Build a Data Privacy Program

Take out data privacy’s grey areas with a quantitative approach to your program.

Executive Brief

Analyst Perspective

Privacy can no longer be subjective. Quantify and measure to drive a more effective privacy program.

With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage for both IT and the business.

This leaves leaders questioning what exactly privacy involves and how to make it scalable for their respective organization. As a facet of the business that is traditionally left to the discretion of a legal team or professional(s), this new realm of privacy and data protection is shrouded in incumbent grey area.

But what if privacy is a little more “black and white” than what previous thought frameworks may have dictated? By taking a quantitative vs. qualitative approach to privacy management, business and IT leaders can remove some of the ambiguity around what privacy controls need to be in place and how to balance privacy integration with current business operations.

As the general public begins to take back control over data privacy so too should organizations, by taking a tactical, measurable approach to privacy and the business.

Cassandra Cooper Senior Research Analyst, Security, Risk & Compliance Info-Tech Research Group

Executive Summary

Your Challenge

• Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.
• With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.

Common Obstacles

• Privacy, traditionally, has existed in a separate realm, resulting in an unintentional and problematic barrier drawn between the privacy team and the rest of the organization.
• With many regulatory frameworks to consider and a number of boxes to tick off, building an all-encompassing data privacy program becomes increasingly challenging.

Info-Tech's Approach

• Sell privacy to the business by speaking a language they understand. IT and InfoSec leaders need to see privacy as more than just compliance, as a driver of business efficiency.
• Integrate and build by developing a program that promotes:
  • Privacy standards that are established with respect to how information is accessed.
  • Accessibility to this information through a defined understanding of personal data’s processing standards in the organization.

Info-Tech Insight

Take a quantitative approach to data privacy. Use metrics and a risk-based approach against a privacy framework that supports compliance while considering the custom needs of your organization.

Your challenge

This research is designed to help organizations who need to:

• Understand how to adapt and quantify privacy beyond compliance.
• Change the pre-existing perspective on how to assess privacy competency.
• Shift the organization’s view of privacy as the enemy of efficiency and innovation.
• Build an environment that places privacy ownership in the hands of the business.
• Extend the privacy program beyond the privacy team or organizational function.
• Take the ambiguity out of privacy program management.

Data Privacy Program

1. Understand – Collect Privacy Requirements
2. Assess – Conduct a Privacy Gap Analysis
3. Bridge – Build the Privacy Roadmap
4. Implement – Implement and Operationalize

Life after the GDPR

May 2018 saw the introduction of the General Data Protection Regulation across the EU, which has since become somewhat of a global standard when it comes to data protection best practices. However, many organizations still fall short of what is considered “compliant” by GDPR standards.

• 43% of organizations for whom GDPR compliance is of primary concern, consider themselves “moderately compliant.”
• 38% of organizations under GDPR compliancy still reported experiencing a data breach occurring during 2019.
• 94% of organizations that leverage third-party data processors rely on contractual assurances for data safety and protection.
(Source: IAPP, 2019)

Info-Tech Insight

An effective privacy program ensures compliance, but simply being compliant does not mean you have an effective privacy program.

Instead of reactively checking the compliance boxes based on a set of governing laws, develop a privacy framework that proactively anticipates while staying in scope of the needs of your organization.

Understanding privacy vs. security

A common assumption is that security and privacy are one and the same. Security’s role is to protect and secure assets, of which confidential data – especially personal data – is a large focus. The consequences of a personal data breach can be severe, including the loss of customer trust and potential regulatory consequences. As a result, we often think of how we use security to protect data.

But that is not equivalent to privacy …

Privacy must be thought of as a separate function. While there will always be ties to security in the ways it protects data, privacy starts and ends with the focus on personal data. Beyond protection, privacy extends to understanding why personal data is being collected, what the lawful uses are, how long it can be retained, and who has access to it.

Privacy is all about personal data

When building a privacy program, focus on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. On the converse side, an effective privacy program also enables accessibility to information based on regulatory guidance and appropriate measures.

See examples of personal data in the below charts:

True cost of a data breach

An industry outlook

Even with a robust privacy program in place, organizations are still susceptible to a data breach. The benefit comes from reducing your risk of regulatory compliance and resulting fines and minimizing overall exposure.

86% of data breach costs are associated with REGULATORY FINES

2019 Breach Breakdown

Average data breach costs per compromised record hit an all-time high of $150 in 2019. (Source: IBM Security)

The Data Breach Aftermath

% of abnormal customer turnover per size of data breach

• ›1% Lost $2.8 million
• 1-2% Lost $3.4 million
• 2-3% Lost $4.2 million
• 4% Lost $5.7 million

Data breach resolution times

• Time to Identify 206 days
• Time to Contain 73 days

% of data breach recovery costs over time

• 14% 3 Months
• 41% ‹6 Months
• 67% ‹1 Year
• 11% ›2 Years

Info-Tech’s approach

Scale and quantify privacy in the organization by taking a layered approach to building out a data privacy program in the organization.

• Industry and operating environment of the organization
• Involvement of personal data in business processes
• Acceptable risk
• Data privacy metrics

The Info-Tech Framework

Our approach is modeled on a framework that extends beyond compliance to create a scalable and quantifiable privacy framework.

1. Governing Privacy Laws – Understand which governing privacy laws and frameworks apply to your organization.
2. Data Process Mapping Tool for Business Processes – Create a map of all personal data as it flows throughout the organization’s business processes.
3. Privacy Initiative Prioritization Schema – Prioritize privacy initiatives and build a privacy program timeline.
4. Privacy Metrics – Select your metrics and make them functional for your organization.
5. Privacy Program – Continue to refine your Data Privacy Program.

Info-Tech’s methodology for building a privacy program

Insight summary

Overarching insight

Take a quantitative approach to data privacy. Use metrics and a risk-based approach to drive a privacy framework that supports compliance and considers the custom needs of your organization.

Fit privacy to the business.

Contextualize privacy for your organization by involving the business units from day 1; collect requirements that promote cross-collaboration.

Privacy is dynamic.

Structure drives success: take a process vs. system-based approach to assessing personal data as it flows throughout the organization.

Prioritize and plan together.

Review, revise, reprioritize; come back to the initial risk map created. Draw on areas of alignment between high-value/high-risk processes and their supporting initiatives to properly prioritize.

Make it operational.

Be selective with your metrics: choose to implement only metrics that are relevant to your environment. Base your selection on the highlighted areas of focus from the maturity assessment.

Privacy doesn’t live in isolation.

By assigning ownership and flexibility to your business units in how they weave privacy into their day-to-day, privacy becomes part of operational design and structure.

A good privacy program takes time.

Leverage the iterative process embedded in each phase to prioritize privacy initiatives based on value and risk and support the rollout through customized metrics.

Blueprint deliverables

Key deliverable:

• Privacy Framework / Business Unit Framework Tools Leverage best-practice privacy tactics to assess your current organizational privacy maturity while comparing against current privacy frameworks, including GDPR, CCPA, HIPAA, and NIST. Build your gap-closing initiative roadmap and work through cost/effort analysis.

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

• Privacy Program RACI Chart A high-level list of privacy program initiatives, with assigned ownership to privacy champions from both the business and IT.
• Data Process Mapping Tool Full documentation of all business processes that leverage personal data within the organization.
• Data Protection Impact Assessment When highly sensitive data is involved, leverage this tool to assess whether appropriate mitigating measures are in place.
• Data Privacy Program Report A template that highlights the key privacy metrics identified in Phase 4 for the senior leadership team.
• Privacy Policy Templates Internal and external policies around:
  • Data Protection
  • Privacy Notice
  • Cookies
  • Data Retention

Blueprint benefits

IT Benefits

• Identification of information security-specific privacy controls, mapped against governing privacy frameworks (GDPR, CCPA, HIPAA, PIPEDA, NIST).
• Comprehensive inventory of where personal data exists within IT systems at different points during its lifecycle (at rest, in transit).
• Perspective from a privacy lens on IT controls (system and network access, asset management, etc.).
• Assigned ownership for members of the IT team of privacy-IT integration and individual privacy initiatives.

Business Benefits

• Understanding of the scope of privacy within the context of the organization.
• An active role and participation in the integration of privacy requirements as a part of pre-existing operations, as well as net-new operating procedures.
• Ability to leverage privacy as a competitive advantage in streamlining how customer data flows through the organization.
• Thorough perspective on how each of the business units’ processes impact and reference personal data.

