Get Instant Access
to This Blueprint

Security icon

Build a Data Privacy Program

Take out data privacy’s grey areas with a quantitative approach to your program.

  • Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.
  • With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.

Our Advice

Critical Insight

  • Take a quantitative approach to data privacy.
  • Use metrics and a risk-based approach to drive a privacy framework that not only supports compliance but also considers the custom needs of your organization.

Impact and Result

  • Sell privacy to the business by speaking a language they understand. IT and InfoSec leaders need to see privacy as not just compliance but also a driver of business efficiency.
  • Integrate and build by developing a program that:
    • Promotes freedom of information and access to this information.
    • Establishes privacy and security standards with respect to access of this information.

Build a Data Privacy Program Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should take a quantitative approach when building your privacy program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Collect privacy requirements

Identify the driving forces behind the privacy program and begin to assign ownership across the organization.

2. Conduct a privacy gap analysis

Understand where personal data lives and how it is handled throughout its lifecycle. Assess your current privacy maturity and begin to identify gaps.

3. Build the privacy roadmap

Identify priority gaps within your current privacy practices and begin to allocate quantifiable cost and effort values to move toward target privacy maturity.

4. Implement and operationalize

Ensure that your program is actionable by selecting relevant metrics and making them operational to support the ongoing development of privacy in the organization.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.5/10


Overall Impact

$115,334


Average $ Saved

31


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Witt Kieffer

Guided Implementation

10/10

$5,199

5

As usual Alan helped align my direction. His advice is very much appreciated.

Centennial College

Guided Implementation

10/10

$47,500

50

Best is the use of the existing blueprints that I can re-use and support received

Opentech Alliance

Workshop

10/10

$649K

60

Partner with other software solutions to have a repository of where to store the information gathered that is more dynamic than using spreadsheets ... Read More

Environmental Defense Fund, Incorporated

Workshop

10/10

$97,499

60

This was my first experience attending a workshop faciliated by InfoTech. I really enjoyed the workshop. I thought the faciliator (Alan Tang) did a... Read More

Packaging Machinery Manufacturers Institute

Guided Implementation

10/10

$6,499

2

Helmerich & Payne, Inc.

Guided Implementation

10/10

$2,469

5

Sage Therapeutics

Guided Implementation

10/10

$31,499

20

Iris is knowledgeable, friendly and experienced. I am pleased to have had the opportunity to connect with her and consider her an ally on all thing... Read More

Bermuda Monetary Authority

Guided Implementation

10/10

$62,999

50

Feeling assured that Alan and InfoTech have the expertise to review our drafts and provide constructive feedback as and when needed that we can act... Read More

Regional Transportation District

Workshop

10/10

$37,799

120

I'm not sure how you put a monetary value on this. I believe that while you can value staff time, it is hard to put a value on the effects of deve... Read More

Donor Network West

Guided Implementation

10/10

$37,799

14

Alan really knows the Privacy law arena and is invaluable in the guidance that he gives. I leave each session feeling like I have a good handle on ... Read More

Florida State College at Jacksonville

Workshop

10/10

N/A

50

The workshops get the work done much faster and gets everybody on board with what needs to be done.

Bermuda Monetary Authority

Guided Implementation

9/10

$62,999

50

Post workshop having Alan available to call and offer guidance and expertise has been great, he is a guide and a sounding board, offering practical... Read More

Bermuda Monetary Authority

Guided Implementation

9/10

$62,999

20

Alan is great, he provides guidance that I can actually apply. I look forward to engaging further with Alan.

State of South Dakota Bureau of Information and Telecommunications

Guided Implementation

8/10

N/A

N/A

Incredibly valuable guidance on our Privacy Operations roadmap! Still too early to estimate the time and financial impact but we anticipate it will... Read More

KIND

Guided Implementation

9/10

$31,499

10

Marquette University

Guided Implementation

9/10

N/A

N/A

Alan, was very knowledgeable and provided good insight. His follow through was outstanding. At this point, it is difficult to determine how much ... Read More

Government of Bermuda

Workshop

8/10

$1.17M

20

Best - getting so much done in only a few days while still allowing everyone to express concerns, opinions, advice, and even frustrations. Worst... Read More

Wiss, Janney, Elstner Associates, Inc.

