As privacy regulation evolves, so must our approach to compliance. Now more than ever, it’s essential to build a foundation for your privacy program based on common-sense concepts and controls. Privacy processes should foster sustainable growth of your program and enable you to quickly and impactfully respond to new or changed requirements and surpass consumer expectations.
Below we outline a few basic principles required to achieve long-term success with your privacy program. Even if your organization has an existing program, these concepts can be used as a guide to assess against basic requirements.
What Fuels Your Privacy Program?
Identifying and communicating the “why” behind your privacy program is necessary to gain buy-in from business stakeholders, secure funding, and obtain the fundamental culture shift required across the organization. Three key drivers are:
1) Consumer trust and public image: Customers care about their privacy and are loyal to brands that simply do the right thing. By treating data with respect, you are more likely to build and maintain lasting and trusted relationships.
2) Risk management: Beyond regulatory risk, there has been a significant increase in the collection and use of data across industries, and data processing technology continues to evolve. More data means more risk, and your program must be one step ahead to proactively manage or mitigate these risks.
3) Resiliency: It’s not a matter of if a breach will happen, but when. Organizations must prepare accordingly and have processes in place to respond to breaches swiftly.
What Do You Need to Be Successful?
The trifecta of people, process, and technology are all necessary to build a cohesive and sustainable program. Consider the below priorities in each category:
|– Tone-at-the-top and a seat at the table
– Partners and privacy champions across the organization, especially within cybersecurity and compliance
– Either in-house or outside privacy counsel for legal expertise
– A team that is passionate about building a privacy-aware culture and protecting data
|– Clearly defined goals that tie back to the broader business mission
– Quantifiable metrics to communicate impact and measure progress
– A complete understanding of the data landscape
– Periodic risk assessments to confirm applicable requirements and identify gaps
– Policies, procedures, training, and communication
– Third-party risk management
– Testing of key privacy and data protection controls
|– Data discovery
– Data protection controls
– Automation of business and compliance processes
What Is the Path to Building a Privacy Program?
There are many ways to approach building a privacy program. Here are three key initiatives you can undertake to jumpstart your program:
1. Identify Sensitive Data
Appropriately protecting data is not possible unless you know what data you have and where it’s located. Building a data inventory allows you to gain a comprehensive view of your data footprint and helps you prioritize data so that in the next phase of assessing privacy risk, you can apply risk-based controls. Not all data needs to be protected equally.
There are several methods of inventorying data, and the right selection depends on a variety of factors (e.g., size, maturity, and available resources). One of our favorite methods is a hybrid approach. This approach combines automated data discovery scanning with interviews of key business owners, who provide context on the types of data they use. Scan results are validated by the owners and data is classified and ultimately protected accordingly.
2. Assess Privacy Risks
Once your data footprint is mapped, assessing associated privacy risks is a logical next step. There are several types of risk assessments you can conduct based on your company’s unique needs:
· Program: holistic program assessment based on an industry standard or framework such as NIST Privacy Framework or ISO 27701.
· Regulatory: compliance assessment focused on industry (e.g., GLBA), geographic (e.g., GDPR), or data subject-specific (e.g., COPPA) requirements.
· Project: specific assessment to help identify and minimize data protection risks of a project, typically using a Data Protection Impact Assessment (DPIA).
· Technology: assessment to determine privacy protections considered for an information system throughout the data lifecycle, usually via a Privacy Impact Assessment (PIA).
3. Implement Privacy Processes
To successfully operationalize your privacy program, you must strategically implement supporting processes based on risks identified during assessment(s). Putting together a pragmatic, prioritized, and actionable roadmap that outlines next steps will help you rationalize resources needed, gain important buy-in from stakeholders, and develop metrics to demonstrate progress and impact. A few key areas to consider for your roadmap include:
· Training, awareness, and communication.
· Data protection controls and technologies.
· Privacy-by-Design (PbD).
· Third-party risk management (TPRM).
· Compliance, metrics, and reporting.
For more in-depth guidance on meeting regulatory requirements, check out U.S. Privacy Compliance Checklist: What to Know for 2023.
CrossCountry Consulting’s robust privacy and data protection team is actively involved in the industry, holds leadership roles within IAPP, and is passionate about data protection and the evolution of the field. Contact CrossCountry today with questions or to discuss how we can best partner to achieve your goals.