an organisation needs to abide by. For example, a framework could detail risk mitigations, communication protocols, roles and responsibilities, governance and post-breach responses. 

Frameworks will vary from business to business, with companies required to build their own set of controls that reflect the frameworks being implemented as well as their individual maturity status. 

Why do companies introduce security frameworks?

There are many different reasons why businesses embark on their implementation journey. 

For some, they’re required by customers or suppliers to be certified, for example with certifications such as ISO/IEC 27001. For others, they could be part of a merger or acquisition deal where different technologies, cultures and ways of working need to be aligned to ensure efficiency and unite the organisation. 

Whatever the specific motivations for implementation may be, at the core of any security framework is the aim to standardise ways of working, ensuring one way of working is used across the entire organisation. 

Standardisation then leads to many business benefits, from increased security and greater productivity to streamlined output and, of course, enhanced compliance.

7 tips for implementing security frameworks 

From handy steps to take pre-implementation to smart strategies for safeguarding the impact of your security framework, here are some of Christoffer and Julie’s top tips for successful implementation.

1. Clearly define your implementation goals

While drivers for implementing security frameworks will vary, it’s fundamental that whatever you’re looking to achieve goes beyond a certification or status. 

Getting certified or achieving a goal such as ensuring your company is GDPR compliant is often the comparatively easy part. It’s more difficult to actually follow and maintain the procedures and processes that have been set in place. This maintenance requires consistent governance and evaluation. As time goes on you’ll have issues such as deviations, the need to report incidents, keep track of audit logs, and so on. 

If you don’t have enough drive to maintain the systems and processes that underpin and uphold your implementation phase, it’s unlikely that you’ll be able to hold on to the certifications or compliance you once achieved.  

Focusing on the long-term goal of developing the maturity of your company and the cumulative benefits that will bring allows your business to reap many more benefits than those brought by a piece of paper or certification. 

2. Take high-level activity and turn it into concrete actions 

Your framework is going to consist of a lot of high-level statements or objectives which, while important, need to be broken down into easy-to-understand steps for employees to follow.

For example, the statement ‘appropriate controls must be implemented to support this process’ needs to be backed up with documentation that specifically outlines exactly what actions and controls you expect an employee to take.

If your team don’t know exactly what steps to follow or who to contact in risk-based scenarios such as when a breach happens, a customer requests their data or a new supplier is onboarded, your security efforts will soon run into trouble.

Christoffer suggests adopting a method he calls “we do what we say and we say what we do”, where every statement exists alongside clearly defined activities, roles and responsibilities. Investing time into breaking down and interpreting the high-level action points of your framework minimises confusion in the long run and sets your framework up for success.

3. Communicate change in everyday language

Any documentation that needs to be read and acted on by employees needs to be written using language and scenarios that are familiar to the reader. 

Unless they work in the legal or compliance department, employees will struggle to understand and connect to legal documents that are full of complex industry terminology and overarching company objectives. So if you want to engage your colleagues and motivate them to fulfil the tasks required of them, documents have to be easily understood by any member of your team, whether they work in IT or customer services. 

These documents also need to reflect the reader’s everyday work. For instance, talk them through their workflows and risk scenarios, such as the types of emails they’re sending or the protocol for taking calls in public spaces.

Creating relatable, easy-to-follow guidance will go a long way in helping you get the support of your colleagues and maintain the implementation of your security frameworks.

4. Shift your attention beyond the IT department

Due to the involvement of systems and technologies, many companies see the implementation process as an IT concern and responsibility. Following that line of thinking, a top-down approach to implementation is often adopted with many activities sitting between the DPO and IT department. 

However, when it only takes one employee to put your company at risk or cause a data breach, you need buy-in from everyone in your organisation, and your compliance processes and efforts need to incorporate daily work and workers. Real benefits and real change happen when you ditch the department-specific approach and start involving your entire organisation in your risk and compliance efforts.

Awareness campaigns are therefore another hugely important component of successful security frameworks. Engaging, frequent and interactive, these training efforts need to be factored in when planning your implementation timelines and resources.

5. Don’t underestimate the importance of roles and responsibilities

A common problem organisations face is being unable to maintain their framework once their hired consultants have come in, fixed their problems, obtained their certifications and left. 

This issue mainly arises when internal roles and responsibilities haven’t been identified and implemented from the start of the project and consultants have been unable (whether due to resources or direction) to bring employees on the compliance journey with them. 

Effective implementation requires assigning these roles and responsibilities to internal teams to ensure they know how to sustain and evolve your framework. There is also the issue of accountability. If no one is responsible for upholding your new ways of working, change simply won’t happen. 

These internal responsibilities should become apparent through your initial gap analysis and CMMI assessments, which need to be rigorous and ask employees the hard and potentially annoying questions. 

Through this deep knowledge of a company’s maturity and ways of operating, you’re able to help management understand all the different parts of the organisation and get them thinking about what they’re doing, how they can do it better, who can help with this change and whether or not they need new hires such as a DPO or CISO. 

6. Remember to work towards “continuous compliance”

One of the major points Julie and Christoffer emphasised in the webinar was the need for businesses to understand the concept of ‘continuous compliance’. 

Risk and compliance are not areas where you can apply a ‘set it and see’ mentality. Frameworks that try to mitigate risk and standardise company practices must be dynamic, constantly changing to adapt to new business scenarios and environments.  

Where many frameworks fall short is they fail to scope for and view compliance as an ongoing process. May 18th 2018 is a good example of this, where many companies dedicated a lot of time and resources into mapping their data and becoming compliant, only to lose momentum on their compliance efforts after GDPR legislation had taken effect. 

Fast forward a couple of years, and many of these businesses are working with outdated and risky processes, systems and practices because no one has been updating them. 

Treating your risk and compliance journey as a never-ending, long-term process ensures you’re able to move to a proactive rather than reactive approach to safeguarding company data and processes and allows you to maintain an optimum level of protection against internal and external risk.

7. Track your activities 

To be able to continuously monitor the efficacy of your framework, you need to give your employees tools that provide them with a clear overview of the data and controls relevant to their tasks, as well as functionalities to help manage roles, responsibilities and the project status.  

Asking individuals to manually keep up with evolving controls, security measures and data, alongside managing various colleagues’ deadlines, soon becomes overwhelming and prone to human error. Particularly if you’re working with multiple frameworks at the same time, such as ISO 27001, ISO 27701 and CCPA, processes and scenarios quickly reveal themselves to be too complicated and complex for manual practices and Excel spreadsheets.

Integrated risk and compliance systems like Complyon automate many of the manual tasks involved with implementing and safeguarding your security framework and provide a much clearer overview of the data flows, regulations and controls relevant to your projects. Its project management module allows you to quickly assign and track roles and responsibilities, send task reminders and keep on top of task and project statuses. 

If you’re interested in learning how Complyon helps organisations successfully implement security frameworks, take a look at our short demo here. The 7-minute demo focuses on how to create controls of security measures and implement multiple framework controls at the same time. 

To learn more about how software can help you effectively implement security frameworks, or to speak to our team about your compliance efforts, get in touch here.