Privacy has changed. Decades ago, it was less complicated, with fewer regulations and opportunities to capture data. While just checking the boxes was once good enough, organizations now need an ongoing privacy program to keep up with changes in regulations, technology, and consumer preferences.
Today, digital transformation is thrown around like candy, and data breaches have become the norm in our news cycle. Not only are regulators watching, but so are your consumers, executives, and board members.
Although a one-and-done approach to privacy compliance can sound ideal, it will likely leave the organization open to learning an expensive lesson.
Compliance is Not Enough: You Need a Risk-Based Privacy Program
Developing an effective privacy program goes beyond compliance. It requires a strategic approach to how organizations manage and protect data aligned with business processes. Some privacy experts even insist that achieving 100% compliance shouldn’t be the goal and isn’t realistic today. There aren’t enough resources for organizations to keep up by putting out fires.
Instead, a risk-based approach helps organizations have confidence that they are doing their best to protect information. This shouldn’t be seen as avoiding legal compliance but rather as taking the most effective, preventative approach to protecting what matters most.
Companies recognize that respecting privacy is good for business, as consumers value brands that prioritize privacy. Because of this, some organizations grant privacy rights to individuals across the board – rather than by legal jurisdiction. This approach also creates less work for your privacy team (and saves you money).
A Culture of Privacy Creates Business Value
Privacy, security, and data conversations are no longer reserved for legal, compliance, governance, and IT teams. Because data is used in nearly every business function, data protection awareness and processes are needed across the organization. Data protection and privacy are part of everyone’s job.
Information enables the creation of better products, services, and customer experiences, driving innovation and business value. But handling data comes with great responsibility. To continue to benefit from data, executives must establish privacy as a business strategy, not a cost.
A strong culture of privacy enables employees to use accurate, relevant data in ethical, transparent ways to increase business value. It’s an awareness of privacy across the organization and adherence to using personal information responsibly – as if it were your own.
The values of transparency, accountability, and honesty often permeate organizations with robust privacy protections. Organizations that demonstrate these values respect consumers’ wishes about how their information will be used. This creates mutual respect and trust between both parties and, in many cases, an advantage over competitors.
Organizations should increase privacy awareness and consistently train and update employees about data protection. Keeping employees trained is important because the most likely root of an expensive privacy or security incident is one of your employees. A culture of privacy can reduce those odds.
Privacy by Design
Building privacy into products and services by default is even more important in today’s IoT world, where just about everything collects data constantly. As privacy permeates an organization’s culture, it is demonstrated through the thoughtful design of your products and services.
When privacy is considered from the beginning of a project, choices are made about what information to collect and how to provide notice, choices, and transparency to users. Many headaches can be avoided by planning data minimization in your product and service development.
Simply put, data minimization focuses on collecting only what’s absolutely necessary for processing. And businesses currently have a long way to go.
For example, Forrester Research revealed that 42% of companies aren’t sure how to effectively use the data collected with consent. So nearly half are collecting data without a strategy to extract value, leaving massive data graveyards in the wake.
Companies have more data than time to explore it. Privacy by design can reduce the data overwhelm and help you find valuable insights from your data with less risk to the subjects.
As you can see, data privacy and data protection go far beyond compliance with legal guidelines. If you want to keep using data without the threat of fines and losing consumer trust, proactively consider privacy with a risk-based program.
Rather than playing catch-up every time a new regulation is introduced, quickly adjust and feel confident your organization is compliant.
Beyond Compliance: Four Steps to a Risk-Based Privacy Program
Assess the Current State and Your Privacy Program Requirements
Start by fully exploring your current privacy program requirements and the economies and jurisdictions your company operates in. At a minimum, you should answer the following questions:
- How is the business defined?
- What privacy laws and regulations apply to you?
- What jurisdictions are you operating in? State? National? International? List every single one.
- Do specific data laws, such as HIPAA or COPPA, apply to your organization?
  - Healthcare, finance, and manufacturing are highly regulated industries. And protecting children in the digital age has become paramount as well.
- What information does your organization collect? Store? Share? Process? Sell?
- Where is the information stored?
- Who are the privacy stakeholders in your organization?
  - Establish a committee with people from legal, IT, cybersecurity, marketing, HR, and other departments to support the privacy program efforts.
Identify Your Current Compliance Level and Risk
The purpose of using a risk-based approach is to weigh the benefit of processing data against the risk of doing so. Thus you can develop the right processes to accommodate the risk to the data subject.
When you think about harm or risk, remember it is the damage or negative impact to an individual that may flow from the data processing. Data protection laws protect people, not data.
Depending on your organization and how much information it collects or processes, this step may keep your privacy team busy. Furthermore, compliance isn’t static. Because privacy and technology change quickly, the company’s compliance status may change. Don’t think you’ve checked this box off for good.
Keep constant tabs on the business strategy and where it’s headed, literally and figuratively. If the business plans to expand into new geographies, additional regulations may impact you.
Privacy Assessments
Conduct a general privacy impact assessment (PIA) to discover your current compliance level. This will help you identify what data resides in the business (data inventory) and general potential risk areas from a technology perspective. A PIA is also recommended anytime you start a new project or develop a new app, for existing applications that store or process personal information, and when business processes are changed.
