Three lines of defense: GDPR and data management

As data privacy grows in importance, organizations have an opportunity to derive value from a comprehensive approach to information governance (IG): the three lines of defense model. Applied to privacy, it lets an organization address data privacy obligations systematically and turn its privacy capabilities into a competitive advantage rather than a pure cost of compliance. This article explains the three lines of defense concept as it applies to data privacy.

Why do organizations need to protect data?

Sound information security and data management are now essential for every organization. Each should have a well-established IG (information governance) program and the infrastructure to collect, retain, and dispose of information in a controlled way. Retention limits are increasingly a regulatory requirement, not just good practice: for example, Section 500.13 of the NYDFS Cybersecurity Regulation (23 NYCRR 500) requires that a covered entity's cybersecurity program "shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information that is no longer necessary for business operations or other legitimate business purposes, except where such information is required to be retained by law or regulation." Two things follow from that wording: disposal must be periodic (a scheduled control, not a one-off cleanup), and the legal-retention exception must be tracked per record so that a legal hold overrides the disposal schedule.
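The disposal rule quoted above is simple enough to encode as a periodic control. The following is an added example, not code from the article or from NYDFS, and all of its record data, field names, and the retention periods are constructed for illustration. It models each record with the date its business purpose ended, a retention period that starts from that date, and a legal-hold flag for the "required to be retained by law or regulation" exception; a periodic run then sorts records into those to dispose of and those to retain, with the reason recorded so the third line of defense (internal audit) has evidence of why each decision was made.

```python
"""Periodic retention/disposal scheduler (added example, not from the article).

Models the disposal rule in NYDFS 500.13: nonpublic information that is no
longer necessary for business purposes is queued for secure disposal on a
periodic run, except where retention is required by law or regulation
(represented here by a legal_hold flag). Sample records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose_ended: Optional[date]  # None: still needed for business operations
    retention_days: int            # how long to keep after the purpose ends (owner-set)
    legal_hold: bool = False       # retention required by law/regulation or litigation


def disposition(rec: Record, today: date) -> str:
    """Classify one record for this run.

    Order matters: a legal hold overrides everything else, then active use,
    then the retention clock that starts when the business purpose ended.
    """
    if rec.legal_hold:
        return "retain:legal_hold"
    if rec.purpose_ended is None:
        return "retain:in_use"
    if today < rec.purpose_ended + timedelta(days=rec.retention_days):
        return "retain:within_retention"
    return "dispose"


def periodic_disposal_run(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record IDs by disposition; the result doubles as the audit trail."""
    plan: Dict[str, List[str]] = {
        "dispose": [],
        "retain:legal_hold": [],
        "retain:in_use": [],
        "retain:within_retention": [],
    }
    for rec in records:
        plan[disposition(rec, today)].append(rec.record_id)
    return plan


# Constructed sample data: four customer records with a one-year retention period.
SAMPLE_RECORDS = [
    Record("acct-1001", purpose_ended=date(2023, 1, 15), retention_days=365),
    Record("acct-1002", purpose_ended=None, retention_days=365),
    Record("acct-1003", purpose_ended=date(2024, 3, 1), retention_days=365),
    Record("acct-1004", purpose_ended=date(2022, 5, 20), retention_days=365,
           legal_hold=True),
]
AS_OF = date(2024, 6, 1)  # constructed run date for the example


if __name__ == "__main__":
    for bucket, ids in periodic_disposal_run(SAMPLE_RECORDS, AS_OF).items():
        print(f"{bucket:26s} {ids}")
```

Note that acct-1004 is older than acct-1001 yet is retained, because the legal hold is checked before the retention clock; if the hold were evaluated last, a periodic run would silently destroy evidence a regulator requires. The bucket names are the minimum an auditor needs to reconcile a run against policy; a production implementation would also persist who cleared each hold and when.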

What are the three lines of defense in data management?

In financial services, the "three lines of defense" is a well-established framework for organizing risk management. The first line is the business itself, which owns and manages the risk; the second line consists of specialized control functions that set policy and oversee the first line; the third line is internal audit, which independently assures the first two. Applied to data management and privacy, the lines look like this:

  • 1st Line of Defense: Business and privacy liaisons.

Data owners and stewards in the business are accountable for the data they hold: its quality, its accuracy, and its handling in line with regulatory and consumer requirements. Privacy liaisons embedded in the business act as the first point of contact for privacy questions in day-to-day operations.

  • 2nd Line of Defense: Global privacy office and compliance.

A central data office (data governance, data management, or the chief data office) together with the global privacy office and compliance sets data policies, monitors data quality and privacy metrics, and advises the business on data sourcing and its implications for technology and operations. This line oversees the first line but does not own the data itself.

  • 3rd Line of Defense: Internal audit.

Internal audit independently tests whether the firm's data management and privacy policies are followed, conducts routine audits of the first two lines, and reports its findings to the audit committee and, where required, to regulators.

[Figure: Deloitte's three lines of defense model for data management, © Deloitte]

Deloitte's research on the three lines of defense describes in more detail how to organize a company's data protection along these lines.
