Privacy has become a front-and-center compliance risk in organizations around the world. GDPR (Europe), CCPA (California), APP (Australia), PIPEDA (Canada), PDO (Hong Kong), PIPA (Japan), ECTA (South Africa)… the world of privacy compliance is like a bowl of alphabet soup, yet this list highlights just some of the many privacy regulations bearing down on organizations.
The challenge with privacy compliance is that business is dynamic. It changes minute by minute and second by second. Personal data is pervasive across the data and processes of an organization (e.g., employee data, customer data, and sales data). You may have been on top of your privacy obligations at the end of 2019, but the organization has changed significantly over the past few weeks and now also has CCPA compliance to worry about. Processes have changed, the business has changed, employees have changed, third parties have changed, your customers have changed.
Privacy compliance has to be continuously managed and monitored in organizations. It is not a point-in-time effort but one that has to be addressed in the context of continuous organizational change. Privacy compliance is about identifying and mitigating the compliance, brand, and business risks associated with processing personal data. It is about managing risks across the full lifecycle of data in an organization and its web of processes, transactions, relationships, and interactions.
Here are 7 habits of highly effective privacy compliance programs to help keep you on track:
1. Appoint a Chief Privacy Officer
Under GDPR this is referred to as a Data Protection/Processing Officer. Someone needs to be in charge to ensure that privacy risk and compliance are addressed across the organization and its jurisdictions. For large distributed organizations this may require that regional privacy officers be put in place to report to the organization’s global privacy officer.
2. Document data process flows
Foundational to privacy compliance – whether GDPR, CCPA, or many of the others – is the documentation of data process workflows: how personal information (e.g., that of employees and clients) enters and flows through the organization, how it is used and accessed, its disposition and the controls at each of these stages, and how these workflows interact across third-party relationships.
3. Define and communicate privacy policies
At the end of the day it is employees (and third parties) at all levels of the organization that interact with personal information. Privacy compliance is more about the front-office of the organization than the back-office function of compliance. Organizations need to ensure they have the right privacy and data protection and use policies in place and that individuals understand these in the context of their role in the organization. Privacy compliance requires organizations to have a clear defensible record of policy management, communications, attestations, reminders, and training activities.
4. Conduct data privacy impact assessments
Organizations should have a clear understanding of the state of privacy compliance and the risk to personal information in their dynamic environments. This requires that a regular periodic data privacy impact assessment be conducted, as well as triggers to do an assessment between periodic assessments when certain events or risk indicators alarm the organization.
5. Monitor controls and use of personal information
Ongoing monitoring of the environment is critical to ensure that controls are in place and protecting personal information in the environment. This requires that the organization has insight into where personal data is stored and used, monitors for its leakage and inappropriate use, and has full audit trails of interactions with personal data.
6. Establish incident response procedures
The best-laid plans of mice and men will fail. Even the best organizations, with the strongest culture and commitment to privacy and integrity, will have issues. Whether malicious or inadvertent, privacy breaches will happen. It is critical that the organization has clear issue reporting and case management procedures to handle privacy breaches from small to large. Appropriate steps and response plans should be identified ahead of an incident, so the organization knows how to handle it and does not make costly mistakes.
7. Govern third-party relationships
Over half of data breaches come from third parties – contractors, consultants, outsourcers, vendors, temporary workers, service providers, and more. Organizations need to make sure their third parties are compliant as well and follow strict policies and controls that are aligned with the organization’s privacy policies and controls. Data processors (e.g., third parties) have legal liability under GDPR and other regulations and have direct legal compliance obligations. One additional requirement is that the data processor cannot use a ‘fourth party’ to process any identifiable personal information without obtaining prior authorization from their client (i.e., the data controller).
The next privacy compliance challenge?
Once these 7 habits are in place for a highly effective privacy compliance program, the next challenge is to keep it current. Privacy compliance (and all of its elements) is a process that needs to be continuously managed in today’s distributed and dynamic organization. It is not a point-in-time effort, but one that has to be in sync with the business as it evolves, adapts, changes, and morphs.
Business is changing minute-by-minute and second-by-second. This requires an ongoing function that ensures that each new service or business process that makes use of personal identity information within the organization takes the protection of personal data into consideration when new operational processes are designed or existing ones are updated.
To achieve sustainable privacy compliance, organizations need to have privacy compliance technologies in place that are efficient, effective, and agile to keep up with a dynamic business environment. This is not a point-in-time effort and requires ongoing diligence to work towards compliance. Doing this in manual processes with documents, spreadsheets, and emails will only lead to gaps, errors, and eventually significant issues of non-compliance resulting in potential penalties.