Data Privacy

• IT / InfoSec
• Senior Leadership
• Business Units

Measure the value of this blueprint

As better privacy becomes the expectation from both B2B customers and end-consumers, expect a subsequent shift towards a strong privacy program as a competitive advantage for many organizations.

Privacy metrics take your program from a static framework to an operational model.

Select privacy metrics that are realistic and relevant for your organization, based on each of the 12 areas outlined as part of privacy control best practices.

Info-Tech’s Privacy Control Categories

Governance Regulatory Compliance Data Processing and Handling Data Subject Requests Privacy by Design Notices and Consent

Incident Response Privacy Risk Assessments Information Security Third-Party Management Awareness and Training Program Measurement

Info-Tech Project Value

$72,348 – Average annual salary of a Privacy and Compliance Officer

1,020 hours, $38,250 (initial spend), $7,650 (ongoing spend) – Average total time/cost to completion for the following high-priority privacy-related projects:

• Complete and revise Data Process Mapping Tool (X)
• Develop and document retention policy (X)
• Validate personal data processing procedures (X)
• Develop a privacy framework and roadmap (X)
• Update DSAR request forms
• Review vendor contracts and ensure data transfer agreements are in place
((X) indicates a project or initiative covered by Info-Tech’s Data Privacy Program methodology)

$45,900, 1,020 hours – Estimated cost and time savings from this blueprint

Executive Brief Case Study

DoorDash Data Breach – Fall 2019

INDUSTRY: Food Services
SOURCE: Forbes

Event

• Food delivery service DoorDash announced a data breach impacting 4.9 million users, delivery employees, and merchants in late September 2019.
• PII hacked included name, email, delivery address, phone numbers, passwords, and final four digits of payment cards taken, as well as final four bank account digits for delivery employee and merchants.

Aftermath

• Main backlash highlighted the fact that DoorDash did not detect the breach until more than five months after the date of the breach.
• DoorDash’s press release stated the company would focus on:
  • System access security protocols
  • Ramping up data security
  • Leveraging external expertise to help mitigate future risk

Issue

• Misplaced accountability: there was no ownership when it came to whom within the company had access to PII.
• A lack of stringent third-party vendor management, resulting in contracts that left room for interpretation in terms of who had access to customer PII.
• Ineffective incident response plan, as it took the organization five months to inform customers that the breach had occurred.

Info-Tech’s Resolution

In 2019, data breaches increased globally by over 33%. Within the first quarter alone, 4.1 million records were exposed.

Preventing a data breach is just one outcome of implementing an effective privacy program, amongst an understanding of:

• Where every bit of personal information resides
• Who has access to which personal information
• All security controls necessary to protect personal information
• The retention times for different types of PII

Build a Data Privacy Program leverages a simple four-step process:

1. Collect Privacy Requirements
2. Conduct a Gap Analysis
3. Build the Privacy Roadmap
4. Implement and Operationalize

Looking through the global data breach lens

33% increase in the number of data breach incidents from the first half of 2019

Info-Tech Solution

Every case is different, however, across the spectrum of breaches during 2019, we can spot common trends.

In many cases, external parties informed the company of the leaked data, exposing the underlying lack of privacy program monitoring in place within the organization itself.

By developing a structured privacy program, you know:

• Where data is in the organization
• Who is accessing it
• How it’s being leveraged and maintained

Should the event of a breach occur, you can take back control of the resolution process, and minimize reputational damage.

Executives are increasingly concerned about data breaches

Hefty fines and reputational damage are two of the primary setbacks incurred following a publicized data breach.

$3.92 million (USD) | Average total cost of data breach

7.9 billion | Number of records exposed in the first 9 months of 2019

279 days | Time between occurrence and containment of data breach

Hacking | Top breach type for number of incidents incurred

Senior management and executives now acknowledge privacy and security as some of the biggest risks to the business. Previously, the entire scope of privacy would fall upon IT professionals to manage and control.

High-profile cyberattacks and data breaches, such as Capitol One in 2019, have brought the issue of privacy to the forefront of executives’ minds. Regulatory obligations to notify the public of breaches and pay significant fines for noncompliance have also pushed executives to be more concerned than ever before.

Info-Tech Insight

Data breaches shouldn’t just concern senior leadership and management; involving and educating your organization at all levels encourages a tightly woven, privacy-centric operating model. (Source: IBM Security)

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Phase 1

• Call #1: Scope requirements, drivers, objectives, and challenges.
• Call #2: Build out privacy ownership using the RACI chart.

Phase 2

• Call #3: Review results of data process mapping business unit interviews.
• Call #4: Delve into the Privacy Framework Tool to identify and evaluate gaps.

Phase 3

• Call #5: Determine cost and effort ratio of gap initiatives.
• Call #6: Build out additional privacy collateral (notice, policy, etc.).

Phase 4

• Call #7: Review standard privacy metrics and customize for your organization.
• Call #8: Establish and document performance monitoring schedule.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com1-888-670-8889

Build a Privacy Program

Phase 1

Collect Privacy Requirements

This phase will walk you through the following activities:

• Identify the driving forces behind the privacy program
• Understand privacy governance
• Assign ownership of privacy

This phase involves the following participants:

• Privacy Officer/privacy team
• Senior management representation (optional)
• Relevant business unit privacy champions
• InfoSec representative
• IT representative

Info-Tech’s Privacy Program Methodology

The below image is a visual representation of Info-Tech’s Privacy Framework. This includes high-level governance items as well as more tactically defined areas. See an overview below.

The current state of privacy law

A perspective on the proliferation of privacy law

Download this tool | Info-Tech’s Privacy Framework Tool includes a best-practice comparison of GDPR, CCPA, PIPEDA, HIPAA, and the newly released NIST Privacy Framework, mapped to a set of operational privacy controls.

1.1 Define and document the data privacy program drivers

Input: Optional: Ask core team members to brainstorm a list of key privacy program drivers and objectives

Output: Documented list of privacy program drivers, Documented list of privacy objectives, Level-setting on understanding of privacy from core team

Materials: Whiteboard/flip charts, Sticky notes, Pen/marker

Participants: Privacy Officer, Senior management team, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Bring together relevant stakeholders from the organization. This can include those mentioned on the previous slides (Legal, HR, Privacy, etc.) and those who handle personal data regularly (Marketing, IT, Sales, etc.).
2. Using sticky notes, have each stakeholder write one driver for the privacy program.
   • These may vary from concerns about customers to the push of regulatory obligations.
3. Collect these and group together similar themes as they arise. Discuss with the group what is being put on the list and clarify any unusual or unclear drivers.
4. Determine the priority of the drivers. While they are all undoubtedly important, it will be crucial to understand which are critical to the organization and need to be dealt with right away.
   • For most, any obligation relating to an external regulation will become top priority. Noncompliance can result in serious fines and reputational damage as well.
5. Review the final priority of the drivers and confirm current status.

Privacy-by-design is no longer a "nice to have"

Integrate the key principles behind PbD to embed privacy in the operations of the organization and minimize business disruption.

1. Proactive, not reactive. Preventative, not remedial.
2. Privacy as the default setting.
3. Privacy embedded into design.
4. Full functionality; positive-sum not zero-sum.
5. End-to-end security; full lifecycle protection.
6. Visibility and transparency; keep it open.
7. Respect for user-privacy; keep it user-centric.
(Source: IPC Privacy by Design)

Download this research | Get a head start on integrating data protection into the foundations of your projects and processes with Info-Tech's Demonstrate Data Protection by Design for IT research.

Determine the primary owners of the privacy program

The privacy program must include multiple stakeholders for it to be successful. It’s integral to assign clear lines of ownership to build and effectively manage the program. Without defined ownership, privacy initiatives can easily fall between the cracks and issues may not be handled effectively.

Privacy Department

• In the most privacy-mature organizations, a dedicated privacy function exists that heads up all privacy initiatives.
• This does involve coordinating with all other relevant departments, but privacy is centrally managed by one group.

Legal, Compliance, Audit

• In many organizations without a dedicated privacy team, it often falls to Legal, Compliance, and/or Audit to take the privacy mantle.
• Since many privacy programs are being driven by the increase of privacy regulations, these groups often become huge proponents of implementing privacy within the organization.

