Build Business-Aligned Privacy Programs for Higher Education Institutions

Embed privacy by design into your business processes and protect high-risk personal data.

EXECUTIVE BRIEF

Analyst Perspective

Executive Summary

Info-Tech Insight

Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions. Privacy-by-design principles should be embedded into the business processes and data lifecycle to protect the valuable personal data of students and faculty.

Relevant Legal Obligations and Guidelines

More than 130 countries had put in place legislation to secure the protection of data and privacy

Info-Tech Insight

Higher education institutions increasingly depend on online platforms related to student learning, advising, and management in order to optimize processes and deliver student services at scale. The importance of privacy and data protection is increasingly recognized. Equally concerned is the collection, use and disclosure of personal information to third parties without prior notice or consent from students and faculties.

Typical Business Processes of a Higher Education Institution

Usually, there are three types of business processes supporting the operations of a higher education institution: defining processes, shared processes and enabling processes.

Defining Capabilities

• Recruitment (Undergrad, Graduate Studies)
• Admission (Undergrad, Graduate)
• Student Enrollment (Enrollment, Financial Aid)
• Instruction & Research (Teaching & Learning, Research)
• Graduation (Graduation, Transcripts)
• Advancement (Alumni Relations, Fundraising)

Shared Capabilities

• Student Administration (Student progression, Record maintenance)
• Student Support Services (Athletics, Career Development)
• Academic Admin (Academic Year Scheduling, Policy Admin)

Enabling Capabilities

• Facilities & Property Mgmt.
• Finance Mgmt.
• Human Resources
• IT
• Legal Services
• Government, Public, and Stakeholders
• Governance, Risk, and Compliance

Privacy is all about personal data

When building a privacy program, focus on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. Conversely, an effective privacy program allows access to information based on regulatory guidance and appropriate measures.

Examples of personal data include:

Privacy and Security Are Among the Top Concerns

Privacy and cybersecurity together are the #2 issue education institutions will be facing in 2023 based on EDUCAUSE’s recent report “Top 10 IT Issues, 2023: Foundation Models.”

Source: EDUCAUSE, 2022.

Privacy Policies Are Not Fully Understood

ECAR's 2019 survey of US students found that less than half of them believed they benefited from their institution's privacy and security policies, and even fewer students reported understanding how their institution used their personal data. *

*ECAR, 2019.

Transparency and Communication Are Key

Case Study:

In March 2020, in response to a proposal to adopt facial recognition for security surveillance at UCLA, students from 36 campuses protested, in person and via online petitions, against the use of facial recognition systems. The pushback from students and the community led UCLA and about 50 other colleges and universities to promise not to use facial recognition technology on their campuses.*

*Kari Paul, "'Ban This Technology': Students Protest US Universities' Use of Facial Recognition," The Guardian, March 2, 2020.

Info-Tech Insight

To foster trust and cooperation, higher education institutions should communicate how and why they collect and use students' personal information.

True Cost of a Data Breach

An industry outlook

Even with a robust privacy program in place, organizations are still susceptible to a data breach. The benefit comes from reducing your risk of regulatory compliance issues and resulting fines and minimizing overall exposure.

86% of data breach costs are associated with REGULATORY fines

* All fine estimates are based on an annual turnover of US$10 million and 1,000 lost records Source: Proteus-Cyber, 2019.

Top challenges organizations face in building an effective privacy program

The struggle to get a comprehensive data protection and privacy program in place across an entire organization is one of the main challenges for data protection and privacy officers.

Info-Tech Insight

Creating a comprehensive, organization-wide data protection and privacy strategy continues to be a major challenge for privacy officers and privacy specialists.

Why Is Privacy Important for Higher Education Institutions?

• Legal Obligations
  • Failure to comply with privacy laws and regulations can result in serious legal penalties, liability, fines, and other unpleasant consequences.
• Reputation & Relationships
  • A data breach can seriously damage a school's reputation. Privacy violations, or even inappropriate privacy practices, can affect a school's relationships with parents, applicants, donors, alumni, and others.
• Finances
  • Data breaches and privacy violations can lead to costly lawsuits, large damages payments, and costly and onerous legal requirements.
• Time and Resources
  • A robust privacy program requires considerable investment in terms of time and resources, which are usually underestimated.
• Student and Employee Wellbeing
  • Privacy protection violations or personal data leaks could cause serious harm to students, faculty, and employees economically, mentally, and sometimes physically.

Embed Privacy Into Data Lifecycle Protection

Two of the main tasks of personal protection in the higher education section are to identify high-risk personal information categories and embed privacy-by-design principles into the data lifecycle.

Examples of high-risk personal information types Biometrics Fingerprints Facial geometry Voice signature Healthcare information Drugs taken Special needs assessment Scholarships Ethnicity Academic results Financial Bank account Identity information SSN Passports Driver’s license

Info-Tech’s Privacy Program Methodology

The below image is a visual representation of Info-Tech’s Privacy Framework. This includes high-level governance items as well as more tactically defined areas. See an overview below.

Info-Tech’s methodology for building a privacy program

Insight summary

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Privacy Program RACI Chart

A high-level list of privacy program initiatives, with assigned ownership to privacy champions from both the business and IT.

Data Process Mapping Tool

Full documentation of all business processes that leverage personal data within the organization.

Data Protection Impact Assessment

When highly sensitive data is involved, leverage this tool to assess whether appropriate mitigating measures are in place.

Data Privacy Program Report

A template that highlights the key privacy metrics identified in Phase 4 for the senior leadership team.

