Establish a strategy for protecting personal data. Design, develop, and maintain personal data protection policies and controls that comply with relevant data protection standards, regulations, and laws, and that align with the organization's business model and objectives. Promote and drive personal data protection compliance.
Define personal data protection qualification criteria for identifying and validating suppliers, and select suppliers who are committed to observing the organization's personal data protection obligations. Draft and agree the data processor contract, and manage contract compliance with the suppliers.
Establish appropriate measures for enforcing compliance with personal data protection policies, for monitoring and reporting non-compliance, and for taking remedial action where necessary. Drive improvements based on lessons learned from incidents (e.g. data breaches and inappropriate or unauthorized data access) and near-incidents.