Human Resources

• Occasionally the HR department will take on the privacy program.
• This is the case for organizations that do not have a dedicated legal counsel and where most personal data held by the organization is that of the employees.

InfoSec or IT

• Privacy can also be owned by the security team. Many still think of security and privacy as being the same thing and it is not uncommon to conflate these two functions into one team.
• However, it is worth noting again that these two are different and many privacy initiatives go beyond security controls.

Info-Tech Insight

If not already mandated by governing privacy laws, consider appointing a privacy officer to formalize privacy ownership in the organization.

Define the governance structure of the privacy program

A successful privacy program will be structured in a way that best fits the needs of your organization. Minimize disruption to ensure a successful adaptation and launch.

1. Centralized
   • One central group manages the entire privacy program. They may direct other groups in terms of certain actions or initiatives, but privacy is centrally managed and reported on by one group.
   • This works well for large organizations to manage and track all privacy efforts, but it can become very bureaucratic.
2. Decentralized
   • Privacy is distributed to the rest of the organization, often in the lower tiers. The expectation here is that there is a bottom-to-top discussion of privacy while allowing for a flatter structure.
   • This works well with highly privacy-aware employees who can make the correct decisions at their respective levels. However, it can be difficult to track compliance.
3. Hybrid
   • Aspects of centralized and decentralized programs are combined to get the best of both structures; for example, one group or individual may track all privacy efforts in the organization, but each business unit can choose how to implement them. Another method is to have a designated privacy representative in each business unit.

Info-Tech Insight

While there may be one individual or group designated to manage the privacy program, privacy is everyone’s responsibility. Employees will have to perform the necessary actions such as limiting their personal data collection or anonymizing data. The success of the program will rely on everyone understanding how to put privacy first.

Evaluate a centralized governance model

This is an example of a centralized organizational structure for managing privacy. In this case, there is a dedicated privacy team that directs all the other departments in terms of their personal data management.

The centralized model is a more traditional structure for privacy in the organization and promotes the idea that one group is entirely accountable for the proliferation of privacy within the organization. This structure requires regular reporting and communication between the different groups.

Advantages

• Central tracking of privacy initiatives and adherence leads to better compliance tracking.
• The creation of a dedicated privacy team usually indicates leadership support for the program.

Disadvantages

• Accountability may be lacking with the other groups, as they may perceive that the privacy team handles everything privacy related.
• It may be difficult to find dedicated privacy professionals to fill an entire team.
• This structure can lead to bureaucracy that slows down response time to certain privacy issues.

Evaluate a decentralized governance model

In a decentralized model, we see that it is up to each department to create and form their own respective privacy practices. This can be done with the help of assigned privacy champions within each group. These individuals work with their own teams to integrate privacy within their business processes.

Advantages

• Privacy reps will provide the expertise of their department or business unit while integrating privacy more seamlessly.
• This allows for better change management within the business, as privacy changes are initiated by a peer instead of an outside group.
• A decentralized structure often works best for organizations with little to no need for regulatory tracking.

Disadvantages

• The lack of centralized tracking and reporting on privacy can quickly lead to the inability to demonstrate regularly adherence.
• Differing views on what privacy means for each group can result in inconsistent processes and standards.

Evaluate a hybrid governance model

These days, many privacy-mature organizations lean toward a privacy center of excellence. This hybrid method combines the best of both centralized and decentralized structures:

• A centralized privacy for tracking and reporting purposes.
• Business unit privacy champions assigned to draw ownership and buy-in from the business units.

The privacy champions from each business unit report to the central privacy unit, eliminating the need to hire multiple privacy-specific individuals within the central team.

Advantages

• The hybrid structure combines many of the benefits of the centralized and decentralized governance models.

Disadvantages

• Like a decentralized approach, each group may respond to privacy in its own way. However, the center of excellence will assist in ensuring some standardization.

Organizations that identify as having adopted a hybrid privacy governance model report shorter sales delays (4.6 weeks) when compared against organizations that employ either a fully centralized (9.8 weeks) or decentralized model (7.1 weeks).

1.2 Right-size your privacy governance structure

Input: Privacy governance structure models

Output: Future privacy governance structure, Initial understanding of privacy program ownership within the business context of the organization

Materials: Whiteboard/flip charts, Pen/marker

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

Consider the following when building out your privacy organizational structure.

1. Determine where ownership of the privacy program will be.
   • Common choices are a dedicated privacy team or the Legal, Information Security, and/or HR departments.
   • Decide whether a privacy officer is necessary in your organization – some regulations recommend it.
2. Review your current organizational structure to decide which model would be best for your privacy practices: centralized, distributed, or hybrid.
   • Review the previous examples for how this could be structured. Be mindful that you can set up this structure based on your own unique requirements, for example, two different groups can share ownership of the entire privacy program.
3. Select the appropriate governance structure; document. Make note of significant changes that will need to occur to facilitate implementation of the governance structure.

Info-Tech Best Practice

There is no one perfect governance structure that works for all organizations. Look at your current organizational and governance setup and see which structure fits best. Ask yourself:
Are we already set up in a centralized, distributed, or hybrid structure? Are we looking to implement privacy with new resources or existing employees? What model works best for us to meet our compliance needs?

1.3 Build out the data privacy RACI chart

30-60 minutes

Input: Documented list of privacy program drivers, Documented list of privacy objectives, Data Privacy Program RACI Chart

Output: Ownership assigned to privacy-related tasks within the organization, Completed privacy RACI document

Materials: Laptop, Whiteboard (optional), Pen/markers (optional)

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Amongst your team, level set and discuss what each of the letters within the RACI chart schema mean in the context of your organization.
2. Work through the actions documented in column B of the Data Privacy Program RACI chart.

3. Validate. Review your outputs for each of the Action rows in column C and onward. Does overlap exist between various roles? Do dependencies exist? Will any of the assigned RACI values change with the implementation of the privacy program?
4. Document any notes or amendments made in columns adjacent to the role columns.

Download this tool | Complete this activity by filling in Info-Tech’s Data Privacy Program RACI Chart.

1.4.1 Define the extent of your personal data scope

1 hour

Input: Drivers/outputs from activity 1.1, Solicited input from both IT/InfoSec and business units

Output: High-level list of business processes categorized by data risk, List of business processes coordinated by the organization, List of business processes coordinated by a third-party organization (vendor)

Materials: Whiteboard/flip charts, Sticky notes, Pen/marker

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Divide into groups and give each group member a handful of sticky notes.
2. Ask them to write down as many business units or functional groups as possible for the organization that process (collect, record, use, disseminate, etc.) personal data.
3. Collect each group’s responses and discuss whether the business unit is a data controller, a data processor, or both.
   • Focus on whether the business unit decides the purpose of processing the data or if an external party determines the purpose of processing.
   • Use blue for data controllers and yellow for data processors. If a business unit is both a data controller and a data processor, write the business unit on both a blue and a yellow sticky note.
4. Discuss and aggregate all responses into a final document, listing what is in scope of your privacy program and what is out of scope.

1.4.2 Build your risk map

1 hour

Input: Outputs identified in activity 1.4.1, Business unit leaders’ and champions’ understanding (high-level) of processes that involve personal data

Output: Prioritization of business units for each privacy program activity

Materials: Whiteboard/flip charts, Sticky notes, Pen/whiteboard markers

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Review the data “processed” by data controllers and data processors identified in activity 1.4.1. Identify the relative sensitivity of data these units process.
2. With input from your subject matter experts (SMEs) and IT leaders, organize the business units (BUs) according to the volume of data in their operations.
3. Discuss the overall risk map to prioritize privacy initiatives.
4. Record for future reference.

An effort map is an easy way to communicate with stakeholders how your GDPR initiatives were prioritized.

Info-Tech Insight

Bake in a quantitative element of risk analysis as you create the privacy framework to take away some of the guess work when it comes to prioritizing initiatives and creating your roadmap in Phase 3. Compare and contrast the perspective of your core IT or privacy team and that of the business units when it comes to assigning a volume and risk ranking for each of the business processes.