Privacy Policy Templates

Internal and external policies around:

• Privacy Notice – Higher Education
• Data Processing Agreement
• Data Breach Handling Process
• Data Retention Policy

Key deliverable:

Privacy Framework/ Business Unit Framework Tools

Leverage best-practice privacy tactics to assess your current organizational privacy maturity while comparing against current privacy frameworks, including GDPR, CCPA, HIPAA, and NIST.

Build your gap-closing initiative roadmap and work through cost/effort analysis.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1

Collect Privacy Requirements

This phase will walk you through the following activities:

• Identify the driving forces behind the privacy program
• Understand privacy governance
• Assign ownership of privacy

This phase involves the following participants:

• Privacy officer/privacy team
• Senior management representation (optional)
• Relevant business unit privacy champions
• InfoSec representative
• IT representative

1.1 Define and document the data privacy program drivers

1 hour

1. Bring together relevant stakeholders from the organization. This can include Legal, HR, and Privacy teams, as well as others who handle personal data regularly (Marketing, IT, Sales, etc.).
2. Using sticky notes, have each stakeholder write one driver for the privacy program.
   1. These may vary from concerns about customers to the push of regulatory obligations.
3. Collect these and group together similar themes as they arise. Discuss with the group what is being put on the list, and clarify any unusual or unclear drivers.
4. Determine the priority of the drivers. While they are all undoubtedly important, it will be crucial to understand which are critical to the organization and need to be dealt with right away.
   1. For most, any obligation relating to an external regulation will become top priority. Noncompliance can result in serious fines and reputational damage as well.
5. Review the final priority of the drivers and confirm current status.

Privacy by design is no longer a "nice to have"

Integrate the key principles behind privacy by design to embed privacy in the operations of the organization and minimize business disruption.

1. Proactive, not reactive. Preventative, not remedial.
2. Privacy as the default setting.
3. Privacy embedded into design.
4. Full functionality; positive-sum not zero-sum.
5. End-to-end security; full lifecycle protection.
6. Visibility and transparency; keep it open.
7. Respect for user-privacy; keep it user-centric.

Source: IPC Privacy by Design

Download this research

Get a head start on integrating data protection into the foundations of your projects and processes with Info-Tech's Demonstrate Data Protection by Design for IT research.

Determine the primary owners of the privacy program

The privacy program must include multiple stakeholders for it to be successful. It’s integral to assign clear lines of ownership to build and effectively manage the program. Without defined ownership, privacy initiatives can easily fall between the cracks, and issues may not be handled effectively.

Info-Tech Insight

If not already mandated by governing privacy laws, consider appointing a privacy officer to formalize privacy ownership in the organization.

Define the governance structure of the privacy program

A successful privacy program will be structured in a way that best fits the needs of your organization. Minimize disruption to ensure a successful adaptation and launch.

1. Centralized
   • One central group manages the entire privacy program. They may direct other groups in terms of certain actions or initiatives, but privacy is centrally managed and reported on by one group.
   • This works well for large organizations to manage and track all privacy efforts, but it can become very bureaucratic.
2. Decentralized
   • Privacy is distributed to the rest of the organization, often in the lower tiers. The expectation here is that there is a bottom-to-top discussion of privacy while allowing for a flatter structure.
   • This works well with highly privacy-aware employees who can make the correct decisions at their respective levels. However, it can be difficult to track compliance.
3. Hybrid
   • Aspects of centralized and decentralized programs are combined to get the best of both structures; for example, one group or individual may track all privacy efforts in the organization, but each business unit can choose how to implement them. Another method is to have a designated privacy representative in each business unit.

Info-Tech Insight

While there may be one individual or group designated to manage the privacy program, privacy is everyone’s responsibility. Employees will have to perform the necessary actions such as limiting their personal data collection or anonymizing data. The success of the program will rely on everyone understanding how to put privacy first.

Evaluate a centralized governance model

This is an example of a centralized organizational structure for managing privacy. In this case, there is a dedicated privacy team that directs all the other departments in terms of their personal data management.

The centralized model is a more traditional structure for privacy in the organization, and it promotes the idea that one group is entirely accountable for the proliferation of privacy within the organization. This structure requires regular reporting and communication between the different groups.

Evaluate a decentralized governance model

In a decentralized model, we see that it is up to each department to create and form its own respective privacy practices. This can be done with the help of assigned privacy champions within each group. These individuals work with their own teams to integrate privacy within their business processes.

Evaluate a hybrid governance model

These days, many privacy-mature organizations lean toward a privacy center of excellence. This hybrid method combines the best of both centralized and decentralized structures: Centralized privacy for tracking and reporting purposes. Business unit privacy champions assigned to draw ownership and buy-in from the business units. The privacy champions from each business unit report to the central privacy unit, eliminating the need to hire multiple privacy-specific individuals within the central team.

Organizations that identify as having adopted a hybrid privacy governance model report shorter sales delays (4.6 weeks) when compared against organizations that employ either a fully centralized (9.8 weeks) or decentralized model (7.1 weeks).

Source: Cisco, 2018

1.2 Right-size your privacy governance structure

1 hour

Consider the following when building out your privacy organizational structure.

1. Determine where ownership of the privacy program will be.
   1. Common choices are a dedicated privacy team or the legal, information security, and/or HR departments.
   2. Decide whether a privacy officer is necessary in your organization – some regulations recommend it.
2. Review your current organizational structure to decide which model would be best for your privacy practices: centralized, distributed, or hybrid.
   1. Review the previous examples for how this could be structured. Be mindful that you can set up this structure based on your own unique requirements, for example, two different groups can share ownership of the entire privacy program.
3. Select the appropriate governance structure; document. Make note of significant changes that will need to occur to facilitate implementation of the governance structure.

