Build Business-Aligned Privacy Programs for Higher Education Institutions

Embed privacy by design into your business processes and protect high-risk personal data.

  • Higher education institutions are under increased pressure to ensure personal data protection for students and faculty in the new digital era, especially to protect sensitive information such as health data and biometric data.
  • Privacy teams are having a difficult time conveying the legal obligations and privacy protection principles and providing actionable guidance to business partners.
  • One institution may have more than one IT department. Decentralized and fragmented systems lead to inconsistent policies and procedures.

Our Advice

Critical Insight

  • Students are wary of privacy risks and value privacy protections. So should the leaders at the education institutions. Embed privacy-by-design principles into your business processes and data lifecycle to protect valuable personal data for students and faculty.

Impact and Result

  • Establish a holistic and integrated privacy program that embeds privacy by design principles into the business processes.
  • Partner with business departments by speaking a language they can understand and providing tools they can implement.
  • Gain the visibility of personal data processing activities and prioritize personal data protection initiatives.
  • Create privacy policies, standards and procedures that are established with respect to how information is collected, processed, shared, and protected within the data lifecycle.

Build Business-Aligned Privacy Programs for Higher Education Institutions Research & Tools

1. Build Business-Aligned Privacy Programs for Higher Education Institutions Deck – Helps education institutions embed privacy by design principles into the data management lifecycle to protect data subject rights.

Establish a holistic and integrated privacy program that embeds privacy by design principles into the business processes.

Create privacy policies, standards and procedures that are established with respect to how information is collected, processed, shared, and protected within the data lifecycle.

2. Student Privacy Notice Template – A best-of-breed template to help education institutions build a clear, concise, and compelling privacy notice.

The student privacy notice template articulates the core components of a privacy notice.

Workshop: Build Business-Aligned Privacy Programs for Higher Education Institutions

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Collect Privacy Requirements

The Purpose

  • Identify the driving forces behind the privacy program.
  • Understand privacy governance.
  • Assign ownership of privacy.

Key Benefits Achieved

Privacy requirements documented and privacy governance structure established.

Activities and Outputs

  1.1 Define and Document Drivers
    • Output: Business context and drivers behind privacy program
  1.2 Establish Privacy Governance Structure
  1.3 Build Privacy RACI
    • Output: Data privacy RACI chart
  1.4 Define Personal Data Scope
  1.5 Build Risk Map

Module 2: Conduct a Privacy Gap Analysis

The Purpose

  • Understand the methodology behind the Data Process Mapping Tool
  • Assess risks and map out your data breach response process
  • Work through the threshold assessment and DPIA process

Key Benefits Achieved

Privacy program gap areas identified

Activities and Outputs

  2.1 Conduct interviews and complete Data Process Mapping Tool
    • Output: Data Process Mapping Tool draft
  2.2 Compare compliance and regulatory requirements with current privacy practices of the organization
    • Output: Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards
  2.3 Identify gap areas
  2.4 Review the DPIA process and identify whether a threshold assessment or a full DPIA is required

Module 3: Build the Privacy Roadmap

The Purpose

  • Identify where high-priority gaps exist in current privacy practices
  • Tie cost, effort, risk, and alignment values to each of the relevant privacy gap-closing initiatives
  • Further refine resourcing estimates

Key Benefits Achieved

Gap initiatives identified and prioritized

Activities and Outputs

  3.1 Complete business unit gap analysis; consolidate inputs from interviews
    • Output: Privacy Framework Tool
  3.2 Apply variables to privacy initiatives
  3.3 Create a visual privacy roadmap
  3.4 Define and refine the effort map; validate costing and resourcing
    • Output: Data privacy roadmap and prioritized set of initiatives

Module 4: Implement and Operationalize

The Purpose

  • Complete the roadmap
  • Establish metrics that map to the needs of the organization
  • Implement and integrate metrics into operations

Key Benefits Achieved

Privacy program roadmap completed

Activities and Outputs

  4.1 Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program
    • Output: Completed data privacy roadmap
  4.2 Operationalize metrics
  4.3 Input all outputs from Modules 1-3 into the Data Privacy Report
  4.4 Summarize and build an executive presentation
  4.5 Set checkpoints and drive continuous improvement
    • Output: Data Privacy Program Report document

Build Business-Aligned Privacy Programs for Higher Education Institutions

Embed privacy by design into your business processes and protect high-risk personal data.

EXECUTIVE BRIEF

Analyst Perspective

Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions.

College students are living in environments that increasingly require regular interaction with information technology and data.

Students are aware of data protection risks and take privacy seriously. Some personal identifiers, such as email addresses, can be easily replaced. But biometric information such as fingerprints and facial geometry scans are unique. Students' strong belief in the protection of sensitive personal information stems from a desire to protect themselves from privacy risks and harm that may last for the rest of their lives.

With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage. Students care about their data privacy, and this concern is increasing.

This leaves leaders in the education sector questioning what exactly privacy involves and how to make it scalable for their respective institutions. As the general public begins to take back control over data privacy, so too should education institutions, by taking a tactical, measurable approach to privacy and the business.

Alan Tang
Principal Research Director, Security & Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

  • Higher education institutions are under increased pressure to ensure personal data protection for students and faculty in the new digital era, especially to protect sensitive information such as health data and biometric data.
  • Privacy teams are having a difficult time conveying the legal obligations and privacy protection principles and providing actionable guidance to business partners.
  • One institution may have more than one IT department. Decentralized and fragmented systems lead to inconsistent policies and procedures.

Common Obstacles

  • Privacy policies often ineffectively convey how institutions use data, which often leads students to misunderstand their institutions' data practices.
  • Throughout the digitalization process, access controls have not been properly implemented. Documents and files that were traditionally locked in cabinets are now accessible to almost everyone within the organization.
  • Privacy teams are struggling to obtain sufficient resources and budget.
  • It takes a long time to make changes and implement new policies and procedures.

Info-Tech’s Approach

  • Establish a holistic and integrated privacy program that embeds privacy-by-design principles into the business processes.
  • Partner with business departments by speaking a language they can understand and providing tools they can implement.
  • Gain visibility of personal data processing activities and prioritize personal data protection initiatives.
  • Create privacy policies, standards, and procedures that are established with respect to how information is collected, processed, shared, and protected within the data lifecycle.

Info-Tech Insight

Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions. Privacy-by-design principles should be embedded into the business processes and data lifecycle to protect the valuable personal data of students and faculty.

Relevant Legal Obligations and Guidelines

The image contains a world map that highlights the countries that have put in place legislation to secure the protection of data and privacy.

More than 130 countries had put in place legislation to secure the protection of data and privacy

Info-Tech Insight

Higher education institutions increasingly depend on online platforms related to student learning, advising, and management in order to optimize processes and deliver student services at scale. The importance of privacy and data protection is increasingly recognized. Equally concerning is the collection, use, and disclosure of personal information to third parties without prior notice or consent from students and faculty.

Typical Business Processes of a Higher Education Institution

Usually, there are three types of business processes supporting the operations of a higher education institution: defining processes, shared processes and enabling processes.

Defining Capabilities

  • Recruitment (Undergrad, Graduate Studies)
  • Admission (Undergrad, Graduate)
  • Student Enrollment (Enrollment, Financial Aid)
  • Instruction & Research (Teaching & Learning, Research)
  • Graduation (Graduation, Transcripts)
  • Advancement (Alumni Relations, Fundraising)

Shared Capabilities

  • Student Administration (Student progression, Record maintenance)
  • Student Support Services (Athletics, Career Development)
  • Academic Admin (Academic Year Scheduling, Policy Admin)

Enabling Capabilities

  • Facilities & Property Mgmt.
  • Finance Mgmt.
  • Human Resources
  • IT
  • Legal Services
  • Government, Public, and Stakeholders
  • Governance, Risk, and Compliance

Privacy is all about personal data

When building a privacy program, focus on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. Conversely, an effective privacy program allows access to information based on regulatory guidance and appropriate measures.

Examples of personal data include:

Traditional PII (personally identifiable information):

  • Full name (if not common)
  • Home address
  • Date of birth
  • Social security number
  • Banking information
  • Passport number
  • Etc.

Personal Data (any information relating to an identified or identifiable person):

  • Enrollment status
  • Grade level
  • Dates of attendance
  • Degrees, honors, and awards received
  • Location data
  • Photograph
  • Etc.

Sensitive Personal Data (special categories of personal data; some regulations, like GDPR, expand their scope to include these):

  • Biometrics data: Retinal scans, voice signatures, or facial geometry
  • Health information: Patient identification number or health records
  • Political opinions
  • Trade union membership
  • Sexual orientation and/or gender identity
  • Religious and/or philosophical beliefs
  • Ethnic origin and/or race

Privacy and Security Are Among the Top Concerns

Privacy and cybersecurity together are the #2 issue education institutions will be facing in 2023 based on EDUCAUSE’s recent report “Top 10 IT Issues, 2023: Foundation Models.”

The image contains a screenshot of EDUCAUSE's report.

Source: EDUCAUSE, 2022.

Privacy Policies Are Not Fully Understood

ECAR's 2019 survey of US students found that less than half of them believed they benefited from their institution's privacy and security policies, and even fewer students reported understanding how their institution used their personal data. *

The image contains two graphs showing that privacy policies are not fully understood. The left graph shows that 45% of students believed they benefited from their institution's privacy and security policies. The right graph shows that 44% of students understood how their institution used their personal data.
*ECAR, 2019.

Transparency and Communication Are Key

Case Study:

In March 2020, in response to a proposal to adopt facial recognition for security surveillance at UCLA, students from 36 campuses protested, in person and via online petitions, against the use of facial recognition systems. The pushback from students and the community led UCLA and about 50 other colleges and universities to promise not to use facial recognition technology on their campuses.*

*Kari Paul, "'Ban This Technology': Students Protest US Universities' Use of Facial Recognition," The Guardian, March 2, 2020.

Info-Tech Insight

To foster trust and cooperation, higher education institutions should communicate how and why they collect and use students' personal information.

True Cost of a Data Breach

An industry outlook

Even with a robust privacy program in place, organizations are still susceptible to a data breach. The benefit comes from reducing your risk of regulatory compliance issues and resulting fines and minimizing overall exposure.

86% of data breach costs are associated with REGULATORY fines

The image contains a screenshot of a pie graph that demonstrates an industry outlook.

Estimated cost of exposure by industry:

  • Healthcare*: $841.41
  • Government: $114.75
  • Financial Services: $188.05
  • Education: $207.75

* All fine estimates are based on an annual turnover of US$10 million and 1,000 lost records. Source: Proteus-Cyber, 2019.

Top challenges organizations face in building an effective privacy program

The struggle to get a comprehensive data protection and privacy program in place across an entire organization is one of the main challenges for data protection and privacy officers.

The image contains a screenshot of the Top Challenges to Achieving an Effective Data Protection and Privacy Program.

Info-Tech Insight

Creating a comprehensive, organization-wide data protection and privacy strategy continues to be a major challenge for privacy officers and privacy specialists.

Why Is Privacy Important for Higher Education Institutions?

  • Legal Obligations
    • Failure to comply with privacy laws and regulations can result in serious legal penalties, liability, fines, and other unpleasant consequences.
  • Reputation & Relationships
    • A data breach can seriously damage a school's reputation. Privacy violations, or even inappropriate privacy practices, can affect a school's relationships with parents, applicants, donors, alumni, and others.
  • Finances
    • Data breaches and privacy violations can lead to costly lawsuits, large damages payments, and costly and onerous legal requirements.
  • Time and Resources
    • A robust privacy program requires considerable investment in terms of time and resources, which are usually underestimated.
  • Student and Employee Wellbeing
    • Privacy protection violations or personal data leaks could cause serious harm to students, faculty, and employees economically, mentally, and sometimes physically.

Embed Privacy Into Data Lifecycle Protection

Two of the main tasks of personal data protection in the higher education sector are to identify high-risk personal information categories and to embed privacy-by-design principles into the data lifecycle.

Examples of high-risk personal information types

  • Biometrics
    • Fingerprints
    • Facial geometry
    • Voice signature
  • Healthcare information
    • Drugs taken
    • Special needs assessment
  • Scholarships
    • Ethnicity
    • Academic results
  • Financial
    • Bank account
  • Identity information
    • SSN
    • Passports
    • Driver’s license

The image contains a screenshot of the data lifecycle.

Info-Tech’s Privacy Program Methodology

The below image is a visual representation of Info-Tech’s Privacy Framework. This includes high-level governance items as well as more tactically defined areas. See an overview below.

The image contains a screenshot of Info-Tech's Privacy Program Methodology.

Info-Tech’s methodology for building a privacy program

Phase 1: Collect Privacy Requirements

Phase Action Items

  1. Define and document drivers
  2. Establish privacy governance structure
  3. Build a privacy RACI chart
  4. Define personal data scope
  5. Build a risk map

Phase Outcomes

  • Documented business and IT drivers for the privacy program
  • High-level understanding of how privacy is perceived in the organization
  • Completed Data Privacy Program RACI Chart

Phase 2: Conduct a Privacy Gap Analysis

Phase Action Items

  1. Complete the Data Process Mapping Tool
  2. Compare compliance and regulatory requirements with gap analysis
  3. Assess and categorize privacy gap initiatives

Phase Outcomes

  • Data Process Mapping Tool detailing all business processes that involve personal data
  • Privacy maturity ranking (Privacy Framework Tool)
  • Identification of compliance or regulatory privacy gaps

Phase 3: Build the Privacy Roadmap

Phase Action Items

  1. Finalize privacy gap initiatives
  2. Prioritize initiatives based on cost, effort, risk, and business value
  3. Set firm dates for launch and execution of privacy initiatives
  4. Assign ownership for initiatives

Phase Outcomes

  • Completed Privacy Framework Tool
  • Completed privacy roadmap, including timeline for initiative implementation, and cost/benefit vs. value/risk assessment

Phase 4: Implement and Operationalize

Phase Action Items

  1. Establish a set of metrics for the data privacy program
  2. Operationalize metrics
  3. Set checkpoints to drive continuous improvement

Phase Outcomes

  • Customized set of privacy metrics
  • Tasks to operationalize privacy metrics
  • Data Privacy Report document
  • Performance monitoring scheduled checkpoints

Insight summary

Overarching insight

Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions. Privacy-by-design principles should be embedded into the business processes and data lifecycle to protect valuable personal data for students and faculty.

Fit privacy to the business.

Contextualize privacy for your organization by involving the business units from day one; collect requirements that promote cross-collaboration.

Privacy is dynamic.

Structure drives success: take a process vs. system-based approach to assessing personal data as it flows throughout the organization.

Prioritize and plan together.

Review, revise, reprioritize; come back to the initial risk map created. Draw on areas of alignment between high-value/high-risk processes and their supporting initiatives to properly prioritize.

Make it operational.

Be selective with your metrics: choose to implement only metrics that are relevant to your environment. Base your selection on the highlighted areas of focus from the maturity assessment.

Privacy doesn’t live in isolation.

By assigning ownership and flexibility to your business units in how they weave privacy into their day-to-day, privacy becomes part of operational design and structure.

A good privacy program takes time.

Leverage the iterative process embedded in each phase to prioritize privacy initiatives based on value and risk, and support the rollout through customized metrics.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Privacy Program RACI Chart

A high-level list of privacy program initiatives, with assigned ownership to privacy champions from both the business and IT.

Data Process Mapping Tool

Full documentation of all business processes that leverage personal data within the organization.

Data Protection Impact Assessment

When highly sensitive data is involved, leverage this tool to assess whether appropriate mitigating measures are in place.

Data Privacy Program Report

A template that highlights the key privacy metrics identified in Phase 4 for the senior leadership team.

Privacy Policy Templates

Internal and external policies around:

  • Privacy Notice – Higher Education
  • Data Processing Agreement
  • Data Breach Handling Process
  • Data Retention Policy

Key deliverable:

Privacy Framework/ Business Unit Framework Tools

Leverage best-practice privacy tactics to assess your current organizational privacy maturity while comparing against current privacy frameworks, including GDPR, CCPA, HIPAA, and NIST.

Build your gap-closing initiative roadmap and work through cost/effort analysis.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

Phase 1

Call #1: Scope requirements, drivers, objectives, and challenges.

Call #2: Build out privacy ownership using the RACI chart.

Phase 2

Call #3: Review results of data process mapping business unit interviews.

Call #4: Delve into the Privacy Framework Tool to identify and evaluate gaps.

Phase 3

Call #5: Determine cost and effort ratio of gap initiatives.

Call #6: Build out additional privacy collateral (notice, policy, etc.).

Phase 4

Call #7: Review standard privacy metrics and customize for your organization.

Call #8: Establish and document performance monitoring schedule.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 and 12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Day 1: Collect Privacy Requirements

Activities

  1.1 Define and document program drivers
  1.2 Establish privacy governance structure and define scope
  1.3 Build the data privacy RACI chart
  1.4 Build the risk map

Deliverables

  1. Business context and drivers behind privacy program
  2. Data privacy RACI chart

Day 2: Conduct a Privacy Gap Analysis

Activities

  2.1 Conduct interviews and complete Data Process Mapping Tool
  2.2 Compare compliance and regulatory requirements with current privacy practices of the organization
  2.3 Identify gap areas
  2.4 Review the DPIA process and identify whether threshold assessment or full DPIA is required

Deliverables

  1. Data Process Mapping Tool draft
  2. Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards
  3. Optional: Walk-through of DPIA tool

Day 3: Build the Privacy Roadmap

Activities

  3.1 Complete business unit gap analysis; consolidate inputs from Day 2 interviews
  3.2 Apply variables to privacy initiatives
  3.3 Create a visual privacy roadmap
  3.4 Define and refine the effort map; validate costing and resourcing

Deliverables

  1. Privacy Framework Tool
  2. Data privacy roadmap and prioritized set of initiatives

Day 4: Implement and Operationalize

Activities

  4.1 Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program
  4.2 Operationalize metrics
  4.3 Input all outputs from Days 1-3 into the Data Privacy Report
  4.4 Summarize and build an executive presentation
  4.5 Set checkpoints and drive continuous improvement

Deliverables

  1. Completed data privacy roadmap
  2. Completed Data Process Mapping Tool
  3. Review of any outstanding privacy collateral (Privacy Notice, Data Protection Policy, etc.)
  4. Data Privacy Program Report document

Day 5: Next Steps and Wrap-Up (offsite)

Activities

  5.1 Consolidate and schedule any outstanding business unit interviews
  5.2 Complete in-progress deliverables from previous four days
  5.3 Set up review time for workshop deliverables to discuss next steps

Phase 1

Collect Privacy Requirements

Phase 1 Phase 2 Phase 3 Phase 4

1.1 Define and Document Drivers

1.2 Establish Privacy Governance Structure

1.3 Build Privacy RACI

1.4.1 Define Personal Data Scope

1.4.2 Build Risk Map

2.1 Complete Data Process Mapping Tool

2.2 Compare Compliance and Regulatory Requirements for Gap Analysis

2.3 Analyze the Risk of Data Breaches

2.4 Conduct DPIA Threshold Assessment

3.1 Complete Business Unit Gap Analysis

3.2 Develop Cost Estimates

3.3 Define Alignment and Privacy Risk

3.4.1 Apply Variables to Privacy Initiatives

3.4.2 Assign Cost and Effort Values

3.5 Create a Visual Map

3.6.1 Define the Effort Map

3.6.2 Refine the Effort Map

3.7 Create the Visual Roadmap

3.8 Revise Cost and Effort Table

4.1 Establish Metrics

4.2 Operationalize Metrics

4.3 Set Checkpoints and Drive Continuous Improvement

This phase will walk you through the following activities:

  • Identify the driving forces behind the privacy program
  • Understand privacy governance
  • Assign ownership of privacy

This phase involves the following participants:

  • Privacy officer/privacy team
  • Senior management representation (optional)
  • Relevant business unit privacy champions
  • InfoSec representative
  • IT representative

1.1 Define and document the data privacy program drivers

1 hour

  1. Bring together relevant stakeholders from the organization. This can include Legal, HR, and Privacy teams, as well as others who handle personal data regularly (Marketing, IT, Sales, etc.).
  2. Using sticky notes, have each stakeholder write one driver for the privacy program.
    1. These may vary from concerns about customers to the push of regulatory obligations.
  3. Collect these and group together similar themes as they arise. Discuss with the group what is being put on the list, and clarify any unusual or unclear drivers.
  4. Determine the priority of the drivers. While they are all undoubtedly important, it will be crucial to understand which are critical to the organization and need to be dealt with right away.
    1. For most, any obligation relating to an external regulation will become top priority. Noncompliance can result in serious fines and reputational damage as well.
  5. Review the final priority of the drivers and confirm current status.

Input

  • Optional: Ask core team members to brainstorm a list of key privacy program drivers and objectives

Output

  • Documented list of privacy program drivers
  • Documented list of privacy objectives
  • Level-setting on understanding of privacy from core team

Materials

  • Whiteboard/flip charts
  • Sticky notes
  • Pen/marker

Participants

  • Privacy officer
  • Senior management team
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Privacy by design is no longer a "nice to have"

Integrate the key principles behind privacy by design to embed privacy in the operations of the organization and minimize business disruption.

  1. Proactive, not reactive. Preventative, not remedial.
  2. Privacy as the default setting.
  3. Privacy embedded into design.
  4. Full functionality; positive-sum not zero-sum.
  5. End-to-end security; full lifecycle protection.
  6. Visibility and transparency; keep it open.
  7. Respect for user-privacy; keep it user-centric.

Source: IPC Privacy by Design

Download this research

Get a head start on integrating data protection into the foundations of your projects and processes with Info-Tech's Demonstrate Data Protection by Design for IT research.

Determine the primary owners of the privacy program

The privacy program must include multiple stakeholders for it to be successful. It’s integral to assign clear lines of ownership to build and effectively manage the program. Without defined ownership, privacy initiatives can easily fall between the cracks, and issues may not be handled effectively.

Privacy Department

  • In the most privacy-mature organizations, a dedicated privacy function exists that heads up all privacy initiatives.
  • This does involve coordinating with all other relevant departments, but privacy is centrally managed by one group.

Legal, Compliance, Audit

  • In many organizations without a dedicated privacy team, it often falls to Legal, Compliance, and/or Audit to take the privacy mantle.
  • Since many privacy programs are being driven by the increase of privacy regulations, these groups often become huge proponents of implementing privacy within the organization.

Human Resources

  • Occasionally the HR department will take on the privacy program.
  • This is the case for organizations that do not have a dedicated legal counsel and where most personal data held by the organization is that of the employees.

InfoSec or IT

  • Privacy can also be owned by the security team. Many still think of security and privacy as being the same thing, and it is not uncommon to conflate these two functions into one team.
  • However, it is worth noting again that these two are different and many privacy initiatives go beyond security controls.

Info-Tech Insight

If not already mandated by governing privacy laws, consider appointing a privacy officer to formalize privacy ownership in the organization.

Define the governance structure of the privacy program

A successful privacy program will be structured in a way that best fits the needs of your organization. Minimize disruption to ensure a successful adaptation and launch.

  1. Centralized
    • One central group manages the entire privacy program. They may direct other groups in terms of certain actions or initiatives, but privacy is centrally managed and reported on by one group.
    • This works well for large organizations to manage and track all privacy efforts, but it can become very bureaucratic.
  2. Decentralized
    • Privacy is distributed to the rest of the organization, often in the lower tiers. The expectation here is that there is a bottom-to-top discussion of privacy while allowing for a flatter structure.
    • This works well with highly privacy-aware employees who can make the correct decisions at their respective levels. However, it can be difficult to track compliance.
  3. Hybrid
    • Aspects of centralized and decentralized programs are combined to get the best of both structures; for example, one group or individual may track all privacy efforts in the organization, but each business unit can choose how to implement them. Another method is to have a designated privacy representative in each business unit.

Info-Tech Insight

While there may be one individual or group designated to manage the privacy program, privacy is everyone’s responsibility. Employees will have to perform the necessary actions such as limiting their personal data collection or anonymizing data. The success of the program will rely on everyone understanding how to put privacy first.

Evaluate a centralized governance model

This is an example of a centralized organizational structure for managing privacy. In this case, there is a dedicated privacy team that directs all the other departments in terms of their personal data management.

The centralized model is a more traditional structure for privacy in the organization, and it promotes the idea that one group is entirely accountable for the proliferation of privacy within the organization. This structure requires regular reporting and communication between the different groups.

The image contains a screenshot of a centralized governance model.

Advantages

  • Central tracking of privacy initiatives and adherence leads to better compliance tracking.
  • The creation of a dedicated privacy team usually indicates leadership support for the program.

Disadvantages

  • Accountability may be lacking with the other groups, as they may perceive that the privacy team handles everything privacy related.
  • It may be difficult to find dedicated privacy professionals to fill an entire team.
  • This structure can lead to bureaucracy that slows down response time to certain privacy issues.

Evaluate a decentralized governance model

In a decentralized model, we see that it is up to each department to create and form its own respective privacy practices. This can be done with the help of assigned privacy champions within each group. These individuals work with their own teams to integrate privacy within their business processes.

The image contains a screenshot of a decentralized governance model.

Advantages

  • Privacy reps will provide the expertise of their department or business unit while integrating privacy more seamlessly.
  • This allows for better change management within the business, as privacy changes are initiated by a peer instead of an outside group.
  • A decentralized structure often works best for organizations with little to no need for regulatory tracking.

Disadvantages

  • The lack of centralized tracking and reporting on privacy can quickly lead to the inability to demonstrate regular adherence.
  • Differing views on what privacy means for each group can result in inconsistent processes and standards.

Evaluate a hybrid governance model

These days, many privacy-mature organizations lean toward a privacy center of excellence. This hybrid method combines the best of both centralized and decentralized structures:

  • Centralized privacy for tracking and reporting purposes.
  • Business unit privacy champions assigned to draw ownership and buy-in from the business units.

The privacy champions from each business unit report to the central privacy unit, eliminating the need to hire multiple privacy-specific individuals within the central team.

The image contains a screenshot of a hybrid governance model.

Advantages

  • The hybrid structure combines many of the benefits of the centralized and decentralized governance models.

Disadvantages

  • Like a decentralized approach, each group may respond to privacy in its own way. However, the center of excellence will assist in ensuring some standardization.

Organizations that identify as having adopted a hybrid privacy governance model report shorter sales delays (4.6 weeks) when compared against organizations that employ either a fully centralized (9.8 weeks) or decentralized model (7.1 weeks).

Source: Cisco, 2018

1.2 Right-size your privacy governance structure

1 hour

Consider the following when building out your privacy organizational structure.

  1. Determine where ownership of the privacy program will be.
    1. Common choices are a dedicated privacy team or the legal, information security, and/or HR departments.
    2. Decide whether a privacy officer is necessary in your organization – some regulations recommend it.
  2. Review your current organizational structure to decide which model would be best for your privacy practices: centralized, distributed, or hybrid.
    1. Review the previous examples for how this could be structured. Be mindful that you can set up this structure based on your own unique requirements, for example, two different groups can share ownership of the entire privacy program.
  3. Select and document the appropriate governance structure. Make note of significant changes that will need to occur to facilitate implementation of the governance structure.
Input
  • Privacy governance structure models
Output
  • Future privacy governance structure
  • Initial understanding of privacy program ownership within the business context of the organization
Materials
  • Whiteboard/flip charts
  • Pen/marker
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Info-Tech Best Practice

There is no single perfect governance structure that works for all organizations. Look at your current organizational and governance setup and see which structure fits best. Ask yourself:

Are we already set up in a centralized, distributed, or hybrid structure? Are we looking to implement privacy with new resources or existing employees? What model works best for us to meet our compliance needs?

1.3 Build out the data privacy RACI chart

30-60 minutes

  1. Among your team, level-set and discuss what each of the letters within the RACI chart schema means in the context of your organization.
  2. Work through the actions documented in column B of the Data Privacy Program RACI Chart.
  3. Validate. Review your outputs for each of the Action rows in column C and onward. Does overlap exist between various roles? Do dependencies exist? Will any of the assigned RACI values change with the implementation of the privacy program?
  4. Document any notes or amendments made in columns adjacent to the role columns.
The image contains a screenshot of the RACI chart.

Download the Data Privacy Program RACI Chart

Input
  • Documented list of privacy program drivers
  • Documented list of privacy objectives
  • Data Privacy Program RACI Chart
Output
  • Ownership assigned to privacy-related tasks within the organization
  • Completed privacy RACI document
Materials
  • Laptop
  • Whiteboard (optional)
  • Pen/markers (optional)
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

1.4.1 Define the extent of your personal data scope

1 hour

  1. Divide into groups and give each group member a handful of sticky notes.
  2. Ask them to write down as many business units or functional groups as possible that process (collect, record, use, disseminate, etc.) personal data within the organization.
  3. Collect each group’s responses and discuss whether the business unit is a data controller, a data processor, or both.
    1. Focus on whether the business unit decides the purpose of processing the data or if an external party determines the purpose of processing.
    2. Use blue for data controllers and yellow for data processors. If a business unit is both a data controller and a data processor, write the business unit on both a blue and a yellow sticky note.
  4. Discuss and aggregate all responses into a final document, listing what is in scope of your privacy program and what is out of scope.
Input
  • Drivers/outputs from activity 1.1
  • Solicited input from both IT/InfoSec and business units
Output
  • High-level list of business processes categorized by data risk
  • List of business processes coordinated by the organization
  • List of business processes coordinated by a third-party organization (vendor)
Materials
  • Whiteboard/flip charts
  • Sticky notes
  • Pen/marker
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

1.4.2 Build your risk map

1 hour

  1. Review the data “processed” by data controllers and data processors identified in activity 1.4.1. Identify the relative sensitivity of data these units process.
  2. With input from your subject matter experts (SMEs) and IT leaders, organize the business units (BUs) according to the volume of data in their operations.
  3. Discuss the overall risk map to prioritize privacy initiatives.
  4. Record for future reference.

The image contains a screenshot of a risk map.

Input
  • Outputs identified in activity 1.4.1
  • Business unit leaders’ and champions’ understanding (high-level) of processes that involve personal data
Output
  • Prioritization of business units for each privacy program activity
Materials
  • Whiteboard/flip charts
  • Sticky notes
  • Pen/whiteboard markers
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Info-Tech Insight

Bake a quantitative element of risk analysis into the privacy framework as you create it, to take away some of the guesswork when it comes to prioritizing initiatives and creating your roadmap in Phase 3. Compare and contrast the perspective of your core IT or privacy team with that of the business units when assigning a volume and risk ranking to each business process.

Phase 2

Conduct a Privacy Gap Analysis

Phase 1
  • 1.1 Define and Document Drivers
  • 1.2 Establish Privacy Governance Structure
  • 1.3 Build Privacy RACI
  • 1.4.1 Define Personal Data Scope
  • 1.4.2 Build Risk Map

Phase 2
  • 2.1 Complete Data Process Mapping Tool
  • 2.2 Compare Compliance and Regulatory Requirements for Gap Analysis
  • 2.3 Analyze the Risk of Data Breaches
  • 2.4 Conduct DPIA Threshold Assessment

Phase 3
  • 3.1 Complete Business Unit Gap Analysis
  • 3.2 Develop Cost Estimates
  • 3.3 Define Alignment and Privacy Risk
  • 3.4.1 Apply Variables to Privacy Initiatives
  • 3.4.2 Assign Cost and Effort Values
  • 3.5 Create a Visual Map
  • 3.6.1 Define the Effort Map
  • 3.6.2 Refine the Effort Map
  • 3.7 Create the Visual Roadmap
  • 3.8 Revise Cost and Effort Table

Phase 4
  • 4.1 Establish Metrics
  • 4.2 Operationalize Metrics
  • 4.3 Set Checkpoints and Drive Continuous Improvement

This phase will walk you through the following activities:

  • Understand the methodology behind the Data Process Mapping Tool
  • Assess risks and map out your data breach response process
  • Work through the threshold assessment and DPIA process

This phase involves the following participants:

  • Privacy officer
  • Core privacy team
  • Relevant business unit privacy champions
  • InfoSec representative (optional)
  • IT representative (optional)

Understand the role of the Data Process Mapping Tool

  1. Inventories personal data by business process
  2. Identifies gaps in the organization's data processing activities, highlighting data processing activities with a high degree of risk due to:
    • Retention periods
    • Sensitivity of data stored
    • Vendor agreements
    • Documentation of procedures around processing activities
  3. Fulfills regulatory needs (e.g. GDPR) by recording:
    • Name and contact details of the processor, controller, and where applicable, the privacy officer
    • Categories of processing carried out on behalf of the controller
    • Purposes of processing
    • Categories of data subjects and personal data
    • Sensitivity level of personal data
    • Categories of recipients to whom data are or will be disclosed (includes third countries)
    • Retention periods (if possible)
    • Overview of third-country data transfers
    • Technical and organizational security measures

The image contains screenshots of the Data Process Mapping Tool.

  • The Data Process Mapping Tool closely resembles the Record of Processing register, which is required under Article 30 of the GDPR.
    • The Record of Processing takes a dynamic and comprehensive approach to mapping data’s flow throughout an organization. It acts as a document that demonstrates an organization’s accountability and awareness of how personal data is leveraged.
  • This document inventories the full set of processes in which personal data is collected and processed by the organization.
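As an added illustration (not part of the Data Process Mapping Tool or any other Info-Tech material), the register entry below carries the Article 30 fields listed above and checks an entry for both kinds of finding the tool is meant to expose: fields left empty, and the four high-risk indicators named above (retention periods, sensitivity of data stored, vendor agreements, documentation of procedures). The field names, the low/medium/high sensitivity labels and the two higher-education sample entries are constructed for the example.

```python
"""Record-of-processing register check.

Added example, not Info-Tech's Data Process Mapping Tool. Each entry carries
the register fields the page lists (GDPR Article 30); find_gaps() reports
empty fields and risk_indicators() reports the page's four high-risk
indicators. Field names, the sensitivity scale and the sample entries are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessingRecord:
    process: str                        # business process name
    controller: str                     # name/contact details of the controller
    processor: Optional[str]            # vendor acting as processor, None if in-house
    purposes: List[str]                 # purposes of processing
    data_subjects: List[str]            # categories of data subjects
    data_categories: List[str]          # categories of personal data
    sensitivity: str                    # "low" | "medium" | "high" (assumed scale)
    recipients: List[str]               # categories of recipients, incl. third countries
    third_country_transfers: List[str]  # overview of transfers outside the jurisdiction
    retention_period: Optional[str]     # None when no retention period is defined
    security_measures: List[str]        # technical and organizational measures
    vendor_agreement_on_file: bool      # data processing agreement documented
    procedure_documented: bool          # handling procedure written down


def find_gaps(rec: ProcessingRecord) -> List[str]:
    """Return the register fields that are empty for this entry."""
    gaps = []
    if not rec.purposes:
        gaps.append("purposes of processing")
    if not rec.data_subjects:
        gaps.append("categories of data subjects")
    if not rec.data_categories:
        gaps.append("categories of personal data")
    if not rec.recipients:
        gaps.append("categories of recipients")
    if rec.retention_period is None:
        gaps.append("retention period")
    if not rec.security_measures:
        gaps.append("technical and organizational security measures")
    return gaps


def risk_indicators(rec: ProcessingRecord) -> List[str]:
    """Return the page's four high-risk indicators that apply to this entry."""
    flags = []
    if rec.retention_period in (None, "indefinite"):
        flags.append("retention periods")
    if rec.sensitivity == "high":
        flags.append("sensitivity of data stored")
    if rec.processor is not None and not rec.vendor_agreement_on_file:
        flags.append("vendor agreements")
    if not rec.procedure_documented:
        flags.append("documentation of procedures")
    return flags


def is_high_risk(rec: ProcessingRecord) -> bool:
    return bool(risk_indicators(rec))


def high_risk_processes(register: List[ProcessingRecord]) -> List[str]:
    return [r.process for r in register if is_high_risk(r)]


# Constructed sample entries modelled on the page's higher-education examples.
SAMPLE_REGISTER = [
    ProcessingRecord(
        process="Physical access control (fingerprint readers)",
        controller="University Facilities (privacy@example.edu)",
        processor="Badge System Vendor Inc.",
        purposes=["campus security"],
        data_subjects=["students", "faculty"],
        data_categories=["fingerprint template", "photo", "name"],
        sensitivity="high",
        recipients=["campus security office", "badge system vendor"],
        third_country_transfers=["vendor cloud hosted outside jurisdiction"],
        retention_period=None,
        security_measures=["encrypted templates", "role-based access"],
        vendor_agreement_on_file=False,
        procedure_documented=False,
    ),
    ProcessingRecord(
        process="Course enrollment",
        controller="Registrar (privacy@example.edu)",
        processor=None,
        purposes=["student administration"],
        data_subjects=["students"],
        data_categories=["name", "student id", "course selections"],
        sensitivity="medium",
        recipients=["faculty"],
        third_country_transfers=[],
        retention_period="7 years after graduation",
        security_measures=["single sign-on", "access logging"],
        vendor_agreement_on_file=True,
        procedure_documented=True,
    ),
]

if __name__ == "__main__":
    for rec in SAMPLE_REGISTER:
        print(rec.process, "| gaps:", find_gaps(rec), "| risk:", risk_indicators(rec))
```

Running the script lists, per entry, the empty fields and the risk indicators; the fingerprint process is the only one that comes back as high risk, for all four reasons at once, which is the kind of entry the page says should go on to further analysis.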

Determine the appropriate level of granularity with your processing activities

Think about the major business processes that make up your operations and refine by the common set of personal data types within sub-processes.

The image contains a screenshot example of the processing activity as described in the text above.

2.1 Complete the Data Process Mapping Tool

1-1.5 hours per business unit interview

Data protection goes beyond understanding where data is stored and how the systems are protected. Use this activity to start defining activities that are involved in processing your data.

  1. Using the outputs from activities 1.4.1 and 1.4.2, group all business processes that touch personal data, based on their corresponding business function or unit.
  2. Identify a privacy champion for each business unit or the respective business unit leader.
  3. Schedule interviews with these individuals and review each of their business processes. Leverage the Data Process Mapping Tool to capture all elements of personal data included in the business processes.
  4. Validate responses with members of the core team following each interview.

Download Info-Tech's Data Process Mapping Tool.

Input
  • Outputs from activities 1.4.1 and 1.4.2
Output
  • Understanding of what data is involved in each business processing activity
  • Potential gap areas
Materials
  • Data Process Mapping Tool
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Info-Tech Insight

Compare and contrast the Data Process Mapping Tool with any previous documents collected, tailored to data kept in individual systems or applications, to gain a more robust understanding of how personal data interacts with organizational assets.

Examples of Personal Data Associated with Business Processes

Recruitment, Admission and Enrollment
  • Personal data types (examples): Personal information (name, grades, gender, age, school, application, financial information, family information, contact, etc.) of undergrad and graduate students
  • Purpose of processing: Student recruitment and enrollment
  • Data subject categories: New students and prospects

Instruction & Research
  • Personal data types (examples): Teaching-, learning-, and research-related personal information
  • Purpose of processing: Institutional operations
  • Data subject categories: Students and faculties

Graduation and advancement
  • Personal data types (examples): Transcripts, alumni relations, fundraising, etc.
  • Purpose of processing: Student service
  • Data subject categories: Students

Student administration and support
  • Personal data types (examples): Student progression, record maintenance, athletics-related information, career development, etc.
  • Purpose of processing: Student admin and support
  • Data subject categories: Students

Facilities & Property Mgmt.
  • Personal data types (examples): Physical access control information, photo, fingerprint, etc.
  • Purpose of processing: Campus security and maintenance
  • Data subject categories: Students and faculties

Finance Mgmt.
  • Personal data types (examples): Bank information, financial aid, etc.
  • Purpose of processing: Financial support for students
  • Data subject categories: Students

Human Resources
  • Personal data types (examples): Employee profile such as name, email, address, gender, age, contact, etc.
  • Purpose of processing: Employment management
  • Data subject categories: All employees

Review the Privacy Framework Tool

Leverage the 12 domains and subsequent privacy controls as you work to right-size Info-Tech’s Privacy Framework for your organization.

Domain – Definition

Governance – The overall governing of the privacy program, including the designation of a privacy officer/official, what constitutes personal and private data, and having a data classification scheme.

Regulatory Compliance – The mapping and tracking of regulatory obligations as they pertain to data privacy. Regulations have been one of the biggest drivers of privacy initiatives in recent years, and the ability to demonstrate compliance is essential.

Data Process and Handling – The documentation and process creation of how personal data is being collected and used – and for what purposes.

Incident Response – The plans outlining what actions need to take place in case of a data breach, including when to notify affected individuals and relevant authorities.

Privacy Risk Assessments – The building and use of assessments to determine how much privacy risk is associated with specific projects.

Notices and Consent – The use of notices to inform data subjects of how their information is being used, with processes built in to capture their consent to how their information is collected, shared, and/or used.

Data Subject Requests – The establishment of processes that allow data subjects to make requests to delete, modify, or gain access to their data. This can correspond with rights guaranteed by various regulations.

Privacy by Design – The integration of privacy into all operations, particularly within systems and applications, to ensure privacy is the default throughout the entire process.

Information Security – The use of security controls to protect personal data.

Third-Party Management – The management of the privacy risks that exist when working with external third parties, vendors, and other entities, as they may process or interact with the personal data the organization holds.

Awareness and Training – The use of training to ensure that employees are aware of their privacy responsibilities, including the handling and use of personal data.

Program Measurement – The active measurement of the entire privacy program to demonstrate successes and weaknesses within the larger program. Can be used to communicate the status of the program with other stakeholders.

The framework also contains mapping to major privacy regulations, including GDPR, CCPA, HIPAA, PIPEDA, and NIST Privacy Framework.

Info-Tech Insight

This best-practice framework will force you to reevaluate your current operations and understand how to integrate privacy. To gain the most benefits from your privacy program, review and understand which domains are most critical to your operations and which you will want to put the most focus on. This will ensure that this framework works for you and builds a privacy program around your organization’s specific requirements.

2.2 Compare compliance and regulatory requirements for gap analysis

2 hours

  1. On tab 2 of the Privacy Framework Tool, review each privacy control and determine the current organizational maturity based on the five-point CMMI scale below. Capture any relevant comments, as required:
    1. Initial/Ad hoc
    2. Developing
    3. Defined and Documented
    4. Managed and Measurable
    5. Optimized
  2. Define the target state using the same five-point scale.
    1. The target state will be heavily influenced by the requirements gathered in the earlier phase.
  3. Wherever there is a gap between the current and target state, document what initiative is needed to close the gap in column N.

Download the Privacy Framework Tool

Input
  • Knowledge of which privacy frameworks or laws apply to your organization
  • Understanding of compliance and/or relevant privacy law requirements
Output
  • Best-practice privacy controls mapped against organization’s current and target privacy controls
  • Existing gap areas
Materials
  • Privacy Framework Tool
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Perform a high-level gap analysis on your processing activities

Taking a top-down view of a processing activity can often expose gaps in the process.

In the example of an Email-Based Document Exchange process, personal data could be exposed during these sub-processes in red. Optimizing the process, via improved security, with the version in green would address these gaps.

The image contains a screenshot of the Email-Based Document Exchange.

Info-Tech Insight

Knowing is half the battle. Ensure high-level gaps identified via this method are risk-assessed. Add remediation initiatives in the Privacy Framework Tool to contribute toward your defensible compliance position.

Align incident management to relevant regulations

Language within privacy regulations is explicit in requiring notification of the supervisory authority and of data subjects in the event of a data breach.

  • A key component of a successful privacy program involves a well-developed set of incident response and management procedures.
  • Each privacy regulatory framework will establish its own timeframe when it comes to incident response procedures.
  • These same frameworks will also support the underlying procedures involved in incident management runbooks that are created, maintained, and updated on a regular basis by the InfoSec or IT teams.
  • Info-Tech recommends taking a “best-of-breed” approach in creating an effective incident management response plan:
    • Use relevant regulatory timeframes as a guideline.
    • Involve business unit privacy champions when creating the response plan.
    • Identify all interdependencies and map them out as a part of the validation process.

GDPR – Data subject notification

“In the case of a personal data breach, the controller shall notify without undue delay and, where feasible, not later than 72 hours. […] Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

(Source: General Data Protection Regulation)

CCPA/CPRA – Not defined

Unlike the GDPR, CCPA/CPRA does not define a timeframe for data breach reporting. However, should a breach or other data security incident occur “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices,” the business can be fined $100-$750 per individual incident, or the full cost of the damages incurred. The CPRA adds new standards for what constitutes a data breach.

(Source: California Consumer Protection Act)

PIPEDA – Breach of security safeguards

Following the occurrence of a breach, organizations must report any breaches in the prescribed form and manner as soon as feasible.

Understand the security incident management framework

For all incident runbooks, follow the same process: detection, analysis, containment, eradication, recovery, and post-incident activity.

PREPARE – Ensure the appropriate resources are available to best handle an incident.

DETECT – Leverage monitoring controls to actively detect threats.

ANALYZE – Distill real events from false positives.

CONTAIN – Isolate the threat before it can cause additional damage.

ERADICATE – Eliminate the threat from your operating environment.

RECOVER – Restore impacted systems to a normal state of operations.

POST-INCIDENT ACTIVITIES – Conduct a lessons-learned post-mortem analysis.

Process adapted from NIST SP 800-61 Rev. 2

Info-Tech Insight

Document each step of the incident lifecycle. A thorough, comprehensive record will assist in understanding the root cause, allow for faster remediation of any future reoccurrences of the incident, and support any legal escalation. Tracking the cost of work hours helps in determining the overall impact to the organization.

2.3 Analyze the risk of data breaches to your data subjects

30 minutes

Take a client-centric approach to incident management. Understand the risk that data breaches pose beyond your organization and use that understanding as an input to your revised incident response process. Leverage existing runbooks and revise them.

Identify each of the following. Validate with team members and document using incident management runbooks. Include data subject risk impact analysis as a step in your incident management runbooks.

  1. Type of breach
  2. Nature, severity, and volume of personal data
    • Combinations of data are more sensitive
    • Relevancy of situational sensitivity should be considered
  3. Ease of identification of individuals
  4. Severity of consequences for individuals
    • A trusted recipient does not negate that a breach has occurred
    • Are the resulting consequences permanent?
  5. Special characteristics of the individual
  6. Number of affected individuals
  7. Special characteristics of the data controller
Input
  • Understanding of incident management process
  • Current runbooks to leverage as a basis for activity
Output
  • Inputs for revised incident management runbooks
  • Understanding of impact of data breaches on your data subjects
Materials
  • Sticky notes
  • Markers
  • Whiteboard/chart paper
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)
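Putting the GDPR 72-hour window quoted above and the seven data-subject factors from activity 2.3 into one breach record, as an added example that is not Info-Tech's runbook or any regulator's tool: notification_status() checks the notification against a deadline measured from the moment the controller became aware of the breach and whether a late notification carries reasons for the delay; impact_rating() scores the factors, and deliberately gives no credit for a trusted recipient, as the activity notes. The 1-3 factor scales, the weights, the affected-count bands, the rating thresholds and the sample breach are assumptions, not values from the regulation or the page.

```python
"""Breach notification window and data-subject impact scoring.

Added example, not Info-Tech's runbook. Applies the GDPR 72-hour notification
window quoted on the page, counted from when the controller became aware of
the breach, and scores the seven data-subject risk factors of activity 2.3.
The 1-3 scales, weights, affected-count bands, thresholds and the sample
breach are all assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GDPR_NOTIFICATION_WINDOW = timedelta(hours=72)   # from the quoted Article 33 text


@dataclass
class BreachRecord:
    breach_type: str                  # 1. type of breach: confidentiality/integrity/availability
    aware_at: datetime                # when the controller became aware (timezone-aware)
    notified_at: Optional[datetime]   # supervisory authority notification, None if not yet sent
    delay_reasons: Optional[str]      # must accompany a notification made after the window
    data_sensitivity: int             # 2. nature/severity of the personal data, 1-3
    data_volume: int                  # 2. volume of personal data, 1-3
    identifiability: int              # 3. ease of identifying individuals, 1-3
    consequence_severity: int         # 4. severity of consequences for individuals, 1-3
    permanent_consequences: bool      # 4. are the resulting consequences permanent?
    vulnerable_individuals: bool      # 5. special characteristics of the individual
    affected_count: int               # 6. number of affected individuals
    trusted_recipient: bool           # recipient was trusted (does not negate the breach)


def notification_deadline(rec: BreachRecord) -> datetime:
    return rec.aware_at + GDPR_NOTIFICATION_WINDOW


def notification_status(rec: BreachRecord, now: Optional[datetime] = None) -> str:
    """Where the notification stands relative to the 72-hour window."""
    deadline = notification_deadline(rec)
    if rec.notified_at is None:
        now = now or datetime.now(timezone.utc)
        return "pending" if now <= deadline else "overdue"
    if rec.notified_at <= deadline:
        return "notified within 72 hours"
    if rec.delay_reasons:
        return "notified late, reasons for delay recorded"
    return "notified late, reasons for delay missing"


def affected_count_score(n: int) -> int:
    # Bands are assumptions; adjust to the institution's population sizes.
    if n < 100:
        return 1
    if n < 10_000:
        return 2
    return 3


def impact_score(rec: BreachRecord) -> int:
    score = (rec.data_sensitivity + rec.data_volume + rec.identifiability
             + rec.consequence_severity + affected_count_score(rec.affected_count))
    if rec.permanent_consequences:
        score += 2
    if rec.vulnerable_individuals:
        score += 2
    # No deduction for a trusted recipient: the page notes it does not negate
    # that a breach has occurred, so it is recorded but never lowers the score.
    return score


def impact_rating(rec: BreachRecord) -> str:
    s = impact_score(rec)
    if s >= 12:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


# Constructed sample: a fingerprint-template export sent to the wrong internal
# department; notified to the authority four days after awareness, no reasons given.
SAMPLE_BREACH = BreachRecord(
    breach_type="confidentiality",
    aware_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    notified_at=datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc),
    delay_reasons=None,
    data_sensitivity=3,
    data_volume=2,
    identifiability=3,
    consequence_severity=3,
    permanent_consequences=True,     # biometric templates cannot be re-issued
    vulnerable_individuals=False,
    affected_count=2500,
    trusted_recipient=True,
)

if __name__ == "__main__":
    print(notification_deadline(SAMPLE_BREACH).isoformat())
    print(notification_status(SAMPLE_BREACH))
    print(impact_score(SAMPLE_BREACH), impact_rating(SAMPLE_BREACH))
```

The sample lands in the "notified late, reasons for delay missing" state, which is the case the quoted GDPR text addresses: the notification itself is not invalid, but the runbook step that records the reasons for the delay was skipped, so the record is incomplete for regulatory purposes.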

Download this research: Develop and Implement a Security Incident Management Program

Define and uphold your post-incident record-keeping requirements

For regulatory purposes, it is crucial that a breach response process is developed and documented both prior to and following an incident. The post-incident record should capture:

  • Time to identify and time to resolve breach
  • Consequences of the breach
  • How the breach was remediated and the justified breach response
  • Employee training on process
  • What took place during the breach
  • What personal data was affected
  • Causes of the breach

Integrate incident response as a part of security operations

Incident response is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operation, and technology infrastructure on a daily basis.

Next-Gen Security Operations

Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.

Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.

Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data, but also provides visibility into your threat landscape.

Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

Know the “why” behind your processing activities

A good starting point for understanding the legitimacy of your reasons for data processing is the GDPR. Align your reasons for processing with one of its six lawful bases for data processing.

1. Consent
  • Permission to process for specific purposes.
  • Notice must be clearly distinguishable, intelligible, in plain language, and freely given.
  • Proof and documentation are required.
2. Performance of a Contract
  • Data subject must be a party to the contract and want to enter into the contract.
3. Legal Obligation
  • Narrow interpretation that applies to the legal obligation of European Union and member state laws only.
4. Vital Interests
  • The interest of the data subject or another natural person.
  • Interpreted as a necessity for survival and if no other basis of processing is available.
5. Public Interest or Official Authority
  • Determined by the member state.
  • E.g. administration of justice, tax collection, conducting a census
6. Legitimate Interest
  • Data subjects’ interest must be balanced with the controllers’ interest.
  • Data subjects must be informed of controllers’ legitimate interest.
Source: GDPR Article 4(2), 6

Align data classification to privacy law requirements

Organizations can use data discovery and classification as a method to understand their data environment.

1. Require data discovery & classification

Organizations that have existing data classification can leverage their previous effort to align the scheme to personal data.

  • The following slide details how your organization can adjust existing data classification tiers to align with personal data sensitivity.

Organizations that do NOT have existing data classification should create a tiered scheme that addresses all types of data (e.g. organizational and personal). Four steps of this project:

  • Formalize your program – determine the classification scheme
  • Discover the data – benefits and challenges of data
  • Classify the data – continuation of discovery
  • Plan for implementation – identify metrics

Align your data types based on data classification in the organization

The image contains a screenshot of a data classification triangle.

Download this research: Leverage Info-Tech’s research Discover and Classify Your Data

2. Have a sound understanding of your data environment

Validate and continue finalizing the Data Process Mapping Tool.

Define data classification in the context of your organization

Build out a data classification scheme that fits the operating and regulatory environment of your organization

What is data classification?

Data classification is the process of identifying and classifying data on the basis of sensitivity and the impact the information could have on the company if the data is breached. The classification initiative outlines proper handling procedures for the creation, use, storage, disclosure, and removal of data.

Why do we need it?

With the increase in data and digital advancements in communication and storage (e.g. cloud), it becomes a challenge for organizations to know what data exists and where data lives. A classification scheme must be properly implemented and socialized to help ensure appropriate security measures are applied to protect that data appropriately.

Types of data

Structured

  • Highly organized data, often in a relational, easily searchable database.
  • E.g. employee numbers stored in a spreadsheet

Unstructured

  • Data that is not predefined in format and content; the majority of data in most organizations.
  • E.g. free text, images, videos, audio files

Semi-structured

  • Information not in a traditional database but containing some organizational properties.
  • E.g. email, XML

Without data classification, an organization treats all information the same.

  • Sensitive data may have too little protection.
  • Less sensitive data may have too much protection.

Strategically classifying data will allow an organization to implement proper controls where necessary.

Further define risk using the Data Process Mapping Tool

Each of the business processes retained within the Data Process Mapping Tool contains an inherent level of risk based on the volume and sensitivity of data.

  • Pull the outputs from the initial risk-mapping activity as you work through populating the Data Process Mapping Tool.
  • Categorize each of the business processes based on where they fall within the quadrant, and populate column F within tabs 1 and 2 of the tool.
    • High / Medium / Low
  • Identify and make note of the number of processes that fall within each of the three categories. Track areas in which the majority of high vs. low risk processes exist and observe any trends.
  • For any processes that remain categorized as High, perform further analysis to validate the classification:
    • Internal Risk Assessment
    • Security Assessment
    • Info-Tech’s Data Protection Impact Assessment Tool
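The quadrant placement described in activity 1.4.2 and the High/Medium/Low categorization for column F above, as an added example that is not Info-Tech's tool: each business process gets a sensitivity and a volume ranking from both the core privacy/IT team and the business unit, the product of the two rankings maps to a band, processes where the two perspectives disagree are surfaced for discussion (as the Phase 1 insight recommends), band counts show where the high-risk processes cluster, and processes still in High are listed for the further analysis the bullets above call for. The 1-3 scale, the use of the product, the band cut-offs, the rule of keeping the more cautious score until the disagreement is resolved, and the sample processes are all assumptions.

```python
"""Privacy risk map: combining core-team and business-unit rankings.

Added example, not Info-Tech's tool. Each business process is ranked for
data sensitivity and data volume by two perspectives; the product of the two
rankings places the process in a High/Medium/Low band (the value recorded in
column F of the Data Process Mapping Tool). The 1-3 scale, the product, the
cut-offs, the "keep the more cautious score" rule and the sample processes
are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Ranking:
    sensitivity: str   # "low" | "medium" | "high"
    volume: str        # "low" | "medium" | "high"

    def score(self) -> int:
        # sensitivity x volume, so 1..9 on the assumed scale
        return SCALE[self.sensitivity] * SCALE[self.volume]


def band(score: int) -> str:
    """Map a 1..9 score to the High/Medium/Low categories (cut-offs assumed)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def combined_score(core: Ranking, bu: Ranking) -> int:
    # Keep the more cautious of the two perspectives until the disagreement
    # has been discussed and resolved.
    return max(core.score(), bu.score())


# process name -> (core team ranking, business unit ranking)
RiskInputs = Dict[str, Tuple[Ranking, Ranking]]


def build_risk_map(inputs: RiskInputs) -> Dict[str, str]:
    """Band for every process, in input order."""
    return {name: band(combined_score(core, bu)) for name, (core, bu) in inputs.items()}


def disagreements(inputs: RiskInputs) -> List[str]:
    """Processes the core team and the business unit rank differently."""
    return [name for name, (core, bu) in inputs.items() if core.score() != bu.score()]


def band_counts(risk_map: Dict[str, str]) -> Dict[str, int]:
    """How many processes fall into each band, for spotting trends."""
    return dict(Counter(risk_map.values()))


def needs_further_analysis(risk_map: Dict[str, str]) -> List[str]:
    """Processes left in High go on to internal/security assessment or a DPIA."""
    return [name for name, b in risk_map.items() if b == "High"]


# Constructed sample rankings for a few higher-education processes.
SAMPLE_INPUTS: RiskInputs = {
    "Recruitment and enrollment": (Ranking("medium", "high"), Ranking("medium", "high")),
    "Physical access control (fingerprint)": (Ranking("high", "medium"), Ranking("low", "medium")),
    "Alumni fundraising": (Ranking("low", "medium"), Ranking("medium", "medium")),
    "Campus maintenance requests": (Ranking("low", "low"), Ranking("low", "low")),
}

if __name__ == "__main__":
    risk_map = build_risk_map(SAMPLE_INPUTS)
    for name, b in risk_map.items():
        print(f"{b:6} {name}")
    print("discuss:", disagreements(SAMPLE_INPUTS))
    print("counts:", band_counts(risk_map))
    print("further analysis:", needs_further_analysis(risk_map))
```

In the sample, the fingerprint process is the one worth the workshop's attention: the business unit ranks its sensitivity low while the core team ranks it high, and only the "more cautious score" rule keeps it in the High band until that gap is discussed.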

2.4 Complete the DPIA threshold assessment for high-risk business processes

1-2 hours

A data protection impact assessment is used to assess how much private data will be affected by planned processing activities. A DPIA helps ensure that data-processing activities are both compliant with data protection regulations and that data processors are cognizant of the risks surrounding the processing of personal data.

  1. For all identified high-risk processing activities, work through the dynamic questionnaire.
  2. Complete one threshold assessment per activity.
  3. Based on the recommendation and risk score, move to complete the DPIA on a per-activity basis.
  4. Complete either a Lite or Full version of the DPIA, based on the nature of the process.
  5. Involve the process owner (Project Owner) and a third-party stakeholder (Project Reviewer).
  6. Refer to the results report (tab 4) to review each of the priority processes and subsequent next steps toward compliance.

Download Info-Tech’s DPIA tool

Input
  • Outputs identified in activity 1.4.2
Output
  • Analysis of high-risk business processes
  • Understanding of impact of data involved in processing activities
Materials
  • Data Protection Impact Assessment Tool
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Leverage Info-Tech’s security framework to document your security controls

A Best-of-Breed Information Security Framework

INFO-TECH’S SECURITY FRAMEWORK

  • ISO 27000 series
    • Comprehensive standard providing best practices associated with each control
  • CIS – Critical Security Controls
    • A concise list of 20 controls and sub-controls for actionable cyber defense
  • COBIT 5
    • A process and principle structured security best-practice framework
  • NIST SP800-53
    • Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations

Info-Tech’s information security framework and maturity model methodology

In general, organizations are required or expected to implement appropriate risk-based technical and organizational measures to ensure the ongoing confidentiality, integrity, and availability of personal data.

  • The controller and the processor shall provide
    • Appropriate technical and organizational measures
  • To ensure
    • A level of security appropriate to the risk
  • Taking into account
    • The state of the art
    • Costs of implementation
    • The nature, scope, context, purposes of processing

The image contains a screenshot of the framework and methodology as described in the above text.

Info-Tech Insight

A best-of-breed approach ensures holistic coverage of your information security program while maturing from reactive to strategic information security management.

Phase 3

Build the Privacy Roadmap

Phase 1
  • 1.1 Define and Document Drivers
  • 1.2 Establish Privacy Governance Structure
  • 1.3 Build Privacy RACI
  • 1.4.1 Define Personal Data Scope
  • 1.4.2 Build Risk Map

Phase 2
  • 2.1 Complete Data Process Mapping Tool
  • 2.2 Compare Compliance and Regulatory Requirements for Gap Analysis
  • 2.3 Analyze the Risk of Data Breaches
  • 2.4 Conduct DPIA Threshold Assessment

Phase 3
  • 3.1 Complete Business Unit Gap Analysis
  • 3.2 Develop Cost Estimates
  • 3.3 Define Alignment and Privacy Risk
  • 3.4.1 Apply Variables to Privacy Initiatives
  • 3.4.2 Assign Cost and Effort Values
  • 3.5 Create a Visual Map
  • 3.6.1 Define the Effort Map
  • 3.6.2 Refine the Effort Map
  • 3.7 Create the Visual Roadmap
  • 3.8 Revise Cost and Effort Table

Phase 4
  • 4.1 Establish Metrics
  • 4.2 Operationalize Metrics
  • 4.3 Set Checkpoints and Drive Continuous Improvement

This phase will walk you through the following activities:

  • Identify where high-priority gaps exist in current privacy practices
  • Tie cost, effort, risk, and alignment values to each of the relevant privacy gap-closing initiatives
  • Further refine resourcing estimates

This phase involves the following participants:

  • Privacy officer
  • Core privacy team
  • Select business unit privacy champions
  • InfoSec representative (optional)
  • IT representative (optional)

3.1 Complete the privacy gap analysis exercise for individual business units

1-1.5 hours per business unit

After you’ve identified each of the key gap areas within your organization’s current privacy framework and supporting processes, walk business unit privacy champions through the maturity gap analysis (tab 2) for the following four areas:

  • Data Processing and Handling
  • Data Subject Requests
  • Privacy by Design
  • Notices and Consent

  1. Provide each business unit with a copy of the Privacy Analysis by Business Unit Tool.
  2. Fill out this tool using the same approach used for the larger framework.
  3. After completion, meet with the privacy champion from each business unit to discuss results. Compare maturity gaps with those of the overall Privacy Framework Tool.
  4. Identify which of the four areas and supporting controls had significantly different privacy gaps and gap-closing initiatives.
  5. Include all the supporting initiatives as part of tab 4 in the overall Privacy Framework Tool.

Download Info-Tech’s Privacy Analysis by Business Unit Tool

Input
  • Level-setting meeting with each of the business unit privacy champions
Output
  • Analysis of privacy gaps on a business-unit level
  • Additional privacy gaps present on an organizational level
Materials
  • Privacy Analysis by Business Unit Tool
  • Privacy Framework Tool
Participants
  • Privacy officer
  • Core privacy team
  • Relevant business unit privacy champions

3.2 Develop cost estimates for privacy initiative list

1 hour

  1. Leverage the full list of privacy initiatives, including any collected during activity 3.1.
  2. Look to Info-Tech’s industry standards (Manufacturing, Retail, Healthcare, Financial Services) as a guideline when you determine a range for the following input categories for your organization:
    • Initial Cost
      • The cost to implement the initiative, including the purchase of any new solutions or resources.
    • Ongoing Cost (Annual)
      • The ongoing cost to maintain the initiative, which can be in the form of subscription or maintenance fees.
      • This cost is often estimated at 20% of the initial cost.
    • Initial Staffing (Hours)
      • The number of hours of assigned resources needed to bring the initiative to completion.
    • Ongoing Staff in Hours (per week)
      • Any expected regular maintenance required after implementation (e.g. to monitor a privacy tracking solution or to respond to data subject requests).

Download Info-Tech’s Privacy Framework Tool

Input
  • Privacy Framework Tool (tab 2)
  • Privacy gap initiative outputs from activity 3.1
Output
  • Cost and resource scheme for organization
  • Input cost range to present to senior management with respect to privacy initiatives
Materials
  • Privacy Framework Tool (tab 4)
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

3.3 Define alignment and privacy risk for the org.

30 minutes

Continue standardizing variables, including “Alignment With Business” and “Privacy Risk Reduction.” On tab 4 of the Privacy Framework Tool, select “High,” “Medium,” or “Low” values for the following:

Alignment to Business

  • Identify which initiatives directly align with the organization’s senior leadership team goals.

Privacy Risk Reduction

  • This is a key variable in how you prioritize the initiatives.
  • Privacy risk can be viewed in many ways: risk posed to data subjects’ rights, the financial consequences associated with a risk, likelihood of a breach, or other relevant criteria.
  • The ways each organization looks at privacy risk will be different. Many will look at how a breach of privacy impacts the organization from a reputation or cost perspective, rather than through the rights of the data subject.

The image contains a screenshot of the Privacy Framework Tool, tab 4.

Input
  • Privacy Framework Tool (tab 2)
  • Privacy gap initiative outputs from activity 3.1
Output
  • Alignment and privacy risk scheme for organization
  • Input for prioritization of initiatives
Materials
  • Privacy Framework Tool (tab 4)
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

3.4.1 Apply variables to privacy initiatives

2 hours

Continue to build out the privacy initiative prioritization list on tab 4 of the Privacy Framework Tool by aligning bucket cost and benefit ranges based on your organization.

  1. Apply the cost and benefit variables to each of the initiatives.
  2. Copy and paste the initiatives from tab 2, Privacy Framework, into tab 4, Initiative Prioritization, under “Planned Initiatives.” If desired, consolidate similar initiatives into larger projects.
  3. Copy and paste any initiatives from the Privacy Analysis by Business Unit Tool here as well.
  4. For each initiative, assign its cost, effort, and benefit values. The tool combines all of the cost and staffing variables into an overall cost/effort rating on a scale from 1 to 12.
  5. Optional: Consider building an effort map using the cost/effort rating and the risk reduction benefit. This can be a useful exercise to visualize how your initiatives are distributed in terms of cost and benefit.

The image contains a screenshot of the Privacy Framework Tool, tab 4.

Input
  • Outputs from activities 3.2 and 3.3
  • Alignment and privacy risk scheme for organization
Output
  • Input for prioritization of initiatives
Materials
  • Privacy Framework Tool (tab 4)
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

3.4.2 Assign specific cost and effort values

1 hour

If you are aware of exact costs or efforts required for an initiative, you can enter it on the right side of the table on tab 4, Initiative Prioritization.

  1. When entering “High,” “Medium,” or “Low” values for cost and effort, you may know the specific cost instead of relying on the large estimation buckets; if so, enter it on the right side of the table.
    1. The blue cells automatically calculate what the initiative will cost from the “High,” “Medium,” or “Low” value and the multiplier you chose earlier.
    2. If you enter a specific cost or effort value in the white cells, your input overrides the estimate in the calculations.

Note: This will be useful in populating the “Cost and Effort Estimates Table” on tab 6. It will provide an overall estimate of costs and effort associated with implementing a privacy program. The more accurate the data you enter in the tool, the more accurate the final estimates will be.

The image contains a screenshot of the Cost and Effort Estimates Table.

Input
  • Outputs from activities 3.2, 3.3, and 3.4.1
Output
  • Specific cost estimates for privacy gap-closing initiatives
  • Specific resource allocation estimates for privacy gap-closing initiatives
Materials
  • Privacy Framework Tool (tab 4)
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

3.5 Create a visual effort map for your organization

1 hour

An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 4 in the Privacy Framework Tool.

  1. Establish the axes and colors for your effort map:
    1. X-axis represents the Privacy Benefit value from column J
    2. Y-axis represents the Cost/Effort value from column H
    3. Sticky note color is determined using the Alignment to Business value from column I
  2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
  3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

The image contains a screenshot of the visual effort map.

Input
  • Outputs from activities 3.4.1 and 3.4.2
Output
  • High-level prioritization for each of the privacy gap-closing initiatives
  • Visual representation of quantitative values
Materials
  • Privacy Framework Tool (tab 4)
  • Sticky notes
  • Markers
  • Whiteboard
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

3.6.1 Refine the effort map’s visual output

1 hour

Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

  1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives across all quadrants that are required by governing privacy law (GDPR, CCPA, HIPAA, etc.) and mark each one with a sticky dot.
  2. Document these initiatives as Execution Wave 1.

The image contains a screenshot of the refined visual effort map.

Input
  • Outputs from activity 3.5
Output
  • Prioritization for each of the privacy gap-closing initiatives
  • First execution wave of gap-closing initiatives
Materials
  • Privacy Framework Tool (tab 4)
  • Sticky notes
  • Sticky dots
  • Markers
  • Whiteboard
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

3.6.2 Refine the effort map’s visual output

30 minutes

  1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
  2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5 and 3.6.1.
    1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
    2. Leverage the following 0-4 Execution Wave scale:
      0. Underway – Initiatives that are already underway
      1. Must Do – Initiatives that must happen right away
      2. Should Do – Initiatives that should happen but need more time/support
      3. Could Do – Initiatives that are not a priority
      4. Won’t Do – Initiatives that likely won’t be carried out
  3. Indicate the granular level for each execution wave using the A-Z scale.
    1. Use the lettering to track dependencies between initiatives.
      1. If one must take place before another, ensure that its letter comes first alphabetically.
      2. If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.
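The wave and letter rules in steps 2 and 3 are easy to get wrong once there are more than a handful of sticky notes, so here is a small consistency check, written in Python as an added example for this page (it is not part of Info-Tech’s Privacy Framework Tool). The initiative names, the `mandatory` flag, the `depends_on` list and the constructed sample schedules are assumptions made for the illustration; the 0-4 wave scale and the A-Z lettering rules are the ones described above.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Execution Wave scale from the text: 0 Underway, 1 Must Do, 2 Should Do,
# 3 Could Do, 4 Won't Do.
WAVE_NAMES = {0: "Underway", 1: "Must Do", 2: "Should Do", 3: "Could Do", 4: "Won't Do"}


@dataclass
class Initiative:
    name: str
    wave: int                    # 0-4 execution wave
    letter: str                  # A-Z granular ordering within the wave
    mandatory: bool = False      # required by governing privacy law (sticky dot)
    depends_on: List[str] = field(default_factory=list)  # names that must finish first


def validate_waves(initiatives: List[Initiative]) -> List[str]:
    """Return human-readable violations; an empty list means the schedule is consistent."""
    by_name: Dict[str, Initiative] = {i.name: i for i in initiatives}
    problems: List[str] = []
    for item in initiatives:
        if item.wave not in WAVE_NAMES:
            problems.append(f"{item.name}: wave {item.wave} is outside the 0-4 scale")
            continue
        if not (len(item.letter) == 1 and "A" <= item.letter <= "Z"):
            problems.append(f"{item.name}: letter {item.letter!r} is not A-Z")
        # Legally required initiatives belong in Execution Wave 1.
        # Assumption: one that is already underway (wave 0) also satisfies this.
        if item.mandatory and item.wave > 1:
            problems.append(
                f"{item.name}: mandatory but placed in wave {item.wave} ({WAVE_NAMES[item.wave]})")
        for dep_name in item.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                problems.append(f"{item.name}: depends on unknown initiative {dep_name!r}")
                continue
            if dep.wave == 4:
                problems.append(f"{item.name}: depends on {dep.name}, which is in the Won't Do wave")
                continue
            # A prerequisite must sit in an earlier wave, or in the same wave with an
            # earlier letter. The same letter means "in tandem", which is not "before".
            if (dep.wave, dep.letter) >= (item.wave, item.letter):
                problems.append(
                    f"{item.name} ({item.wave}{item.letter}) must come after "
                    f"{dep.name} ({dep.wave}{dep.letter})")
    return problems


def execution_order(initiatives: List[Initiative]) -> List[str]:
    """Initiative names sorted by (wave, letter); same wave and letter run in tandem."""
    return [i.name for i in sorted(initiatives, key=lambda i: (i.wave, i.letter))]


# Constructed sample schedule (not from the page): consistent as written.
SAMPLE = [
    Initiative("Publish privacy notice", 1, "A", mandatory=True),
    Initiative("Data retention schedule", 1, "B", mandatory=True,
               depends_on=["Publish privacy notice"]),
    Initiative("DPIA process", 2, "A", depends_on=["Data retention schedule"]),
    Initiative("Vendor DPA review", 2, "A"),            # in tandem with DPIA process
    Initiative("Consent management platform", 3, "A",
               depends_on=["Publish privacy notice"]),
]

# The same schedule with three deliberate mistakes for the check to catch.
BROKEN = SAMPLE + [
    Initiative("Breach notification runbook", 2, "B", mandatory=True),      # mandatory, wrong wave
    Initiative("Metrics dashboard", 1, "A", depends_on=["DPIA process"]),   # prerequisite is later
    Initiative("Archive migration", 2, "C", depends_on=["Legacy archive cleanup"]),
    Initiative("Legacy archive cleanup", 4, "A"),                           # Won't Do prerequisite
]

if __name__ == "__main__":
    print("order:", execution_order(SAMPLE))
    for problem in validate_waves(BROKEN):
        print("problem:", problem)
```

Run it against your own sticky-note board after activity 3.6.2: every message in the returned list points at a note that has to move before the waves go into the Gantt chart in activity 3.7.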

The image contains a screenshot example of the activity described in the text above.

Input
  • Outputs from activity 3.6.1
Output
  • Prioritization for each of the privacy gap-closing initiatives
  • First execution wave of gap-closing initiatives
Materials
  • Privacy Framework Tool (tab 4)
  • Sticky notes
  • Sticky dots
  • Markers
  • Whiteboard
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

3.7 Create the visual roadmap

1 hour

If enough information around current and immediate future project resourcing is available, use the Gantt chart in tab 5 to document the exact start and end times of each initiative. This may be difficult to do immediately after prioritization, as there may be many considerations as to where these projects fit alongside existing action plans and strategies.

  1. Work with team members to first identify start dates for mandatory privacy initiatives (governed by privacy law).
  2. Refer to cost and effort estimates provided in tab 4 as you begin to populate start and end dates for each individual privacy initiative. Work in sequential order based on assigned Execution Waves.
  3. Assign ownership to each initiative. Ensure that each assigned owner is provided with relevant documentation to keep track of initiative (project) progress.

The image contains a screenshot of the visual roadmap.

Input
  • Outputs from activity 3.6.2
Output
  • Start and end dates for privacy initiatives
  • Staffing resource ownership for privacy initiatives
  • Gantt chart version of the privacy initiative roadmap
Materials
  • Privacy Framework Tool (tab 5)
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

3.8 Revise and assess the cost and effort table

30 minutes

  1. Refer to the Cost and Effort Table on tab 6. The table will populate with an estimate of your overall costs based on the data input into the Initiative Prioritization tab.
  2. Costs are broken out based on the execution waves with a full total tabulated at the bottom. For each of the waves, you will be able to see the total dollar cost and total effort requirement based on:
    1. The cost of initial implementation to establish the privacy program.
    2. The ongoing annual cost, describing the costs and effort required to maintain the program.
    3. A rough total of these costs over a specified number of years. The number of years can be changed on the initiative prioritization tab (tab 4).
  3. Based on the results, revise if necessary. Keep in mind that these totals will be the driving points put forward to the senior leadership team when sourcing resources for the privacy program.
  4. Document final total costs and total efforts for each execution wave within your executive presentation. Identify areas on which to focus to obtain buy-in from your senior management team.

* Bear in mind that these numbers are only estimates derived from the data entered earlier. The total may be higher than expected.
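To make the override behaviour in activity 3.4.2 and the per-wave totals in activity 3.8 concrete, here is an added Python model of the same calculation (example code, not the spreadsheet logic of Info-Tech’s Privacy Framework Tool). The amounts in `INITIAL_COST_BUCKET` and `INITIAL_HOURS_BUCKET` are assumed placeholders, since the tool’s own multipliers are not given on this page; the 20% ongoing-cost default comes from activity 3.2, and the sample initiatives are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed bucket estimates standing in for the tool's own multipliers, which the
# page does not give. Replace them with the ranges you chose in activity 3.2.
INITIAL_COST_BUCKET = {"High": 50_000.0, "Medium": 20_000.0, "Low": 5_000.0}
INITIAL_HOURS_BUCKET = {"High": 400.0, "Medium": 160.0, "Low": 40.0}
ONGOING_COST_RATIO = 0.20   # activity 3.2: ongoing annual cost is often estimated at 20% of initial
WEEKS_PER_YEAR = 52


@dataclass
class Initiative:
    name: str
    wave: int                       # execution wave from activity 3.6.2
    initial_cost: str               # "High" / "Medium" / "Low" bucket (blue cells)
    initial_hours: str              # "High" / "Medium" / "Low" bucket (blue cells)
    ongoing_hours_per_week: float = 0.0
    # Specific values entered in the white cells override the bucket estimate.
    specific_initial_cost: Optional[float] = None
    specific_ongoing_cost: Optional[float] = None
    specific_initial_hours: Optional[float] = None


def estimate(i: Initiative) -> Dict[str, float]:
    """Resolve one initiative's figures, letting white-cell values override the buckets."""
    initial_cost = (i.specific_initial_cost if i.specific_initial_cost is not None
                    else INITIAL_COST_BUCKET[i.initial_cost])
    # The 20% default is applied to the effective initial cost, so an override flows through.
    ongoing_cost = (i.specific_ongoing_cost if i.specific_ongoing_cost is not None
                    else initial_cost * ONGOING_COST_RATIO)
    initial_hours = (i.specific_initial_hours if i.specific_initial_hours is not None
                     else INITIAL_HOURS_BUCKET[i.initial_hours])
    return {
        "initial_cost": initial_cost,
        "ongoing_cost_annual": ongoing_cost,
        "initial_hours": initial_hours,
        "ongoing_hours_annual": i.ongoing_hours_per_week * WEEKS_PER_YEAR,
    }


def cost_and_effort_table(initiatives: List[Initiative], years: int) -> Dict[object, Dict[str, float]]:
    """Per-wave subtotals plus a grand total, in the shape of the Cost and Effort Table."""
    table: Dict[object, Dict[str, float]] = {}
    for i in initiatives:
        e = estimate(i)
        for key in (i.wave, "total"):
            row = table.setdefault(key, {
                "initial_cost": 0.0, "ongoing_cost_annual": 0.0, "total_cost": 0.0,
                "initial_hours": 0.0, "ongoing_hours_annual": 0.0, "total_hours": 0.0})
            row["initial_cost"] += e["initial_cost"]
            row["ongoing_cost_annual"] += e["ongoing_cost_annual"]
            # Rough total over the chosen number of years: initial plus annual ongoing.
            row["total_cost"] += e["initial_cost"] + e["ongoing_cost_annual"] * years
            row["initial_hours"] += e["initial_hours"]
            row["ongoing_hours_annual"] += e["ongoing_hours_annual"]
            row["total_hours"] += e["initial_hours"] + e["ongoing_hours_annual"] * years
    return table


# Constructed sample initiatives (not from the page).
SAMPLE = [
    Initiative("Publish privacy notice", 1, "High", "High", ongoing_hours_per_week=2.0),
    Initiative("Data retention schedule", 1, "Medium", "Medium",
               specific_initial_cost=12_500.0, specific_initial_hours=100.0),  # vendor quote in hand
    Initiative("Vendor DPA review", 2, "Low", "Low", ongoing_hours_per_week=1.0),
]

if __name__ == "__main__":
    for wave, row in sorted(cost_and_effort_table(SAMPLE, years=3).items(), key=str):
        print(wave, row)
```

The second initiative shows the override rule: its Medium bucket would have given 20,000, but the quoted 12,500 replaces it and the 20% ongoing default is then taken from the quoted figure.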

The image contains a screenshot of the cost and effort table.

Input
  • Outputs from activity 3.6.2
  • Outputs from activity 3.7
Output
  • Total and ongoing cost resource allocation for privacy initiatives
  • Total and ongoing staffing resource hour allocation for privacy initiatives
Materials
  • Privacy Framework Tool (tab 5)
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Implementation Example – Be Transparent

Key Components of a Privacy Notice

  1. The identity of the organization
  2. What personal data you collect
  3. Why you collect this personal data
  4. How you collect personal data
  5. How you use personal data
  6. How you share personal data with third parties
  7. How you store personal data
  8. Personal data cross-border transfers
  9. How you protect data
  10. How you treat children’s personal data
  11. Your data subjects' rights
  12. Contact details

Info-Tech Insight

Your privacy notice explains your commitment to the data subject. Make sure it’s accessible at the beginning of all data collection activities.

Implementation Example – Vendor Risk Management

End-to-End Third-Party Privacy Risk Management

  1. Pre-Contract
    • Due diligence check
  2. Signing of Contract
    • Data processing agreement
  3. Post-Contract
    • Continuous monitoring
    • Regular check or audit
  4. Termination of Contract
    • Data deletion
    • Access deprovisioning

Core components of a DPA

  • Defined data processing roles
  • Defined contract processing
  • Processing instructions
  • Sub-processor
  • Security controls
  • Data breach notification and handling
  • Data secrecy and staff awareness and training
  • Data subject request
  • Compliance demonstration
  • Cross-border transfer
  • Termination of Service
  • Liability and indemnity

According to the Ponemon Institute (2018): 61% of organizations experienced a data breach caused by their supply chain in 2018; only 29% of organizations believe a third-party vendor would notify them of a data breach; only 28% of organizations believe they will be notified when a third-party shares data with an nth party.

Info-Tech Insight

Many organizations know that they need to secure their supply chain but struggle with finding the right level of due diligence. An end-to-end third-party privacy risk management process should be established to protect the shared data.

Implementation Example - Data Retention

Some business leaders will perceive indefinite retention as a benefit for business intelligence reasons (there’s always another potential use for data). However useful it may be, unnecessary personal data will cause additional headaches in the event of a breach.

Requirements
  • Privacy laws and regulations
  • Business needs
  • Security protection such as data classification

Governance
  • Data Retention Policy
  • Data Retention Schedule
  • Cross-functional collaboration (i.e. IT, Business, Legal, etc.)

Enforcement
  • Data deletion or de-identification
  • Monitoring and audit

Info-Tech Insight

Establish a single source of truth for your data. This will allow you to go to the source and delete the first instance of the data (as per your retention schedule), and then plan to purge the secondary, tertiary, etc. instances on a regular basis.

Phase 4

Implement and Operationalize


This phase will walk you through the following activities:

  • Establish metrics that map to the needs of the organization
  • Implement and integrate metrics into operations

This phase involves the following participants:

  • Privacy officer/privacy team
  • Senior management representation (optional)
  • InfoSec representative
  • IT representative

Make your privacy program functional

Effective metrics add value by reflecting the current business environment and forecasting for the future

As you begin to establish relevant metrics to guide the data privacy program, document and classify based on the associated set of privacy controls and category. Use Info-Tech’s Data Privacy Program Report template as your repository.

1. Create a measurable privacy program

Metrics take your privacy program from static documentation to a functional operation. Ensure that each task populated within the data privacy framework Gantt chart is supported by corresponding metrics.

2. Use metrics to help integrate privacy in the organization

Remove the fear factor associated with privacy by leveraging the language of your business unit champions as you create a metrics program that they can understand and integrate.

3. Choose metrics that make sense and align to your business requirements

Select metrics that make sense for the group you’re reporting up to and ensure that the metrics are business-relevant and support strategic initiatives and the direction of the organization.

4. Be selective with the number of metrics

“More” does not mean “more effective.” Limit the metrics selected for the privacy program. One of the obstacles in obtaining buy-in stems from how lengthy and complex privacy can be to implement – don’t make it harder than it has to be!

Source: IAPP, “Privacy Program Management”

Match metrics to privacy controls

Create a cohesive privacy framework by aligning metrics to each of the 12 categories of privacy controls

1. Governance
  • Average privacy document age
  • Frequency of privacy policy reviews
  • Percentage of personal data accounted for through data classification
  • Reduction in time to report
  • Reduction in time to disclosure

2. Regulatory Compliance
  • Frequency of review of current regulations
  • Number of external regulatory obligations in scope
  • Frequency of new regulation integration

3. Data Processing and Handling
  • % of high-sensitivity solutions with encryption, anonymization, pseudonymization capabilities
  • % of high-sensitivity solutions with monitored audit trails
  • % of personal data covered by regulatory retention periods
  • % of all data currently classified vs. unclassified

4. Data Subject Requests
  • Number of data subject requests received (monthly, quarterly, yearly)
  • Average time to respond to DSARs
  • Number of DSARs un-responded vs. responded

5. Privacy by Design
  • % of projects that include PbD during planning phase
  • % of processes (current) within the organization that include PbD
  • % of high-risk projects (current) that include PbD in the planning phase

6. Notices and Consent
  • % of data collection processes that do not capture consent
  • Average time to respond to data subject’s request to withdraw consent

Match metrics to privacy controls (cont.)

Create a cohesive privacy framework by aligning metrics to each of the 12 categories of privacy controls.

7. Incident Response
  • Average cost of an incident
  • Number of incidents tracked (origin, org. unit, project, security level)
  • Mean time to initiate incident response
  • Mean time to complete incident response

8. Privacy Risk Assessment
  • Number of completed privacy risk assessments
  • Frequency of DPIAs/PIAs performed
  • Privacy risk score or ratio
  • % of privacy or security incidents that are notifiable breaches

9. Information Security
  • Frequency of testing performed on security controls
  • % of data-at-rest covered by security controls
  • % of data-in-transit covered by security controls

10. Third-Party Management
  • Frequency of vendor contract review or touchpoints
  • Number of data transfer agreements in place (current) for external vendors
  • Number of vendors validated (i.e. SOC2 reports)
  • % of personal data retained by vendors

11. Awareness and Training
  • Number of days between onboarding and completion of privacy/security training
  • % of privacy personnel with privacy certifications
  • % of staff receiving privacy training
  • Frequency of in-house privacy training programs

12. Program Measurement
  • Average number of metrics achieved upon review (or % of metrics tracked)
  • % of metrics that directly support business strategy
  • Frequency of privacy program review
  • Frequency of privacy committee meetings
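Several of the metrics above can be computed directly from records the privacy team already keeps. The following added Python example (not from the page and not part of Info-Tech’s Data Privacy Program Report) computes a few of them from constructed sample data: the DSAR count, average response time and un-responded vs. responded split; the percentage of all projects and of high-risk projects with PbD in planning; and the percentage of collection processes that do not capture consent. The 30-day window used to flag overdue open requests and the `meets_target` comparison are assumptions for the illustration, not values stated on the page.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Assumed escalation window for open DSARs (not stated on the page): open
# requests older than this many days are counted so they can be chased.
OPEN_DSAR_ESCALATION_DAYS = 30


@dataclass
class Dsar:
    received: date
    responded: Optional[date] = None   # None means the request is still open


@dataclass
class Project:
    name: str
    high_risk: bool
    pbd_in_planning: bool   # privacy by design considered during the planning phase


@dataclass
class CollectionProcess:
    name: str
    captures_consent: bool


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def dsar_metrics(dsars: List[Dsar], as_of: date) -> Dict[str, float]:
    """'Data Subject Requests' metrics from the table above."""
    responded = [d for d in dsars if d.responded is not None]
    still_open = [d for d in dsars if d.responded is None]
    avg_days = mean((d.responded - d.received).days for d in responded) if responded else 0.0
    overdue = sum(1 for d in still_open if (as_of - d.received).days > OPEN_DSAR_ESCALATION_DAYS)
    return {
        "received": len(dsars),
        "responded": len(responded),
        "unresponded": len(still_open),
        "avg_days_to_respond": round(avg_days, 1),
        "open_past_escalation_window": overdue,
    }


def pbd_metrics(projects: List[Project]) -> Dict[str, float]:
    """'Privacy by Design' metrics: share of all and of high-risk projects with PbD in planning."""
    high_risk = [p for p in projects if p.high_risk]
    return {
        "pct_projects_with_pbd": pct(sum(p.pbd_in_planning for p in projects), len(projects)),
        "pct_high_risk_projects_with_pbd": pct(sum(p.pbd_in_planning for p in high_risk), len(high_risk)),
    }


def consent_gap_pct(processes: List[CollectionProcess]) -> float:
    """'Notices and Consent' metric: % of data collection processes that do not capture consent."""
    return pct(sum(not p.captures_consent for p in processes), len(processes))


def meets_target(value: float, target: float, lower_is_better: bool) -> bool:
    """Compare a metric with the target chosen for it in activity 4.1."""
    return value <= target if lower_is_better else value >= target


# Constructed sample records (not real data).
SAMPLE_DSARS = [
    Dsar(date(2024, 1, 5), date(2024, 1, 20)),   # answered in 15 days
    Dsar(date(2024, 1, 10), date(2024, 2, 4)),   # answered in 25 days
    Dsar(date(2024, 2, 1)),                      # open for 43 days on the as-of date
    Dsar(date(2024, 3, 10)),                     # open for 5 days on the as-of date
]
AS_OF = date(2024, 3, 15)
SAMPLE_PROJECTS = [
    Project("Student portal upgrade", high_risk=True, pbd_in_planning=True),
    Project("Biometric attendance pilot", high_risk=True, pbd_in_planning=False),
    Project("Health records integration", high_risk=True, pbd_in_planning=True),
    Project("Campus newsletter", high_risk=False, pbd_in_planning=True),
    Project("Library catalogue refresh", high_risk=False, pbd_in_planning=False),
]
SAMPLE_PROCESSES = [
    CollectionProcess("Course registration", captures_consent=True),
    CollectionProcess("Alumni mailing list", captures_consent=True),
    CollectionProcess("Wellness survey", captures_consent=False),
    CollectionProcess("Event photography", captures_consent=True),
]

if __name__ == "__main__":
    print(dsar_metrics(SAMPLE_DSARS, AS_OF))
    print(pbd_metrics(SAMPLE_PROJECTS))
    print("consent gap %:", consent_gap_pct(SAMPLE_PROCESSES))
```

Each function returns the metric as a plain number, so the same values can be copied into the Data Privacy Program Report and compared against an immediate-term and a stretch target with `meets_target`.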

4.1 Define privacy metrics for the organization

1 hour

  1. Based on the metrics provided by Info-Tech as a part of the data privacy program framework, identify which ones best suit the current needs of the organization and future privacy goals.
  2. Limit this selection to two to three metrics per tactical privacy area (selected from the 12 control categories in the Privacy Framework). Ask yourself: What do you want to know most about your privacy program? What do you want to show to others?
    1. For many privacy regulations, the need to demonstrate adherence is crucial, and metrics will play a large role in this regard.
    2. Beyond regulations, what are the privacy areas you want to track? What are the areas that senior management wants to track?
  3. For the selected metrics, discuss the target that you would like to achieve.
    1. This will likely change over time, but identifying a target helps to add context and goals to your privacy program.
    2. Consider selecting an immediate-term target and a stretch-goal target that represents a mature state for the privacy program.
    3. Document targets within the Data Privacy Program Report.

Input
  • Metrics from previous two slides
  • Understanding of the organization’s key privacy priorities
  • Initiatives identified during Phase 3
Output
  • Selected set of metrics
Materials
  • Data Privacy Program Report
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Download Info-Tech’s Data Privacy Program Report

Info-Tech Insight

Don’t focus on industry benchmarks for privacy – your privacy requirements will be unique and continue to evolve over time. Similarly, even the metric targets can change over time. What was once considered a “good” target can become “bad” in the future. Privacy will continue to evolve just as the business continues to change.

4.2 Align and prioritize privacy metrics

1 hour

Fast-track external privacy documentation to satisfy the data privacy requirements of your end users.

  1. Write out the metrics selected in activity 4.1 on sticky notes.
  2. Divide whiteboard into 12 columns, each one corresponding to a category of privacy controls from the Privacy Framework Tool.
  3. Place metric stickies under appropriate privacy category.
  4. Reference prioritized initiatives from the Privacy Framework Tool (Execution Wave 1) and write each initiative on the whiteboard next to a corresponding metric.
  5. Metrics should directly correlate to tracking progress of the initiative. Some initiatives may map to multiple metrics; make note of this in the Data Privacy Program Report.
  6. For any Wave 1 initiatives that do not have an assigned metric, revisit activity 4.1 and ensure that a supporting metric is modified or a new metric is established.
  7. As the program matures, repeat this activity for additional Execution Waves and align metrics accordingly.

The image contains a screenshot of the activity described in the text above.

Download Info-Tech’s Data Privacy Program Report

Input
  • Outputs from Privacy Framework Tool
  • Metrics selected from activity 4.1
Output
  • Implementation plan for metrics
  • Operationalization techniques
  • Prioritized metrics roadmap
Materials
  • Data Privacy Program Report
  • Sticky notes
  • Whiteboard
  • Markers
Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Develop and implement your metric lifecycle

Increase the credibility of the privacy program by analyzing and reporting on metrics on a regular basis.

  • A key factor in ensuring integration of the privacy program throughout the organization is presenting the business benefits of the program to the entire organization, and specifically to the executive leadership group.
  • Privacy is not a “one-and-done” project. Even after establishing metrics and implementing metric tracking as a part of the program, progress should be assessed.
  • This is the key step in establishing a metric lifecycle, ensuring that your metrics are continuously monitored and reviewed to meet the needs of the privacy program.
  • The final factor is ensuring that the metrics used to gauge the privacy program directly align to the organization’s business goals and support achieving these objectives. This helps to obtain requisite buy-in and support from executive leadership.

Analysis and Monitoring Categories

  1. Compliance
    • Ensure that the organization meets compliance obligations.
    • Examples include audit management, self-monitoring, security/system management, and risk management.
  2. Regulatory/Legal
    • Ensure that the organization meets any legally imposed regulations to which it is subject.
  3. PEST
    • Ensure that the organization’s approach to privacy and the privacy program align with both the external and internal operating environment, and consider any political, social, economic, and technological factors (PEST).

Source: IAPP, “Privacy Program Management”

Quantify privacy by tracking ROI

The final step in maturing and delivering value through the privacy program is achieved by demonstrating positive return on investment to your leadership team.

  • As privacy becomes the norm within organizations globally, the relationship that exists between high-accountability, privacy-mature organizations and organizational performance becomes increasingly easy to track.
  • Business and IT leaders attribute privacy management practices to:
    • Increased competitive advantage
    • Positive compliance records
    • Innovation gains
    • Operational agility
    • Reduced sales delays
    • Increased customer loyalty and brand reputation

Privacy ROI worldwide

  1. United Kingdom (3.5x)
  2. Brazil (3.5x)
  3. Mexico (3.5x)

$1.00 spent = $2.70 privacy ROI

Organizations that have dedicated time and resources to maturing privacy best practices are already experiencing positive ROI from their efforts.

4.3 Create and deliver the Data Privacy Program Report

1-2 hours

  1. Using all the privacy outputs collected from Phases 1-4, create your executive presentation by leveraging the Data Privacy Program Report.
  2. Focus on the key outputs that your senior management team will want to know:
    1. What are the high-priority “must-do’s” (regulatory or governance requirements)?
    2. What are the associated costs?
    3. What are the resourcing requirements?
    4. What is the required level of ongoing maintenance?
    5. How will this be tracked?
    6. Who takes ownership of the program and relevant initiatives?

The image contains a screenshot of the Data Privacy Program Report.

Input
  • Privacy initiatives
  • Roadmap (Phase 3)
  • Outputs from activities 4.1 and 4.2

Output
  • Full Data Privacy Program Report and executive presentation

Materials
  • Full Data Privacy Program Report

Participants
  • Privacy officer
  • Core privacy team
  • InfoSec representative (optional)
  • IT representative (optional)

Summary of Accomplishment

A clear path toward proactive privacy management

Higher education institutions are increasingly relying on online student learning, advice, and management platforms to streamline processes and deliver student services at scale.

In a perfect world, the summary of accomplishment would state that you’ve solved the data privacy problem within your organization, and you’ll never be the subject of headline news as having fallen victim to a data breach.

The reality is that an effective data privacy program is ongoing, constantly evolving to fit within the surrounding digital and societal landscape. You’ve laid the foundation in working through the Data Process Mapping Tool and understanding how privacy is currently applied within the scope of your organization. By leveraging the outputs from this tool, as well as the maturity gaps identified as a part of the Privacy Framework set of exercises, you’ve begun to create a forward-looking data privacy roadmap.

Established metrics and a set of steps to achieve operationalization position your data privacy program for success by moving beyond static policies and procedures. By focusing on monitoring and assessing how the program captures and supports data privacy, you create a dynamic and adaptable framework.

And while even the strongest of data privacy programs are not bulletproof vests when it comes to preventing data breaches, by developing a flexible and customized data privacy program, your organization significantly strengthens its ability to recover from data privacy incidents and reduces its overall risk of exposure.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Additional Support

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

The image contains a screenshot of the Data Process Mapping Tool.

Develop the Data Process Mapping Tool

During an onsite engagement, Info-Tech analysts will guide the interviews conducted with each of the business unit champions. The outputs will enable a clearer perspective on how personal data is handled throughout the organization.

The image contains a screenshot of the activity privacy gap analysis.

Conduct a privacy gap analysis

An Info-Tech analyst will guide the discussion around the current state of privacy in the organization, aligned to Info-Tech’s best-practice Privacy Framework. Compare current and future states to prioritize gap-closing initiatives.

Research Contributors and Experts

Amalia Barthel

Lecturer and Advisor, Privacy SME – private practice

CIPM, CPIT, PMP, CRISC, CISM

University of Toronto

Cat Coode

Data Privacy Consultant, Fractional Data Privacy Officer, Speaker

Binary Tattoo

Paul Hinds, CISA, CISM, CRISC, CDPSE

Security Privacy Advisor

Northwestern University

Mark Roman B.Math, MBA, PMP

Managing Partner

Info-Tech Research Group

Mark Maby

Research Director for Higher Education

Info-Tech Research Group

Mark Hoeting

Executive Counselor

Info-Tech Research Group

Bibliography

Aberdeen and Liaison. “Enterprise Data in 2018: The State of Privacy and Security Compliance in Healthcare.” Aberdeen Group, 2018. Web. January 2019.
Accenture. “How Global Organizations Approach the Challenge of Protecting Personal Data.” Accenture and Ponemon Institute, 2009. Web. January 2019.
California Consumer Protection Act of 2018. 2018. Web. November 2019.
Cavoukian, Ann. “Privacy by Design, The 7 Foundational Principles.” IPC Privacy by Design, January 2011. Web. 14 January 2020.
Centrify and Ponemon Institute. “The Impact of Data Breaches on Reputation & Share Value.” Centrify and Ponemon Institute, May 2017. Web. January 2019.
CIGI & Ipsos. “2018 CIGI-Ipsos Global Survey on Internet Security and Trust.” Centre for International Governance Innovation, 2018. Web. January 2019.
“Cisco 2018 Privacy Maturity Benchmark Study.” Cisco, January 2018. Web. January 2020.
“Cisco 2019 Privacy Maturity Benchmark Study.” Cisco, January 2019. Web. January 2020.
“Cisco 2020 Privacy Maturity Benchmark Study.” Cisco, January 2020. Web. January 2020.
“Data Protection & Privacy Officer Priorities.” CPO Magazine, 2020.
Densmore, Russell. “Privacy Program Management: Tools for Managing Privacy Within Your Organization.” IAPP, 2019.
“DoorDash Reports Data Breach Impacting 5 Million Customers.” Security Magazine, 27 September 2019. Web. November 2019.
Forbes. “DoorDash Data Breach Compromises 4.9 Million People.” Forbes, 26 September 2019. Web. December 2019.
General Data Protection Regulation. Chapters 1-11. May 2018. Web. November 2019.
Gierdowski, Dana C. ECAR Study of Undergraduate Students and Information Technology, 2019. Research report. Louisville, CO: ECAR, October 2019.
Government of Canada. “The Personal Information Protection Electronic Documents Act.” April 2000. Web. November 2019.
Grajek, Susan. “Top 10 IT Issues, 2023: Foundation Models.” Educause, October 2022.
HIPAA of 1996. US Department of Health & Human Services. 1996. Web. January 2020.
Hodge, Rae. “2019 Data Breach Hall of Fame: These were the biggest data breaches of the year.” CNET, 27 December 2019. Web. January 2020.
“IAPP-EY Annual Privacy Governance Report 2019.” IAPP, 2019. Web. December 2019.
IBM Security. “Cost of a Data Breach Report, 2019.” IBM, January 2020. Web. January 2020.
ISACA and TITUS. “GDPR: The End of the Beginning.” ISACA, 2018. Web. January 2019.
Paul, Kari. “‘Ban This Technology’: Students Protest US Universities’ Use of Facial Recognition.” The Guardian, 2 March 2020.
NIST. “Computer Security Incident Handling Guide.” NIST, SP 800-61 Rev. 2, August 2012. Web. November 2019.
NIST. “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” NIST, 16 January 2020. Web. January 2020.
PIPEDA of 2000. The Government of Canada, 2000. Web. October 2019.
Proteus. “Privacy Research Database; Breach Calculator.” Proteus-Cyber. Web. December 2019.
Protiviti and North Carolina State University’s ERM Initiative. “Executive Perspectives on Top Risks for 2018: Key Issues Being Discussed in the Boardroom and C-Suite.” Protiviti and North Carolina State University’s ERM Initiative, 2017. Web. January 2019.
PwC. “The Anxious Optimist in the Corner Office.” 21st CEO Survey. PwC, 2018. Web. January 2019.
“Q3 2019 Data Breach QuickView Report.” RiskBased Security, 12 November 2019. Web. December 2019.
“Study: Mature Privacy Programs Experience Higher ROI.” IAPP, 27 January 2020. Web. January 2020.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Collect Privacy Requirements
  • Call 1: Scope requirements, drivers, objectives, and challenges.
  • Call 2: Build out privacy ownership using the RACI chart.

Guided Implementation 2: Conduct a Privacy Gap Analysis
  • Call 1: Review results of data process mapping business unit interviews.
  • Call 2: Delve into the Privacy Framework Tool to identify and evaluate gaps.

Guided Implementation 3: Build the Privacy Roadmap
  • Call 1: Determine cost and effort ratio of gap initiatives.
  • Call 2: Build out additional privacy collateral (notice, policy, etc.).

Guided Implementation 4: Implement and Operationalize
  • Call 1: Review standard privacy metrics and customize for your organization.
  • Call 2: Establish and document performance monitoring schedule.

Author

Alan Tang

Contributors

  • Amalia Barthel, Lecturer and Advisor, CIPM, CPIT, PMP, CRISC, CISM, University of Toronto
  • Cat Coode, Data Privacy Consultant, Fractional Data Privacy Officer, Speaker, Binary Tattoo
  • Paul Hinds, CISA, CISM, CRISC, CDPSE, Security Privacy Advisor, Northwestern University
  • Mark Roman B.Math, MBA, PMP, Managing Partner, Info-Tech Research Group
  • Mark Maby, Research Director for Higher Education, Info-Tech Research Group
  • Mark Hoeting, Executive Counselor, Info-Tech Research Group