Build a Privacy Program

Phase 2

Conduct a Privacy Gap Analysis

This phase will walk you through the following activities:

• Understand the methodology behind the Data Process Mapping Tool
• Assess risks and map out your data breach response process
• Work through the threshold assessment and DPIA process

This phase involves the following participants:

• Privacy Officer
• Core privacy team
• Relevant business unit privacy champions
• InfoSec representative (optional)
• IT representative (optional)

Understand the role of the Data Process Mapping Tool

1 Inventories personal data by business process	2 Identifies gaps in the organization's data processing activities	3 Fulfills regulatory needs (e.g. GDPR)
Name and contact details of the processor, controller, and where applicable, the privacy officer Categories of processing carried out on behalf of the controller Purposes of processing Categories of data subjects and personal data Sensitivity level of personal data Categories of recipients to whom data are or will be disclosed (includes third countries) Retention periods (if possible) Overview of third-country data transfers Technical and organizational security measures	Highlights data processing activities with a high degree of risk due to: Retention periods Sensitivity of data stored Vendor agreements Documentation of procedures around processing activities	The Data Process Mapping Tool closely resembles the Record of Processing register, which is required under Article 30 of the GDPR. The Record of Processing takes a dynamic and comprehensive approach to mapping data’s flow throughout an organization. It acts as a document that demonstrates an organization’s accountability and awareness of how personal data is leveraged. This document inventories the full set of processes in which personal data is collected and processed by the organization.

Determine the appropriate level of granularity with your processing activities

Think about the major business processes that make up your operations and refine by the common set of personal data types within sub-processes.

2.1 Complete the Data Process Mapping Tool

1-1.5 hour per business unit interview

Input: Outputs from activities 1.4.1 and 1.4.2

Output: Understanding of what data is involved in each business processing activity, Potential gap areas

Materials: Data Process Mapping Tool

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

Data protection goes beyond understanding where data is stored and how the systems are protected. Use this activity to start defining activities that are involved in processing your data.

1. Using the outputs from activities 1.4.1 and 1.4.2, group all business processes that touch personal data, based on their corresponding business function or unit.
2. Identify a privacy champion for each business unit or the respective business unit leader.
3. Schedule interviews with these individuals and review each of their business processes. Leverage the Data Process Mapping Tool to capture all elements of personal data included in the business processes.
4. Validate responses with members of the core team following each interview.

Download this tool | Complete this activity by filling in Info-Tech's Data Process Mapping Tool.

Info-Tech Insight

Compare and contrast the Data Process Mapping Tool with any previous documents collected, tailored to data kept in individual systems or applications, to gain a more robust understanding of how personal data interacts with organizational assets.

Review the Privacy Framework Tool

Leverage the 12 domains and subsequent privacy controls as you work to right-size Info-Tech’s Privacy Framework for your organization.

Review the Privacy Framework Tool

Leverage the 12 domains and subsequent privacy controls as you work to right-size Info-Tech’s Privacy Framework for your organization.

The framework also contains mapping to major privacy regulations, including GDPR, CCPA, HIPAA, PIPEDA, and NIST Privacy Framework.

Info-Tech Insight

This best-practice framework will force you to re-evaluate your current operations and understand how to integrate privacy. To gain the most benefits from your privacy program, review and understand which domains are most critical to your operations and which you will want to put the most focus on. This will ensure that this framework works for you and builds a privacy program around your organization’s specific requirements.

2.2 Compare compliance and regulatory requirements for gap analysis

2 hours

Input: Knowledge of which privacy frameworks or laws apply to your organization

Output: Understanding of compliance and/or relevant privacy law requirements, Best-practice privacy controls mapped against organization’s current and target privacy controls, Existing gap areas

Materials: Privacy Framework Tool

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. On tab 2 of the Privacy Framework Tool, review each privacy control and determine the current organizational maturity based on the five-point CMMI scale below. Capture any relevant comments, as required.
   1. Initial/Ad hoc
   2. Developing
   3. Define and Documented
   4. Managed and Measurable
   5. Optimized
2. Define the target state using the same five-point scale.
   • The target state will be heavily influenced by the requirements gathered in the earlier phase.
3. Wherever there is a gap between the current and target state, document what initiative is needed to close the gap in column N.

Download this tool | Complete this activity by filling in Info-Tech's Privacy Framework Tool.

Perform a high-level gap analysis on your processing activities

Taking a top-down view of a processing activity can often expose gaps in the process.

In the example of an Email-Based Document Exchange process, personal data could be exposed during these sub-processes in red. Optimizing the process, via improved security, with the version in green would address these gaps.

Info-Tech Insight

Knowing is half the battle. Ensure high-level gaps identified via this method are risk-assessed. Add remediation initiatives in the Privacy Framework Tool to contribute towards your defensible compliance position.

Align incident management to relevant regulations

Language within privacy regulations is explicit in requiring notification to the supervisory authority and data subjects in instance of a data breach.

• A key component of a successful privacy program involves a well-developed set of incident response and management procedures.
• Each privacy regulatory framework will establish its own timeframe when it comes to incident response procedures.
• These same frameworks will also support the underlying procedures involved in incident management runbooks that are created, maintained, and updated on a regular basis by the InfoSec or IT teams.
• Info-Tech recommends taking a “best-of-breed” approach in creating an effective incident management response plan:
  • Use relevant regulatory timeframes as a guideline.
  • Involve business unit privacy champions when creating the response plan.
  • Identify all interdependencies and map out as a part of the validation process.

GDPR – Data subject notification

“In the case of a personal data breach, the controller shall notify without undue delay and, where feasible, not later than 72 hours. […] Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” (Source: General Data Protection Regulation)

CCPA/CPRA – Not defined

Unlike the GDPR, CCPA/CPRA does not define data breach reporting timeframes. However, should a breach or other data security incident occur “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices,” the business can be fined $100-$750 per individual incident, or the full cost incurred of damages. The CPRA adds in new standards for what constitutes a data breach.

PIPEDA – Breach of security safeguards

Following the occurrence of a breach, organizations must report any breaches in the prescribed form and manner as soon as feasible.

Understand the security incident management framework

For all incident runbooks follow the same process: detection, analysis, containment, eradication, recovery, and post-incident activity.

1. PREPARE
   Ensure the appropriate resources are available to best handle an incident.
2. DETECT
   Leverage monitoring controls to actively detect threats.
3. ANALYSIS
   Distill real events from false positives.
4. CONTAIN
   Isolate the threat before it can cause additional damage.
5. ERADICATE
   Eliminate the threat from your operating environment.
6. RECOVER
   Restore impacted systems to a normal state of operations.
7. POST-INCIDENT ACTIVITIES
   Conduct a lessons-learned post-mortem analysis.
(Process adapted from NIST SP 800-61 Rev. 2)

Info-Tech Insight

Document each step of the incident lifecycle. A thorough, comprehensive record will assist in understanding the root cause, allow for faster remediation of any future reoccurrences of the incident, and support any legal escalation. Tracking the cost of work hours helps in determining the overall impact to the organization.

2.3 Analyze the risk of data breaches to your data subjects

30 minutes

Input: Understanding of incident management process, Current runbooks to leverage as a basis for activity

Output: Inputs for revised incident management runbooks, Understanding of impact of data breaches on your data subjects

Materials: Sticky notes, Markers, Whiteboard/chart paper

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

Take a client-centric approach to incident management. Understand the risk involved in data breaches beyond your organization and use as inputs as a part of your revised incident response process. Leverage existing runbooks and revise.

Identify each of the following. Validate with team members and document using incident management runbooks. Include data subject risk impact analysis as a step in your incident management runbooks.

1. Type of breach
2. Nature, severity, and volume of personal data
   • Combinations of data are more sensitive
   • Relevancy of situational sensitivity should be considered
3. Ease of identification of individuals
4. Severity of consequences for individuals
   • A trusted recipient does not negate that a breach has occurred
   • Are the resulting consequences permanent?
5. Special characteristics of the individual
6. Number of affected individuals
7. Special characteristics of the data controller

Download this research | Leverage Info-Tech’s research Develop and Implement a Security Incident Management Program.

Define and uphold your post-incident record keeping requirements

For regulatory purposes it is crucial that a breach response process is developed and documented both prior to and following an incident.

• Causes of the breach
• Time to identify and time to resolve breach
• Consequences of the breach
• What personal data was affected
• How the breach was remediated and the justified breach response
• What took place during the breach
• Employee training on process

Integrate incident response as a part of security operations

Incident response is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operation, and technology infrastructure on a daily basis.

	Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.	Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
	Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data, but also provides visibility into your threat landscape.	Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

Know the “why” behind your processing activities

A good start to understand the legitimacy of your reasons for data processing stems from the GDPR. Align your reasons for processing with one of the six lawful bases for data processing.

