
Getting Started in Privacy

Privacy PowerUp Series #1

Privacy has become an essential aspect of our online lives today. As we’ve seen from various headlines, news articles, and legal updates over the last few years, the risk of and actual misuse of data is on the rise, as are the risks of data breaches, identity theft, and the pervasive nature of digital surveillance.

Understanding how to protect the personal data (depending on geography or your business operations, you may know it by another term, such as personal information or personally identifiable information) that you maintain and/or that is entrusted to you is more important than ever.

This series aims to provide a starting point for anyone looking to navigate the complexities of privacy program management. It offers practical tips and strategies to help you safeguard and ethically and lawfully manage personal data.

Whether you’re new to privacy or someone looking to enhance your current privacy measures, Getting Started in Privacy will empower you to build and manage a privacy program.

What is data privacy?

Data privacy, sometimes called data protection, refers to the ethical and responsible handling of data, particularly personal data. This includes how data is collected, stored, managed, and shared.

Essentially, if you work in privacy, you are the responsible steward of any personal data entrusted to you or your organization, including employee, customer, and prospective customer information, and you are responsible for ensuring it is protected from unauthorized access and is responsibly processed and handled.

Why is data privacy important?

From trust to compliance, here are five reasons why businesses should embrace data privacy.

Societal expectation

As 79.3% of the world’s population is covered by some form of national data privacy law, people expect and demand their privacy be respected, and businesses are expected to answer the call. This has led to privacy being a default expectation, and it can be seen in things like Apple running full campaigns around privacy or Google providing privacy-specific features in many offerings.

Trust and loyalty

Showing that you can and do protect and respect data, and being transparent about your practices, translates into customer loyalty and trust. In today’s competitive environment, trust is a critical differentiator: 65% of customers say they won’t support a company that shows signs it cannot be trusted.

Compliance

Ignoring privacy laws can lead to numerous potentially severe consequences, including legal risks, loss of business/revenue, and possibly hefty fines. Laws like the EU’s GDPR (defined below) can impose fines of up to 4% of worldwide revenue, while the EU AI Act can levy fines of up to 6%.

Risk management

Poor privacy program and general data management, handling, and/or use can lead to numerous risks, including—but not limited to—data breaches, reputational harm, loss of revenue, possible fines, and disrupted operations.

Ethical responsibility

While not strictly a business reason, ethical responsibility is crucial for the long-term health of your organization. Protecting personal data aligns with a values-driven approach to business. You have a responsibility to protect and safeguard information maintained by your organization.

Key data privacy regulations and frameworks

If you’re just getting started, it may be helpful to familiarize yourself with some key laws and frameworks:

Frameworks like the Nymity Privacy Management Accountability Framework, OECD Privacy Framework, APEC Privacy Principles, NIST, and ISO 27701 can also guide your program’s development.

Save time with expert assistance in staying up to date with the above regulations, frameworks, and more.

Easily learn and understand laws with Nymity Research, a comprehensive regulatory database built by experts. Covering over 244 jurisdictions globally, it saves legal research time, effort, and costs with premier regulatory insights, legal summaries, operational templates, and law comparisons.

Seven core privacy principles

While each law or framework differs, these seven core privacy principles, which originate from the GDPR (itself inspired by multiple sources, including the OECD frameworks and, of course, prior EU regulation), can serve as a foundational framework that guides organizations in their approach to personal data management.

Here is a brief overview of the concepts:

  1. Lawfulness, Fairness, and Transparency: Be upfront, reasonable, and lawful with your data handling practices.
  2. Purpose Limitation: Collect data for specific, legitimate reasons, and only use said data for those reasons.
  3. Data Minimization: Collect only necessary data.
  4. Accuracy: Help to ensure data is accurately maintained or can be revised where inaccurate.
  5. Storage Limitation: Don’t retain data longer than necessary.
  6. Integrity and Confidentiality: Secure data against unauthorized access or use.
  7. Accountability: Document and be capable of demonstrating your program practices.

Further, while it is important to understand if there are any key regulations with nuances you need to keep in mind, these principles can help as a “guiding light” to build a “north-star” style privacy program that meets various regulatory requirements, not to mention consumer and buyer expectations around your organization’s privacy program management.

The foundation of a privacy program

Establishing a robust privacy program is crucial for any organization looking to protect personal data and ensure compliance with relevant regulations. A well-designed privacy program meets legal requirements and accelerates your business.

The key components of a strong privacy program typically include conducting a thorough data inventory, implementing appropriate policies and procedures, providing ongoing training for employees, and regularly assessing and auditing data practices.

By focusing on these foundational elements, organizations can help to effectively manage privacy risks and demonstrate their commitment to safeguarding individual rights. Consider taking the following steps to build out your privacy program.

Identify key contacts

Build relationships with key stakeholders in your organization, particularly those who handle, process, or manage personal data, such as engineering, product, HR, marketing, and finance leads.

Assess current practices

Conduct a gap analysis against a chosen privacy framework or set of laws to establish a starting point for advancing your privacy program. Using an established baseline helps you to identify gaps that need to be addressed to mature the program.

Create an implementation plan

Consider focusing on any perceived high-risk areas first. Develop a set of controls and standards to build an overarching privacy framework.

Develop policies and procedures

Create the appropriate policies, procedures, and disclosures needed to ensure that both internal and external stakeholders to your organization understand obligations, requirements, and transparent handling practices, as applicable. These may include items like privacy notices, data processing addenda, a data subject rights procedure, a technical privacy standard, or a retention policy.

Instill a privacy-first culture

Build a training and awareness program to make privacy a part of your organization’s DNA and improve privacy program maturity. Conduct mandatory annual training and internal campaigns to win your organization’s hearts and minds.

Continuously monitor and reinforce

Privacy is a journey, not a destination. To keep up with the evolving privacy landscape, regularly check and update your controls.

You can easily centralize this effort by using program management and governance software like TrustArc PrivacyCentral. PrivacyCentral provides pre-mapped controls for global privacy and security laws, regulations, and standards. It helps you streamline evidence gathering and automates shared controls and compliance work.

Understanding individual rights in data privacy

Many modern privacy laws specifically grant individuals particular rights. It is important for your organization to understand not only what those rights are, but also to have processes, vehicles, or mechanisms in place to actually facilitate the exercise of those rights.

Let’s explore some of the most common individual rights/data subject requests and their implications:

The right to know/access

The right to know, also known as the right to access, empowers individuals to request and obtain information about the personal data that organizations hold about them. This transparency helps build trust and ensures that individuals are aware of how their data is being used.

The right to rectification

The right to rectification allows individuals to request corrections to inaccurate or incomplete data. Data may be inaccurate or incomplete because circumstances change (e.g., someone moved or changed email addresses) or because it was captured incorrectly (e.g., a phone number with a typo in it). This right permits individuals to request the correction of this type of information.

The right to erasure

In the EU, this is often referred to as the “right to be forgotten.” It allows individuals to request the deletion or removal of their personal data, which can be particularly important when the data is no longer necessary for the purpose for which it was collected or when the individual withdraws their consent.

The right to restrict processing

Think of this as putting a “do not disturb” sign on your personal data. The right to restrict processing allows individuals to limit how their data is used. For instance, if there is a dispute about the accuracy of the data, processing can be restricted until the issue is resolved.

The right to data portability

In an increasingly digital world, the right to data portability is often seen as essential by numerous consumers and individuals. It allows individuals to obtain their data in a commonly used and machine-readable format. This means they can keep a local copy of their data or transfer it to another service provider easily, facilitating flexibility and control over their personal data.

The right to object

This right allows individuals to object to certain types of data processing, such as marketing activities. For example, an individual can opt out of receiving promotional emails or refuse the use of cookies that track their online behavior.

Jurisdictional variations

It’s important to note that these rights are not absolute and can vary by jurisdiction and geography. Different countries and regions may have specific regulations that further define or limit these rights. Therefore, it’s crucial to stay informed about local laws and regulations, make your own determinations about applicability and consider conferring with counsel.

Understanding these individual rights is important for those involved in data privacy. These rights form the backbone of modern privacy laws and practices, ensuring that individuals have greater control and protection over their personal data.
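To make the “processes, vehicles, or mechanisms” for these rights concrete, here is an added illustrative example (not code from the article, nor anything TrustArc ships): a small in-memory personal-data store that exposes each right above (access, rectification, erasure, restriction, portability, objection), gates ordinary processing behind restriction, objection and purpose limitation, purges records past their retention period, and keeps an audit trail for accountability. The record layout, field names, purposes, the 365-day retention default and the two sample subjects are constructed assumptions, not values from the article.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


class ProcessingRestricted(Exception):
    """Raised when data is used despite a restriction, an objection, or an unstated purpose."""


@dataclass
class Record:
    data: Dict[str, str]
    collected_at: datetime
    purposes: Set[str]                                 # purposes stated at collection
    restricted: bool = False                           # the "do not disturb" flag
    objections: Set[str] = field(default_factory=set)  # purposes the person objected to


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.audit: List[dict] = []  # accountability: every rights request is logged

    def _log(self, subject_id: str, action: str, detail: str = "") -> None:
        self.audit.append({"subject": subject_id, "action": action, "detail": detail})

    def collect(self, subject_id: str, data: Dict[str, str], purposes: Set[str], now: datetime) -> None:
        self._records[subject_id] = Record(dict(data), now, set(purposes))

    def access(self, subject_id: str) -> dict:  # right to know/access
        rec = self._records[subject_id]
        self._log(subject_id, "access")
        return {"data": dict(rec.data), "purposes": sorted(rec.purposes), "since": rec.collected_at.isoformat()}

    def rectify(self, subject_id: str, field_name: str, value: str) -> None:  # right to rectification
        self._records[subject_id].data[field_name] = value
        self._log(subject_id, "rectify", field_name)

    def erase(self, subject_id: str) -> bool:  # right to erasure; False if nothing was held
        if self._records.pop(subject_id, None) is None:
            return False
        self._log(subject_id, "erase")
        return True

    def restrict(self, subject_id: str, restricted: bool = True) -> None:  # right to restrict processing
        self._records[subject_id].restricted = restricted  # kept, but not used until the flag is lifted
        self._log(subject_id, "restrict", str(restricted))

    def object(self, subject_id: str, purpose: str) -> None:  # right to object to one purpose
        self._records[subject_id].objections.add(purpose)
        self._log(subject_id, "object", purpose)

    def export(self, subject_id: str) -> str:  # right to data portability: machine-readable copy
        self._log(subject_id, "export")
        return json.dumps({"subject_id": subject_id, "data": self._records[subject_id].data}, sort_keys=True)

    def denial_reason(self, subject_id: str, purpose: str) -> Optional[str]:  # None means "may proceed"
        rec = self._records[subject_id]
        if rec.restricted:
            return "processing restricted"
        if purpose in rec.objections:
            return f"objected to {purpose}"
        if purpose not in rec.purposes:  # purpose limitation
            return f"{purpose} is not a stated purpose"
        return None

    def process(self, subject_id: str, purpose: str) -> Dict[str, str]:  # ordinary business use
        reason = self.denial_reason(subject_id, purpose)
        if reason:
            raise ProcessingRestricted(f"{subject_id}: {reason}")
        return dict(self._records[subject_id].data)

    def purge_expired(self, now: datetime, retention: timedelta = timedelta(days=365)) -> List[str]:
        # Storage limitation; the 365-day default is an assumption, take yours from policy.
        expired = sorted(s for s, r in self._records.items() if now - r.collected_at > retention)
        for s in expired:
            del self._records[s]
            self._log(s, "purge", "retention expired")
        return expired


def run_demo() -> dict:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = PersonalDataStore()
    store.collect("u1", {"email": "alice@example.com", "phone": "555-0100"}, {"billing", "marketing"}, t0)
    store.collect("u2", {"email": "bob@example.com"}, {"billing"}, t0)  # constructed sample data
    store.rectify("u1", "phone", "555-0199")  # the captured number had a typo
    store.object("u1", "marketing")
    out = {"phone": store.access("u1")["data"]["phone"],
           "marketing": store.denial_reason("u1", "marketing"),
           "billing": store.process("u1", "billing")["email"]}
    store.restrict("u1")
    out["restricted"] = store.denial_reason("u1", "billing")
    out["export"] = json.loads(store.export("u1"))["data"]["phone"]
    out["erased"] = store.erase("u2")
    out["purged"] = store.purge_expired(t0 + timedelta(days=400))
    out["audit"] = [e["action"] for e in store.audit]
    return out
```

Running `run_demo()` walks both subjects through every right: the rectified phone number is what access and the portability export return, the marketing objection and later the restriction both block `process()` with a stated reason, erasure removes the second subject, and the retention purge removes the first once it is older than the assumed 365 days, with each request recorded in `audit`. The point of routing all business use through `process()` is that the restriction, objection and purpose checks cannot be bypassed by a caller that reads the record directly.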

Incident response or breach response

Even if you do everything right, incidents can still happen. Be prepared with a solid incident response plan or procedures. Not every incident is a breach, but knowing how to respond to each could save your organization from potentially significant risk or harm to any individuals whose data was entrusted to the organization.

For detailed breach obligations by country, TrustArc’s Nymity Research can help you understand the applicable laws, including through an easy-to-use country-by-country cheat sheet called the Breach Index.

Below are some privacy-focused considerations and steps, but as always, we recommend consulting with your counsel as well.

  • Understand the cause of the incident, what systems and information were affected, to whom the information belongs, and to what it pertains. An incident may have its roots in a security event or be a purely privacy-related event. At this juncture, organizations typically refrain from broadcasting outside a predetermined group or from making a definitive, conclusive public disclosure.
  • Assess the potential and theoretical maximum harm this incident could cause, sometimes called the “blast radius.” For example, could financial or personal data be exposed, creating a risk of theft or fraud?
  • Determine whether the risk is ongoing, imminent, or now contained (meaning whatever “open window” of risk has been or can be closed). If the incident or threat is not contained, continue working until containment occurs.
  • Know your obligations regarding potentially impacted data, which may vary by jurisdiction, if the worst-case scenario were to occur. For example, every state in the U.S. has separate breach response obligations, while certain regions, such as the European Union, have umbrella response obligations that may supplement or supersede local requirements.
  • Depending on the facts and circumstances of the incident, you may need to escalate further internally and/or externally, e.g., to your outside counsel, insurance brokers, and other stakeholders. While consulting legal counsel, consider whether law enforcement or government agencies need to be informed, for example if the event is suspected to be linked to criminal activity, such as a malicious data breach.
  • If a notifiable event has occurred, assess who needs to be notified and how to notify them properly. This could include clients, affected individuals, regulators, and the public at large; these determinations may be made on the basis of a variety of factors such as contractual obligations, legal obligations, or industry standard exceptions, among others.
  • Once containment has occurred, decide what other post-incident activities need to be completed, whether due to contractual or legal commitments or public expectations. These could include internal program improvements or data hardening/security measures, incident-specific call center operations, providing credit and fraud monitoring services, etc.
  • Document, review, and look for hardening measures and improvements to avoid similar events in the future.

Lastly, don’t wait until an incident occurs to set up a response team or response process. Be prepared by developing a data incident playbook and conducting annual simulation exercises before an event occurs.

Embracing continuous improvement in data privacy

In the ever-evolving landscape of data privacy, organizations must recognize the importance of embracing continuous improvement as a critical component of their privacy programs. The rapid pace of technological advancements, regulatory changes, and emerging threats necessitates a proactive approach to data management.

By regularly evaluating and refining privacy practices, organizations can help ensure compliance with current laws and anticipate future challenges. This commitment to ongoing assessment and adaptation fosters a culture of accountability and resilience, enabling businesses to build stronger relationships with their clients through enhanced trust.

Continuous improvement is an essential strategy for safeguarding personal data and maintaining a competitive edge in a privacy-conscious world.

These guidelines will help you establish a foundation for starting in privacy. Continue mastering the privacy essentials by reviewing the other resources in the Privacy PowerUp series.

Watch all ten videos in the Privacy PowerUp series – designed to help professionals master the privacy essentials.

Visit us again on September 24, 2024 to read the next article in this series: #2 Data Collection, Minimization, Retention, Deletion, and Necessity.