Info-Tech Best Practice

There is no single perfect governance structure that works for all organizations. Look at your current organizational and governance setup and see which structure fits best. Ask yourself:

Are we already set up in a centralized, distributed, or hybrid structure? Are we looking to implement privacy with new resources or existing employees? What model works best for us to meet our compliance needs?

1.3 Build out the data privacy RACI chart

30-60 minutes

Among your team, level set and discuss what each of the letters within the RACI chart schema means in the context of your organization. Work through the actions documented in column B of the Data Privacy Program RACI Chart. Validate. Review your outputs for each of the Action rows in column C and onward. Does overlap exist between various roles? Do dependencies exist? Will any of the assigned RACI values change with the implementation of the privacy program? Document any notes or amendments made in columns adjacent to the role columns.

Download the Data Privacy Program RACI Chart

1.4.1 Define the extent of your personal data scope

1 hour

1. Divide into groups and give each group member a handful of sticky notes.
2. Ask them to write down as many business units or functional groups as possible that process (collect, record, use, disseminate, etc.) personal data within the organization.
3. Collect each group’s responses and discuss whether the business unit is a data controller, a data processor, or both.
   1. Focus on whether the business unit decides the purpose of processing the data or if an external party determines the purpose of processing.
   2. Use blue for data controllers and yellow for data processors. If a business unit is both a data controller and a data processor, write the business unit on both a blue and a yellow sticky note.
4. Discuss and aggregate all responses into a final document, listing what is in scope of your privacy program and what is out of scope.

1.4.2 Build your risk map

1 hour

Info-Tech Insight

Bake in a quantitative element of risk analysis as you create the privacy framework to take away some of the guess work when it comes to prioritizing initiatives and creating your roadmap in Phase 3. Compare and contrast the perspective of your core IT or privacy team and that of the business units when it comes to assigning a volume and risk ranking for each of the business processes.

Phase 2

Conduct a Privacy Gap Analysis

This phase will walk you through the following activities:

• Understand the methodology behind the Data Process Mapping Tool
• Assess risks and map out your data breach response process
• Work through the threshold assessment and DPIA process

This phase involves the following participants:

• Privacy officer
• Core privacy team
• Relevant business unit privacy champions
• InfoSec representative (optional)
• IT representative (optional)

Understand the role of the Data Process Mapping Tool

Determine the appropriate level of granularity with your processing activities

Think about the major business processes that make up your operations and refine by the common set of personal data types within sub-processes.

2.1 Complete the Data Process Mapping Tool

1-1.5 hour per business unit interview

Data protection goes beyond understanding where data is stored and how the systems are protected. Use this activity to start defining activities that are involved in processing your data.

1. Using the outputs from activities 1.4.1 and 1.4.2, group all business processes that touch personal data, based on their corresponding business function or unit.
2. Identify a privacy champion for each business unit or the respective business unit leader.
3. Schedule interviews with these individuals and review each of their business processes. Leverage the Data Process Mapping Tool to capture all elements of personal data included in the business processes.
4. Validate responses with members of the core team following each interview.

Download Info-Tech's Data Process Mapping Tool.

Info-Tech Insight

Compare and contrast the Data Process Mapping Tool with any previous documents collected, tailored to data kept in individual systems or applications, to gain a more robust understanding of how personal data interacts with organizational assets.

Examples of Personal Data Associated with Business Processes

Review the Privacy Framework Tool

Leverage the 12 domains and subsequent privacy controls as you work to right-size Info-Tech’s Privacy Framework for your organization.

Review the Privacy Framework Tool

Leverage the 12 domains and subsequent privacy controls as you work to right-size Info-Tech’s Privacy Framework for your organization.

The framework also contains mapping to major privacy regulations, including GDPR, CCPA, HIPAA, PIPEDA, and NIST Privacy Framework.

Info-Tech Insight

This best-practice framework will force you to reevaluate your current operations and understand how to integrate privacy. To gain the most benefits from your privacy program, review and understand which domains are most critical to your operations and which you will want to put the most focus on. This will ensure that this framework works for you and builds a privacy program around your organization’s specific requirements.

2.2 Compare compliance and regulatory requirements for gap analysis

2 hours

1. On tab 2 of the Privacy Framework Tool, review each privacy control and determine the current organizational maturity based on the five-point CMMI scale below. Capture any relevant comments, as required:
   1. Initial/Ad hoc
   2. Developing
   3. Defined and Documented
   4. Managed and Measurable
   5. Optimized
2. Define the target state using the same five-point scale.
   1. The target state will be heavily influenced by the requirements gathered in the earlier phase.
3. Wherever there is a gap between the current and target state, document what initiative is needed to close the gap in column N.

Download the Privacy Framework Tool

Perform a high-level gap analysis on your processing activities

Taking a top-down view of a processing activity can often expose gaps in the process.

In the example of an Email-Based Document Exchange process, personal data could be exposed during these sub-processes in red. Optimizing the process, via improved security, with the version in green would address these gaps.

Info-Tech Insight

Knowing is half the battle. Ensure high-level gaps identified via this method are risk-assessed. Add remediation initiatives in the Privacy Framework Tool to contribute toward your defensible compliance position.

Align incident management to relevant regulations

Language within privacy regulations is explicit in requiring notification to the supervisory authority and data subjects in instance of a data breach.