1. Consent
   • Permission to process for specific purposes.
   • Notice must be clearly distinguishable, intelligible, in plain language, and freely given.
   • Proof and documentation is required.
2. Performance of a Contract
   • Data subject must be a party of the contract and want to enter into the contract.
3. Legal Obligation
   • Narrow interpretation that applies to the legal obligation of European Union and member state laws only.
4. Vital Interests
   • The interest of the data subject or another natural person.
   • Interpreted as a necessity for survival and if no other basis of processing is available.
5. Public Interest or Official Authority
   • Determined by the member state.
   • E.g. administration of justice, tax collection, conducting a census.
6. Legitimate Interest
   • Data subjects’ interest must be balanced with the controllers’ interest.
   • Data subjects must be informed of controllers’ legitimate interest.

Align data classification to privacy law requirements

Organizations can use data discovery and classification as a method to understand their data environment.

1. Require data discovery & classification

   Organizations that have existing data classification can leverage their previous effort to align the scheme to personal data.
   • The following slide details how your organization can adjust existing data classification tiers to align with personal data sensitivity.
   Organizations that do NOT have existing data classification should create a tiered scheme that addresses all types of data (e.g. organizational and personal). Four steps of this project:
   • Formalize your program – determine the classification scheme
   • Discover the data – benefits and challenges of data
   • Classify the data – continuation of discovery
   • Plan for implementation – identify metrics

2. Have a sound understanding of your data environment

   Validate and continue finalizing the Data Process Mapping Tool.

Align your data types based on data classification in the organization

Download this research | Leverage Info-Tech’s research Discover and Classify Your Data.

Define data classification in the context of your organization

Build out a data classification scheme that fits the operating and regulatory environment of your organization

What is data classification?

Data classification is the process of identifying and classifying data on the basis of sensitivity and the impact the information could have on the company if the data is breached. The classification initiative outlines proper handling procedures for the creation, use, storage, disclosure, and removal of data.

Why do we need it?

With the increase in data and digital advancements in communication and storage (e.g. cloud), it becomes a challenge for organizations to know what data exists and where data lives. A classification scheme must be properly implemented and socialized to help ensure appropriate security measures are applied to protect that data appropriately.

Types of data

Structured

• Highly organized data, often in a relational, easily searchable database.
• E.g. employee numbers stored in a spreadsheet

Unstructured

• Data that is not pre-defined in format and content; majority of data in most organizations.
• E.g. free text, images, videos, audio files

Semi-structured

• Information not in traditional database but contains some organizational properties.
• E.g. email, XML

Without data classification, an organization treats all information the same. Sensitive data may have too little protection. Less sensitive data may have too much protection. Strategically classifying data will allow an organization to implement proper controls where necessary.

Further define risk using the Data Process Mapping Tool

Each of the business processes retained within the Data Process Mapping Tool contains an inherent level of risk based on the volume and sensitivity of data.

1. Pull the outputs from the initial risk-mapping activity as you work through populating the Data Process Mapping Tool.
2. Categorize each of the business processes, based on where they fall within the quadrant, and populate column F within tabs 1 and 2 of the tool.
   • High / Medium / Low
3. Identify and make note of the number of processes that fall within each of the three categories. Track areas in which the majority of high vs. low-risk processes exist and observe any trends.
4. For any processes that remain categorized as “High,” perform further analysis to validate the classification:
   • Internal Risk Assessment
   • Security Assessment
   • Info-Tech’s Data Protection Impact Assessment Tool

2.4 Complete the DPIA threshold assessment for high-risk business processes

1-2 hours

Input: Outputs identified in activity 1.4.2

Output: Analysis of high-risk business processes, Understanding of impact of data involved in processing activities

Materials: Data Protection Impact Assessment Tool

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

A data protection impact assessment is used to assess how much private data will be affected by planned processing activities. A DPIA helps to ensure that data-processing activities are both compliant with data protection regulations and that data processors are cognizant of the risks surrounding the processing of personal data.

1. For all identified high-risk processing activities, work through the dynamic questionnaire.
2. Complete one threshold assessment per activity.
3. Based on the recommendation and risk score, move to complete the DPIA on a per-activity basis.
4. Complete either a Lite or Full version of the DPIA, based on the nature of the process.
5. Involve the process owner (Project Owner) and a third-party stakeholder (Project Reviewer).
6. Refer to the results report (tab 4) to review each of the priority processes and subsequent next steps towards compliance.

Download this tool | Complete this activity by filling out Info-Tech's DPIA Tool.

Leverage Info-Tech’s security framework to document your security controls

A Best-of-Breed Information Security Framework

INFO-TECH'S SECURITY FRAMEWORK

• ISO 27000 series
  Comprehensive standard providing best practices associated with each control
• CIS – Critical Security Controls
  Comprised of a concise list of 20 controls and sub-controls for actionable cyber defence
• COBIT 5
  A process and principle structured security best-practice framework
• NIST SP800-53
  Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations

Info-Tech’s information security framework and maturity model methodology

Info-Tech’s comprehensive framework begins by defining security strategy based on five security components and related subcomponents.

Information Security Framework

Governance

• Context and Leadership
  • Information Security Charter
  • Information Security Organizational Structure
  • Culture and Awareness
• Evaluation and Direction
  • Security Risk Management
  • Security Policies
  • Security and Communication
• Compliance, Audit, and Review
  • Security Compliance
  • Internal Security Audit
  • External Security Audit
  • Management Review of Security

Management

• Prevention
  • Identity Security
    • Identity and Access Management
  • Data Security
    • Hardware Asset Management
    • Data Security & Privacy
  • Infrastructure Security
    • Network Security
    • Endpoint Security
    • Malicious Code
    • Application Security
    • Vulnerability Management
    • Cryptography Management
    • Physical Security
    • Cloud Security
  • HR Security
    • HR Security
  • Change and Support
    • Configuration and Change Management
    • Vendor Management
• Detection
  • Security and Threat Detection
  • Log and Event Management
• Response and Recovery
  • Security Incident Management
  • Security eDiscovery and Forensics
  • Information Security in BCM
  • Backup and Recovery
• Measurement
  • Metrics Program
  • Continuous Improvement

• Identity and Access Management
  • Understand how access to sensitive data and PII is being monitored and controlled.
• Data Security & Privacy
  • Define the difference between security and privacy from a personal data processing standpoint.
• HR Security
  • Develop standard procedures around data processing as it pertains to your HR team and activities.
• Vendor Management
  • Create structure around management of vendor contracts when it involves data processing by third parties.
• Security Incident Management
  • Map out the incident response process, validate, and update runbooks.

Build a Privacy Program

Phase 3

Build the Privacy Roadmap

This phase will walk you through the following activities:

• Identify where high-priority gaps exist in current privacy practices
• Tie cost, effort, risk, and alignment values to each of the relevant privacy gap-closing initiatives
• Further refine resourcing estimates

This phase involves the following participants:

• Privacy Officer
• Core privacy team
• Select business unit privacy champions
• InfoSec representative (optional)
• IT representative (optional)

3.1 Complete the privacy gap analysis exercise for individual business units

Input: Level-setting meeting with each of the business unit privacy champions

Output: Analysis of privacy gaps on a business-unit level, Additional privacy gaps present on an organizational level

Materials: Privacy Analysis by Business Unit Tool, Privacy Framework Tool

Participants: Privacy Officer, Core privacy team, Relevant business unit privacy champions

After you’ve identified each of the key gap areas within your organization’s current privacy framework and supporting processes, walk business unit privacy champions through the maturity gap analysis (tab 2) for the following four areas:

• Data Processing and Handling
• Data Subject Requests
• Privacy by Design
• Notices and Consent

1. Provide each business unit with a copy of the Privacy Analysis by Business Unit Tool.
2. Fill out this tool using the same approach used for the larger framework.
3. After completion, meet with the privacy champion from each business unit to discuss results. Compare maturity gaps with those of the overall Privacy Framework Tool.
4. Identify which of the four areas and supporting controls had significantly different privacy gaps and gap-closing initiatives.
5. Include all the supporting initiatives as part of tab 4 in the overall Privacy Framework Tool.

Download this tool | Complete this activity by filling out Info-Tech's Privacy Analysis by Business Unit Tool..

