How to Build an Enterprise Privacy Program
Organizations are challenged to maintain advanced privacy programs, given the pervasiveness of personally identifiable information (PII) deployed across the enterprise combined with expectations around compliance.
This piece explains how to meet the challenge by establishing a risk-based approach that aligns closely with the business.
Understand the Goals of a Privacy Program
Privacy programs have several features in common. The most successful programs work to ensure:
- The data types used throughout the enterprise that qualify as personal data are understood: These data types fall into the category of PII applicable to your employees, customers and suppliers. Examples could include names, addresses, Social Security numbers (SSNs) and account information.
- The privacy program is right-sized to the organization: Like any program, there is never a one-size-fits-all approach. Privacy protections should fit the business environment, the volume and types of records, and the compliance implications.
- Requirements and implications are effectively communicated: Communications and support from the executive level to the operational level should be well defined and documented to reflect the importance of privacy protections and desired outcomes.
- Privacy profiles prioritize protections: Profiles should reflect the risk levels associated with the types of data, prioritized protections and activities that best address the organization’s privacy goals, mission, business needs and risks.
Implement Key Privacy Program Capabilities
Any technologies deployed to support the privacy program should also support decision-making and communication about the efficacy of organizational processes and resources to manage privacy risk. Primary capabilities to consider deploying include:
- Privacy profiles: Organizations should use privacy profiles (covering data such as names, addresses and SSNs) to select and prioritize the capabilities that best meet their specific needs. A privacy profile can be built by selecting specific functions, categories and subcategories from the organization’s target core privacy framework. Best practice is to consider the organization’s goals, data processing capabilities and roles, industry sector, legal/regulatory requirements and industry standards. These factors inform the risk management priorities and the privacy needs of individuals who are directly or indirectly served or affected by an organization’s systems, products or services.
- Data discovery: Automated data discovery tools can help scan systems, discover and classify personal data, and create a data map. This is essential for knowing what data you have. Some of the items that can be identified from automated data discovery include:
- Which systems hold data
- Data elements within those systems
- Categories of data elements
- Where data is stored
- How long the data has been stored
- When the data was modified
- Who can access the data
In addition, organizations may consider AI- and machine learning-based data discovery tools, which go beyond simply scanning metadata. These tools enable you to:
- Identify personal data, and then tag and enrich data based on the different regulations that apply to it.
- Tailor discovery and classification to your business, factoring in your industry type and its business and regulatory implications (e.g., GDPR).
- Take scanned data and map it to central data inventories, which helps you understand data better and generate required compliance reporting.
- Automatically detect and flag privacy risks in your data: Examples include PII in applications where PII is not permitted, sensitive data in unexpected tools, unexpected personal data, and new categories of data elements that require additional security or protection.
- Enforce data retention schedules and policies: Data discovery helps teams understand how long data has been stored and when it was last modified or used, enabling teams to understand where they have “stale” data in violation of their retention policies.
- Identify redundant and obsolete data: This reduces the amount of duplicated and unnecessary data that may qualify for deletion, shrinking the organization’s PII footprint and the likelihood of a breach.
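The checks listed above (building a data map, flagging PII where it is not permitted, enforcing a retention schedule and spotting redundant copies) can be illustrated with a small classifier run over constructed scan output. This is an added example, not code from a particular discovery product; the systems, records, detectors, two-year retention period and the `PII_PERMITTED` policy are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import date

# PII detectors for this example's privacy profile (SSNs and e-mail addresses).
DETECTORS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
}

# Constructed scan output: one entry per stored data element (system, field, value,
# last modification date, and the role that can access it).
RECORDS = [
    {"system": "crm", "field": "ssn", "value": "123-45-6789", "modified": date(2024, 5, 1), "owner": "sales"},
    {"system": "crm", "field": "email", "value": "a.smith@example.com", "modified": date(2024, 5, 1), "owner": "sales"},
    {"system": "analytics", "field": "contact", "value": "a.smith@example.com", "modified": date(2021, 1, 9), "owner": "data-team"},
    {"system": "ticketing", "field": "note", "value": "123-45-6789", "modified": date(2020, 2, 2), "owner": "support"},
    {"system": "crm", "field": "note", "value": "renewal due", "modified": date(2024, 5, 1), "owner": "sales"},
]

PII_PERMITTED = {"crm"}  # assumed policy: only the CRM may hold PII
RETENTION_DAYS = 730     # assumed two-year retention schedule


def classify(value):
    """Return the PII category of a value, or None if it is not personal data."""
    for category, pattern in DETECTORS.items():
        if pattern.match(value):
            return category
    return None


def build_data_map(records):
    """Map each system to the PII categories it holds and the roles that can access them."""
    data_map = defaultdict(lambda: {"categories": set(), "owners": set()})
    for r in records:
        category = classify(r["value"])
        if category:
            data_map[r["system"]]["categories"].add(category)
            data_map[r["system"]]["owners"].add(r["owner"])
    return dict(data_map)


def find_disallowed(records, permitted=PII_PERMITTED):
    """PII stored in systems where the privacy profile does not permit it."""
    return [r for r in records if classify(r["value"]) and r["system"] not in permitted]


def find_stale(records, today, retention_days=RETENTION_DAYS):
    """PII not modified within the retention schedule ("stale" data)."""
    return [r for r in records if classify(r["value"]) and (today - r["modified"]).days > retention_days]


def find_redundant(records):
    """PII values duplicated across more than one system, as deletion candidates."""
    systems_by_value = defaultdict(set)
    for r in records:
        if classify(r["value"]):
            systems_by_value[r["value"]].add(r["system"])
    return {v: sorted(s) for v, s in systems_by_value.items() if len(s) > 1}
```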
Get a Privacy Framework in Place
Once the privacy profiles and data discovery capabilities are in place, organizations must implement a privacy framework as a foundation for their program. To get started:
- Choose a governance framework: Many organizations deploy privacy programs to address business challenges, such as shifting regulatory requirements, conflicting or changing policies/procedures, duplicate compliance efforts and increased operational costs.
A governance privacy framework (e.g., NIST or ISO) provides the foundation for a sound privacy program and solves many of these challenges, while making it easier to adapt to organizational and regulatory change. When choosing a framework, the following questions can help narrow the field:
- Who should be involved?
- How will a framework benefit the organization?
- Which business processes may be impacted?
- Which frameworks are already being used within the organization?
- Which regulatory requirements—e.g., HIPAA, California Consumer Privacy Act, GDPR, etc.—should be considered?
- Map your regulations to your framework: If you need to comply with multiple privacy regulations, you will need to map out how they overlap with your framework and each other. This is the time to factor in any other frameworks (e.g., the NIST Cybersecurity Framework, ISO 27001, etc.) the organization uses to make sure everything is aligned. Mapping out control areas and grouping them by regulation and framework helps reduce complexity.
- Tailor your framework to your enterprise: Tailoring your framework to your organization’s specific privacy, risk and regulatory requirements makes the implementation process smoother. This requires modifying controls to align with specific business functions and the operating environment, which will require input from other parts of the business. But working with other teams to integrate your framework should help ensure enterprise-wide adoption.
- Document all control decisions carefully: There may be instances where a specific control does not apply to the organization. It is good practice to document the business reasons for not implementing the control. If appropriate documentation of the reasoning behind the exception is maintained, it will be a resource for any future audits and assessments.
- Communicate any changes/requirements effectively: A key part of successful adoption is communication. It is important to communicate any upcoming changes with core business teams within the organization. Providing appropriate support to the teams that may need to make changes because of the framework adoption is beneficial.
Privacy Program Benefits
Once you have successfully put your privacy framework in place, you must then implement the corresponding controls and set up monitoring for deviations from the privacy policy. At that point, the organization gets to reap the benefits provided by a privacy program framework. These include:
- Streamlined compliance: efficient application of compliance to privacy requirements.
- Measurable results: solid metrics that are contextualized to the company’s risk profile.
- Reduced costs: allows for a reduction in duplicated effort.
- Improved risk mitigation: drives efficient management of privacy risk.
- Effective program evaluation: allows the management team to measure effectiveness.
- Alignment with enterprise strategy: ensures the privacy program is truly aligned with business risk.
- Unification of privacy, security and compliance efforts: connects privacy to the other facets of the security program.
Establish a Strong Privacy Program
Companies are challenged with understanding and maintaining a sound privacy program, given the prevalence of data and systems and the range of compliance requirements. To foster success, they must:
- Fully understand the types of data processed: Creating strong privacy profiles and deploying data discovery and mapping tools can help.
- Document how privacy aligns with the business mission: Privacy should be a top-down initiative, with marching orders coming from executive management, so everyone understands the importance of privacy to the business.
- Ensure proper protections are aligned to enterprise risk: No two privacy programs are the same; the best programs align with the organization’s goals, data processing capabilities, industry sector, legal/regulatory requirements, etc.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.