• A key component of a successful privacy program involves a well-developed set of incident response and management procedures.
• Each privacy regulatory framework will establish its own timeframe when it comes to incident response procedures.
• These same frameworks will also support the underlying procedures involved in incident management runbooks that are created, maintained, and updated on a regular basis by the InfoSec or IT teams.
• Info-Tech recommends taking a “best-of-breed” approach in creating an effective incident management response plan:
  • Use relevant regulatory timeframes as a guideline.
  • Involve business unit privacy champions when creating the response plan.
  • Identify all interdependencies and map them out as a part of the validation process.

GDPR – Data subject notification

“In the case of a personal data breach, the controller shall notify without undue delay and, where feasible, not later than 72 hours. […] Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

(Source: General Data Protection Regulation)

CCPA/CPRA – Not defined

Unlike the GDPR, CCPA/CPRA does not define data breach report in timeframes. However, should a breach or other data security incident occur “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices,” the business can be fined $100-$750 per individual incident, or the full cost incurred of damages. The CPRA adds in new standards for what constitutes a data breach.

(Source: California Consumer Protection Act)

PIPEDA – Breach of security safeguards

Following the occurrence of a breach, organizations must report any breaches in the prescribed form and manner as soon as feasible.

Understand the security incident management framework

For all incident runbooks, follow the same process: detection, analysis, containment, eradication, recovery, and post-incident activity.

PREPARE

Ensure the appropriate resources are available to best handle an incident.

DETECT

Leverage monitoring controls to actively detect threats.

ANALYZE

Distill real events from false positives.

CONTAIN

Isolate the threat before it can cause additional damage.

ERADICATE

Eliminate the threat from your operating environment.

RECOVER

Restore impacted systems to a normal state of operations.

POST-INCIDENT ACTIVITIES

Conduct a lessons-learned post-mortem analysis.

Process adapted from NIST SP 800-61 Rev. 2

Info-Tech Insight

Document each step of the incident lifecycle. A thorough, comprehensive record will assist in understanding the root cause, allow for faster remediation of any future reoccurrences of the incident, and support any legal escalation. Tracking the cost of work hours helps in determining the overall impact to the organization.

2.3 Analyze the risk of data breaches to your data subjects

30 minutes

Take a client-centric approach to incident management. Understand the risk involved in data breaches beyond your organization and use as inputs as a part of your revised incident response process. Leverage existing runbooks and revise.

Identify each of the following. Validate with team members and document using incident management runbooks. Include data subject risk impact analysis as a step in your incident management runbooks.

1. Type of breach
2. Nature, severity, and volume of personal data
   • Combinations of data are more sensitive
   • Relevancy of situational sensitivity should be considered
3. Ease of identification of individuals
4. Severity of consequences for individuals
   • A trusted recipient does not negate that a breach has occurred
   • Are the resulting consequences permanent?
5. Special characteristics of the individual
6. Number of affected individuals
7. Special characteristics of the data controller

Download this research Develop and Implement a Security Incident Management Program

Define and uphold your post-incident record-keeping requirements

For regulatory purposes, it is crucial that a breach response process is developed and documented both prior to and following an incident.

• Time to identify and time to resolve breach
• Consequences of the breach
• How the breach was remediated and the justified breach response
• Employee training on process
• What took place during the breach
• What personal data was affected
• Causes of the breach

Integrate incident response as a part of security operations

Incident response is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operation, and technology infrastructure on a daily basis.

Next-Gen Security Operations

Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.

Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.

Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data, but also provides visibility into your threat landscape.

Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

Know the “why” behind your processing activities

A good start to understand the legitimacy of your reasons for data processing stems from the GDPR. Align your reasons for processing with one of the six lawful bases for data processing.

Source: GDPR Article 4(2), 6

Align data classification to privacy law requirements

Organizations can use data discovery and classification as a method to understand their data environment.

Define data classification in the context of your organization

Build out a data classification scheme that fits the operating and regulatory environment of your organization

What is data classification?

Data classification is the process of identifying and classifying data on the basis of sensitivity and the impact the information could have on the company if the data is breached. The classification initiative outlines proper handling procedures for the creation, use, storage, disclosure, and removal of data.

Why do we need it?

With the increase in data and digital advancements in communication and storage (e.g. cloud), it becomes a challenge for organizations to know what data exists and where data lives. A classification scheme must be properly implemented and socialized to help ensure appropriate security measures are applied to protect that data appropriately.

Types of data

Structured

• Highly organized data, often in a relational, easily searchable database.
• E.g. employee numbers stored in a spreadsheet

Unstructured

• Data that is not predefined in format and content; majority of data in most organizations.
• E.g. free text, images, videos, audio files

Semi-structured

• Information not in traditional database but contains some organizational properties.
• E.g. email, XML

Without data classification, an organization treats all information the same.

• Sensitive data may have too little protection.
• Less sensitive data may have too much protection.

Strategically classifying data will allow an organization to implement proper controls where necessary.

Further define risk using the Data Process Mapping Tool

Each of the business processes retained within the Data Process Mapping Tool contains an inherent level of risk based on the volume and sensitivity of data.

• Pull the outputs from the initial risk-mapping activity as you work through populating the Data Process Mapping Tool.
• Categorize each of the business processes based on where they fall within the quadrant, and populate column F within tabs 1 and 2 of the tool.
  • High / Medium / Low
• Identify and make note of the number of processes that fall within each of the three categories. Track areas in which the majority of high vs. low risk processes exist and observe any trends.
• For any processes that remain categorized as High, perform further analysis to validate the classification:
  • Internal Risk Assessment
  • Security Assessment
  • Info-Tech’s Data Protection Impact Assessment Tool

2.4 Complete the DPIA threshold assessment for high-risk business processes

1-2 hours

A data protection impact assessment is used to assess how much private data will be affected by planned processing activities. A DPIA helps ensure that data-processing activities are both compliant with data protection regulations and that data processors are cognizant of the risks surrounding the processing of personal data.