3.2 Develop cost estimates for privacy initiative list

1 hour

Input: Privacy Framework Tool (tab 2), Privacy gap initiative outputs from activity 3.1

Output: Cost and resource scheme for organization, Input cost range to present to senior management with respect to privacy initiatives

Materials: Privacy Framework Tool (tab 4)

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Leverage the full list of privacy initiatives, including any collected during activity 3.1.
2. Look to Info-Tech’s industry standards (Manufacturing, Retail, Healthcare, Financial Services) as a guideline when you determine a range for the following input categories for your organization:

Initial Cost

• The cost to implement the initiative, including the purchase of any new solutions or resources.

Ongoing Cost (Annual)

• The ongoing cost to maintain the initiative, which can be in the form of subscription or maintenance fees.
• This cost is often estimated at 20% of the initial cost.

Initial Staffing (Hours)

• The number of hours of assigned resources needed to bring the initiative to completion.

Ongoing Staff in Hours (per week)

• Any expected regular maintenance required after implementation (e.g. to monitor a privacy tracking solution or to respond to data subject requests).

Download this tool | Complete this activity by filling out Info-Tech's Privacy Framework Tool.

3.3 Define alignment and privacy risk for the org.

30 minutes

Input: Privacy Framework Tool (tab 2), Privacy gap initiative outputs from activity 3.1

Output: Alignment and privacy risk scheme for organization, Input for prioritization of initiatives

Materials: Privacy Framework Tool (tab 4)

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

Continue standardizing variables, including “Alignment With Business” and “Privacy Risk Reduction.” On tab 4 of the Privacy Framework Tool, select “High,” “Medium,” or “Low” values for the following:

Alignment to Business

• Identify which initiatives directly align with the organization’s senior leadership team goals.

Privacy Risk Reduction

• This is a key variable in how you prioritize the initiatives.
• Privacy risk can be viewed in many ways: risk posed to data subjects’ rights, the financial consequences associated with a risk, likelihood of a breach, or other relevant criteria.
• The ways each organization looks at privacy risk will be different. Many will look at how a breach of privacy impacts the organization from a reputation or cost perspective, rather than through the rights of the data subject.

3.4.1 Apply variables to privacy initiatives

2 hours

Input: Outputs from activities 3.2 and 3.3

Output: Alignment and privacy risk scheme for organization, Input for prioritization of initiatives

Materials: Privacy Framework Tool (tab 4)

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

Continue to build out the privacy initiative prioritization list on tab 4 of the Privacy Framework Tool by aligning bucket cost and benefit ranges based on your organization.

1. Apply the cost and benefit variables to each of the initiatives.
2. Copy and paste the initiatives from tab 2, Privacy Framework, into tab 4, Initiative Prioritization, under “Planned Initiatives.” If desired, consolidate similar initiatives into larger projects.
3. Copy and paste any initiatives from the Privacy Analysis by Business Unit Tool here as well.
4. For each initiative, assign the cost, effort, and benefit of each of the different initiatives. This will provide an overall cost/effort rating based on the combination of all the cost and staffing variables put together. This scale ranges from 1 to 12.
5. Optional: Consider building an effort map using the cost/effort rating and the risk reduction benefit. This can be a useful exercise to visualize how your initiatives are distributed in terms of cost and benefit.

3.4.2 Assign specific cost and effort values

1 hour

Input: Outputs from activities 3.2, 3.3 and 3.4.1

Output: Specific cost estimates for privacy gap-closing initiatives, Specific resource allocation estimates for privacy gap-closing initiatives

Materials: Privacy Framework Tool (tab 4)

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

If you are aware of exact costs or efforts required for an initiative, you can enter it on the right side of the table on tab 4, Initiative Prioritization.

1. When entering “High,” “Medium,” or “Low” values for the cost and effort, you may be aware of the specific cost rather than using the large estimation buckets – if so, enter this on the right side of the table.
   1. The cells in blue are auto-calculating what the initiative will cost based on the “High,” “Medium,” or “Low” value and the multiplier you chose earlier.
   2. If you put in a specific cost or effort value in the white cells, your input will overwrite the estimate in the calculations.

Note: This will be useful in populating the “Cost and Effort Estimates Table” on tab 6. It will provide an overall estimate of costs and effort associated with implementing a privacy program. The more accurate the data you enter in the tool, the more accurate the final estimates will be.

3.5 Create a visual effort map for your organization

1 hour

Input: Outputs from activities 3.4.1 and 3.4.2

Output: High-level prioritization for each of the privacy gap-closing initiatives, Visual representation of quantitative values

Materials: Privacy Framework Tool (tab 4), Sticky notes, Markers, Whiteboard

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 4 in the Privacy Framework Tool.

1. Establish the axes and colors for your effort map:
   1. X-axis represents the Privacy Benefit value from column J
   2. Y-axis represents the Cost/Effort value from column H
   3. Sticky note color is determined using the Alignment to Business value from column I
2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

3.6.1 Refine the effort map’s visual output

1 hour

Input: Outputs from activity 3.5

Output: Prioritization for each of the privacy gap-closing initiatives, First execution wave of gap-closing initiatives

Materials: Privacy Framework Tool (tab 4), Sticky notes, Sticky dots, Markers, Whiteboard

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of governing privacy law (GDPR, CCPA, HIPAA, etc.) and mark with a sticky dot.
2. Document these initiatives as Execution Wave 1.

3.6.2 Refine the effort map’s visual output

30 minutes

Input: Outputs from activity 3.6.1

Output: Prioritization for each of the privacy gap-closing initiatives, First execution wave of gap-closing initiatives

Materials: Privacy Framework Tool (tab 4), Sticky notes, Sticky dots, Markers, Whiteboard

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5 and 3.6.1.
   1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
   2. Leverage the following 0-4 Execution Wave scale:
      0. Underway –Initiatives that are already underway
      1. Must Do – Initiatives that must happen right away
      2. Should Do – Initiatives that should happen but need more time/support
      3. Could Do – Initiatives that are not a priority
      4. Won’t Do – Initiatives that likely won’t be carried out
3. Indicate the granular level for each execution wave using the a-z scale.
   • Use the lettering to track dependencies between initiatives.
     • If one must take place before another, ensure that its letter comes first alphabetically.
     • If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.

3.7 Create the visual roadmap

1 hour

Input: Outputs from activity 3.6.2

Output: Start and end dates for privacy initiatives, Staffing resource ownership for privacy initiatives, Gantt chart version of the privacy initiative roadmap

Materials: Privacy Framework Tool (tab 5)

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

If enough information around current and immediate future project resourcing is available, use the Gantt chart in tab 5 to document the exact start and end times of each initiative. This may be difficult to do immediately after prioritization as there may be many considerations as to where these projects fit alongside existing action plans and strategies.

1. Work with team members to first identify start dates for mandatory privacy initiatives (governed by privacy law).
2. Refer to cost and effort estimates provided in tab 4 as you begin to populate start and end dates for each individual privacy initiative. Work in sequential order based on assigned Execution Waves.
3. Assign ownership to each initiative. Ensure that each assigned owner is provided with relevant documentation to keep track of initiative (project) progress.

3.8 Revise and assess the cost and effort table

30 minutes

Input: Outputs from activity 3.6.2, Outputs from activity 3.7

Output: Total and ongoing cost resource allocation for privacy initiatives, Total and ongoing staffing resource hour allocation for privacy initiatives

Materials: Privacy Framework Tool (tab 5)

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Refer to the Cost and Effort Table on tab 6. The table will populate with an estimate of your overall costs based on the data input into the Initiative Prioritization tab.
2. Costs are broken out based on the execution waves with a full total tabulated at the bottom. For each of the waves, you will be able to see the total dollar cost and total effort requirement based on:
   • The cost of initial implementation to establish the privacy program.
   • The ongoing annual cost, describing the costs and effort required to maintain the program.
   • A rough total of these costs over a specified number of years. The number of years can be changed on the initiative prioritization tab (tab 4).
3. Based on the results, revise if necessary. Keep in mind that these totals will be the driving points put forward to the senior leadership team when sourcing resources for the privacy program.
4. Document final total costs and total efforts for each execution wave within your executive presentation. Identify areas on which to focus to obtain buy-in from your senior management team.
* Bear in mind that these numbers are solely estimates of previously input data. The total may be higher than expected.

Develop supporting privacy documentation

Fast track external privacy documentation to satisfy the data privacy requirements of your end users.