Guided Implementation

10/10

$29,609

20

Alan is awesome - he helped to establish our roadmap that gives us a trajectory to succeed. I truly appreciate Alan's help!

Beckman Coulter, Inc.

Guided Implementation

10/10

$31,499

N/A

While still new on approach and hard to estimate, I can see value already.

Metropolitan School District of Lawrence Township

Guided Implementation

10/10

$2,519

5

Understood our challenges and was able to provide actionable data to back future discussions.

Helmerich & Payne, Inc.

Guided Implementation

10/10

$2,393

5

Colorado Housing And Finance Authority

Workshop

9/10

N/A

14

Best: Opportunity to have conversations with our Exec team and key staff on privacy related topics with the expertise of Alan Tang delivering key ... Read More

Packaging Machinery Manufacturers Institute

Guided Implementation

9/10

$12,599

2

Platte River Power Authority

Workshop

10/10

$34,649

100

The best part of the workshop is the roadmap to a data privacy program. In addition, although the resources are available for a self-guided impleme... Read More

OCM Boces / Central New York Regional Information Center

Guided Implementation

8/10

N/A

N/A

Best - learning that such a credentialed expert was part of the Info-Tech team and accessible to us for guidance. Also best - Actual guidance! ... Read More

The Regional Municipality of Peel

Guided Implementation

9/10

$2,000

5

Bermuda Monetary Authority

Workshop

9/10

N/A

N/A

Regarding the estimated savings in cost and time, it is impossible to provide an estimate until we have a full understanding of the work involved. ... Read More

St. Cloud State University

Guided Implementation

10/10

$2,479

2

Great to have a resource with deep expertise and knowledge in the subject matter. The example document included after the meeting was especially he... Read More

Jet Support Services, Inc.

Guided Implementation

10/10

N/A

N/A

British Columbia Transit

Guided Implementation

9/10

$25,000

10


Workshop: Build a Data Privacy Program

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Collect Privacy Requirements

The Purpose

  • Understand the key drivers behind privacy in your operating context and begin to assign ownership.

Key Benefits Achieved

  • Level-setting between IT and the business with respect to privacy best practices.
  • High-level understanding of risk associated with personal data collected by the organization.

Activities

Outputs

1.1

Define and document program drivers.

  • Business context and drivers behind privacy program
1.2

Establish privacy governance structure and define scope.

1.3

Build privacy RACI chart.

  • Privacy RACI chart
1.4

Build the risk map.

Module 2: Conduct a Privacy Gap Analysis

The Purpose

  • Connect with each of the business units with respect to current privacy practices and gain insight into how personal data is handled throughout the organization.

Key Benefits Achieved

  • Alignment with business unit privacy champions
  • Understanding of current state of privacy in the organization
  • Uncovered gaps in the organization’s privacy practices

Activities

Outputs

2.1

Conduct interviews and complete Data Mapping Tool.

  • Data Mapping Tool draft
2.2

Compare compliance and regulatory requirements with current privacy practices of the organization.

  • Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards
2.3

Identify gap areas.

2.4

Review the DPIA process and identify whether threshold assessment or full DPIA is required.

  • Optional: Walk-through of DPIA tool

Module 3: Build the Privacy Roadmap

The Purpose

  • Ensure that the privacy program is functional and caters to the environment assessed over days 1 and 2 by building a custom-fit privacy initiative implementation roadmap.

Key Benefits Achieved

  • Quantitative prioritization of each of the privacy gap closing initiatives
  • High-level initiative implementation roadmap

Activities

Outputs

3.1

Complete business unit gap analysis; consolidate inputs from day 2 interviews.

3.2

Apply variables to privacy initiatives.

  • Privacy Framework Tool
3.3

Create a visual privacy roadmap.

  • Privacy roadmap and prioritized set of initiatives
3.4

Define and refine the effort map; validate costing and resourcing.

