Security icon

Build a Data Privacy Program

Take out data privacy’s grey areas with a quantitative approach to your program.

Get Instant Access to this Blueprint


  • Alan Tang, Security Professional
  • Salvador Barragan, Director of Records & Information Governance, Pekin Insurance

Your Challenge

  • Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.
  • With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.

Our Advice

Critical Insight

  • Take a quantitative approach to data privacy.
  • Use metrics and a risk-based approach to drive a privacy framework that not only supports compliance but also considers the custom needs of your organization.

Impact and Result

  • Sell privacy to the business by speaking a language they understand. IT and InfoSec leaders need to see privacy as not just compliance but also a driver of business efficiency.
  • Integrate and build by developing a program that:
    • Promotes freedom of information and access to this information.
    • Establishes privacy and security standards with respect to access of this information.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should take a quantitative approach when building your privacy program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Collect privacy requirements

Identify the driving forces behind the privacy program and begin to assign ownership across the organization.

2. Conduct a privacy gap analysis

Understand where personal data lives and how it is handled throughout its lifecycle. Assess your current privacy maturity and begin to identify gaps.

3. Build the privacy roadmap

Identify priority gaps within your current privacy practices and begin to allocate quantifiable cost and effort values to move toward target privacy maturity.

4. Implement and operationalize

Ensure that your program is actionable by selecting relevant metrics and making them operational to support the ongoing development of privacy in the organization.

Guided Implementations

This guided implementation is an eight call advisory process.

Guided Implementation #1 - Collect privacy requirements

Call #1 - Scope requirements, drivers, objectives, and challenges.
Call #2 - Build out privacy ownership using the RACI chart.

Guided Implementation #2 - Conduct a privacy gap analysis

Call #1 - Review results of data process mapping business unit interviews.
Call #2 - Delve into the Privacy Framework Tool to identify and evaluate gaps.

Guided Implementation #3 - Build the privacy roadmap

Call #1 - Determine cost and effort ratio of gap initiatives.
Call #2 - Build out additional privacy collateral (notice, policy, etc.).

Guided Implementation #4 - Implement and operationalize

Call #1 - Review standard privacy metrics and customize for your organization.
Call #2 - Establish and document performance monitoring schedule.

Onsite Workshop

Unlock This Blueprint

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Collect Privacy Requirements

The Purpose

  • Understand the key drivers behind privacy in your operating context and begin to assign ownership.

Key Benefits Achieved

  • Level-setting between IT and the business with respect to privacy best practices.
  • High-level understanding of risk associated with personal data collected by the organization.




Define and document program drivers.

  • Business context and drivers behind privacy program

Establish privacy governance structure and define scope.


Build privacy RACI chart.

  • Privacy RACI chart

Build the risk map.

Module 2: Conduct a Privacy Gap Analysis

The Purpose

  • Connect with each of the business units with respect to current privacy practices and gain insight into how personal data is handled throughout the organization.

Key Benefits Achieved

  • Alignment with business unit privacy champions
  • Understanding of current state of privacy in the organization
  • Uncovered gaps in the organization’s privacy practices




Conduct interviews and complete Data Mapping Tool.

  • Data Mapping Tool draft

Compare compliance and regulatory requirements with current privacy practices of the organization.

  • Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards

Identify gap areas.


Review the DPIA process and identify whether threshold assessment or full DPIA is required.

  • Optional: Walk-through of DPIA tool

Module 3: Build the Privacy Roadmap

The Purpose

  • Ensure that the privacy program is functional and caters to the environment assessed over days 1 and 2 by building a custom-fit privacy initiative implementation roadmap.

Key Benefits Achieved

  • Quantitative prioritization of each of the privacy gap closing initiatives
  • High-level initiative implementation roadmap




Complete business unit gap analysis; consolidate inputs from day 2 interviews.


Apply variables to privacy initiatives.

  • Privacy Framework Tool

Create a visual privacy roadmap.

  • Privacy roadmap and prioritized set of initiatives

Define and refine the effort map; validate costing and resourcing.

Module 4: Implement and Operationalize

The Purpose

This portion of the workshop ensures that the privacy program can be put into action and moves beyond static policies to foster the integration of privacy metrics across the organization.

Key Benefits Achieved

A full set of privacy metrics, as well as tactics to implement and monitor on an ongoing basis.




Review outputs from days 1-3.

  • Completed Privacy Roadmap
  • Completed Data Mapping Tool
  • Review of any outstanding privacy collateral (Privacy Notice, Data Protection Policy, etc.)

Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program.

  • Privacy Program Report document

Operationalize metrics.


Input all outputs from days 1-3 into the Data Privacy Report.


Summarize and build an executive presentation.


Set checkpoints and drive continuous improvement.

Module 5: Next Steps and Wrap-Up (Offsite)

The Purpose

Ensure privacy program is functional and any final aspects are included in the report back to senior leadership team.

Key Benefits Achieved

Strategic alignment of the privacy program and its objectives with those of the business and senior leadership.




Consolidate and schedule any outstanding business unit interviews.


Complete in-progress deliverables from previous four days.


Set up review time for workshop deliverables to discuss next steps.


Operationalize metrics.

Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019