Privacy has evolved beyond compliance; its relevance in creating brand loyalty and customer trust has proven to build a competitive advantage for organizations with a comprehensive privacy management program. Data privacy management combines practices that consider organizational goals and privacy strategies while ensuring compliance with relevant privacy laws. There are many benefits to implementing a privacy program; some of them include gaining a competitive advantage, preventing and mitigating data breaches, increasing the value and quality of data, and demonstrating good data stewardship.
There are several areas to consider when building and operationalizing an effective and robust privacy management program.
The National Institute of Standards and Technology (NIST) defines privacy risk management as a key aspect of effective privacy practices, helping to analyze and assess the risks associated with processing individuals’ personal data. Risks arise during the processing of personal data, which includes its collection, sharing, storage, and disposal. There are several privacy principles that, when administered, will help minimize the impact of these risks should they occur.
As we explore key factors for building effective privacy management, let’s examine the requirements that guide the development and implementation of a privacy program.
An effective privacy management program should consider the privacy laws that apply to its areas of operation. Most countries have their respective privacy laws, and while they are similar in certain areas, they each have their peculiarities. As technology and privacy laws evolve, the processes set up to manage privacy risk should also evolve.
An effective data privacy management program will enable organizations to protect personal data, manage privacy risks, and respond to privacy breaches within the specified timeline. To successfully accomplish these goals, organizations need to take a couple of steps back and identify which type of personal data they process (gather, store, share, and dispose of). This exercise, also referred to as data inventory and mapping, is the identification of the various categories of data, the data elements, and data subject categories from which personal data are gathered. It also covers the jurisdiction from which personal data is gathered. Upon completing this exercise, the organization can map the flow of data and guide it toward identifying the obligations of the organization regarding the personal data it processes.
The legal reasons for processing the data identified from the data inventory and mapping should also be captured and documented. This exercise forms the foundation for developing the framework that the organization will use as a guide for implementing the developed privacy program. The term ‘framework’ here refers to the development of processes, templates, tools, and laws that will be implemented and the requirements for different industry privacy regulations, privacy laws, and best practices recommendations. As a thorough exercise, this process will involve conversations with different business functions of business in the organization to gather more information on why the processing of personal data is required.
The WHAT and the WHY are steps that can be conducted simultaneously. Both steps require in-depth discussions with the subject matter experts and business function heads in different areas of business within the organization.
The application of privacy principles in the development of a privacy program is essential as these principles help to reduce the risks that come with processing personal data. Some of these principles include Privacy by Design, Purpose limitation, Data Minimization, Storage Limitation, Lawfulness, Fairness and Transparency. The application of these principles in the development of the privacy framework will be reflected in the processes, policies, and templates that will be developed and implemented for operationalizing the privacy program. For example, in the process of applying the principle of data minimization, some of the questions that will be covered here will include: Why are we gathering XYZ data? Is there a way that we can perform this task without gathering all this data? The application of Privacy by Design facilitates the incorporation of privacy when developing systems, products, and services.
The International Association of Privacy Professionals (IAPP) describes ‘privacy strategy’ as an organization’s approach to communicating and supporting the privacy program and vision. It is a collaborative effort with all stakeholders within an organization. Communication as one of the privacy principles (Lawfulness, Fairness, and Transparency) is a key factor in developing an effective privacy program. Examples of how an organization can display its compliance with this principle are in the communication of its:
a. Privacy Notice: A personal letter from the organization to individuals on how their personal data gathered is processed, which includes the legal basis for processing, how long the data will be stored, how it will be shared, who it will be shared with, and any other activity relating to the processing of their personal data.
b. Consent and Data Subject Rights: Provision of mechanisms to enable individuals to exercise their rights. Several jurisdictions have different privacy laws that provide their residents with different data subject rights, which organizations are obligated to fulfill when exercised. Several privacy laws require that the methods provided for exercising these rights are communicated to individuals in a clear and conspicuous manner.
c. Incidents and Breach Notification: Developing an incident and breach communication plan is essential in ensuring that incidents and breach notifications are communicated when required during the specified time frame and to the right recipients.
There are several types of privacy risks that could occur when managing and processing personal data. Non-compliance with privacy principles is a form of privacy risk, while the lack of privacy controls is another form of privacy risk. Privacy Risk Management is another area of a privacy program that we will touch on. The factors to consider when establishing processes, policies, and assessments to cover risk management include the establishment of the following:
a. A Third-Party Risk Management Program: This will cover vendor policies and risk assessments and establish processes for identifying, assessing, and mitigating risks when involving third parties, which include service providers and vendors.
b. Data Privacy Impact Assessments (DPIA & PIA): These privacy impact assessments are conducted against processing activities, which include processes and projects. They help to identify risks, develop a treatment plan, and eventually understand how to decrease identified risks.
c. Data Transfer Mechanisms, e.g., Transfer Impact Assessments (TIA): These are required in cases where personal data is received or sent outside the country. There are mechanisms that can be completed when transferring data across borders. These mechanisms vary based on the jurisdictions of the transfer and include Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCR).
To ensure that the developed framework (policies, processes, procedures, and templates) is well implemented, certain questions need to be asked, and structures need to be in place.
Privacy Governance: Establish a privacy committee and a privacy team. A privacy manager’s duties will include defining the privacy obligations for the organization, creating and implementing privacy policies and procedures, and monitoring, maintaining, and improving the maturity of the privacy program.
A privacy committee will comprise stakeholders and representatives from the different business functions and geographic regions that will ensure that proposed policies, processes, and solutions align with applicable privacy laws.
After developing a framework for a data privacy program, the areas to analyze and identify if the developed program is robust enough include:
1. Are privacy and the organization’s potential privacy risks properly defined and identified?
2. Has the privacy program been properly implemented into all key work streams?
3. Has accountability and ownership been ascertained for managing the privacy program?
4. Will the privacy program identify gaps in current processes?
5. Does the privacy program factor in industry best practices for data inventories and risk assessments?
A privacy program is a living document; as we mentioned earlier, as processes, technologies, and scope of processing evolve, so should the methods of managing privacy.