Privacy Notice Template – External Facing

• An external privacy notice “at or before the point of collection” is required as a part of certain privacy regulations, including the CCPA, to inform consumers of the types of personal information being collected and how it will be used.
• Best practice for organizations looking to adopt a privacy program is to provide users or customers with a clear and comprehensive privacy notice prior to or upon first point of collection of personal data for reference.
• The privacy notice should inform users/customers how their personal data is being used, stored, and shared, and outline their individual rights as users.

Cookie Policy Template

• If your company website is using cookies for any purpose, use this template to document it.
• GDPR notes that cookies are personal data and that a cookie policy must be separate from a privacy notice.

Develop supporting privacy documentation

Customize any internal and/or organizational privacy documentation to remain compliant and encourage standardization of processes.

Data Retention Policy Template – Internal

• Document the high-level retention requirements outlined in this policy.
• Leverage the outputs from the Data Process Mapping Tool in Phase 3 to be consistent with all retention periods for different types of data across the organization
• Be mindful that a privacy-by-design focus indicates that data should be retained for as short a time period as possible. Once it’s been retained for the requisite time period, processes should exist to anonymize or erase the data.

Data Protection Policy Template – Internal

• Document your data protection requirements, including why information is collected, stored, and used, along with any additional obligations.
• Draw on the drivers defined in Phase 1 of this project, as they will form many of the requirements needed for this policy.
• Note: This document is meant for internal use (i.e. employees) and not for data subjects, who would instead be reviewing a Privacy Notice (see previous slide).

Build a Privacy Program

Phase 4

Implement and Operationalize

This phase will walk you through the following activities:

• Establish metrics that map to the needs of the organization
• Implement and integrate metrics into operations

This phase involves the following participants:

• Privacy Officer/privacy team
• Senior management representation (optional)
• InfoSec representative
• IT representative

Make your privacy program functional

Effective metrics add value by reflecting the current business environment and forecasting for the future

As you begin to establish relevant metrics to guide the data privacy program, document and classify based on the associated set of privacy controls and category. Use Info-Tech’s Data Privacy Program Report template as your repository.

1. Create a measurable privacy program
   Metrics take your privacy program from static documentation to a functional operation. Ensure that each task populated within the data privacy framework Gantt chart is supported by corresponding metrics.
2. Use metrics to help integrate privacy in the organization
   Remove the fear factor associated with privacy by leveraging the language of your business unit champions as you create a metrics program that they can understand and integrate.
3. Choose metrics that make sense and align to your business requirements
   Select metrics that make sense for the group you’re reporting up to and ensure that the metrics are business-relevant and support strategic initiatives and the direction of the organization.
4. Be selective with the number of metrics
   “More” does not mean more effective. Limit the metrics selected for the privacy program. One of the obstacles in obtaining buy-in stems from how lengthy and complex privacy can be to implement – don’t make it harder than it has to be!

Match metrics to privacy controls

Create a cohesive privacy framework by aligning metrics to each of the 12 categories of privacy controls

1. Governance
   • Average privacy document age
   • Frequency of privacy policy reviews
   • Percentage of personal data accounted for through data classification
   • Reduction in time to report
   • Reduction in time to disclosure
2. Regulatory Compliance
   • Frequency of review of current regulations
   • Number of external regulatory obligations in scope
   • Frequency of new regulation integration
3. Data Processing and Handling
   • % of high-sensitivity solutions with encryption, anonymization, pseudonymization capabilities
   • % of high-sensitivity solutions with monitored audit trails
   • % of personal data covered by regulatory retention periods
   • % of all data currently classified vs. unclassified
4. Data Subject Requests
   • Number of data subject requests received (monthly, quarterly, yearly)
   • Average time to respond to DSARs
   • Number of DSARs un-responded vs. responded
5. Privacy by Design
   • % of projects that include PbD during planning phase
   • % of processes (current) within the organization that include PbD
   • % of high-risk projects (current) that include PbD in the planning phase
6. Notices and Consent
   • % of data collection processes that do not capture consent
   • Average time to respond to data subject’s request to withdraw consent

Match metrics to privacy controls (cont.)

Create a cohesive privacy framework by aligning metrics to each of the 12 categories of privacy controls

7. Incident Response
   • Average cost of an incident
   • Number of incidents tracked (origin, org. unit, project, security level)
   • Mean time to initiate incident response
   • Mean time to complete incident response
8. Privacy Risk Assessments
   • Number of completed privacy risk assessments
   • Frequency of DPIAs/PIAs performed
   • Privacy risk score or ratio
9. Information Security
   • % of privacy or security incidents that are notifiable breaches
   • Frequency of testing performed on security controls
   • % of data-at-rest covered by security controls
   • % of data-in-transit covered by security controls
10. Third-Party Management
    • Frequency of vendor contract review or touchpoints
    • Number of data transfer agreements in place (current) for external vendors
    • Number of vendors validated (i.e. SOC2 reports)
    • % of personal data retained by vendors
11. Awareness and Training
    • Number of days between onboarding and completion of privacy/ security training
    • % of privacy personnel with privacy certifications
    • % of staff receiving privacy training
    • Frequency of in-house privacy training programs
12. Program Measurement
    • Average number of metrics achieved upon review (or % of metrics tracked)
    • % of metrics that directly support business strategy
    • Frequency of privacy program review
    • Frequency of privacy committee meetings

4.1 Define privacy metrics for the organization

1 hour

Input: Metrics from previous two slides

Output: Selected set of metrics, Understanding of the organization’s key privacy priorities, Initiatives identified during Phase 3

Materials: Data Privacy Program Report

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Based on the metrics provided by Info-Tech as a part of the data privacy program framework, identify which ones best suit the current needs of the organization and future privacy goals.
2. Limit selection this to two to three metrics per tactical privacy area (selected from the 12 control categories in the Privacy Framework). Ask yourself: What do you want to know most about your privacy program? What do you want to show to others?
   1. For many privacy regulations, the need to demonstrate adherence is crucial and metrics will play a large role in this regard.
   2. Beyond regulations, what are the privacy areas you want to track? What are the areas that senior management wants to track?
3. For the selected metrics, discuss the target that you would like to achieve.
   1. This will likely change over time, but identifying a target helps to add context and goals to your privacy program.
   2. Consider selecting an immediate-term target and a stretch-goal target that represents a mature state for the privacy program.
   3. Document targets within the Data Privacy Program Report.

Info-Tech Insight

Don’t focus on industry benchmarks for privacy – your privacy requirements will be unique and continue to evolve over time. Similarly, even the metric targets can change over time. What was once considered a “good” target can become “bad” in the future. Privacy will continue to evolve just as the business continues to change.

Download this tool | Make note of selected privacy metrics in the Data Privacy Program Report template.

4.2 Align and prioritize privacy metrics

1 hour

Input: Outputs from Privacy Framework Tool, Metrics selected from activity 4.1

Output: Implementation plan for metrics, Operationalization techniques, Prioritized metrics roadmap

Materials: Data Privacy Program Report, Sticky notes, Whiteboard, Markers

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Write out the metrics selected in activity 4.2 on sticky notes.
2. Divide whiteboard into 12 columns, each one corresponding to a category of privacy controls from the Privacy Framework Tool.
3. Place metric stickies under appropriate privacy category.
4. Reference prioritized initiatives from the Privacy Framework Tool (Execution Wave 1) and write each initiative on the whiteboard next to a corresponding metric.
   • Metrics should directly correlate to tracking progress of the initiative. Some initiatives may map to multiple metrics; make note of this in the Data Privacy Program Report.
5. For any Wave 1 initiatives that do not have an assigned metrics, revisit activity 4.1 and ensure that a supporting metric is modified or a new metric is established.
6. As the program matures, complete these activities for additional Execution Waves and align metrics accordingly.

Download this tool | Make note of selected privacy metrics in the Data Privacy Program Report.

Develop and implement your metric lifecycle

Increase the credibility of the privacy program by analyzing and reporting on metrics on a regular basis.

• A key factor in ensuring integration of the privacy program throughout the organization is presenting the business benefits of the program to the entire organization, and specifically to the executive leadership group.
• Privacy is not a “one-and-done” project. Even after establishing metrics and implementing metric tracking as a part of the program, progress should be assessed
• This is the key step in establishing a metric lifecycle, ensuring that your metrics are continuously monitored and reviewed to meet the needs of the privacy program.
• The final factor is ensuring that the metrics used to gauge the privacy program directly align to the organization’s business goals and support achieving these objectives. This helps to obtain requisite buy-in and support from executive leadership leadership.