After doing a broad PIA, you should have a general understanding of your riskiest activities based on the organization’s technology use and volume of data. Through this process, you should have created a data inventory documenting what types of data the organization collects, how it’s processed or shared, where it goes, who has access to it, how long it will be retained, and when and how it’s disposed of.
Next, domain-specific assessments should be conducted on your privacy policies, vendor management process, and data subject rights response compliance, for example. An important assessment for many companies operating internationally is the Transfer Impact Assessment (TIA).
Additionally, it may be necessary to conduct Data Protection Impact Assessments (DPIAs), which focus more specifically on the harm to individuals. GDPR Article 35 requires that Data Controllers conduct a DPIA before a processing activity takes place that is likely to pose a high risk to the rights and freedoms of individuals.
Defining Risk
How risk is defined, how processing activities are classified, and how much risk is tolerated can vary greatly between organizations. Senior executives, legal, compliance, governance, and board members should discuss the level of risk the organization is willing to tolerate.
Risk is commonly divided into three categories (Low, Moderate, and High) based on the type of data, volume, applied safeguards, potential for malicious use, potential damage to the data subject, and legal requirements.
Develop a custom scale for your organization to prioritize risk, to analyze how likely the threat is to cause harm and how serious the harm would be, and to determine what levels of security and protection are appropriate for each level of risk.
There are a few examples of high-risk processing activities in the GDPR:
- Systematic and extensive automated profiling
- Processing on a large scale of special categories of data
- Large scale systematic monitoring of a publicly accessible area
And the European Data Protection Board has defined guidelines for high-risk processing activities:
- Evaluation or scoring (credit checks)
- Automated decision making with legal or similarly significant effects (job opportunities, promotions, loans, etc.)
- Systematic monitoring (employee workstation monitoring)
- Sensitive data or data of a highly personal nature
- Data concerning vulnerable subjects
- Data processed on a large scale
- Datasets that have been matched or combined
- Innovative use or new technology (fingerprint and facial recognition for access control)
- Interferences with rights or opportunities
- Other likely high risks to the fundamental rights or freedoms of individuals
As you conduct assessments and associate risk levels to your activities, thoroughly document how you reached those conclusions and the evidence used. This is necessary in case a threat, breach, or audit occurs. Meticulous due diligence efforts during this phase demonstrate accountability.
Not to mention, in some cases being able to demonstrate compliance is mandatory. You need to establish a good system for completing and organizing your Article 30 Reports, DPIAs, and other privacy and risk assessments, so they’re readily available to demonstrate compliance.
With the TrustArc Assessment Manager, you can automate, simplify and customize the DPIA and PIA process to complete only what’s necessary for your organization and save your privacy team time. You’ll get an organized repository of all your assessments and a valuable picture of your compliance gaps, high risk areas, and a path to remediation.
Prioritize and Mitigate Risk
Now that you clearly understand what regulations apply to your organization and your data processing activities, you can develop a strategy for prioritizing and mitigating the risk to the organization and to the data subjects.
It probably goes without saying that you should start by mitigating your areas of highest risk first. Enforcement actions can also give you an idea of what authorities are paying close attention to. Mitigating risk in those areas is recommended as well.
An important aspect of your privacy program will be compliance with data subject access requests (DSARs). These include requests to stop selling or sharing information and to know or access, change, and delete personal information.
These requests are part of how individuals in the EU, California, and other jurisdictions exercise their privacy rights. Because the GDPR and CCPA, as amended by the CPRA, dictate response requirements within a specific number of days, you won’t want to overlook this aspect of your privacy program.
To support timely compliance with DSARs, incorporate the following into your strategy:
- Complete a data inventory and map.
- Establish a process to intake individual rights requests that is easy on the individual and ensure this process is well communicated throughout the organization.
- Validate the individual’s identity.
- Once the request is validated, have a process to review it, evaluate the data referenced, the reasons for processing the data, and evaluate any exceptions.
- Have a response process.
- Put in place an appeals process for denied requests. Retain documentation throughout the process.
At this stage, you’ll better understand the tools and resources your privacy program needs based on your risk and desired outcomes. If your team wants to automate data subject requests fulfillment to improve response times, reduce cost, and build customer trust, try TrustArc’s Individual Rights Manager.
Establish Response Procedures and a Strategy for Ongoing Monitoring and Compliance
Here, you can set the foundation for your privacy program. Using the business strategy, your data inventory and map, privacy assessments, and overall risk analysis results, you can create a long-term privacy strategy that also achieves your short-term compliance goals.
As you create your privacy program, you’ll want to include the many assessments and reports required annually by law. GDPR requires Article 30 Reports and DPIAs; other examples include PIAs and security assessments. It’s also a best practice for you to conduct these assessments regularly as things quickly change with data, technology, and regulations.
Consider what the laws have in common and your responsibilities as the handlers of precious data. Don’t collect more than you need, be accountable, and embed privacy by design into development processes.
As new laws are introduced, you will no longer need to return to the drawing board. Rather than developing a compliance strategy for every regulation, you have established a baseline privacy standard. Now you just need to look for where the law differs from the standards you already have.