Module 4: Implement and Operationalize

The Purpose

This portion of the workshop ensures that the privacy program can be put into action and moves beyond static policies to foster the integration of privacy metrics across the organization.

Key Benefits Achieved

A full set of privacy metrics, as well as tactics to implement and monitor on an ongoing basis.

Activities

Outputs

4.1

Review outputs from days 1-3.

  • Completed Privacy Roadmap
  • Completed Data Mapping Tool
  • Review of any outstanding privacy collateral (Privacy Notice, Data Protection Policy, etc.)
4.2

Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program.

  • Privacy Program Report document
4.3

Operationalize metrics.

4.4

Input all outputs from days 1-3 into the Data Privacy Report.

4.5

Summarize and build an executive presentation.

4.6

Set checkpoints and drive continuous improvement.

Module 5: Next Steps and Wrap-Up (Offsite)

The Purpose

Ensure privacy program is functional and any final aspects are included in the report back to senior leadership team.

Key Benefits Achieved

Strategic alignment of the privacy program and its objectives with those of the business and senior leadership.

Activities

Outputs

5.1

Consolidate and schedule any outstanding business unit interviews.

5.2

Complete in-progress deliverables from previous four days.

5.3

Set up review time for workshop deliverables to discuss next steps.

5.4

Operationalize metrics.


Build a Data Privacy Program

Take out data privacy’s grey areas with a quantitative approach to your program.

Executive Brief

Analyst Perspective

Privacy can no longer be subjective. Quantify and measure to drive a more effective privacy program.

With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage for both IT and the business.

This leaves leaders questioning what exactly privacy involves and how to make it scalable for their respective organization. As a facet of the business that is traditionally left to the discretion of a legal team or professional(s), this new realm of privacy and data protection is shrouded in incumbent grey area.

But what if privacy is a little more “black and white” than what previous thought frameworks may have dictated? By taking a quantitative vs. qualitative approach to privacy management, business and IT leaders can remove some of the ambiguity around what privacy controls need to be in place and how to balance privacy integration with current business operations.

As the general public begins to take back control over data privacy so too should organizations, by taking a tactical, measurable approach to privacy and the business.

Picture of analyst Cassandra Cooper Cassandra Cooper
Senior Research Analyst, Security, Risk & Compliance
Info-Tech Research Group

Executive Summary

Your Challenge

  • Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.
  • With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.

Common Obstacles

  • Privacy, traditionally, has existed in a separate realm, resulting in an unintentional and problematic barrier drawn between the privacy team and the rest of the organization.
  • With many regulatory frameworks to consider and a number of boxes to tick off, building an all-encompassing data privacy program becomes increasingly challenging.

Info-Tech's Approach

  • Sell privacy to the business by speaking a language they understand. IT and InfoSec leaders need to see privacy as more than just compliance, as a driver of business efficiency.
  • Integrate and build by developing a program that promotes:
    • Privacy standards that are established with respect to how information is accessed.
    • Accessibility to this information through a defined understanding of personal data’s processing standards in the organization.

Info-Tech Insight

Take a quantitative approach to data privacy. Use metrics and a risk-based approach against a privacy framework that supports compliance while considering the custom needs of your organization.

Your challenge

This research is designed to help organizations who need to:

  • Understand how to adapt and quantify privacy beyond compliance.
  • Change the pre-existing perspective on how to assess privacy competency.
  • Shift the organization’s view of privacy as the enemy of efficiency and innovation.
  • Build an environment that places privacy ownership in the hands of the business.
  • Extend the privacy program beyond the privacy team or organizational function.
  • Take the ambiguity out of privacy program management.

Data Privacy Program

  1. Understand – Collect Privacy Requirements
  2. Assess – Conduct a Privacy Gap Analysis
  3. Bridge – Build the Privacy Roadmap
  4. Implement – Implement and Operationalize

Life after the GDPR

May 2018 saw the introduction of the General Data Protection Regulation across the EU, which has since become somewhat of a global standard when it comes to data protection best practices. However, many organizations still fall short of what is considered “compliant” by GDPR standards.

