A Data Privacy Program from Scratch

Mustafa T, published in The Startup, Nov 18, 2019 (6 min read)

Motivation

Information security has become an important business enabler over the years, and now, after many incidents, blunders, and breaches, most organizations appreciate its value. No serious organization in the information economy can do without an information security management program and its associated activities, because the alternative is extremely damaging: no company survives for long without handling its information security properly.

The same is happening on the privacy side. In the age of big data and machine learning, most companies find themselves needing to store or process personal information. This generates great value for users as well as for companies. The question is whether the value generated for users outweighs the risks that the companies' processing of personal information creates. Those risks can do real harm if they materialize, since improper processing or sharing of personal information can put people's rights at stake.

Therefore, companies need to set their own standards for protecting the personal data they collect and process. Privacy must be managed with a structured, systematic approach similar to a well-established information security program: buy-in from top management, a designated privacy officer, risk-based planning and decision making, policies, structured training and awareness, oversight, reviews, and continual improvement.

One of the great advantages when developing a privacy program is that some of the activities in the previous paragraph are already required by privacy regulations and adopted by companies. For example, GDPR (Art. 37) requires many organizations, such as public authorities and those whose core activities involve large-scale or sensitive processing, to appoint a Data Protection Officer. Similarly, a Privacy Impact Assessment (PIA), called a Data Protection Impact Assessment (DPIA) in GDPR terms, is a risk-based assessment of the processing that must be completed before processing likely to pose a high risk to individuals begins. So many organizations, at least at a ticking-checkboxes level, already know the activities in the process.

In this article, we provide general guidance on how a privacy program can be implemented from scratch, what the main requirements are, and how the organizational change can be carried out.

The Scope

The scope of a privacy program is the set of activities that manage the full lifecycle of personal information, from collection to deletion.

Ideally, at the end of the rollout of a privacy program a company can tell:

  • Where every bit of personal information resides,
  • Who has access to which personal information,
  • All security controls to protect personal information, and
  • The retention times for every piece of personal information.

The company also needs to guarantee that,

  • All the employees have awareness and have received the necessary training before they touch the private data, and
  • The third parties the company works with comply with the protection requirements of the company and regulations.

Defending the Change

As in most change initiatives, the privacy program first needs to be sold to top management. The business case must be defended, and the value to the company shown completely and clearly. To do this, top management must be made aware of:

  • The current problems being faced every day regarding the difficulty of managing private information,
  • The difference between the current situation and the situation after the introduction of the privacy program,
  • The reasons why the change matters to the organization,
  • The potential costs of not having the program and the potential benefits of having one.

To defend the privacy program initiative, the “why” needs to be supported by several arguments and examples. Top management can be expected to know why privacy matters, given how prominent the topic is, so the most important thing to show them is what the privacy-preserving approach and its activities contribute to the bottom line. Two main messages are 1) that the strength of data privacy (and data protection) at a company matters a great deal to its customers, and 2) that privacy breaches are so costly they can bring a company down.

The Building Blocks

After “selling” the initiative to the management, the project can start. At the end of the program we can expect the following to be in place:

  1. Privacy Officer: In different contexts we see different titles for this position, such as Data Protection Officer (DPO) or Chief Privacy Officer (CPO). The DPO title comes from GDPR; the DPO is the liaison between the company, the supervisory authority and the data subjects in privacy-related matters. Their position within the company lets them advise senior executives on privacy issues; they also monitor the company’s compliance and lead privacy awareness activities. A CPO, on the other hand, leads the company’s privacy compliance efforts and is more on the implementation side than a DPO. So the choice of title depends on the needs of the company and the function the Privacy Officer will have.
  2. Privacy Office: The department responsible for privacy-related analysis, policy and decision making, privacy risk management, training, improvements, and so on. The Privacy Officer leads the Privacy Office.
  3. Policies: The main body of rules governing private data throughout the privacy lifecycle. The policies set out clearly what is allowed and what is not, the main principles for handling private data, responsibilities, and so on.
  4. Private Information Inventory: The address book for finding where each piece of private information resides. It also records who has access to it, which controls protect it and how long it is retained. It must be kept up to date and is one of the main components of the privacy program.
  5. Risk Assessment Process: In place to identify, assess and mitigate privacy-related risks. Data Protection Impact Assessments (DPIAs) are one of the main tools of this process. The process ensures that the risk assessment is done before processing starts and that appropriate measures are taken to mitigate the risks.
  6. Reporting Channels: The company provides channels for receiving privacy-related incident reports and privacy-related requests from users, customers and other parties.
  7. Training and Awareness: Employees must be trained to adopt the required behavior when handling private information. Employees who have access to private information, or who need to access it to accomplish their day-to-day tasks, need specialist training.
  8. Incident Management: This process needs to be in place to learn from incidents and improve the overall company processes that protect private information. It is supported by procedures, protocols, training, drills, and other activities.
  9. External Communication: Public relations or communication departments handle communication with the public in case of a breach.
  10. 3rd Party Management: If private information is accessed by, processed by or shared with third parties, such as service providers, these need to be managed within a well-defined process.
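
As an added illustration (this is not code from the article), the snippet below shows what the Private Information Inventory (item 4) can look like once it is machine-readable, and how the checks implied by the Scope section and by items 5 and 10 can be run over it: for each recorded piece of personal information it answers where it resides and who can access it, and it flags entries with no access record, no protecting controls, no DPIA, no retention time, a retention time that has already expired, or a third party without a signed agreement. The field names, the finding codes and the sample inventory entries are assumptions chosen for this example.

```python
"""Minimal personal-data inventory with an audit routine.

Added illustration, not code from the article. Field names, finding
codes and the sample entries are assumptions chosen for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class InventoryEntry:
    """One row of the private-information inventory."""
    data_element: str                 # what personal data this is
    system: str                       # where it resides
    owner: str                        # accountable internal owner
    access_roles: List[str]           # who may read it
    controls: List[str]               # security controls protecting it
    collected_on: date                # start of the retention clock
    retention_days: Optional[int]     # None means retention was never decided
    purpose: str                      # why it is processed
    dpia_completed: bool              # risk assessment done before processing
    third_parties: List[str] = field(default_factory=list)
    third_party_agreements: List[str] = field(default_factory=list)  # parties with a signed agreement


def audit_entry(entry: InventoryEntry, today: date) -> List[str]:
    """Return finding codes for one entry; an empty list means it passes every check."""
    findings = []
    if not entry.access_roles:
        findings.append("NO_ACCESS_RECORD")        # cannot say who can reach the data
    if not entry.controls:
        findings.append("NO_CONTROLS")             # personal data with no protection recorded
    if not entry.dpia_completed:
        findings.append("NO_DPIA")                 # processing started without a risk assessment
    if entry.retention_days is None:
        findings.append("NO_RETENTION")            # retention time never set
    elif today > entry.collected_on + timedelta(days=entry.retention_days):
        findings.append("PAST_RETENTION")          # should already have been deleted
    missing = [p for p in entry.third_parties if p not in entry.third_party_agreements]
    if missing:
        findings.append("THIRD_PARTY_NO_AGREEMENT")  # vendor handles data with no contractual requirements
    return findings


def audit_inventory(entries: List[InventoryEntry], today: date) -> List[Tuple[str, str, str]]:
    """Flatten all findings into (data element, system, finding code) triples."""
    return [(e.data_element, e.system, code) for e in entries for code in audit_entry(e, today)]


def where_is(entries: List[InventoryEntry], data_element: str) -> List[str]:
    """Answer: where does this piece of personal information reside?"""
    return sorted({e.system for e in entries if e.data_element == data_element})


def who_can_access(entries: List[InventoryEntry], data_element: str) -> List[str]:
    """Answer: which roles can access this piece of personal information?"""
    return sorted({r for e in entries if e.data_element == data_element for r in e.access_roles})


# Constructed sample inventory: fictional systems, roles and vendors.
SAMPLE_INVENTORY = [
    InventoryEntry("customer email", "crm-db", "sales-ops", ["sales", "support"],
                   ["encryption at rest", "RBAC"], date(2019, 1, 15), 730,
                   "account management", True),
    InventoryEntry("customer email", "marketing-saas", "marketing", ["marketing"],
                   ["RBAC"], date(2019, 1, 15), 365, "newsletters", True,
                   third_parties=["MailVendor"], third_party_agreements=[]),
    InventoryEntry("support call recordings", "call-archive", "support", [],
                   [], date(2017, 3, 1), 365, "quality review", False),
    InventoryEntry("payroll bank details", "hr-system", "hr", ["payroll"],
                   ["encryption at rest", "MFA"], date(2019, 6, 1), None,
                   "salary payment", True),
]

AUDIT_DATE = date(2019, 11, 18)  # the date the audit is run (assumed)

if __name__ == "__main__":
    print("customer email lives in:", where_is(SAMPLE_INVENTORY, "customer email"))
    print("customer email readable by:", who_can_access(SAMPLE_INVENTORY, "customer email"))
    for finding in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(finding)
```

The audit is deliberately dumb: it only reports what the inventory itself says. Its value comes from being run regularly (for example from the same scheduler that runs other compliance checks) so that an entry past its retention date, or a new vendor added without an agreement, surfaces as a finding for the Privacy Office rather than being discovered during an incident.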

In the next article, we’ll discuss some of the details of a privacy program project, its deliverables, and success factors.

Sources:

  1. Hughes, David. “Getting it Right: Accountability and Your Privacy Program: One Way to Implement an Accountability Framework.” IAPP Canada Privacy Symposium, 2013. https://iapp.org/media/presentations/13CS/CPS13_Getting_it_Right_PPT2.pdf
  2. Art. 37, General Data Protection Regulation (GDPR), 2018. https://gdpr-info.eu/art-37-gdpr/
  3. Maze, Jill. “Starting Up: Building Your Company’s First Privacy Program.” CPO Magazine, 21 May 2019. www.cpomagazine.com/data-privacy/starting-up-building-your-companys-first-privacy-program/
