[Privacy] Four Steps to Achieve your Effective Data Privacy Program - NETSEC


Sunday, June 1, 2025

[Privacy] Four Steps to Achieve your Effective Data Privacy Program

With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage for both IT and the business. 

This leaves leaders questioning what exactly privacy involves and how to make it scalable for their organization. As a facet of the business traditionally left to the discretion of a legal team or individual professionals, this new realm of privacy and data protection is still shrouded in grey area.

But what if privacy is a little more “black and white” than what previous thought frameworks may have dictated? By taking a quantitative vs. qualitative approach to privacy management, business and IT leaders can remove some of the ambiguity around what privacy controls need to be in place and how to balance privacy integration with current business operations.

As the general public begins to take back control over data privacy, so too should organizations, by taking a tactical, measurable approach to privacy and the business.

Privacy vs. Security

A common assumption is that security and privacy are one and the same. Security’s role is to protect and secure assets, of which confidential data – especially personal data – is a large focus. The consequences of a personal data breach can be severe, including the loss of customer trust and potential regulatory consequences. As a result, we often think of how we use security to protect data.

But that is not equivalent to privacy …

Privacy must be thought of as a separate function. While there will always be ties to security in the ways it protects data, privacy starts and ends with the focus on personal data. Beyond protection, privacy extends to understanding why personal data is being collected, what the lawful uses are, how long it can be retained, and who has access to it.



Privacy: Personal Data

When building a privacy program, focus on all personal data, whether it is publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. Conversely, an effective privacy program also enables access to information where regulatory guidance permits it and appropriate measures are in place.

See examples of personal data in the charts below:



A Quantitative Approach

Use a risk- and metrics-based approach against a privacy framework that supports compliance while accounting for the specific needs of your organization.


1. Collect Privacy Requirements

2. Conduct a Privacy Gap Analysis

Phase Action Items

  • Define and document drivers
  • Establish privacy governance structure
  • Build a privacy RACI chart
  • Define personal data scope
  • Build a risk map
  • Complete the Data Process Mapping Tool
  • Compare compliance and regulatory requirements with gap analysis
  • Assess and categorize privacy gap initiatives

Phase Outcomes

  • Documented business and IT drivers for the privacy program
  • High-level understanding of how privacy is perceived in the organization
  • Completed Data Privacy Program RACI Chart
  • Data Process Mapping Tool detailing all business processes that involve personal data
  • Privacy maturity ranking (Privacy Framework Tool)
  • Identification of compliance or regulatory privacy gaps

3. Build the Privacy Roadmap

4. Implement and Operationalize

Phase Action Items

  • Finalize privacy gap initiatives
  • Prioritize initiatives based on cost, effort, risk, and business value
  • Set firm dates for launch and execution of privacy initiatives
  • Assign ownership for initiatives
  • Establish a set of metrics for the Data Privacy Program
  • Operationalize metrics
  • Set checkpoints to drive continuous improvement

Phase Outcomes

  • Completed Privacy Framework Tool
  • Completed privacy roadmap, including a timeline for initiative implementation and a cost/benefit vs. value/risk assessment
  • Customized set of privacy metrics
  • Tasks to operationalize privacy metrics
  • Data Privacy Report document
  • Scheduled performance monitoring checkpoints

Privacy Controls with Metrics

As better privacy becomes the expectation of both B2B customers and end consumers, expect a corresponding shift toward a strong privacy program becoming a competitive advantage for many organizations.

Privacy metrics take your program from a static framework to an operational model.

Select privacy metrics that are realistic and relevant for your organization, based on each of the 12 areas outlined below as privacy control best practices.

Privacy Control Categories (from Info-Tech):
  1. Governance
  2. Regulatory Compliance
  3. Data Processing and Handling
  4. Data Subject Requests
  5. Privacy by Design
  6. Notices and Consent
  7. Incident Response
  8. Privacy Risk Assessments
  9. Information Security
  10. Third-Party Management
  11. Awareness and Training
  12. Program Measurement

Privacy Law

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is California’s data privacy law that took effect on January 1, 2020.

The CCPA empowers California residents with enforceable rights over the personal information they generate every day online.

GDPR

CCPA vs GDPR vs CPRA

The CPRA is an amendment to the CCPA and is effectively part of the larger California Consumer Privacy Act. These two regulations are not separate and should not be handled as such, nor should one be ignored in favor of the other. The CPRA grants California residents two additional privacy rights.


Consumer Rights
  • CCPA: Right to access personal data; right to delete data; right to opt out of the sale of personal data
  • CPRA: Enhanced rights from the CCPA; right to correct inaccurate personal data; right to limit the use of sensitive personal information (e.g., precise geolocation, race, health data)

Business Obligations
  • CCPA: Provide clear notices about data collection and use; offer opt-out mechanisms; ensure data security
  • CPRA: Builds on CCPA requirements; conduct regular risk assessments; limit data retention periods; implement more stringent data protection measures

Enforcement
  • CCPA: California Attorney General
  • CPRA: California Privacy Protection Agency (CPPA); the Attorney General retains some enforcement authority

Operational Dates
  • CCPA: Effective January 1, 2020
  • CPRA: Effective December 16, 2020; provisions operative January 1, 2023; enforcement began July 1, 2023

Likewise, while the CCPA and the EU's General Data Protection Regulation (GDPR) share many components and have similar purposes, the requirements under each are not the same. Companies must take care to identify their privacy compliance needs and requirements, and then adopt the policies and practices needed to satisfy their regulatory obligations. Complying with both the CCPA and the GDPR involves more than complying with one or the other.

PIPEDA

PIPEDA Self-Assessment Tool: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/pipeda_sa_tool_200807/

Tools

  • Scytale: https://scytale.ai/pricing/
  • OneTrust: https://www.onetrust.com/solutions/ccpa-compliance/
  • Scrut: https://www.scrut.io/solutions/ccpa
  • Usercentrics.com
  • www.osano.com (Free Cookie Consent): USD 0/month for 1 user, 1 domain, and up to 5,000 visitors/month
  • Ketch (Ketch Free): USD 0


Orrick's CCPA Readiness Assessment Tool consists of five sections with questions covering the scope of the CCPA, notice to California residents, CCPA rights of California residents, vendor management and contracting, and additional considerations.