  • 43% of organizations for whom GDPR compliance is of primary concern, consider themselves “moderately compliant.”
  • 38% of organizations under GDPR compliancy still reported experiencing a data breach occurring during 2019.
  • 94% of organizations that leverage third-party data processors rely on contractual assurances for data safety and protection.
  • (Source: IAPP, 2019)

Info-Tech Insight

An effective privacy program ensures compliance, but simply being compliant does not mean you have an effective privacy program.

Instead of reactively checking the compliance boxes based on a set of governing laws, develop a privacy framework that proactively anticipates while staying in scope of the needs of your organization.

Understanding privacy vs. security

A common assumption is that security and privacy are one and the same. Security’s role is to protect and secure assets, of which confidential data – especially personal data – is a large focus. The consequences of a personal data breach can be severe, including the loss of customer trust and potential regulatory consequences. As a result, we often think of how we use security to protect data.

But that is not equivalent to privacy …

Privacy must be thought of as a separate function. While there will always be ties to security in the ways it protects data, privacy starts and ends with the focus on personal data. Beyond protection, privacy extends to understanding why personal data is being collected, what the lawful uses are, how long it can be retained, and who has access to it.

A purple square titled 'Security' with a blue two-way arrow through the middle titled 'Privacy'.

Privacy is all about personal data

When building a privacy program, focus on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. On the converse side, an effective privacy program also enables accessibility to information based on regulatory guidance and appropriate measures.

See examples of personal data in the below charts:

Traditional PII
Personally Identifiable Information
Personal Data
Any information relating to an identified or identifiable person
Sensitive Personal Data
Special categories of personal data (some regulations, like GDPR, expand their scope to include these)
Full name (if not common) First, middle (if applicable), last name Biometrics data: Retina scans, voice signatures, or facial geometry
Home address IP address Health information: Patient identification number or health records
Date of birth Email address or other online identifier Political opinions
Social security number Social media post Trade union membership
Banking information Location data Sexual orientation
Passport number Photograph Religious or philosophical beliefs
Etc. Etc. Ethnic origin

True cost of a data breach

An industry outlook

Even with a robust privacy program in place, organizations are still susceptible to a data breach. The benefit comes from reducing your risk of regulatory compliance and resulting fines and minimizing overall exposure.

86% of data breach costs are associated with REGULATORY FINES

A pie graph of data breach consequences and the percentage of breaches that they are associated with. 'Regulatory Fines' takes up 86%.
Healthcare (All fine estimates are based on an annual turnover of US$10 million and 1,000 lost records)
Estimated Cost of Exposure: $841.41
Government
Estimated Cost of Exposure: $114.75
Financial Services
Estimated Cost of Exposure: $188.05
Education
Estimated Cost of Exposure: $207.75
(Source: Proteus-Cyber)

2019 Breach Breakdown

A graph documenting the per-record cost of data breaches by industry. Healthcare is at the top with over $400 in losses per record, followed by 'Financial' with just over $200. The least affected, with under $100 in losses per record is 'Public', followed by 'Research' and 'Retail' with just over $100.

Average data breach costs per compromised record hit an all-time high of $150 in 2019. (Source: IBM Security)

The Data Breach Aftermath

% of abnormal customer turnover per size of data breach
  • ›1% Lost $2.8 million
  • 1-2% Lost $3.4 million
  • 2-3% Lost $4.2 million
  • 4% Lost $5.7 million
Data breach resolution times
  • Time to Identify 206 days
  • Time to Contain 73 days
% of data breach recovery costs over time
  • 14% 3 Months
  • 41% ‹6 Months
  • 67% ‹1 Year
  • 11% ›2 Years

Info-Tech’s approach

Scale and quantify privacy in the organization by taking a layered approach to building out a data privacy program in the organization.

