Business Procedures Manual

Fiscal Affairs Division

12.5 Compliance

(Last Modified on June 4, 2021)

Meeting the provisions of Section 12 on Data Governance and Management requires active measures by ÖгöÉÙ¸¾ÊÓƵ organizations to ensure ongoing compliance. These include ensuring compliance with external regulations in addition to the provisions in this section through regular training, monitoring and auditing.

12.5.1 Regulatory Compliance

(Last Modified on September 23, 2021)

Closely managing data content is necessary to ensure compliance with federal, state and local regulations as well as grants and contract specifications. Each ÖгöÉÙ¸¾ÊÓƵ organization is responsible for clearly understanding and managing data and data privacy to ensure sensitive and confidential data is appropriately classified and safeguarded. Each ÖгöÉÙ¸¾ÊÓƵ organization must have policies and procedures to ensure that appropriate organizational personnel has a working knowledge of:

  • GeorgiaÖгöÉÙ¸¾ÊÓƵ™s Open Records Act OCGA § 50-18-70
  • Family Education Rights and Privacy Act (FERPA)
  • U.S. Department of Health and Human Services Health Information Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • General Data Protection Regulation (GDPR)
  • Specific research data requirements
  • Other applicable regulations

12.5.2 Training

(Last Modified on June 9, 2021)

The purpose of this section is to ensure that appropriate individuals at each ÖгöÉÙ¸¾ÊÓƵ organization receive training on the data governance policies, procedures, and roles developed in compliance with preceding requirements in this Data Governance and Management section.

Organizations must:

  • Provide role specific training to all individuals within the data governance structure, including data users and all those subject to data governance policies;
  • Ensure individuals understand their roles and the larger governance structure, responsibilities, and applicable policies and procedures;
  • Provide training to individuals as they enter these roles, when there are substantive changes to training and at regular intervals over time to ensure up-to-date understanding;
  • Update training materials as changes to policy and procedure require;
  • Document participation in training and audit training participation at regular intervals;
  • Provide training materials in a permanent form (such as on a website) for individuals to reference as needed;
  • Specifically address in training materials for all individuals how data classified as public or protected is managed throughout its lifecycle; and,
  • Provide clear information about how an individual should proceed if he or she believes data policies or standards (including those regarding data management, cybersecurity and privacy) are not followed, or there has been a breach of data security.

12.5.3 Monitor

(Last Modified on June 9, 2021)

Each ÖгöÉÙ¸¾ÊÓƵ organizationÖгöÉÙ¸¾ÊÓƵ™s Data Governance Committee is responsible for assigning roles and responsibilities for data governance and management per Section 12.2.1. In addition to ensuring cybersecurity and data privacy compliance, organizations must assign roles and responsibilities for active monitoring and communicating the results of these efforts.


12.5.4 Audit

(Last Modified on March 22, 2019)

Compliance with this Data Governance and Management section of the BPM can be a subject of institution, system or state audit. Institutions must maintain records not only of documentation explicitly referenced in this section but also general evidence that the organization is in compliance with its data governance and management policies and procedures.


↑ Top