1. For all identified high-risk processing activities, work through the dynamic questionnaire.
2. Complete one threshold assessment per activity.
3. Based on the recommendation and risk score, move to complete the DPIA on a per-activity basis.
4. Complete either a Lite or Full version of the DPIA, based on the nature of the process.
5. Involve the process owner (Project Owner) and a third-party stakeholder (Project Reviewer).
6. Refer to the results report (tab 4) to review each of the priority processes and subsequent next steps toward compliance.

Download Info-Tech’s DPIA tool

Leverage Info-Tech’s security framework to document your security controls

A Best-of-Breed Information Security Framework

INFO-TECH’S SECURITY FRAMEWORK

• ISO 27000 series

Comprehensive standard providing best practices associated with each control

• CIS – Critical Security Controls

A concise list of 20 controls and sub-controls for actionable cyber defense

• COBIT 5

A process and principle structured security best-practice framework

• NIST SP800-53

Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations

Info-Tech’s information security framework and maturity model methodology

In general, organizations are required or expected to implement appropriate risk-based technical and organizational measures to ensure the ongoing confidentiality, integrity, availability of personal data.

• The controller and the processor shall provide
  • Appropriate technical and organizational measures
• To ensure
  • A level of security appropriate to the risk
• Taking into account
  • The state of the art
  • Costs of implementation
  • The nature, scope, context, purposes of processing

Info-Tech Insight

A best-of-breed approach ensures holistic coverage of your information security program while maturing from reactive to strategic information security management.

Phase 3

Build the Privacy Roadmap

This phase will walk you through the following activities:

• Identify where high-priority gaps exist in current privacy practices
• Tie cost, effort, risk, and alignment values to each of the relevant privacy gap-closing initiatives
• Further refine resourcing estimates

This phase involves the following participants:

• Privacy officer
• Core privacy team
• Select business unit privacy champions
• InfoSec representative (optional)
• IT representative (optional)

3.1 Complete the privacy gap analysis exercise for individual business units

1-1.5 hours per business unit

After you’ve identified each of the key gap areas within your organization’s current privacy framework and supporting processes, walk business unit privacy champions through the maturity gap analysis (tab 2) for the following four areas:

• Data Processing and Handling
• Data Subject Requests
• Privacy by Design
• Notices and Consent

1. Provide each business unit with a copy of the Privacy Analysis by Business Unit Tool.
2. Fill out this tool using the same approach used for the larger framework.
3. After completion, meet with the privacy champion from each business unit to discuss results. Compare maturity gaps with those of the overall Privacy Framework Tool.
4. Identify which of the four areas and supporting controls had significantly different privacy gaps and gap-closing initiatives.
5. Include all the supporting initiatives as part of tab 4 in the overall Privacy Framework Tool.

Download Info-Tech’s Privacy Analysis by Business Unit Tool

3.2 Develop cost estimates for privacy initiative list

1 hour

1. Leverage the full list of privacy initiatives, including any collected during activity 3.1.
2. Look to Info-Tech’s industry standards (Manufacturing, Retail, Healthcare, Financial Services) as a guideline when you determine a range for the following input categories for your organization:

• Initial Cost
  • The cost to implement the initiative, including the purchase of any new solutions or resources.
• Ongoing Cost (Annual)
  • The ongoing cost to maintain the initiative, which can be in the form of subscription or maintenance fees.
  • This cost is often estimated at 20% of the initial cost.
• Initial Staffing (Hours)
  • The number of hours of assigned resources needed to bring the initiative to completion.
• Ongoing Staff in Hours (per week)
  • Any expected regular maintenance required after implementation (e.g. to monitor a privacy tracking solution or to respond to data subject requests).

Download Info-Tech’s Privacy Framework Tool

3.3 Define alignment and privacy risk for the org.

30 minutes

Continue standardizing variables, including “Alignment With Business” and “Privacy Risk Reduction.” On tab 4 of the Privacy Framework Tool, select “High,” “Medium,” or “Low” values for the following:

Alignment to Business

• Identify which initiatives directly align with the organization’s senior leadership team goals.

Privacy Risk Reduction

• This is a key variable in how you prioritize the initiatives.
• Privacy risk can be viewed in many ways: risk posed to data subjects’ rights, the financial consequences associated with a risk, likelihood of a breach, or other relevant criteria.
• The ways each organization looks at privacy risk will be different. Many will look at how a breach of privacy impacts the organization from a reputation or cost perspective, rather than through the rights of the data subject.

3.4.1 Apply variables to privacy initiatives

2 hours

Continue to build out the privacy initiative prioritization list on tab 4 of the Privacy Framework Tool by aligning bucket cost and benefit ranges based on your organization.

1. Apply the cost and benefit variables to each of the initiatives.
   
2. Copy and paste the initiatives from tab 2, Privacy Framework, into tab 4, Initiative Prioritization, under “Planned Initiatives.” If desired, consolidate similar initiatives into larger projects.
3. Copy and paste any initiatives from the Privacy Analysis by Business Unit Tool here as well.
4. For each initiative, assign the cost, effort, and benefit of each of the different initiatives. This will provide an overall cost/effort rating based on the combination of all the cost and staffing variables put together. This scale ranges from 1 to 12.
5. Optional: Consider building an effort map using the cost/effort rating and the risk reduction benefit. This can be a useful exercise to visualize how your initiatives are distributed in terms of cost and benefit.