  • Industry and operating environment of the organization
  • Involvement of personal data in business processes
  • Acceptable risk
  • Data privacy metrics

Data Privacy Thought Model align with organization, prioritize personal data, identify gaps, create roadmap

The Info-Tech Framework

Our approach is modeled on a framework that extends beyond compliance to create a scalable and quantifiable privacy framework.

  1. Governing Privacy Laws – Understand which governing privacy laws and frameworks apply to your organization.
  2. Data Process Mapping Tool for Business Processes – Create a map of all personal data as it flows throughout the organization’s business processes.
  3. Privacy Initiative Prioritization SchemaPrioritize privacy initiatives and build a privacy program timeline.
  4. Privacy MetricsSelect your metrics and make them functional for your organization.
  5. Privacy Program – Continue to refine your Data Privacy Program.

Info-Tech’s methodology for building a privacy program

1. Collect Privacy Requirements

2. Conduct a Privacy Gap Analysis

3. Build the Privacy Roadmap

4. Implement and Operationalize

Phase Action Items

  1. Define and document drivers
  2. Establish privacy governance structure
  3. Build a privacy RACI chart
  4. Define personal data scope
  5. Build a risk map
  1. Complete the Data Process Mapping Tool
  2. Compare compliance and regulatory requirements with gap analysis
  3. Assess and categorize privacy gap initiatives
  1. Finalize privacy gap initiatives
  2. Prioritize initiatives based on cost, effort, risk, and business value
  3. Set firm dates for launch and execution of privacy initiatives
  4. Assign ownership for initiatives
  1. Establish a set of metrics for the Data Privacy Program
  2. Operationalize metrics
  3. Set checkpoints to drive continuous improvement

Phase Outcomes

  • Documented business and IT drivers for the privacy program
  • High-level understanding of how privacy is perceived in the organization
  • Completed Data Privacy Program RACI Chart
  • Data Process Mapping Tool detailing all business processes that involve personal data
  • Privacy maturity ranking (Privacy Framework Tool)
  • Identification of compliance or regulatory privacy gaps
  • Completed Privacy Framework Tool
  • Completed privacy roadmap, including timeline for initiative implementation, and cost/benefit vs. value/risk assessment
  • Customized set of privacy metrics
  • Tasks to operationalize privacy metrics
  • Data Privacy Report document
  • Performance monitoring scheduled checkpoints

Insight summary

Overarching insight

Take a quantitative approach to data privacy. Use metrics and a risk-based approach to drive a privacy framework that supports compliance and considers the custom needs of your organization.

Fit privacy to the business.

Contextualize privacy for your organization by involving the business units from day 1; collect requirements that promote cross-collaboration.

Privacy is dynamic.

Structure drives success: take a process vs. system-based approach to assessing personal data as it flows throughout the organization.

Prioritize and plan together.

Review, revise, reprioritize; come back to the initial risk map created. Draw on areas of alignment between high-value/high-risk processes and their supporting initiatives to properly prioritize.

Make it operational.

Be selective with your metrics: choose to implement only metrics that are relevant to your environment. Base your selection on the highlighted areas of focus from the maturity assessment.

Privacy doesn’t live in isolation.

By assigning ownership and flexibility to your business units in how they weave privacy into their day-to-day, privacy becomes part of operational design and structure.

A good privacy program takes time.

Leverage the iterative process embedded in each phase to prioritize privacy initiatives based on value and risk and support the rollout through customized metrics.

Blueprint deliverables

Key deliverable:

  • Privacy Framework / Business Unit Framework Tools Leverage best-practice privacy tactics to assess your current organizational privacy maturity while comparing against current privacy frameworks, including GDPR, CCPA, HIPAA, and NIST. Build your gap-closing initiative roadmap and work through cost/effort analysis.