Analysis and Monitoring Categories

1. Compliance
• Ensure that the organization meets compliance obligations.
• Examples include audit management, self-monitoring, security/system management, and risk management.
2. Regulatory/Legal
• Ensure that the organization meet any legally imposed regulations to which it is subject.
3. PEST
• Ensure that organization’s approach to privacy and the privacy program align with both the external and internal operating environment, and consider any political, social, economic, and technological factors (PEST).
(Source: IAPP, “Privacy Program Management”)

Quantify privacy by tracking ROI

The final step in maturing and delivering value through the privacy program is achieved by demonstrating positive return on investment to your leadership team.

• As privacy becomes the norm within organizations globally, the relationship that exists between high-accountability, privacy-mature organizations and organizational performance becomes increasingly easy to track.
• Business and IT leaders attribute privacy management practices to:
  • Increased competitive advantage
  • Positive compliance records
  • Innovation gains
  • Operational agility
  • Reduced sales delays
  • Increased customer loyalty and brand reputation

Privacy ROI worldwide

1. United Kingdom (3.5x)
2. Brazil (3.3x)
3. Mexico (3.3x)

$1.00 spent = $2.70 Privacy ROI

Organizations that have dedicated time and resources to maturing privacy best practices are already experiencing positive ROI from their efforts.

4.3 Create and deliver the Data Privacy Program Report

1-2 hours

Input: Privacy initiatives, Roadmap (Phase 3), Outputs from activities 4.1 and 4.2

Output: Full Data Privacy Program Report and executive presentation

Materials: Data Privacy Program Report

Participants: Privacy Officer, Core privacy team, InfoSec representative (optional), IT representative (optional)

1. Using all the privacy outputs collected from Phases 1-4, create your executive presentation by leveraging the Data Privacy Program Report.
2. Focus on the key outputs that your senior management team will want to know:
   • What are the high-priority “Must Do’s”? Regulatory or governance requirements.
   • What are the associated costs?
   • What are the resourcing requirements?
   • What is the required level of ongoing maintenance?
   • How will this be tracked?
   • Who takes ownership or the program and relevant initiatives?

Summary of Accomplishment

A clear path toward proactive privacy management

In a perfect world, the summary of accomplishment would state that you’ve solved the data privacy problem within your organization and you’ll never be the subject of headline news as having fallen victim to a data breach.

The reality is that an effective data privacy program is ongoing, constantly evolving to fit within the surrounding digital and societal landscape. You’ve laid the foundation in working through the Data Process Mapping Tool and understanding how privacy is currently applied within the scope of your organization. By leveraging the outputs from this tool, as well as the maturity gaps identified as a part of the Privacy Framework set of exercises, you’ve begun to create a forward-looking data privacy roadmap.

Established metrics and a set of steps to achieve operationalization position your data privacy program for success by moving beyond static policies and procedures. By focusing on monitoring and assessing how the program captures and supports data privacy, you create a dynamic and adaptable framework.

And while even the strongest of data privacy programs are not bulletproof vests when it comes to preventing data breaches, by developing a flexible and customized data privacy program, your organization significantly strengthens its ability to recover from data privacy incidents and reduces its overall risk of exposure.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

• Develop the Data Process Mapping Tool During an onsite engagement, Info-Tech analysts will guide the interviews conducted with each of the business unit champions. The outputs will enable a clearer perspective on how personal data is handled throughout the organization.
• Conduct a privacy gap analysis An Info-Tech analyst will guide the discussion around current state of privacy in the organization, aligned to Info-Tech’s best-practice Privacy Framework. Compare current and future states to prioritize gap-closing initiatives.

Research Contributors and Experts

Aaron Shum
Security Practice Lead
Info-Tech Research Group

Aaron Shum is a Practice Lead in the Security, Risk & Compliance team at Info-Tech Research Group. With 20+ years of experience across IT, InfoSec, and Data Privacy, he currently specializes in helping organizations implement comprehensive information security and cybersecurity programs and comply with data privacy regulations such as the European Union's General Data Protection Regulation.

Aaron holds a bachelor’s degree in Computer Science from the University of Toronto and is an ISO 27001 Lead Implementer and MCP, in addition to being a CIPP/E, CIPT, and CIPM.

Salvador Barragon
Director of Information Governance
Pekin Insurance

Salvador Barragon is an advisor, executive, and author with over 15 years’ experience in information governance. He serves as a board advisor for the executive cybersecurity program at University of South Florida and is the current director of Information Governance for Pekin Insurance. Previously, Salvador held the title of Director of Information Governance and Records at the International Monetary Fund and Inter-American Development Bank.

Related Info-Tech Research

• Fast Track Your GDPR Compliance Efforts

  Quickly address regulatory requirements, even after the deadline.

• Comply With the California Consumer Privacy Act

  Formalize your business-wide operationalization of CCPA.

• Discover and Classify Your Data

  Provide your data with the protection it deserves.

Bibliography

Aberdeen and Liaison. “Enterprise Data in 2018: The State of Privacy and Security Compliance in Healthcare.” Aberdeen Group, 2018. Web. January 2019.

Accenture. “How Global Organizations Approach the Challenge of Protecting Personal Data.” Accenture and Ponemon Institute, 2009. Web. January 2019.

California Consumer Protection Act of 2018. 2018. Web. November 2019.

Cavoukian, Ann. “Privacy by Design, The 7 Foundational Principles.” IPC Privacy by Design, January 2011. Web. 14 January 2020.

Centrify and Ponemon Institute. “The Impact of Data Breaches on Reputation & Share Value.” Centrify and Ponemon Institute, May 2017. Web. January 2019.

CIGI & Ipsos. “2018 CIGI-Ipsos Global Survey on Internet Security and Trust.” Centre for International Governance Innovation, 2018. Web. January 2019.

“Cisco 2018 Privacy Maturity Benchmark Study.” Cisco, January 2018. Web. January 2020.

“Cisco 2019 Privacy Maturity Benchmark Study.” Cisco, January 2019. Web. January 2020.

“Cisco 2020 Privacy Maturity Benchmark Study.” Cisco, January 2020. Web. January 2020.

Densmore, Russell. “Privacy Program Management: Tools for Managing Privacy Within Your Organization.” IAPP, 2019.

“DoorDash Reports Data Breach Impacting 5 Million Customers.” Security Magazine, 27 September 2019. Web. November 2019.

Forbes. “DoorDash Data Breach Compromises 4.9 Million People.” Forbes, 26 September 2019. Web. December 2019.

General Data Protection Regulation. Chapters 1-11. May 2018. Web. November 2019.

Government of Canada. “The Personal Information Protection Electronic Documents Act.” April 2000. Web. November 2019.

HIPAA of 1996. US Department of Health & Human Services. 1996. Web. January 2020.

Hodge, Rae. “2019 Data Breach Hall of Fame: These were the biggest data breaches of the year.” CNET, 27 December 2019. Web. January 2020.

“IAPP-EY Annual Privacy Governance Report 2019.” IAPP, 2019. Web. December 2019.

IBM Security. “Cost of a Data Breach Report, 2019.” IBM, January 2020. Web. January 2020.

ISACA and TITUS. “GDPR: The End of the Beginning.” ISACA, 2018. Web. January 2019.

NIST. "Computer Security Incident Handling Guide." NIST, SP800-61 Rev. 2, August 2101. Web. November 2019.

NIST. “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” NIST, 16 January 2020. Web. January 2020.

PIPEDA of 2000. The Government of Canada, 2000. Web. October 2019.

Proteus. “Privacy Research Database; Breach Calculator.” Proteus-Cyber. Web. December 2019.

Protiviti and North Carolina State University’s ERM Initiative. “Executive Perspectives on Top Risks for 2018: Key Issues Being Discussed in the Boardroom and C-Suite.” Protiviti and North Carolina State University’s ERM Initiative, 2017. Web. January 2019.

PwC. “The Anxious Optimist in the Corner Office.” 21st CEO Survey. PwC, 2018. Web. January 2019.

“Q3 2019 Data Breach QuickView Report.” RiskBased Security, 12 November 2019. Web. December 2019.

“Study: Mature Privacy Programs Experience Higher ROI.” IAPP, 27 January 2020. Web. January 2020.