Build a Data Privacy Program
Take out data privacy’s grey areas with a quantitative approach to your program.
Contributors
- Alan Tang, Security Professional
- Salvador Barragan, Director of Records & Information Governance, Pekin Insurance
Your Challenge
- Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.
- With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.
Our Advice
Critical Insight
- Take a quantitative approach to data privacy.
- Use metrics and a risk-based approach to drive a privacy framework that not only supports compliance but also considers the custom needs of your organization.
Impact and Result
- Sell privacy to the business by speaking a language they understand. IT and InfoSec leaders need to see privacy as not just compliance but also a driver of business efficiency.
- Integrate and build by developing a program that:
- Promotes freedom of information and access to this information.
- Establishes privacy and security standards with respect to access of this information.
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should take a quantitative approach when building your privacy program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
1. Collect privacy requirements
Identify the driving forces behind the privacy program and begin to assign ownership across the organization.
2. Conduct a privacy gap analysis
Understand where personal data lives and how it is handled throughout its lifecycle. Assess your current privacy maturity and begin to identify gaps.
3. Build the privacy roadmap
Identify priority gaps within your current privacy practices and begin to allocate quantifiable cost and effort values to move toward target privacy maturity.
4. Implement and operationalize
Ensure that your program is actionable by selecting relevant metrics and making them operational to support the ongoing development of privacy in the organization.
Guided Implementations
This guided implementation is an eight call advisory process.
Guided Implementation #1 - Collect privacy requirements
Call #1 - Scope requirements, drivers, objectives, and challenges.
Call #2 - Build out privacy ownership using the RACI chart.
Guided Implementation #2 - Conduct a privacy gap analysis
Call #1 - Review results of data process mapping business unit interviews.
Call #2 - Delve into the Privacy Framework Tool to identify and evaluate gaps.
Guided Implementation #3 - Build the privacy roadmap
Call #1 - Determine cost and effort ratio of gap initiatives.
Call #2 - Build out additional privacy collateral (notice, policy, etc.).
Guided Implementation #4 - Implement and operationalize
Call #1 - Review standard privacy metrics and customize for your organization.
Call #2 - Establish and document performance monitoring schedule.
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Collect Privacy Requirements
The Purpose
- Understand the key drivers behind privacy in your operating context and begin to assign ownership.
Key Benefits Achieved
- Level-setting between IT and the business with respect to privacy best practices.
- High-level understanding of risk associated with personal data collected by the organization.
Activities
Outputs
Define and document program drivers.
- Business context and drivers behind privacy program
Establish privacy governance structure and define scope.
Build privacy RACI chart.
- Privacy RACI chart
Build the risk map.
Module 2: Conduct a Privacy Gap Analysis
The Purpose
- Connect with each of the business units with respect to current privacy practices and gain insight into how personal data is handled throughout the organization.
Key Benefits Achieved
- Alignment with business unit privacy champions
- Understanding of current state of privacy in the organization
- Uncovered gaps in the organization’s privacy practices
Activities
Outputs
Conduct interviews and complete Data Mapping Tool.
- Data Mapping Tool draft
Compare compliance and regulatory requirements with current privacy practices of the organization.
- Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards
Identify gap areas.
Review the DPIA process and identify whether threshold assessment or full DPIA is required.
- Optional: Walk-through of DPIA tool
Module 3: Build the Privacy Roadmap
The Purpose
- Ensure that the privacy program is functional and caters to the environment assessed over days 1 and 2 by building a custom-fit privacy initiative implementation roadmap.
Key Benefits Achieved
- Quantitative prioritization of each of the privacy gap closing initiatives
- High-level initiative implementation roadmap
Activities
Outputs
Complete business unit gap analysis; consolidate inputs from day 2 interviews.
Apply variables to privacy initiatives.
- Privacy Framework Tool
Create a visual privacy roadmap.
- Privacy roadmap and prioritized set of initiatives
Define and refine the effort map; validate costing and resourcing.
Module 4: Implement and Operationalize
The Purpose
This portion of the workshop ensures that the privacy program can be put into action and moves beyond static policies to foster the integration of privacy metrics across the organization.
Key Benefits Achieved
A full set of privacy metrics, as well as tactics to implement and monitor on an ongoing basis.
Activities
Outputs
Review outputs from days 1-3.
- Completed Privacy Roadmap
- Completed Data Mapping Tool
- Review of any outstanding privacy collateral (Privacy Notice, Data Protection Policy, etc.)
Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program.
- Privacy Program Report document
Operationalize metrics.
Input all outputs from days 1-3 into the Data Privacy Report.
Summarize and build an executive presentation.
Set checkpoints and drive continuous improvement.
Module 5: Next Steps and Wrap-Up (Offsite)
The Purpose
Ensure privacy program is functional and any final aspects are included in the report back to senior leadership team.
Key Benefits Achieved
Strategic alignment of the privacy program and its objectives with those of the business and senior leadership.
Activities
Outputs
Consolidate and schedule any outstanding business unit interviews.
Complete in-progress deliverables from previous four days.
Set up review time for workshop deliverables to discuss next steps.
Operationalize metrics.