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

  • Privacy Program RACI Chart A high-level list of privacy program initiatives, with assigned ownership to privacy champions from both the business and IT.
  • Data Process Mapping Tool Full documentation of all business processes that leverage personal data within the organization.
  • Data Protection Impact Assessment When highly sensitive data is involved, leverage this tool to assess whether appropriate mitigating measures are in place.
  • Data Privacy Program Report A template that highlights the key privacy metrics identified in Phase 4 for the senior leadership team.
  • Privacy Policy Templates Internal and external policies around:
    • Data Protection
    • Privacy Notice
    • Cookies
    • Data Retention

Blueprint benefits

IT Benefits

  • Identification of information security-specific privacy controls, mapped against governing privacy frameworks (GDPR, CCPA, HIPAA, PIPEDA, NIST).
  • Comprehensive inventory of where personal data exists within IT systems at different points during its lifecycle (at rest, in transit).
  • Perspective from a privacy lens on IT controls (system and network access, asset management, etc.).
  • Assigned ownership for members of the IT team of privacy-IT integration and individual privacy initiatives.

Business Benefits

  • Understanding of the scope of privacy within the context of the organization.
  • An active role and participation in the integration of privacy requirements as a part of pre-existing operations, as well as net-new operating procedures.
  • Ability to leverage privacy as a competitive advantage in streamlining how customer data flows through the organization.
  • Thorough perspective on how each of the business units’ processes impact and reference personal data.

Data Privacy

  • IT / InfoSec
  • Senior Leadership
  • Business Units

Measure the value of this blueprint

As better privacy becomes the expectation from both B2B customers and end-consumers, expect a subsequent shift towards a strong privacy program as a competitive advantage for many organizations.

Privacy metrics take your program from a static framework to an operational model.

Select privacy metrics that are realistic and relevant for your organization, based on each of the 12 areas outlined as part of privacy control best practices.

Info-Tech’s Privacy Control Categories

  1. Governance
  2. Regulatory Compliance
  3. Data Processing and Handling
  4. Data Subject Requests
  5. Privacy by Design
  6. Notices and Consent
  1. Incident Response
  2. Privacy Risk Assessments
  3. Information Security
  4. Third-Party Management
  5. Awareness and Training
  6. Program Measurement
Screenshots used as illustration for 12 categories of privacy controls

Info-Tech Project Value

$72,348 – Average annual salary of a Privacy and Compliance Officer

1,020 hours, $38,250 (initial spend), $7,650 (ongoing spend) – Average total time/cost to completion for the following high-priority privacy-related projects:

  • Complete and revise Data Process Mapping Tool (X)
  • Develop and document retention policy (X)
  • Validate personal data processing procedures (X)
  • Develop a privacy framework and roadmap (X)
  • Update DSAR request forms
  • Review vendor contracts and ensure data transfer agreements are in place
  • ((X) indicates a project or initiative covered by Info-Tech’s Data Privacy Program methodology)

$45,900, 1,020 hoursEstimated cost and time savings from this blueprint

Executive Brief Case Study

DoorDash Data Breach – Fall 2019

INDUSTRY: Food Services
SOURCE: Forbes

Event

  • Food delivery service DoorDash announced a data breach impacting 4.9 million users, delivery employees, and merchants in late September 2019.
  • PII hacked included name, email, delivery address, phone numbers, passwords, and final four digits of payment cards taken, as well as final four bank account digits for delivery employee and merchants.

Aftermath

  • Main backlash highlighted the fact that DoorDash did not detect the breach until more than five months after the date of the breach.
  • DoorDash’s press release stated the company would focus on:
    • System access security protocols
    • Ramping up data security
    • Leveraging external expertise to help mitigate future risk

Issue

  • Misplaced accountability: there was no ownership when it came to whom within the company had access to PII.
  • A lack of stringent third-party vendor management, resulting in contracts that left room for interpretation in terms of who had access to customer PII.
  • Ineffective incident response plan, as it took the organization five months to inform customers that the breach had occurred.

Info-Tech’s Resolution

In 2019, data breaches increased globally by over 33%. Within the first quarter alone, 4.1 million records were exposed.