3.4.2 Assign specific cost and effort values

1 hour

If you are aware of exact costs or efforts required for an initiative, you can enter it on the right side of the table on tab 4, Initiative Prioritization.

1. When entering “High,” “Medium,” or “Low” values for the cost and effort, you may be aware of the specific cost rather than using the large estimation buckets – if so, enter this on the right side of the table.
   1. The cells in blue are auto-calculating what the initiative will cost based on the “High,” “Medium,” or “Low” value and the multiplier you chose earlier.
   2. If you put in a specific cost or effort value in the white cells, your input will overwrite the estimate in the calculations.

Note: This will be useful in populating the “Cost and Effort Estimates Table” on tab 6. It will provide an overall estimate of costs and effort associated with implementing a privacy program. The more accurate the data you enter in the tool, the more accurate the final estimates will be.

3.5 Create a visual effort map for your organization

1 hour

An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 4 in the Privacy Framework Tool.

1. Establish the axes and colors for your effort map:
   1. X-axis represents the Privacy Benefit value from column J
   2. Y-axis represents the Cost/Effort value from column H
   3. Sticky note color is determined using the Alignment to Business value from column I
2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

3.6.1 Refine the effort map’s visual output

1 hour

Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of governing privacy law (GDPR, CCPA, HIPAA, etc.) and mark with a sticky dot.
2. Document these initiatives as Execution Wave 1.

3.6.2 Refine the effort map’s visual output

30 minutes

1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5 and 3.6.1.
   1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
   2. Leverage the following 0-4 Execution Wave scale:
      1. Underway –Initiatives that are already underway
      2. Must Do – Initiatives that must happen right away
      3. Should Do – Initiatives that should happen but need more time/support
      4. Could Do – Initiatives that are not a priority
      5. Won’t Do – Initiatives that likely won’t be carried out
3. Indicate the granular level for each execution wave using the A-Z scale.
   1. Use the lettering to track dependencies between initiatives.
      1. If one must take place before another, ensure that its letter comes first alphabetically.
      2. If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.

3.7 Create the visual roadmap

1 hour

If enough information around current and immediate future project resourcing is available, use the Gantt chart in tab 5 to document the exact start and end times of each initiative. This may be difficult to do immediately after prioritization, as there may be many considerations as to where these projects fit alongside existing action plans and strategies.

1. Work with team members to first identify start dates for mandatory privacy initiatives (governed by privacy law).
2. Refer to cost and effort estimates provided in tab 4 as you begin to populate start and end dates for each individual privacy initiative. Work in sequential order based on assigned Execution Waves.
3. Assign ownership to each initiative. Ensure that each assigned owner is provided with relevant documentation to keep track of initiative (project) progress.

3.8 Revise and assess the cost and effort table

30 minutes

1. Refer to the Cost and Effort Table on tab 6. The table will populate with an estimate of your overall costs based on the data input into the Initiative Prioritization tab.
2. Costs are broken out based on the execution waves with a full total tabulated at the bottom. For each of the waves, you will be able to see the total dollar cost and total effort requirement based on:
   1. The cost of initial implementation to establish the privacy program.
   2. The ongoing annual cost, describing the costs and effort required to maintain the program.
   3. A rough total of these costs over a specified number of years. The number of years can be changed on the initiative prioritization tab (tab 4).
3. Based on the results, revise if necessary. Keep in mind that these totals will be the driving points put forward to the senior leadership team when sourcing resources for the privacy program.
4. Document final total costs and total efforts for each execution wave within your executive presentation. Identify areas on which to focus to obtain buy-in from your senior management team.

* Bear in mind that these numbers are solely estimates of previously input data. The total may be higher than expected.

Implementation Example – Be Transparent

Key Components of a Privacy Notice

1. The identity of the organization
2. What personal data you collect
3. Why you collect this personal data
4. How you collect personal data
5. How you use personal data
6. How you share personal data with third parties
7. How you store personal data
8. Personal data cross-border transfers
9. How you protect data
10. How you treat children’s personal data
11. Your data subjects' rights
12. Contact details

Info-Tech Insight

Your privacy notice explains your commitment to the data subject. Make sure it’s accessible at the beginning of all data collection activities.

Implementation Example – Vendor Risk Management

End-to-End Third-Party Privacy Risk Management

1. Pre-Contract
   • Due diligence check
2. Signing of Contract
   • Data processing agreement
3. Post-Contract
   • Continuous monitoring
   • Regular check or audit
4. Termination of Contract
   • Data deletion
   • Access deprovisioning

Core components of a DPA

• Defined data processing roles
• Defined contract processing
• Processing instructions
• Sub-processor
• Security controls
• Data breach notification and handling
• Data secrecy and staff awareness and training
• Data subject request
• Compliance demonstration
• Cross-border transfer
• Termination of Service
• Liability and indemnity

According to the Ponemon Institute (2018): 61% of organizations experienced a data breach caused by their supply chain in 2018; only 29% of organizations believe a third-party vendor would notify them of a data breach; only 28% of organizations believe they will be notified when a third-party shares data with an nth party.

Info-Tech Insight

Many organizations know that they need to secure their supply chain but struggle with finding the right level of due diligence. An end-to-end third-party privacy risk management process should be established to protect the shared data.

Implementation Example - Data Retention

Some business leaders will perceive indefinite retention as a benefit for business intelligence reasons (there’s always another potential use for data). However useful it may be, unnecessary personal data will cause additional headaches in the event of a breach.

Info-Tech Insight

Establish a single source of truth for your data. This will allow you to go to the source and delete the first instance of the data (as per your retention schedule), and then plan to purge the secondary, tertiary, etc. instances on a regular basis.

