Data privacy is a topic that many organizations are addressing. In this post, we will go through several steps that must be taken to implement a data privacy program.
Leadership Sponsor
As with any major initiative, data privacy is going to need the support of leadership. In particular, there will be a need for an advocate on the leadership team who will support the vision of improving data privacy. Who this person is will naturally vary from organization to organization.
The sponsor is not only an advocate but also serves as a medium of communication between the data privacy team and leadership. The sponsor serves as the eyes and ears for the privacy team, helping them to avoid pitfalls and deal with concerns that are not shared directly from the leadership team to the privacy team.
Put Someone in Charge
Implementing any program or strategy requires that someone take the lead. Therefore, when it is time to develop a privacy approach, someone needs to be in charge. The selection of the leader will naturally vary from one place to the other. The point is that the leadership sponsor needs someone they can talk to directly about the challenges and concerns that may be raised at the leadership level.
Depending on the size of the project there might be more than one person identified as a leader. However, it is generally wiser to start small and scale as appropriate.
Examine the Data
Before any action can take place it is important to take an inventory of available data. Another name for this is the compiling of a data catalog. A privacy leader must know what data needs to be held private. Without this information, it is hard to ensure the quality.
Knowing the data works in combination with the policies and procedures that need to be made. For example, if the data includes personal information this will influence how privacy is maintained versus data that does not contain such information.
Compliance Expectations
Knowledge of the data is applied in light of compliance expectations. For a corporation, the compliance standard might be GDPR. For other organizations, compliance might be determined by local laws or organizational standards.
Generally, a privacy team must provide evidence that they are implementing and/or obeying compliance standards. Therefore, a team might have to document and archive how they comply with regulations in the event of a data breach and/or audit.
Assess Risk
Assessing risk helps to inform the privacy team in terms of what sort of policy and/or procedures to implement. Fortunately, it is not necessary to develop this risk assessment in a vacuum. There are risk assessment frameworks such as ISO 31000 or ISO 27005. Either of these frameworks or others can help you to determine the level of danger your data is potentially facing.
Create Policies and Procedures
Policies are broad guidelines based on the context for which they are being developed. Most websites have some sort of privacy policy that explains how and what data is collected along with its purpose. Privacy policies can include an idea of the roles and responsibilities of the data privacy team as well.
Procedures are the steps that need to be taken to fulfill the policies that were created. In other words, data procedures provide step-by-step guidance for carrying out policies. For example, if the policy speaks about the importance of only certain people having access to data, a procedure for this might be how to set up a password or how to seek permission to access a particular database. Essentially, policies inspire procedures.
Controls
Controls are inspired by risk assessment. In this step, you are implementing ways to mitigate risk to data. For example, it might have been uncovered that sensitive data is too easy to access. The control for this example may be to move the data to a more secure location or to ensure that the data is password protected.
The main point here is that all of these measures must be integrated and working together. The data catalog and knowledge of compliance inspire the policies and procedures, which in turn help with the development of controls.
Training & Monitoring
Now that almost everything is in place it is time to train people on the new privacy rules. The training will be context specific but is critical for getting buy-in to the new system. Without the cooperation of the masses, there is no hope for the success of the program.
After training, the training is assessed through monitoring. Monitoring assesses how well the program is running. It deals with such challenges as whether people are obeying the new procedures that have been implemented. Monitoring also helps in providing feedback in terms of where there might be growth opportunities. No system is perfect and monitoring provides critical information to strengthen the program.
Conclusion
Data privacy can be improved in any organization. The ideas presented here provide information on how to start a data privacy program. Naturally, all of these steps may not work for each organization but many valuable ideas have been shared to support the protection of privacy.