Preventing a data breach is just one outcome of implementing an effective privacy program, amongst an understanding of:

  • Where every bit of personal information resides
  • Who has access to which personal information
  • All security controls necessary to protect personal information
  • The retention times for different types of PII

Build a Data Privacy Program leverages a simple four-step process:

  1. Collect Privacy Requirements
  2. Conduct a Gap Analysis
  3. Build the Privacy Roadmap
  4. Implement and Operationalize

Looking through the global data breach lens

33% increase in the number of data breach incidents from the first half of 2019

Info-Tech Solution

Every case is different, however, across the spectrum of breaches during 2019, we can spot common trends.

In many cases, external parties informed the company of the leaked data, exposing the underlying lack of privacy program monitoring in place within the organization itself.

By developing a structured privacy program, you know:

  • Where data is in the organization
  • Who is accessing it
  • How it’s being leveraged and maintained

Should the event of a breach occur, you can take back control of the resolution process, and minimize reputational damage.

Company Name Industry # of Records Exposed Incident Details Date of Occurrence
Marriott-Starwood Hospitality 383 million Hack Late December/Early January 2019
500px Social Media 14.8 million Hack – data leak through website February 15
Facebook Social Media 540 million Unprotected server April 3
Chtrbox (Instagram) Social Media 49 million Leaked database May 20
Canva Design Platform 139 million Hack May 24
First American Financial Services 885 million Data leak through website June
CapitalOne Financial Services 100 million Hack July 29
Bulgarian National Revenue Agency Government/Taxation 5 million Hack July 17
Suprema Biometrics 1 million Unencrypted database September
LifeLabs Healthcare 15 million Ransomware October (reported November 1)
(Source: RiskBased Security)

Executives are increasingly concerned about data breaches

Hefty fines and reputational damage are two of the primary setbacks incurred following a publicized data breach.

$3.92 million (USD) | Average total cost of data breach

7.9 billion | Number of records exposed in the first 9 months of 2019

279 days | Time between occurrence and containment of data breach

Hacking | Top breach type for number of incidents incurred

Senior management and executives now acknowledge privacy and security as some of the biggest risks to the business. Previously, the entire scope of privacy would fall upon IT professionals to manage and control.

High-profile cyberattacks and data breaches, such as Capitol One in 2019, have brought the issue of privacy to the forefront of executives’ minds. Regulatory obligations to notify the public of breaches and pay significant fines for noncompliance have also pushed executives to be more concerned than ever before.

Info-Tech Insight

Data breaches shouldn’t just concern senior leadership and management; involving and educating your organization at all levels encourages a tightly woven, privacy-centric operating model. (Source: IBM Security)

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Guided Implementation

Workshop

Consulting

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Phase 1

  • Call #1: Scope requirements, drivers, objectives, and challenges.
  • Call #2: Build out privacy ownership using the RACI chart.
  • Phase 2

  • Call #3: Review results of data process mapping business unit interviews.
  • Call #4: Delve into the Privacy Framework Tool to identify and evaluate gaps.
  • Phase 3

  • Call #5: Determine cost and effort ratio of gap initiatives.
  • Call #6: Build out additional privacy collateral (notice, policy, etc.).
  • Phase 4

  • Call #7: Review standard privacy metrics and customize for your organization.
  • Call #8: Establish and document performance monitoring schedule.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

9.5/10
Overall Impact

$115,334
Average $ Saved

31
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Collect privacy requirements
  • Call 1: Scope requirements, drivers, objectives, and challenges.
  • Call 2: Build out privacy ownership using the RACI chart.

Guided Implementation 2: Conduct a privacy gap analysis
  • Call 1: Review results of data process mapping business unit interviews.
  • Call 2: Delve into the Privacy Framework Tool to identify and evaluate gaps.

Guided Implementation 3: Build the privacy roadmap
  • Call 1: Determine cost and effort ratio of gap initiatives.
  • Call 2: Build out additional privacy collateral (notice, policy, etc.).

Guided Implementation 4: Implement and operationalize
  • Call 1: Review standard privacy metrics and customize for your organization.
  • Call 2: Establish and document performance monitoring schedule.

Author

Cassandra Cooper

Contributors

  • Alan Tang, Security Professional
  • Salvador Barragan, Director of Records & Information Governance, Pekin Insurance
Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019