Phase 4

Implement and Operationalize

This phase will walk you through the following activities:

• Establish metrics that map to the needs of the organization
• Implement and integrate metrics into operations

This phase involves the following participants:

• Privacy officer/privacy team
• Senior management representation (optional)
• InfoSec representative
• IT representative

Make your privacy program functional

Effective metrics add value by reflecting the current business environment and forecasting for the future

As you begin to establish relevant metrics to guide the data privacy program, document and classify based on the associated set of privacy controls and category. Use Info-Tech’s Data Privacy Program Report template as your repository.

Source: IAPP, “Privacy Program Management”

Match metrics to privacy controls

Create a cohesive privacy framework by aligning metrics to each of the 12 categories of privacy controls

Match metrics to privacy controls (cont.)

Create a cohesive privacy framework by aligning metrics to each of the 12 categories of privacy controls.

4.1 Define privacy metrics for the organization

1 hour

1. Based on the metrics provided by Info-Tech as a part of the data privacy program framework, identify which ones best suit the current needs of the organization and future privacy goals.
2. Limit this selection to two to three metrics per tactical privacy area (selected from the 12 control categories in the Privacy Framework). Ask yourself: What do you want to know most about your privacy program? What do you want to show to others?
   1. For many privacy regulations, the need to demonstrate adherence is crucial, and metrics will play a large role in this regard.
   2. Beyond regulations, what are the privacy areas you want to track? What are the areas that senior management wants to track?
3. For the selected metrics, discuss the target that you would like to achieve.
   1. This will likely change over time, but identifying a target helps to add context and goals to your privacy program.
   2. Consider selecting an immediate-term target and a stretch-goal target that represents a mature state for the privacy program.
   3. Document targets within the Data Privacy Program Report.

Download Info-Tech’s Data Privacy Program Report

Info-Tech Insight

Don’t focus on industry benchmarks for privacy – your privacy requirements will be unique and continue to evolve over time. Similarly, even the metric targets can change over time. What was once considered a “good” target can become “bad” in the future. Privacy will continue to evolve just as the business continues to change.

4.2 Align and prioritize privacy metrics

1 hour

Fast-track external privacy documentation to satisfy the data privacy requirements of your end users.

1. Write out the metrics selected in activity 4.2 on sticky notes.
2. Divide whiteboard into 12 columns, each one corresponding to a category of privacy controls from the Privacy Framework Tool.
3. Place metric stickies under appropriate privacy category.
4. Reference prioritized initiatives from the Privacy Framework Tool (Execution Wave 1) and write each initiative on the whiteboard next to a corresponding metric.
5. Metrics should directly correlate to tracking progress of the initiative. Some initiatives may map to multiple metrics; make note of this in the Data Privacy Program Report.
6. For any Wave 1 initiatives that do not have an assigned metric, revisit activity 4.1 and ensure that a supporting metric is modified or a new metric is established.
7. As the program matures, complete these activity for additional Execution Waves and align metrics accordingly.

Download Info-Tech’s Data Privacy Program Report

Develop and implement your metric lifecycle

Increase the credibility of the privacy program by analyzing and reporting on metrics on a regular basis.

• A key factor in ensuring integration of the privacy program throughout the organization is presenting the business benefits of the program to the entire organization, and specifically to the executive leadership group.
• Privacy is not a “one-and-done” project. Even after establishing metrics and implementing metric tracking as a part of the program, progress should be assessed.
• This is the key step in establishing a metric lifecycle, ensuring that your metrics are continuously monitored and reviewed to meet the needs of the privacy program.
• The final factor is ensuring that the metrics used to gauge the privacy program directly align to the organization’s business goals and support achieving these objectives. This helps to obtain requisite buy-in and support from executive leadership.

Analysis and Monitoring Categories

1. Compliance
   • Ensure that the organization meets compliance obligations.
   • Examples include audit management, self-monitoring, security/system management, and risk management.
2. Regulatory/Legal
   • Ensure that the organization meets any legally imposed regulations to which it is subject.
3. PEST
   • Ensure that the organization’s approach to privacy and the privacy program align with both the external and internal operating environment, and consider any political, social, economic, and technological factors (PEST).

Source: IAPP, “Privacy Program Management”

Quantify privacy by tracking ROI

The final step in maturing and delivering value through the privacy program is achieved by demonstrating positive return on investment to your leadership team.

• As privacy becomes the norm within organizations globally, the relationship that exists between high-accountability, privacy-mature organizations and organizational performance becomes increasingly easy to track.
• Business and IT leaders attribute privacy management practices to:
  • Increased competitive advantage
  • Positive compliance records
  • Innovation gains
  • Operational agility
  • Reduced sales delays
  • Increased customer loyalty and brand reputation

Privacy ROI worldwide

1. United Kingdom (3.5x)
2. Brazil (3.5x)
3. Mexico (3.5x)

$1.00 spent = $2.70 privacy ROI

Organizations that have dedicated time and resources to maturing privacy best practices are already experiencing positive ROI from their efforts.

4.3 Create and deliver the Data Privacy Program Report

1-2 hours

1. Using all the privacy outputs collected from Phases 1-4, create your executive presentation by leveraging the Data Privacy Program Report.
2. Focus on the key outputs that your senior management team will want to know:
   1. What are the high-priority “must-do’s”? Regulatory or governance requirements.
   2. What are the associated costs?
   3. What are the resourcing requirements?
   4. What is the required level of ongoing maintenance?
   5. How will this be tracked?
   6. Who takes ownership or the program and relevant initiatives?

Summary of Accomplishment

A clear path toward proactive privacy management

Higher education institutions are increasingly relying on online student learning, advice, and management platforms to streamline processes and deliver student services at scale.

In a perfect world, the summary of accomplishment would state that you’ve solved the data privacy problem within your organization, and you’ll never be the subject of headline news as having fallen victim to a data breach.

The reality is that an effective data privacy program is ongoing, constantly evolving to fit within the surrounding digital and societal landscape. You’ve laid the foundation in working through the Data Process Mapping Tool and understanding how privacy is currently applied within the scope of your organization. By leveraging the outputs from this tool, as well as the maturity gaps identified as a part of the Privacy Framework set of exercises, you’ve begun to create a forward-looking data privacy roadmap.

Established metrics and a set of steps to achieve operationalization position your data privacy program for success by moving beyond static policies and procedures. By focusing on monitoring and assessing how the program captures and supports data privacy, you create a dynamic and adaptable framework.

And while even the strongest of data privacy programs are not bulletproof vests when it comes to preventing data breaches, by developing a flexible and customized data privacy program, your organization significantly strengthens its ability to recover from data privacy incidents and reduces its overall risk of exposure.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Research Contributors and Experts

	Amalia Barthel Lecturer and Advisor, Privacy SME – private practice CIPM, CPIT, PMP, CRISC, CISM University of Toronto		Cat Coode Data Privacy Consultant, Fractional Data Privacy Officer, Speaker Binary Tattoo		Paul Hinds, CISA, CISM, CRISC, CDPSE Security Privacy Advisor Northwestern University
	Mark Roman B.Math, MBA, PMP Managing Partner Info-Tech Research Group		Mark Maby Research Director for Higher Education Info-Tech Research Group		Mark Hoeting Executive Counselor Info-Tech Research Group

Bibliography

Aberdeen and Liaison. “Enterprise Data in 2018: The State of Privacy and Security Compliance in Healthcare.” Aberdeen Group, 2018. Web. January 2019.
Accenture. “How Global Organizations Approach the Challenge of Protecting Personal Data.” Accenture and Ponemon Institute,2009. Web. January 2019.
California Consumer Protection Act of 2018. 2018. Web. November 2019.
Cavoukian, Ann. “Privacy by Design, The 7 Foundational Principles.” IPC Privacy by Design, January 2011. Web. 14 January 2020.
Centrify and Ponemon Institute. “The Impact of Data Breaches on Reputation & Share Value.” Centrify and Ponemon Institute, May 2017. Web. January 2019.
CIGI & Ipsos. “2018 CIGI-Ipsos Global Survey on Internet Security and Trust.” Centre for International Governance Innovation, 2018. Web. January 2019.
“Cisco 2018 Privacy Maturity Benchmark Study.” Cisco, January 2018. Web. January 2020.
“Cisco 2019 Privacy Maturity Benchmark Study.” Cisco, January 2019. Web. January 2020.
“Cisco 2020 Privacy Maturity Benchmark Study.” Cisco, January 2020. Web. January 2020.
“Data Protection & Privacy Officer Priorities.” CPO Magazine, 2020.
Densmore, Russell. “Privacy Program Management: Tools for Managing Privacy Within Your Organization.” IAPP, 2019.
“DoorDash Reports Data Breach Impacting 5 Million Customers.” Security Magazine, 27 September 2019. Web. November 2019.
Forbes. “DoorDash Data Breach Compromises 4.9 Million People.” Forbes, 26 September 2019. Web. December 2019.
General Data Protection Regulation. Chapters 1-11. May 2018. Web. November 2019.
Gierdowski, Dana C. ECAR Study of Undergraduate Students and Information Technology, 2019. Research report. Louisville, CO: ECAR, October 2019.
Government of Canada. “The Personal Information Protection Electronic Documents Act.” April 2000. Web. November 2019.
Grajek, Susan. “Top 10 IT Issues, 2023: Foundation Models.” Educause, Oct. 2022.
HIPAA of 1996. US Department of Health & Human Services. 1996. Web. January 2020.
Hodge, Rae. “2019 Data Breach Hall of Fame: These were the biggest data breaches of the year.” CNET, 27 December 2019. Web. January 2020.
“IAPP-EY Annual Privacy Governance Report 2019.” IAPP, 2019. Web. December 2019.
IBM Security. “Cost of a Data Breach Report, 2019.” IBM, January 2020. Web. January 2020.
ISACA and TITUS. “GDPR: The End of the Beginning.” ISACA, 2018. Web. January 2019.
Kari Paul, "'Ban This Technology': Students Protest US Universities' Use of Facial Recognition," The Guardian, March 2, 2020.
NIST. "Computer Security Incident Handling Guide." NIST, SP800-61 Rev. 2, August 2101. Web. November 2019.
NIST. “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” NIST, 16 January 2020. Web. January 2020.
PIPEDA of 2000. The Government of Canada, 2000. Web. October 2019.
Proteus. “Privacy Research Database; Breach Calculator.” Proteus-Cyber. Web. December 2019.
Protiviti and North Carolina State University’s ERM Initiative. “Executive Perspectives on Top Risks for 2018: Key Issues Being Discussed in the Boardroom and C-Suite.” Protiviti and North Carolina State University’s ERM Initiative, 2017. Web. January 2019.
PwC. “The Anxious Optimist in the Corner Office.” 21st CEO Survey. PwC, 2018. Web. January 2019.
“Q3 2019 Data Breach QuickView Report.” RiskBased Security, 12 November 2019. Web. December 2019.
“Study: Mature Privacy Programs Experience Higher ROI.” IAPP, 27 January 2020. Web. January 2020.