- Higher education institutions face increased pressure to ensure personal data protection for students and faculty in the digital era, especially for sensitive information such as health data and biometric data.
- Privacy teams have a difficult time conveying legal obligations and privacy protection principles and providing actionable guidance to business partners.
- One institution may have more than one IT department. Decentralized and fragmented systems lead to inconsistent policies and procedures.
Our Advice
Critical Insight
- Students are wary of privacy risks and value privacy protections. So should the leaders at the education institutions. Embed privacy-by-design principles into your business processes and data lifecycle to protect valuable personal data for students and faculty.
Impact and Result
- Establish a holistic and integrated privacy program that embeds privacy by design principles into the business processes.
- Partner with business departments by speaking a language they can understand and providing tools they can implement.
- Gain visibility into personal data processing activities and prioritize personal data protection initiatives.
- Create privacy policies, standards and procedures that are established with respect to how information is collected, processed, shared, and protected within the data lifecycle.
Workshop: Build Business-Aligned Privacy Programs for Higher Education Institutions
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Collect Privacy Requirements
The Purpose
- Identify the driving forces behind the privacy program.
- Understand privacy governance.
- Assign ownership of privacy.
Key Benefits Achieved
Privacy requirements documented and privacy governance structure established.
Activities
Outputs
Define and Document Drivers
- Business context and drivers behind privacy program
Establish Privacy Governance Structure
Build Privacy RACI
- Data privacy RACI chart
Define Personal Data Scope
Build Risk Map
Module 2: Conduct a Privacy Gap Analysis
The Purpose
- Understand the methodology behind the Data Process Mapping Tool
- Assess risks and map out your data breach response process
- Work through the threshold assessment and DPIA process
Key Benefits Achieved
Privacy program gap areas identified
Activities
Outputs
Conduct interviews and complete Data Process Mapping Tool
- Data Process Mapping Tool draft
Compare compliance and regulatory requirements with current privacy practices of the organization
- Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards
Identify gap areas
Review the DPIA process and identify whether threshold assessment or full DPIA is required
Module 3: Build the Privacy Roadmap
The Purpose
- Identify where high-priority gaps exist in current privacy practices
- Tie cost, effort, risk, and alignment values to each of the relevant privacy gap-closing initiatives
- Further refine resourcing estimates
Key Benefits Achieved
Gap initiatives identified and prioritized
Activities
Outputs
Complete business unit gap analysis; consolidate inputs from interviews
- Privacy Framework Tool
Apply variables to privacy initiatives
Create a visual privacy roadmap
Define and refine the effort map; validate costing and resourcing
- Data privacy roadmap and prioritized set of initiatives
Module 4: Implement and Operationalize
The Purpose
- Complete the roadmap
- Establish metrics that map to the needs of the organization
- Implement and integrate metrics into operations
Key Benefits Achieved
Privacy program roadmap completed
Activities
Outputs
Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program
- Completed data privacy roadmap
Operationalize metrics
Input all outputs into the Data Privacy Report
Summarize and build an executive presentation
Set checkpoints and drive continuous improvement
- Data Privacy Program Report document
Build Business-Aligned Privacy Programs for Higher Education Institutions
Embed privacy by design into your business processes and protect high-risk personal data.
EXECUTIVE BRIEF
Analyst Perspective
Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions.
College students are living in environments that increasingly require regular interaction with information technology and data. Students are aware of data protection risks and take privacy seriously. Some personal identifiers, such as email addresses, can be easily replaced. But biometric information such as fingerprints and facial geometry scans is unique. Students' strong belief in the protection of sensitive personal information stems from a desire to protect themselves from privacy risks and harm that may last for the rest of their lives. With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage. Students care about their data privacy, and this concern is increasing. This leaves leaders in the education sector questioning what exactly privacy involves and how to make it scalable for their respective institutes. As the general public begins to take back control over data privacy, so too should education institutions, by taking a tactical, measurable approach to privacy and the business. Alan Tang
Executive Summary
Your Challenge | Common Obstacles | Info-Tech’s Approach |
---|---|---|
Info-Tech Insight
Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions. Privacy-by-design principles should be embedded into the business processes and data lifecycle to protect the valuable personal data of students and faculty.
Relevant Legal Obligations and Guidelines
More than 130 countries have put in place legislation to secure the protection of data and privacy.
Info-Tech Insight
Higher education institutions increasingly depend on online platforms for student learning, advising, and management in order to optimize processes and deliver student services at scale. The importance of privacy and data protection is increasingly recognized. Equally concerning is the collection, use, and disclosure of personal information to third parties without prior notice or consent from students and faculty.
Typical Business Processes of a Higher Education Institution
Usually, there are three types of business processes supporting the operations of a higher education institution: defining processes, shared processes and enabling processes.
Defining Capabilities
- Recruitment (Undergrad, Graduate Studies)
- Admission (Undergrad, Graduate)
- Student Enrollment (Enrollment, Financial Aid)
- Instruction & Research (Teaching & Learning, Research)
- Graduation (Graduation, Transcripts)
- Advancement (Alumni Relations, Fundraising)
Shared Capabilities
- Student Administration (Student progression, Record maintenance)
- Student Support Services (Athletics, Career Development)
- Academic Admin (Academic Year Scheduling, Policy Admin)
Enabling Capabilities
- Facilities & Property Mgmt.
- Finance Mgmt.
- Human Resources
- IT
- Legal Services
- Government, Public, and Stakeholders
- Governance, Risk, and Compliance
Privacy is all about personal data
When building a privacy program, focus on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. Conversely, an effective privacy program allows access to information based on regulatory guidance and appropriate measures.
Examples of personal data include:
Traditional PII: Personally identifiable information | Personal Data: Any information relating to an identified or identifiable person | Sensitive Personal Data: Special categories of personal data (some regulations, like GDPR, expand their scope to include these) |
---|---|---|
Full name (if not common) | Enrollment status | Biometrics data: Retinal scans, voice signatures, or facial geometry |
Home address | Grade level | Health information: Patient identification number or health records |
Date of birth | Dates of attendance | Political opinions |
Social security number | Degrees, honors, and awards received | Trade union membership |
Banking information | Location data | Sexual orientation and/or gender identity |
Passport number | Photograph | Religious and/or philosophical beliefs |
Etc. | Etc. | Ethnic origin and/or race |
Privacy and Security Are Among the Top Concerns
Privacy and cybersecurity together are the #2 issue education institutions will be facing in 2023 based on EDUCAUSE’s recent report “Top 10 IT Issues, 2023: Foundation Models.”
Source: EDUCAUSE, 2022.
Privacy Policies Are Not Fully Understood
ECAR's 2019 survey of US students found that less than half of them believed they benefited from their institution's privacy and security policies, and even fewer students reported understanding how their institution used their personal data. *
*ECAR, 2019.
Transparency and Communication Are Key
Case Study:
In March 2020, in response to a proposal to adopt facial recognition for security surveillance at UCLA, students from 36 campuses protested, in person and via online petitions, against the use of facial recognition systems. The pushback from students and the community led UCLA and about 50 other colleges and universities to promise not to use facial recognition technology on their campuses.*
*Kari Paul, "'Ban This Technology': Students Protest US Universities' Use of Facial Recognition," The Guardian, March 2, 2020.
Info-Tech Insight
To foster trust and cooperation, higher education institutions should communicate how and why they collect and use students' personal information.
True Cost of a Data Breach
An industry outlook
Even with a robust privacy program in place, organizations are still susceptible to a data breach. The benefit comes from reducing your risk of regulatory compliance issues and resulting fines and minimizing overall exposure.
86% of data breach costs are associated with REGULATORY fines
Healthcare* | Government | Financial Services | Education |
---|---|---|---|
Estimated Cost of Exposure: $841.41 | Estimated Cost of Exposure: $114.75 | Estimated Cost of Exposure: $188.05 | Estimated Cost of Exposure: $207.75 |
* All fine estimates are based on an annual turnover of US$10 million and 1,000 lost records Source: Proteus-Cyber, 2019.
Top challenges organizations face in building an effective privacy program
The struggle to get a comprehensive data protection and privacy program in place across an entire organization is one of the main challenges for data protection and privacy officers.
Info-Tech Insight
Creating a comprehensive, organization-wide data protection and privacy strategy continues to be a major challenge for privacy officers and privacy specialists.
Why Is Privacy Important for Higher Education Institutions?
- Legal Obligations
- Failure to comply with privacy laws and regulations can result in serious legal penalties, liability, fines, and other unpleasant consequences.
- Reputation & Relationships
- A data breach can seriously damage a school's reputation. Privacy violations, or even inappropriate privacy practices, can affect a school's relationships with parents, applicants, donors, alumni, and others.
- Finances
- Data breaches and privacy violations can lead to costly lawsuits, large damages payments, and costly and onerous legal requirements.
- Time and Resources
- A robust privacy program requires considerable investment in terms of time and resources, which are usually underestimated.
- Student and Employee Wellbeing
- Privacy protection violations or personal data leaks could cause serious harm to students, faculty, and employees economically, mentally, and sometimes physically.
Embed Privacy Into Data Lifecycle Protection
Two of the main tasks of personal data protection in the higher education sector are to identify high-risk personal information categories and to embed privacy-by-design principles into the data lifecycle.
Examples of high-risk personal information types
Info-Tech’s Privacy Program Methodology
The below image is a visual representation of Info-Tech’s Privacy Framework. This includes high-level governance items as well as more tactically defined areas. See an overview below.
Info-Tech’s methodology for building a privacy program
 | 1. Collect Privacy Requirements | 2. Conduct a Privacy Gap Analysis | 3. Build the Privacy Roadmap | 4. Implement and Operationalize |
---|---|---|---|---|
Phase Action Items | | | | |
Phase Outcomes | | | | |
Insight summary
Overarching insight: Students are wary of privacy risks and value privacy protections. So should the leaders at education institutions. Privacy-by-design principles should be embedded into the business processes and data lifecycle to protect valuable personal data for students and faculty.
Fit privacy to the business. Contextualize privacy for your organization by involving the business units from day one; collect requirements that promote cross-collaboration.
Privacy is dynamic. Structure drives success: take a process-based rather than a system-based approach to assessing personal data as it flows throughout the organization.
Prioritize and plan together. Review, revise, reprioritize; come back to the initial risk map created. Draw on areas of alignment between high-value/high-risk processes and their supporting initiatives to properly prioritize.
Make it operational. Be selective with your metrics: implement only metrics that are relevant to your environment. Base your selection on the highlighted areas of focus from the maturity assessment.
Privacy doesn’t live in isolation. By assigning ownership and flexibility to your business units in how they weave privacy into their day-to-day, privacy becomes part of operational design and structure.
A good privacy program takes time. Leverage the iterative process embedded in each phase to prioritize privacy initiatives based on value and risk, and support the rollout through customized metrics.
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Privacy Program RACI Chart
A high-level list of privacy program initiatives, with assigned ownership to privacy champions from both the business and IT.
Data Process Mapping Tool
Full documentation of all business processes that leverage personal data within the organization.
Data Protection Impact Assessment
When highly sensitive data is involved, leverage this tool to assess whether appropriate mitigating measures are in place.
Data Privacy Program Report
A template that highlights the key privacy metrics identified in Phase 4 for the senior leadership team.
Privacy Policy Templates
Internal and external policies around:
- Privacy Notice – Higher Education
- Data Processing Agreement
- Data Breach Handling Process
- Data Retention Policy
Key deliverable:
Privacy Framework/ Business Unit Framework Tools
Leverage best-practice privacy tactics to assess your current organizational privacy maturity while comparing against current privacy frameworks, including GDPR, CCPA, HIPAA, and NIST.
Build your gap-closing initiative roadmap and work through cost/effort analysis.
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
Diagnostics and consistent frameworks used throughout all four options
Guided Implementation
What does a typical GI on this topic look like?
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|
Call #1: Scope requirements, drivers, objectives, and challenges. Call #2: Build out privacy ownership using the RACI chart. | Call #3: Review results of data process mapping business unit interviews. Call #4: Delve into the Privacy Framework Tool to identify and evaluate gaps. | Call #5: Determine cost and effort ratio of gap initiatives. Call #6: Build out additional privacy collateral (notice, policy, etc.). | Call #7: Review standard privacy metrics and customize for your organization. Call #8: Establish and document performance monitoring schedule. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 8 to 12 calls over the course of 4 to 6 months.
Workshop Overview
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
 | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
---|---|---|---|---|---|
 | Collect Privacy Requirements | Conduct a Privacy Gap Analysis | Build the Privacy Roadmap | Implement and Operationalize | Next Steps and |
Activities | 1.1 Define and document program drivers 1.2 Establish privacy governance structure and define scope 1.3 Build the data privacy RACI chart 1.4 Build the risk map | 2.1 Conduct interviews and complete Data Process Mapping Tool 2.2 Compare compliance and regulatory requirements with current privacy practices of the organization 2.3 Identify gap areas 2.4 Review the DPIA process and identify whether threshold assessment or full DPIA is required | 3.1 Complete business unit gap analysis; consolidate inputs from Day 2 interviews 3.2 Apply variables to privacy initiatives 3.3 Create a visual privacy roadmap 3.4 Define and refine the effort map; validate costing and resourcing | 4.1 Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program 4.2 Operationalize metrics 4.3 Input all outputs from Days 1-3 into the Data Privacy Report 4.4 Summarize and build an executive presentation 4.5 Set checkpoints and drive continuous improvement | 5.1 Consolidate and schedule any outstanding business unit interviews 5.2 Complete in-progress deliverables from previous four days 5.3 Set up review time for workshop deliverables to discuss next steps |
Deliverables | | | | | |
Phase 1
Collect Privacy Requirements
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|
1.1 Define and Document Drivers 1.2 Establish Privacy Governance Structure 1.3 Build Privacy RACI 1.4.1 Define Personal Data Scope 1.4.2 Build Risk Map | 2.1 Complete Data Process Mapping Tool 2.2 Compare Compliance and Regulatory Requirements for Gap Analysis 2.3 Analyze the Risk of Data Breaches 2.4 Conduct DPIA Threshold Assessment | 3.1 Complete Business Unit Gap Analysis 3.2 Develop Cost Estimates 3.3 Define Alignment and Privacy Risk 3.4.1 Apply Variables to Privacy Initiatives 3.4.2 Assign Cost and Effort Values 3.5 Create a Visual Map 3.6.1 Define the Effort Map 3.6.2 Refine the Effort Map 3.7 Create the Visual Roadmap 3.8 Revise Cost and Effort Table | 4.1 Establish Metrics 4.2 Operationalize Metrics 4.3 Set Checkpoints and Drive Continuous Improvement |
This phase will walk you through the following activities:
- Identify the driving forces behind the privacy program
- Understand privacy governance
- Assign ownership of privacy
This phase involves the following participants:
- Privacy officer/privacy team
- Senior management representation (optional)
- Relevant business unit privacy champions
- InfoSec representative
- IT representative
1.1 Define and document the data privacy program drivers
1 hour
- Bring together relevant stakeholders from the organization. This can include Legal, HR, and Privacy teams, as well as others who handle personal data regularly (Marketing, IT, Sales, etc.).
- Using sticky notes, have each stakeholder write one driver for the privacy program.
- These may vary from concerns about customers to the push of regulatory obligations.
- Collect these and group together similar themes as they arise. Discuss with the group what is being put on the list, and clarify any unusual or unclear drivers.
- Determine the priority of the drivers. While they are all undoubtedly important, it will be crucial to understand which are critical to the organization and need to be dealt with right away.
- For most, any obligation relating to an external regulation will become top priority. Noncompliance can result in serious fines and reputational damage as well.
- Review the final priority of the drivers and confirm current status.
Privacy by design is no longer a "nice to have"
Integrate the key principles behind privacy by design to embed privacy in the operations of the organization and minimize business disruption.
- Proactive, not reactive. Preventative, not remedial.
- Privacy as the default setting.
- Privacy embedded into design.
- Full functionality; positive-sum not zero-sum.
- End-to-end security; full lifecycle protection.
- Visibility and transparency; keep it open.
- Respect for user-privacy; keep it user-centric.
Source: IPC Privacy by Design
Download this research
Get a head start on integrating data protection into the foundations of your projects and processes with Info-Tech's Demonstrate Data Protection by Design for IT research.
Determine the primary owners of the privacy program
The privacy program must include multiple stakeholders for it to be successful. It’s integral to assign clear lines of ownership to build and effectively manage the program. Without defined ownership, privacy initiatives can easily fall between the cracks, and issues may not be handled effectively.
Privacy Department | Legal, Compliance, Audit | Human Resources | InfoSec or IT |
---|---|---|---|
Info-Tech Insight
If not already mandated by governing privacy laws, consider appointing a privacy officer to formalize privacy ownership in the organization.
Define the governance structure of the privacy program
A successful privacy program will be structured in a way that best fits the needs of your organization. Minimize disruption to ensure a successful adaptation and launch.
- Centralized
- One central group manages the entire privacy program. They may direct other groups in terms of certain actions or initiatives, but privacy is centrally managed and reported on by one group.
- This works well for large organizations to manage and track all privacy efforts, but it can become very bureaucratic.
- Decentralized
- Privacy is distributed to the rest of the organization, often in the lower tiers. The expectation here is that there is a bottom-up discussion of privacy while allowing for a flatter structure.
- This works well with highly privacy-aware employees who can make the correct decisions at their respective levels. However, it can be difficult to track compliance.
- Hybrid
- Aspects of centralized and decentralized programs are combined to get the best of both structures; for example, one group or individual may track all privacy efforts in the organization, but each business unit can choose how to implement them. Another method is to have a designated privacy representative in each business unit.
Info-Tech Insight
While there may be one individual or group designated to manage the privacy program, privacy is everyone’s responsibility. Employees will have to perform the necessary actions such as limiting their personal data collection or anonymizing data. The success of the program will rely on everyone understanding how to put privacy first.
Evaluate a centralized governance model
This is an example of a centralized organizational structure for managing privacy. In this case, there is a dedicated privacy team that directs all the other departments in terms of their personal data management.
The centralized model is a more traditional structure for privacy in the organization, and it promotes the idea that one group is entirely accountable for the proliferation of privacy within the organization. This structure requires regular reporting and communication between the different groups.
Evaluate a decentralized governance model
In a decentralized model, we see that it is up to each department to create and form its own respective privacy practices. This can be done with the help of assigned privacy champions within each group. These individuals work with their own teams to integrate privacy within their business processes.
Evaluate a hybrid governance model
These days, many privacy-mature organizations lean toward a privacy center of excellence. This hybrid method combines the best of both centralized and decentralized structures:
The privacy champions from each business unit report to the central privacy unit, eliminating the need to hire multiple privacy-specific individuals within the central team.
Organizations that identify as having adopted a hybrid privacy governance model report shorter sales delays (4.6 weeks) when compared against organizations that employ either a fully centralized (9.8 weeks) or decentralized model (7.1 weeks).
Source: Cisco, 2018
1.2 Right-size your privacy governance structure
1 hour
Consider the following when building out your privacy organizational structure.
- Determine where ownership of the privacy program will be.
- Common choices are a dedicated privacy team or the legal, information security, and/or HR departments.
- Decide whether a privacy officer is necessary in your organization – some regulations recommend it.
- Review your current organizational structure to decide which model would be best for your privacy practices: centralized, distributed, or hybrid.
- Review the previous examples for how this could be structured. Be mindful that you can set up this structure based on your own unique requirements, for example, two different groups can share ownership of the entire privacy program.
- Select the appropriate governance structure; document. Make note of significant changes that will need to occur to facilitate implementation of the governance structure.
Info-Tech Best Practice
There is no single perfect governance structure that works for all organizations. Look at your current organizational and governance setup and see which structure fits best. Ask yourself:
Are we already set up in a centralized, distributed, or hybrid structure? Are we looking to implement privacy with new resources or existing employees? What model works best for us to meet our compliance needs?
1.3 Build out the data privacy RACI chart
30-60 minutes
Download the Data Privacy Program RACI Chart
1.4.1 Define the extent of your personal data scope
1 hour
- Divide into groups and give each group member a handful of sticky notes.
- Ask them to write down as many business units or functional groups as possible that process (collect, record, use, disseminate, etc.) personal data within the organization.
- Collect each group’s responses and discuss whether the business unit is a data controller, a data processor, or both.
- Focus on whether the business unit decides the purpose of processing the data or if an external party determines the purpose of processing.
- Use blue for data controllers and yellow for data processors. If a business unit is both a data controller and a data processor, write the business unit on both a blue and a yellow sticky note.
- Discuss and aggregate all responses into a final document, listing what is in scope of your privacy program and what is out of scope.
1.4.2 Build your risk map
1 hour
Info-Tech Insight
Bake in a quantitative element of risk analysis as you create the privacy framework to take away some of the guesswork when it comes to prioritizing initiatives and creating your roadmap in Phase 3. Compare and contrast the perspective of your core IT or privacy team with that of the business units when assigning a volume and risk ranking to each of the business processes.
Phase 2
Conduct a Privacy Gap Analysis
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|
1.1 Define and Document Drivers 1.2 Establish Privacy Governance Structure 1.3 Build Privacy RACI 1.4.1 Define Personal Data Scope 1.4.2 Build Risk Map | 2.1 Complete Data Process Mapping Tool 2.2 Compare Compliance and Regulatory Requirements for Gap Analysis 2.3 Analyze the Risk of Data Breaches 2.4 Conduct DPIA Threshold Assessment | 3.1 Complete Business Unit Gap Analysis 3.2 Develop Cost Estimates 3.3 Define Alignment and Privacy Risk 3.4.1 Apply Variables to Privacy Initiatives 3.4.2 Assign Cost and Effort Values 3.5 Create a Visual Map 3.6.1 Define the Effort Map 3.6.2 Refine the Effort Map 3.7 Create the Visual Roadmap 3.8 Revise Cost and Effort Table | 4.1 Establish Metrics 4.2 Operationalize Metrics 4.3 Set Checkpoints and Drive Continuous Improvement |
This phase will walk you through the following activities:
- Understand the methodology behind the Data Process Mapping Tool
- Assess risks and map out your data breach response process
- Work through the threshold assessment and DPIA process
This phase involves the following participants:
- Privacy officer
- Core privacy team
- Relevant business unit privacy champions
- InfoSec representative (optional)
- IT representative (optional)
Understand the role of the Data Process Mapping Tool
1 | 2 | 3 |
---|---|---|
Inventories personal data by business process | Identifies gaps in the organization's data processing activities | Fulfills regulatory needs (e.g. GDPR) |
Highlights data processing activities with a high degree of risk due to:
Determine the appropriate level of granularity with your processing activities
Think about the major business processes that make up your operations and refine by the common set of personal data types within sub-processes.
2.1 Complete the Data Process Mapping Tool
1-1.5 hours per business unit interview
Data protection goes beyond understanding where data is stored and how the systems are protected. Use this activity to start defining activities that are involved in processing your data.
- Using the outputs from activities 1.4.1 and 1.4.2, group all business processes that touch personal data, based on their corresponding business function or unit.
- Identify a privacy champion for each business unit or the respective business unit leader.
- Schedule interviews with these individuals and review each of their business processes. Leverage the Data Process Mapping Tool to capture all elements of personal data included in the business processes.
- Validate responses with members of the core team following each interview.
Download Info-Tech's Data Process Mapping Tool.
Info-Tech Insight
Compare and contrast the Data Process Mapping Tool with any previous documents collected, tailored to data kept in individual systems or applications, to gain a more robust understanding of how personal data interacts with organizational assets.
Examples of Personal Data Associated with Business Processes
Business Process | Personal Data Types (Examples) | Purpose of Processing | Data Subject Categories |
---|---|---|---|
Recruitment, Admission and Enrollment | Personal information (name, grades, gender, age, school, application, financial information, family information, contact, etc.) of undergrad and graduate students | Student recruitment and enrollment | New students and prospects |
Instruction & Research | Teaching-, learning-, and research-related personal information | Institutional operations | Students and faculty |
Graduation and advancement | Transcripts, alumni relations, fundraising, etc. | Student service | Students |
Student administration and support | Student progression, record maintenance, athletics-related information, career development, etc. | Student admin and support | Students |
Facilities & Property Mgmt. | Physical access control information, photo, fingerprint, etc. | Campus security and maintenance | Students and faculty |
Finance Mgmt. | Bank information, financial aid, etc. | Financial support for students | Students |
Human Resources | Employee profile such as name, email, address, gender, age, contact, etc. | Employment management | All employees |
Review the Privacy Framework Tool
Leverage the 12 domains and subsequent privacy controls as you work to right-size Info-Tech’s Privacy Framework for your organization.
Domain | Definition |
---|---|
Governance | The overall governing of the privacy program, including the designation of a privacy officer/official, what constitutes personal and private data, and having a data classification scheme. |
Regulatory Compliance | The mapping and tracking of regulatory obligations as they pertain to data privacy. Regulations have been one of the biggest drivers of privacy initiatives in recent years, and the ability to demonstrate compliance is essential. |
Data Process and Handling | The documentation and process creation of how personal data is being collected and used – and for what purposes. |
Incident Response | The plans outlining what actions need to take place in case of a data breach, including when to notify affected individuals and relevant authorities. |
Privacy Risk Assessments | The building and use of assessments to determine how much privacy risk is associated with specific projects. |
Notices and Consent | The use of notices to inform data subjects of how their information is being used, with processes built in to capture their consent to how their information is collected, shared, and/or used. |
Data Subject Requests | The establishment of processes that allow data subjects to make requests to delete, modify, or gain access to their data. This can correspond with rights guaranteed by various regulations. |
Privacy by Design | The integration of privacy into all operations, particularly within systems and applications, to ensure privacy is the default throughout the entire process. |
Information Security | The use of security controls to protect personal data. |
Third-Party Management | The management of the privacy risks that exist when working with external third parties, vendors, and other entities, as they may process or interact with the personal data the organization holds. |
Awareness and Training | The use of training to ensure that employees are aware of their privacy responsibilities, including the handling and use of personal data. |
Program Measurement | The active measurement of the entire privacy program to demonstrate successes and weaknesses within the larger program. Can be used to communicate the status of the program with other stakeholders. |
The framework also contains mapping to major privacy regulations, including GDPR, CCPA, HIPAA, PIPEDA, and NIST Privacy Framework.
Info-Tech Insight
This best-practice framework will force you to reevaluate your current operations and understand how to integrate privacy. To gain the most benefits from your privacy program, review and understand which domains are most critical to your operations and which you will want to put the most focus on. This will ensure that this framework works for you and builds a privacy program around your organization’s specific requirements.
2.2 Compare compliance and regulatory requirements for gap analysis
2 hours
- On tab 2 of the Privacy Framework Tool, review each privacy control and determine the current organizational maturity based on the five-point CMMI scale below. Capture any relevant comments, as required:
- Initial/Ad hoc
- Developing
- Defined and Documented
- Managed and Measurable
- Optimized
- Define the target state using the same five-point scale.
- The target state will be heavily influenced by the requirements gathered in the earlier phase.
- Wherever there is a gap between the current and target state, document what initiative is needed to close the gap in column N.
Download the Privacy Framework Tool
Perform a high-level gap analysis on your processing activities
Taking a top-down view of a processing activity can often expose gaps in the process.
In the example of an Email-Based Document Exchange process, personal data could be exposed during these sub-processes in red. Optimizing the process, via improved security, with the version in green would address these gaps.
Info-Tech Insight
Knowing is half the battle. Ensure high-level gaps identified via this method are risk-assessed. Add remediation initiatives in the Privacy Framework Tool to contribute toward your defensible compliance position.
Align incident management to relevant regulations
Language within privacy regulations is explicit in requiring notification to the supervisory authority and to data subjects in the event of a data breach.
- A key component of a successful privacy program involves a well-developed set of incident response and management procedures.
- Each privacy regulatory framework will establish its own timeframe when it comes to incident response procedures.
- These same frameworks will also support the underlying procedures involved in incident management runbooks that are created, maintained, and updated on a regular basis by the InfoSec or IT teams.
- Info-Tech recommends taking a “best-of-breed” approach in creating an effective incident management response plan:
- Use relevant regulatory timeframes as a guideline.
- Involve business unit privacy champions when creating the response plan.
- Identify all interdependencies and map them out as a part of the validation process.
GDPR – Data subject notification
“In the case of a personal data breach, the controller shall notify without undue delay and, where feasible, not later than 72 hours. […] Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
(Source: General Data Protection Regulation)
CCPA/CPRA – Not defined
Unlike the GDPR, CCPA/CPRA does not define a timeframe for reporting a data breach. However, should a breach or other data security incident occur “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices,” the business can be fined $100-$750 per individual incident, or the full cost incurred of damages. The CPRA adds new standards for what constitutes a data breach.
(Source: California Consumer Protection Act)
PIPEDA – Breach of security safeguards
Following the occurrence of a breach, organizations must report any breaches in the prescribed form and manner as soon as feasible.
Understand the security incident management framework
For all incident runbooks, follow the same process: detection, analysis, containment, eradication, recovery, and post-incident activity.
PREPARE
Ensure the appropriate resources are available to best handle an incident.
DETECT
Leverage monitoring controls to actively detect threats.
ANALYZE
Distill real events from false positives.
CONTAIN
Isolate the threat before it can cause additional damage.
ERADICATE
Eliminate the threat from your operating environment.
RECOVER
Restore impacted systems to a normal state of operations.
POST-INCIDENT ACTIVITIES
Conduct a lessons-learned post-mortem analysis.
Process adapted from NIST SP 800-61 Rev. 2
Info-Tech Insight
Document each step of the incident lifecycle. A thorough, comprehensive record will assist in understanding the root cause, allow for faster remediation of any future reoccurrences of the incident, and support any legal escalation. Tracking the cost of work hours helps in determining the overall impact to the organization.
2.3 Analyze the risk of data breaches to your data subjects
30 minutes
Take a client-centric approach to incident management. Understand the risk that data breaches pose beyond your organization and use that understanding as an input to your revised incident response process. Leverage existing runbooks and revise them.
Identify each of the following. Validate with team members and document using incident management runbooks. Include data subject risk impact analysis as a step in your incident management runbooks.
- Type of breach
- Nature, severity, and volume of personal data
- Combinations of data are more sensitive
- Relevancy of situational sensitivity should be considered
- Ease of identification of individuals
- Severity of consequences for individuals
- A trusted recipient does not negate that a breach has occurred
- Are the resulting consequences permanent?
- Special characteristics of the individual
- Number of affected individuals
- Special characteristics of the data controller
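The data subject risk factors listed above, together with the GDPR 72-hour rule quoted earlier, can be captured as a small scoring step inside an incident runbook. The following is an added example, not Info-Tech's tool or any regulator's method: the category weights, score thresholds, the `BreachRecord` fields and the "notify data subjects when High" trigger are all assumptions, and the incident itself is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed weights per personal-data category; constructed for this example,
# not Info-Tech's scoring. Categories mirror the data types named on the page.
DATA_CATEGORY_WEIGHT = {
    "contact": 1,     # name, email, address
    "academic": 2,    # grades, transcripts, progression
    "financial": 3,   # bank information, financial aid
    "health": 4,
    "biometric": 4,   # fingerprint, photo used for access control
}

# GDPR Art. 33: notify the supervisory authority not later than 72 hours after
# becoming aware of the breach, where feasible.
GDPR_AUTHORITY_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    """One incident, capturing the factors listed in activity 2.3 (field names are assumed)."""
    breach_type: str                # "confidentiality", "integrity" or "availability"
    data_categories: tuple          # categories of personal data involved
    affected_individuals: int
    identifiable: bool              # individuals can be identified directly from the data
    recipient_trusted: bool         # a trusted recipient does NOT negate the breach
    permanent_consequences: bool    # e.g. leaked biometrics cannot be reissued
    vulnerable_subjects: bool       # minors, patients, or other special characteristics
    detected_at: datetime           # when the organization became aware


def data_subject_risk_score(b: BreachRecord) -> int:
    """Additive score for the risk to data subjects; higher is more severe."""
    score = sum(DATA_CATEGORY_WEIGHT.get(c, 1) for c in b.data_categories)
    if len(set(b.data_categories)) > 1:
        score += 2       # combinations of data are more sensitive than any one type
    if b.identifiable:
        score += 2       # ease of identification of individuals
    if b.permanent_consequences:
        score += 3       # are the resulting consequences permanent?
    if b.vulnerable_subjects:
        score += 2       # special characteristics of the individual
    # Number of affected individuals, in bands (assumed cut-offs).
    if b.affected_individuals >= 10_000:
        score += 3
    elif b.affected_individuals >= 1_000:
        score += 2
    elif b.affected_individuals >= 100:
        score += 1
    # recipient_trusted is intentionally unused: it must not lower the score.
    return score


def risk_level(score: int) -> str:
    """Map the score onto the High/Medium/Low scale used elsewhere in the blueprint."""
    if score >= 12:
        return "High"
    if score >= 7:
        return "Medium"
    return "Low"


def authority_notification_deadline(b: BreachRecord) -> datetime:
    """Latest time to notify the supervisory authority under the GDPR 72-hour rule."""
    return b.detected_at + GDPR_AUTHORITY_NOTIFICATION_WINDOW


def assess(b: BreachRecord) -> dict:
    """Produce the data-subject-risk entry to record in the incident runbook."""
    score = data_subject_risk_score(b)
    return {
        "breach_type": b.breach_type,
        "score": score,
        "level": risk_level(score),
        "affected_individuals": b.affected_individuals,
        "notify_authority_by": authority_notification_deadline(b).isoformat(),
        "notify_data_subjects": risk_level(score) == "High",   # assumed policy trigger
    }


# Constructed incident: an admissions spreadsheet with contact and financial-aid
# details e-mailed to the wrong internal distribution list.
SAMPLE_BREACH = BreachRecord(
    breach_type="confidentiality",
    data_categories=("contact", "financial"),
    affected_individuals=2_500,
    identifiable=True,
    recipient_trusted=True,
    permanent_consequences=False,
    vulnerable_subjects=False,
    detected_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(assess(SAMPLE_BREACH))
```

The deadline is computed from the moment of awareness, not from when the breach started, and the trusted-recipient flag is recorded but deliberately never reduces the score, matching the point that a trusted recipient does not negate the breach.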
Download this research: Develop and Implement a Security Incident Management Program
Define and uphold your post-incident record-keeping requirements
For regulatory purposes, it is crucial that a breach response process is developed and documented both prior to and following an incident.
- Time to identify and time to resolve breach
- Consequences of the breach
- How the breach was remediated and the justified breach response
- Employee training on process
- What took place during the breach
- What personal data was affected
- Causes of the breach
Integrate incident response as a part of security operations
Incident response is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operation, and technology infrastructure on a daily basis.
Next-Gen Security Operations
Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.
Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data, but also provides visibility into your threat landscape.
Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.
Know the “why” behind your processing activities
A good start to understand the legitimacy of your reasons for data processing stems from the GDPR. Align your reasons for processing with one of the six lawful bases for data processing.
1. Consent
2. Performance of a Contract
3. Legal Obligation
4. Vital Interests
5. Public Interest or Official Authority
6. Legitimate Interest
Source: GDPR Article 4(2), 6
Align data classification to privacy law requirements
Organizations can use data discovery and classification as a method to understand their data environment.
1. Require data discovery & classification: Organizations that have existing data classification can leverage their previous effort to align the scheme to personal data. Organizations that do NOT have existing data classification should create a tiered scheme that addresses all types of data (e.g. organizational and personal). Four steps of this project:
Align your data types based on data classification in the organization. Download this research: Leverage Info-Tech’s research Discover and Classify Your Data.
2. Have a sound understanding of your data environment: Validate and continue finalizing the Data Process Mapping Tool.
Define data classification in the context of your organization
Build out a data classification scheme that fits the operating and regulatory environment of your organization
What is data classification?
Data classification is the process of identifying and classifying data on the basis of sensitivity and the impact the information could have on the company if the data is breached. The classification initiative outlines proper handling procedures for the creation, use, storage, disclosure, and removal of data.
Why do we need it?
With the increase in data and digital advancements in communication and storage (e.g. cloud), it becomes a challenge for organizations to know what data exists and where data lives. A classification scheme must be properly implemented and socialized to help ensure appropriate security measures are applied to protect that data appropriately.
Types of data
Structured
- Highly organized data, often in a relational, easily searchable database.
- E.g. employee numbers stored in a spreadsheet
Unstructured
- Data that is not predefined in format and content; majority of data in most organizations.
- E.g. free text, images, videos, audio files
Semi-structured
- Information not held in a traditional database but that contains some organizational properties.
- E.g. email, XML
Without data classification, an organization treats all information the same.
- Sensitive data may have too little protection.
- Less sensitive data may have too much protection.
Strategically classifying data will allow an organization to implement proper controls where necessary.
Further define risk using the Data Process Mapping Tool
Each of the business processes retained within the Data Process Mapping Tool contains an inherent level of risk based on the volume and sensitivity of data.
- Pull the outputs from the initial risk-mapping activity as you work through populating the Data Process Mapping Tool.
- Categorize each of the business processes based on where they fall within the quadrant, and populate column F within tabs 1 and 2 of the tool.
- High / Medium / Low
- Identify and make note of the number of processes that fall within each of the three categories. Track areas in which the majority of high vs. low risk processes exist and observe any trends.
- For any processes that remain categorized as High, perform further analysis to validate the classification:
- Internal Risk Assessment
- Security Assessment
- Info-Tech’s Data Protection Impact Assessment Tool
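The quadrant categorization described above (volume against sensitivity, written to column F, then tallied, with remaining High processes sent for further validation) can be expressed as a repeatable rule rather than a per-row judgement. This is an added example, not the Data Process Mapping Tool itself: the sensitivity tiers, the volume cut-offs, the quadrant rule and the sample process rows are all constructed assumptions that an organization would replace with its own classification scheme.

```python
from collections import Counter

# Assumed sensitivity tiers per personal-data type (1 = low, 3 = high); constructed
# for this example and meant to be replaced by the organization's own classification scheme.
SENSITIVITY_TIER = {
    "contact": 1,
    "academic": 2,
    "financial": 3,
    "health": 3,
    "biometric": 3,
}

# Constructed rows in the shape of the Data Process Mapping Tool:
# (business unit, business process, personal data types, approximate record volume).
PROCESSES = [
    ("Admissions", "Recruitment, Admission and Enrollment", {"contact", "academic", "financial"}, 25_000),
    ("Facilities", "Physical access control", {"contact", "biometric"}, 8_000),
    ("Human Resources", "Employment management", {"contact"}, 900),
    ("Instruction", "Course evaluation survey", {"academic"}, 300),
]


def sensitivity(data_types: set) -> int:
    """The most sensitive data type present drives the sensitivity of the whole process."""
    return max(SENSITIVITY_TIER.get(t, 1) for t in data_types) if data_types else 1


def volume_band(records: int) -> int:
    """Band the record count: 1 = under 1k, 2 = 1k to 10k, 3 = 10k and above (assumed cut-offs)."""
    if records >= 10_000:
        return 3
    if records >= 1_000:
        return 2
    return 1


def inherent_risk(data_types: set, records: int) -> str:
    """Place a process in the volume/sensitivity quadrant and return the column-F rating."""
    s, v = sensitivity(data_types), volume_band(records)
    if s == 3 or (s == 2 and v == 3):
        return "High"
    if s == 2 or v >= 2:
        return "Medium"
    return "Low"


def rate_processes(processes=PROCESSES) -> list:
    """Return one dict per process, including the rating that would be written to column F."""
    return [
        {"unit": unit, "process": name, "data_types": sorted(types),
         "records": records, "risk": inherent_risk(types, records)}
        for unit, name, types, records in processes
    ]


def risk_tally(rated: list) -> Counter:
    """Count processes per rating, to see where high-risk processing concentrates."""
    return Counter(row["risk"] for row in rated)


def dpia_threshold_candidates(rated: list) -> list:
    """Processes still rated High need further validation, e.g. the DPIA threshold assessment."""
    return [row["process"] for row in rated if row["risk"] == "High"]


if __name__ == "__main__":
    rated = rate_processes()
    for row in rated:
        print(f'{row["risk"]:6}  {row["unit"]:16} {row["process"]}')
    print(dict(risk_tally(rated)))
    print("DPIA threshold:", dpia_threshold_candidates(rated))
```

Taking the maximum tier rather than an average is deliberate: a single biometric field in an otherwise low-sensitivity process is enough to make the whole process high risk, which is the outcome a reviewer would expect from the quadrant.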
2.4 Complete the DPIA threshold assessment for high-risk business processes
1-2 hours
A data protection impact assessment is used to assess how much private data will be affected by planned processing activities. A DPIA helps ensure that data-processing activities are both compliant with data protection regulations and that data processors are cognizant of the risks surrounding the processing of personal data.
- For all identified high-risk processing activities, work through the dynamic questionnaire.
- Complete one threshold assessment per activity.
- Based on the recommendation and risk score, move to complete the DPIA on a per-activity basis.
- Complete either a Lite or Full version of the DPIA, based on the nature of the process.
- Involve the process owner (Project Owner) and a third-party stakeholder (Project Reviewer).
- Refer to the results report (tab 4) to review each of the priority processes and subsequent next steps toward compliance.
Download Info-Tech’s DPIA tool
Leverage Info-Tech’s security framework to document your security controls
A Best-of-Breed Information Security Framework
INFO-TECH’S SECURITY FRAMEWORK
- ISO 27000 series: Comprehensive standard providing best practices associated with each control
- CIS – Critical Security Controls: A concise list of 20 controls and sub-controls for actionable cyber defense
- COBIT 5: A process and principle structured security best-practice framework
- NIST SP800-53: Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations
Info-Tech’s information security framework and maturity model methodology
In general, organizations are required or expected to implement appropriate risk-based technical and organizational measures to ensure the ongoing confidentiality, integrity, and availability of personal data.
- The controller and the processor shall provide
- Appropriate technical and organizational measures
- To ensure
- A level of security appropriate to the risk
- Taking into account
- The state of the art
- Costs of implementation
- The nature, scope, context, purposes of processing
Info-Tech Insight
A best-of-breed approach ensures holistic coverage of your information security program while maturing from reactive to strategic information security management.
Phase 3
Build the Privacy Roadmap
- Phase 1: 1.1 Define and Document Drivers; 1.2 Establish Privacy Governance Structure; 1.3 Build Privacy RACI; 1.4.1 Define Personal Data Scope; 1.4.2 Build Risk Map
- Phase 2: 2.1 Complete Data Process Mapping Tool; 2.2 Compare Compliance and Regulatory Requirements for Gap Analysis; 2.3 Analyze the Risk of Data Breaches; 2.4 Conduct DPIA Threshold Assessment
- Phase 3: 3.1 Complete Business Unit Gap Analysis; 3.2 Develop Cost Estimates; 3.3 Define Alignment and Privacy Risk; 3.4.1 Apply Variables to Privacy Initiatives; 3.4.2 Assign Cost and Effort Values; 3.5 Create a Visual Map; 3.6.1 Define the Effort Map; 3.6.2 Refine the Effort Map; 3.7 Create the Visual Roadmap; 3.8 Revise Cost and Effort Table
- Phase 4: 4.1 Establish Metrics; 4.2 Operationalize Metrics; 4.3 Set Checkpoints and Drive Continuous Improvement
This phase will walk you through the following activities:
- Identify where high-priority gaps exist in current privacy practices
- Tie cost, effort, risk, and alignment values to each of the relevant privacy gap-closing initiatives
- Further refine resourcing estimates
This phase involves the following participants:
- Privacy officer
- Core privacy team
- Select business unit privacy champions
- InfoSec representative (optional)
- IT representative (optional)
3.1 Complete the privacy gap analysis exercise for individual business units
1-1.5 hours per business unit
After you’ve identified each of the key gap areas within your organization’s current privacy framework and supporting processes, walk business unit privacy champions through the maturity gap analysis (tab 2) for the following four areas:
- Data Processing and Handling
- Data Subject Requests
- Privacy by Design
- Notices and Consent
- Provide each business unit with a copy of the Privacy Analysis by Business Unit Tool.
- Fill out this tool using the same approach used for the larger framework.
- After completion, meet with the privacy champion from each business unit to discuss results. Compare maturity gaps with those of the overall Privacy Framework Tool.
- Identify which of the four areas and supporting controls had significantly different privacy gaps and gap-closing initiatives.
- Include all the supporting initiatives as part of tab 4 in the overall Privacy Framework Tool.
Download Info-Tech’s Privacy Analysis by Business Unit Tool
3.2 Develop cost estimates for privacy initiative list
1 hour
- Leverage the full list of privacy initiatives, including any collected during activity 3.1.
- Look to Info-Tech’s industry standards (Manufacturing, Retail, Healthcare, Financial Services) as a guideline when you determine a range for the following input categories for your organization:
- Initial Cost
- The cost to implement the initiative, including the purchase of any new solutions or resources.
- Ongoing Cost (Annual)
- The ongoing cost to maintain the initiative, which can be in the form of subscription or maintenance fees.
- This cost is often estimated at 20% of the initial cost.
- Initial Staffing (Hours)
- The number of hours of assigned resources needed to bring the initiative to completion.
- Ongoing Staff in Hours (per week)
- Any expected regular maintenance required after implementation (e.g. to monitor a privacy tracking solution or to respond to data subject requests).
Download Info-Tech’s Privacy Framework Tool
3.3 Define alignment and privacy risk for the organization
30 minutes
Continue standardizing variables, including “Alignment With Business” and “Privacy Risk Reduction.” On tab 4 of the Privacy Framework Tool, select “High,” “Medium,” or “Low” values for the following:
Alignment to Business
- Identify which initiatives directly align with the organization’s senior leadership team goals.
Privacy Risk Reduction
- This is a key variable in how you prioritize the initiatives.
- Privacy risk can be viewed in many ways: risk posed to data subjects’ rights, the financial consequences associated with a risk, likelihood of a breach, or other relevant criteria.
- The ways each organization looks at privacy risk will be different. Many will look at how a breach of privacy impacts the organization from a reputation or cost perspective, rather than through the rights of the data subject.
3.4.1 Apply variables to privacy initiatives
2 hours
Continue to build out the privacy initiative prioritization list on tab 4 of the Privacy Framework Tool by aligning bucket cost and benefit ranges based on your organization.
- Apply the cost and benefit variables to each of the initiatives.
- Copy and paste the initiatives from tab 2, Privacy Framework, into tab 4, Initiative Prioritization, under “Planned Initiatives.” If desired, consolidate similar initiatives into larger projects.
- Copy and paste any initiatives from the Privacy Analysis by Business Unit Tool here as well.
- For each initiative, assign its cost, effort, and benefit. This produces an overall cost/effort rating based on the combination of all the cost and staffing variables. The scale ranges from 1 to 12.
- Optional: Consider building an effort map using the cost/effort rating and the risk reduction benefit. This can be a useful exercise to visualize how your initiatives are distributed in terms of cost and benefit.
3.4.2 Assign specific cost and effort values
1 hour
If you are aware of exact costs or efforts required for an initiative, you can enter it on the right side of the table on tab 4, Initiative Prioritization.
- When entering “High,” “Medium,” or “Low” values for the cost and effort, you may be aware of the specific cost rather than using the large estimation buckets – if so, enter this on the right side of the table.
- The cells in blue automatically calculate what the initiative will cost based on the “High,” “Medium,” or “Low” value and the multiplier you chose earlier.
- If you put in a specific cost or effort value in the white cells, your input will overwrite the estimate in the calculations.
Note: This will be useful in populating the “Cost and Effort Estimates Table” on tab 6. It will provide an overall estimate of costs and effort associated with implementing a privacy program. The more accurate the data you enter in the tool, the more accurate the final estimates will be.
3.5 Create a visual effort map for your organization
1 hour
An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 4 in the Privacy Framework Tool.
- Establish the axes and colors for your effort map:
- X-axis represents the Privacy Benefit value from column J
- Y-axis represents the Cost/Effort value from column H
- Sticky note color is determined using the Alignment to Business value from column I
- Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
- As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.
3.6.1 Refine the effort map’s visual output
1 hour
Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.
- Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of governing privacy law (GDPR, CCPA, HIPAA, etc.) and mark with a sticky dot.
- Document these initiatives as Execution Wave 1.
3.6.2 Refine the effort map’s visual output
30 minutes
- Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
- Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5 and 3.6.1.
- Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
- Leverage the following 0-4 Execution Wave scale:
- Underway – Initiatives that are already underway
- Must Do – Initiatives that must happen right away
- Should Do – Initiatives that should happen but need more time/support
- Could Do – Initiatives that are not a priority
- Won’t Do – Initiatives that likely won’t be carried out
- Indicate the granular level for each execution wave using the A-Z scale.
- Use the lettering to track dependencies between initiatives.
- If one must take place before another, ensure that its letter comes first alphabetically.
- If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.
3.7 Create the visual roadmap
1 hour
If enough information around current and immediate future project resourcing is available, use the Gantt chart in tab 5 to document the exact start and end times of each initiative. This may be difficult to do immediately after prioritization, as there may be many considerations as to where these projects fit alongside existing action plans and strategies.
- Work with team members to first identify start dates for mandatory privacy initiatives (governed by privacy law).
- Refer to cost and effort estimates provided in tab 4 as you begin to populate start and end dates for each individual privacy initiative. Work in sequential order based on assigned Execution Waves.
- Assign ownership to each initiative. Ensure that each assigned owner is provided with relevant documentation to keep track of initiative (project) progress.
3.8 Revise and assess the cost and effort table
30 minutes
- Refer to the Cost and Effort Table on tab 6. The table will populate with an estimate of your overall costs based on the data input into the Initiative Prioritization tab.
- Costs are broken out based on the execution waves with a full total tabulated at the bottom. For each of the waves, you will be able to see the total dollar cost and total effort requirement based on:
- The cost of initial implementation to establish the privacy program.
- The ongoing annual cost, describing the costs and effort required to maintain the program.
- A rough total of these costs over a specified number of years. The number of years can be changed on the initiative prioritization tab (tab 4).
- Based on the results, revise if necessary. Keep in mind that these totals will be the driving points put forward to the senior leadership team when sourcing resources for the privacy program.
- Document final total costs and total efforts for each execution wave within your executive presentation. Identify areas on which to focus to obtain buy-in from your senior management team.
* Bear in mind that these numbers are solely estimates of previously input data. The total may be higher than expected.
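Activities 3.6.2 (the 0-4 execution waves with A-Z sequencing letters and the rule that legally mandated initiatives land in the first wave), 3.2 (ongoing cost estimated at 20% of initial cost) and 3.8 (per-wave and total cost and effort over a chosen number of years) describe a small data model with a few consistency checks and sums. The following is an added example of that model, not the Privacy Framework Tool's spreadsheet logic: the `Initiative` fields, the 52-week annualization, treating wave 0 or 1 as acceptable for mandatory items, and leaving "Won't Do" out of the grand total are all assumptions, and the roadmap rows are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Execution wave scale from activity 3.6.2.
WAVES = {0: "Underway", 1: "Must Do", 2: "Should Do", 3: "Could Do", 4: "Won't Do"}
WEEKS_PER_YEAR = 52            # assumption used to annualize weekly staffing hours
DEFAULT_ONGOING_RATIO = 0.20   # the page's rule of thumb: ongoing cost is often ~20% of initial cost


@dataclass
class Initiative:
    name: str
    wave: int                   # 0-4 execution wave
    letter: str                 # A-Z sequencing letter within the wave
    mandatory: bool             # required by governing privacy law
    initial_cost: float
    initial_hours: float
    ongoing_hours_per_week: float
    ongoing_cost: Optional[float] = None   # annual; None falls back to the 20% estimate

    def annual_cost(self) -> float:
        if self.ongoing_cost is not None:
            return self.ongoing_cost
        return DEFAULT_ONGOING_RATIO * self.initial_cost

    def annual_hours(self) -> float:
        return self.ongoing_hours_per_week * WEEKS_PER_YEAR


def validate_plan(initiatives: list) -> list:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    for i in initiatives:
        if i.wave not in WAVES:
            problems.append(f"{i.name}: wave {i.wave} is outside the 0-4 scale")
        if not (len(i.letter) == 1 and "A" <= i.letter <= "Z"):
            problems.append(f"{i.name}: letter {i.letter!r} is not a single A-Z letter")
        if i.mandatory and i.wave > 1:   # mandatory items belong in the first wave (or are underway)
            problems.append(f"{i.name}: mandatory under privacy law but placed in wave {i.wave}")
    return problems


def execution_order(initiatives: list) -> list:
    """Sequence by wave, then letter; equal letters within one wave run in tandem."""
    return [i.name for i in sorted(initiatives, key=lambda i: (i.wave, i.letter, i.name))]


def cost_effort_table(initiatives: list, years: int) -> dict:
    """Per-wave totals as laid out in the Cost and Effort Table, plus a grand total.
    Wave 4 ("Won't Do") is listed but excluded from the grand total (an assumption)."""
    table = {}
    for i in initiatives:
        row = table.setdefault(i.wave, {"initial_cost": 0.0, "annual_cost": 0.0,
                                        "initial_hours": 0.0, "annual_hours": 0.0})
        row["initial_cost"] += i.initial_cost
        row["annual_cost"] += i.annual_cost()
        row["initial_hours"] += i.initial_hours
        row["annual_hours"] += i.annual_hours()
    for row in table.values():
        row["total_cost"] = row["initial_cost"] + row["annual_cost"] * years
        row["total_hours"] = row["initial_hours"] + row["annual_hours"] * years
    keys = ("initial_cost", "annual_cost", "total_cost",
            "initial_hours", "annual_hours", "total_hours")
    table["total"] = {k: sum(r[k] for w, r in table.items() if w != 4) for k in keys}
    return table


# Constructed roadmap rows (names, waves, costs and hours are illustrative only).
ROADMAP = [
    Initiative("Publish privacy notice", 1, "A", True, 5_000, 40, 1),
    Initiative("Stand up DPIA process", 1, "B", True, 10_000, 80, 2, ongoing_cost=3_000),
    Initiative("Adopt data retention schedule", 2, "A", False, 20_000, 120, 2),
    Initiative("Review vendor DPAs", 3, "A", False, 8_000, 60, 1),
    Initiative("Purge legacy archive", 4, "A", False, 50_000, 200, 0),
]

if __name__ == "__main__":
    print("problems:", validate_plan(ROADMAP))
    print("order:", execution_order(ROADMAP))
    for wave, row in cost_effort_table(ROADMAP, years=3).items():
        print(WAVES.get(wave, wave), row)
```

Running `validate_plan` before the totals are presented catches the two errors that most often survive a whiteboard session: a legally required initiative pushed into a later wave, and a sequencing letter that does not follow the A-Z convention.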
Implementation Example – Be Transparent
Key Components of a Privacy Notice
- The identity of the organization
- What personal data you collect
- Why you collect this personal data
- How you collect personal data
- How you use personal data
- How you share personal data with third parties
- How you store personal data
- Personal data cross-border transfers
- How you protect data
- How you treat children’s personal data
- Your data subjects' rights
- Contact details
Info-Tech Insight
Your privacy notice explains your commitment to the data subject. Make sure it’s accessible at the beginning of all data collection activities.
Implementation Example – Vendor Risk Management
End-to-End Third-Party Privacy Risk Management
- Pre-Contract
- Due diligence check
- Signing of Contract
- Data processing agreement
- Post-Contract
- Continuous monitoring
- Regular check or audit
- Termination of Contract
- Data deletion
- Access deprovisioning
Core components of a DPA
- Defined data processing roles
- Defined contract processing
- Processing instructions
- Sub-processor
- Security controls
- Data breach notification and handling
- Data secrecy and staff awareness and training
- Data subject request
- Compliance demonstration
- Cross-border transfer
- Termination of Service
- Liability and indemnity
According to the Ponemon Institute (2018): 61% of organizations experienced a data breach caused by their supply chain in 2018; only 29% of organizations believe a third-party vendor would notify them of a data breach; only 28% of organizations believe they will be notified when a third-party shares data with an nth party.
Info-Tech Insight
Many organizations know that they need to secure their supply chain but struggle with finding the right level of due diligence. An end-to-end third-party privacy risk management process should be established to protect the shared data.
Implementation Example - Data Retention
Some business leaders will perceive indefinite retention as a benefit for business intelligence reasons (there’s always another potential use for data). However useful it may be, unnecessary personal data will cause additional headaches in the event of a breach.
- Requirements: privacy laws and regulations; business needs; security protection such as data classification
- Governance: data retention policy; data retention schedule; cross-functional collaboration (i.e. IT, Business, Legal, etc.)
- Enforcement: data deletion or de-identification; monitoring and audit
Info-Tech Insight
Establish a single source of truth for your data. This will allow you to go to the source and delete the first instance of the data (as per your retention schedule), and then plan to purge the secondary, tertiary, etc. instances on a regular basis.
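The enforcement half of a retention program (a schedule per data category, deletion or de-identification once the period lapses, and purging the source copy first and the secondary copies after) is straightforward to mechanize. The following is an added example, not Info-Tech's tooling: the schedule, the record layout with a `source` system and a `copies` list, the choice of HMAC-SHA256 for pseudonymization and the sample records are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed retention schedule: category -> (retention period in days, enforcement action).
# None means the record is retained for as long as the business or legal need persists.
RETENTION_SCHEDULE = {
    "admissions_application": (730, "delete"),
    "transcript": (None, "retain"),
    "access_log": (90, "delete"),
    "survey_response": (365, "deidentify"),
}
DIRECT_IDENTIFIERS = ("name", "email", "student_id")

# Constructed records. "source" is the system holding the authoritative copy (the single
# source of truth); "copies" lists the secondary systems that must be purged afterwards.
RECORDS = [
    {"id": "r1", "category": "access_log", "created": date(2024, 1, 5), "source": "door-ctl",
     "copies": ["siem"], "name": "A. Student", "student_id": "S1001"},
    {"id": "r2", "category": "survey_response", "created": date(2022, 11, 1), "source": "lms",
     "copies": [], "email": "a.student@example.edu", "rating": 4},
    {"id": "r3", "category": "transcript", "created": date(2010, 6, 1), "source": "sis",
     "copies": ["archive"], "name": "B. Alumni", "student_id": "S0042"},
    {"id": "r4", "category": "admissions_application", "created": date(2023, 9, 1), "source": "crm",
     "copies": ["shared-drive"], "name": "C. Prospect", "email": "c@example.org"},
]
TODAY = date(2024, 6, 1)             # constructed "run date" for the example
PSEUDONYM_KEY = b"example-key-only"  # placeholder; a real key lives in a secrets store


def is_expired(record: dict, today: date) -> bool:
    """True once the record is older than its category's retention period."""
    days, _ = RETENTION_SCHEDULE[record["category"]]
    return days is not None and today - record["created"] > timedelta(days=days)


def deidentify(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with a keyed hash so analytics keep working without PII.
    A keyed HMAC rather than a plain hash means the pseudonym cannot be re-derived
    from a known identifier by anyone without the key."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            digest = hmac.new(key, str(out[field]).encode(), hashlib.sha256).hexdigest()
            out[field] = "pseudo-" + digest[:16]
    return out


def apply_schedule(records: list, today: date, key: bytes) -> tuple:
    """Return (records to keep, actions). Actions name the source system first, then each copy,
    so the authoritative instance is handled before the secondary ones are purged."""
    kept, actions = [], []
    for rec in records:
        if not is_expired(rec, today):
            kept.append(rec)
            continue
        action = RETENTION_SCHEDULE[rec["category"]][1]
        for system in [rec["source"]] + rec["copies"]:
            actions.append((rec["id"], action, system))
        if action == "deidentify":
            kept.append(deidentify(rec, key))
    return kept, actions


if __name__ == "__main__":
    kept, actions = apply_schedule(RECORDS, TODAY, PSEUDONYM_KEY)
    for a in actions:
        print(a)
    print([r["id"] for r in kept])
```

The action list is what the monitoring and audit step consumes: each tuple is one thing to confirm happened in one system, which makes "was the secondary copy on the shared drive actually purged?" an answerable question rather than an assumption.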
Phase 4
Implement and Operationalize
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|
1.1 Define and Document Drivers; 1.2 Establish Privacy Governance Structure; 1.3 Build Privacy RACI; 1.4.1 Define Personal Data Scope; 1.4.2 Build Risk Map | 2.1 Complete Data Process Mapping Tool; 2.2 Compare Compliance and Regulatory Requirements for Gap Analysis; 2.3 Analyze the Risk of Data Breaches; 2.4 Conduct DPIA Threshold Assessment | 3.1 Complete Business Unit Gap Analysis; 3.2 Develop Cost Estimates; 3.3 Define Alignment and Privacy Risk; 3.4.1 Apply Variables to Privacy Initiatives; 3.4.2 Assign Cost and Effort Values; 3.5 Create a Visual Map; 3.6.1 Define the Effort Map; 3.6.2 Refine the Effort Map; 3.7 Create the Visual Roadmap; 3.8 Revise Cost and Effort Table | 4.1 Establish Metrics; 4.2 Operationalize Metrics; 4.3 Set Checkpoints and Drive Continuous Improvement |
This phase will walk you through the following activities:
- Establish metrics that map to the needs of the organization
- Implement and integrate metrics into operations
This phase involves the following participants:
- Privacy officer/privacy team
- Senior management representation (optional)
- InfoSec representative
- IT representative
Make your privacy program functional
Effective metrics add value by reflecting the current business environment and forecasting for the future
As you begin to establish relevant metrics to guide the data privacy program, document and classify based on the associated set of privacy controls and category. Use Info-Tech’s Data Privacy Program Report template as your repository.
1. Create a measurable privacy program. Metrics take your privacy program from static documentation to a functional operation. Ensure that each task populated within the data privacy framework Gantt chart is supported by corresponding metrics.
2. Use metrics to help integrate privacy in the organization. Remove the fear factor associated with privacy by leveraging the language of your business unit champions as you create a metrics program that they can understand and integrate.
3. Choose metrics that make sense and align to your business requirements. Select metrics that make sense for the group you are reporting up to, and ensure that the metrics are business-relevant and support the strategic initiatives and direction of the organization.
4. Be selective with the number of metrics. "More" does not mean "more effective." Limit the metrics selected for the privacy program. One of the obstacles in obtaining buy-in stems from how lengthy and complex privacy can be to implement; don't make it harder than it has to be.
Source: IAPP, “Privacy Program Management”
Match metrics to privacy controls
Create a cohesive privacy framework by aligning metrics to each of the 12 categories of privacy controls:
1. Governance
2. Regulatory Compliance
3. Data Processing and Handling
4. Data Subject Requests
5. Privacy by Design
6. Notices and Consent
7. Incident Response
8. Privacy Risk Assessment
9. Information Security
10. Third-Party Management
11. Awareness and Training
12. Program Measurement
4.1 Define privacy metrics for the organization
1 hour
- Based on the metrics provided by Info-Tech as a part of the data privacy program framework, identify which ones best suit the current needs of the organization and future privacy goals.
- Limit this selection to two to three metrics per tactical privacy area (selected from the 12 control categories in the Privacy Framework). Ask yourself: What do you want to know most about your privacy program? What do you want to show to others?
- For many privacy regulations, the need to demonstrate adherence is crucial, and metrics will play a large role in this regard.
- Beyond regulations, what are the privacy areas you want to track? What are the areas that senior management wants to track?
- For the selected metrics, discuss the target that you would like to achieve.
- This will likely change over time, but identifying a target helps to add context and goals to your privacy program.
- Consider selecting an immediate-term target and a stretch-goal target that represents a mature state for the privacy program.
- Document targets within the Data Privacy Program Report.
Download Info-Tech’s Data Privacy Program Report
Info-Tech Insight
Don’t focus on industry benchmarks for privacy – your privacy requirements will be unique and continue to evolve over time. Similarly, even the metric targets can change over time. What was once considered a “good” target can become “bad” in the future. Privacy will continue to evolve just as the business continues to change.
4.2 Align and prioritize privacy metrics
1 hour
Tie each selected metric to a control category and to the roadmap initiative whose progress it tracks.
- Write out the metrics selected in activity 4.1 on sticky notes.
- Divide whiteboard into 12 columns, each one corresponding to a category of privacy controls from the Privacy Framework Tool.
- Place metric stickies under appropriate privacy category.
- Reference prioritized initiatives from the Privacy Framework Tool (Execution Wave 1) and write each initiative on the whiteboard next to a corresponding metric.
- Metrics should directly correlate to tracking progress of the initiative. Some initiatives may map to multiple metrics; make note of this in the Data Privacy Program Report.
- For any Wave 1 initiatives that do not have an assigned metric, revisit activity 4.1 and ensure that a supporting metric is modified or a new metric is established.
- As the program matures, repeat this activity for additional Execution Waves and align metrics accordingly.
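Activities 4.1 and 4.2 together, as an added worked example that is not part of the Info-Tech blueprint or its Data Privacy Program Report template: two illustrative metrics are computed from constructed operational records, each is tagged with its control category and the Wave 1 initiative it tracks, scored against an immediate target and a stretch target, and the Wave 1 initiatives that no metric covers are reported so they can be sent back to activity 4.1. The request log, system roster, initiative names, targets and the 30-day deadline are all constructed for illustration; the statutory response period depends on the regulation that applies to you.

```python
"""Privacy metrics scored against targets and mapped to controls (illustrative)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable

# Constructed DSAR log: (received, closed or None if still open).
DSAR_DEADLINE = timedelta(days=30)          # illustrative, not a statutory value
DSARS = [
    (date(2024, 1, 3), date(2024, 1, 20)),
    (date(2024, 1, 15), date(2024, 2, 27)),   # closed late
    (date(2024, 2, 1), date(2024, 2, 28)),
    (date(2024, 2, 20), None),                # open and already past deadline
    (date(2024, 3, 10), None),                # open but still inside deadline
]
# Constructed roster of systems processing personal data: (system, DPIA completed)
SYSTEMS = [("SIS", True), ("LMS", True), ("CCTV analytics", False), ("Advising chatbot", False)]
TODAY = date(2024, 3, 25)


def dsar_on_time_rate(today: date) -> float:
    """Share of decidable requests closed within the deadline.

    Open requests past their deadline count as missed; open requests still
    inside it are not yet decidable and are excluded from the denominator.
    """
    met = missed = 0
    for received, closed in DSARS:
        due = received + DSAR_DEADLINE
        if closed is not None:
            if closed <= due:
                met += 1
            else:
                missed += 1
        elif today > due:
            missed += 1
    return met / (met + missed) if met + missed else 0.0


def dpia_coverage() -> float:
    """Share of personal-data systems with a completed DPIA."""
    return sum(1 for _, done in SYSTEMS if done) / len(SYSTEMS)


@dataclass
class Metric:
    name: str
    category: str              # one of the 12 privacy control categories
    initiatives: tuple         # roadmap initiatives this metric tracks
    compute: Callable[[], float]
    immediate: float           # near-term target
    stretch: float             # mature-state target

    def status(self) -> tuple:
        """Return (value, level) where level is 'below', 'immediate' or 'stretch'."""
        v = self.compute()
        level = "stretch" if v >= self.stretch else "immediate" if v >= self.immediate else "below"
        return round(v, 3), level


METRICS = [
    Metric("DSARs closed within deadline", "4. Data Subject Requests",
           ("DSAR intake workflow",), lambda: dsar_on_time_rate(TODAY), 0.80, 0.95),
    Metric("Systems with completed DPIA", "8. Privacy Risk Assessment",
           ("DPIA threshold assessment",), dpia_coverage, 0.50, 0.90),
]
WAVE_1 = ["DSAR intake workflow", "DPIA threshold assessment", "Vendor DPA refresh"]


def unmapped_initiatives(wave: list, metrics: list) -> list:
    """Wave initiatives with no metric tracking them (send these back to 4.1)."""
    covered = {i for m in metrics for i in m.initiatives}
    return [i for i in wave if i not in covered]


def scorecard() -> dict:
    return {m.name: (m.category, *m.status()) for m in METRICS}


if __name__ == "__main__":
    for name, (cat, value, level) in scorecard().items():
        print(f"{cat:<30} {name:<32} {value:.0%}  {level}")
    print("no metric:", unmapped_initiatives(WAVE_1, METRICS))
```

The decision to count open-but-overdue requests as missed is deliberate: a metric that only looks at closed tickets will read well precisely when the backlog is worst.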
Download Info-Tech’s Data Privacy Program Report
Develop and implement your metric lifecycle
Increase the credibility of the privacy program by analyzing and reporting on metrics on a regular basis.
- A key factor in ensuring integration of the privacy program throughout the organization is presenting the business benefits of the program to the entire organization, and specifically to the executive leadership group.
- Privacy is not a “one-and-done” project. Even after establishing metrics and implementing metric tracking as a part of the program, progress should be assessed.
- This is the key step in establishing a metric lifecycle, ensuring that your metrics are continuously monitored and reviewed to meet the needs of the privacy program.
- The final factor is ensuring that the metrics used to gauge the privacy program directly align to the organization’s business goals and support achieving these objectives. This helps to obtain requisite buy-in and support from executive leadership.
Analysis and Monitoring Categories
- Compliance
- Ensure that the organization meets compliance obligations.
- Examples include audit management, self-monitoring, security/system management, and risk management.
- Regulatory/Legal
- Ensure that the organization meets any legally imposed regulations to which it is subject.
- PEST
- Ensure that the organization's approach to privacy and the privacy program align with both the external and internal operating environment, and consider any political, economic, social, and technological factors (PEST).
Source: IAPP, “Privacy Program Management”
Quantify privacy by tracking ROI
The final step in maturing and delivering value through the privacy program is achieved by demonstrating positive return on investment to your leadership team.
- As privacy becomes the norm within organizations globally, the relationship between high-accountability, privacy-mature organizations and organizational performance becomes increasingly easy to track.
- Business and IT leaders credit privacy management practices with:
- Increased competitive advantage
- Positive compliance records
- Innovation gains
- Operational agility
- Reduced sales delays
- Increased customer loyalty and brand reputation
Privacy ROI worldwide
- Average: $1.00 spent on privacy returns $2.70
- Highest reported returns: United Kingdom (3.5x), Brazil (3.5x), Mexico (3.5x)
Source: Cisco 2020 Privacy Benchmark Study (see bibliography)
Organizations that have dedicated time and resources to maturing privacy best practices are already experiencing positive ROI from their efforts.
4.3 Create and deliver the Data Privacy Program Report
1-2 hours
- Using all the privacy outputs collected from Phases 1-4, create your executive presentation by leveraging the Data Privacy Program Report.
- Focus on the key outputs that your senior management team will want to know:
- What are the high-priority “must-do’s”? Regulatory or governance requirements.
- What are the associated costs?
- What are the resourcing requirements?
- What is the required level of ongoing maintenance?
- How will this be tracked?
- Who takes ownership of the program and relevant initiatives?
Summary of Accomplishment
A clear path toward proactive privacy management
Higher education institutions are increasingly relying on online student learning, advice, and management platforms to streamline processes and deliver student services at scale.
In a perfect world, the summary of accomplishment would state that you’ve solved the data privacy problem within your organization, and you’ll never be the subject of headline news as having fallen victim to a data breach.
The reality is that an effective data privacy program is ongoing, constantly evolving to fit within the surrounding digital and societal landscape. You’ve laid the foundation in working through the Data Process Mapping Tool and understanding how privacy is currently applied within the scope of your organization. By leveraging the outputs from this tool, as well as the maturity gaps identified as a part of the Privacy Framework set of exercises, you’ve begun to create a forward-looking data privacy roadmap.
Established metrics and a set of steps to achieve operationalization position your data privacy program for success by moving beyond static policies and procedures. By focusing on monitoring and assessing how the program captures and supports data privacy, you create a dynamic and adaptable framework.
And while even the strongest of data privacy programs are not bulletproof vests when it comes to preventing data breaches, by developing a flexible and customized data privacy program, your organization significantly strengthens its ability to recover from data privacy incidents and reduces its overall risk of exposure.
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
Additional Support
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
- Develop the Data Process Mapping Tool: During an onsite engagement, Info-Tech analysts will guide the interviews conducted with each of the business unit champions. The outputs will enable a clearer perspective on how personal data is handled throughout the organization.
- Conduct a privacy gap analysis: An Info-Tech analyst will guide the discussion around the current state of privacy in the organization, aligned to Info-Tech's best-practice Privacy Framework. Compare current and future states to prioritize gap-closing initiatives.
Research Contributors and Experts
- Amalia Barthel, CIPM, CPIT, PMP, CRISC, CISM. Lecturer and Advisor, Privacy SME (private practice), University of Toronto
- Cat Coode. Data Privacy Consultant, Fractional Data Privacy Officer, Speaker, Binary Tattoo
- Paul Hinds, CISA, CISM, CRISC, CDPSE. Security Privacy Advisor, Northwestern University
- Mark Roman, B.Math, MBA, PMP. Managing Partner, Info-Tech Research Group
- Mark Maby. Research Director for Higher Education, Info-Tech Research Group
- Mark Hoeting. Executive Counselor, Info-Tech Research Group
Bibliography
Aberdeen and Liaison. “Enterprise Data in 2018: The State of Privacy and Security Compliance in Healthcare.” Aberdeen Group, 2018. Web. January 2019.
Accenture. “How Global Organizations Approach the Challenge of Protecting Personal Data.” Accenture and Ponemon Institute, 2009. Web. January 2019.
California Consumer Privacy Act of 2018. 2018. Web. November 2019.
Cavoukian, Ann. “Privacy by Design, The 7 Foundational Principles.” IPC Privacy by Design, January 2011. Web. 14 January 2020.
Centrify and Ponemon Institute. “The Impact of Data Breaches on Reputation & Share Value.” Centrify and Ponemon Institute, May 2017. Web. January 2019.
CIGI & Ipsos. “2018 CIGI-Ipsos Global Survey on Internet Security and Trust.” Centre for International Governance Innovation, 2018. Web. January 2019.
“Cisco 2018 Privacy Maturity Benchmark Study.” Cisco, January 2018. Web. January 2020.
“Cisco 2019 Privacy Maturity Benchmark Study.” Cisco, January 2019. Web. January 2020.
“Cisco 2020 Privacy Maturity Benchmark Study.” Cisco, January 2020. Web. January 2020.
“Data Protection & Privacy Officer Priorities.” CPO Magazine, 2020.
Densmore, Russell. “Privacy Program Management: Tools for Managing Privacy Within Your Organization.” IAPP, 2019.
“DoorDash Reports Data Breach Impacting 5 Million Customers.” Security Magazine, 27 September 2019. Web. November 2019.
Forbes. “DoorDash Data Breach Compromises 4.9 Million People.” Forbes, 26 September 2019. Web. December 2019.
General Data Protection Regulation. Chapters 1-11. May 2018. Web. November 2019.
Gierdowski, Dana C. ECAR Study of Undergraduate Students and Information Technology, 2019. Research report. Louisville, CO: ECAR, October 2019.
Government of Canada. “The Personal Information Protection and Electronic Documents Act.” April 2000. Web. November 2019.
Grajek, Susan. “Top 10 IT Issues, 2023: Foundation Models.” Educause, Oct. 2022.
HIPAA of 1996. US Department of Health & Human Services. 1996. Web. January 2020.
Hodge, Rae. “2019 Data Breach Hall of Fame: These were the biggest data breaches of the year.” CNET, 27 December 2019. Web. January 2020.
“IAPP-EY Annual Privacy Governance Report 2019.” IAPP, 2019. Web. December 2019.
IBM Security. “Cost of a Data Breach Report, 2019.” IBM, January 2020. Web. January 2020.
ISACA and TITUS. “GDPR: The End of the Beginning.” ISACA, 2018. Web. January 2019.
Paul, Kari. “‘Ban This Technology’: Students Protest US Universities’ Use of Facial Recognition.” The Guardian, 2 March 2020. Web.
NIST. “Computer Security Incident Handling Guide.” NIST, SP 800-61 Rev. 2, August 2012. Web. November 2019.
NIST. “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” NIST, 16 January 2020. Web. January 2020.
PIPEDA of 2000. The Government of Canada, 2000. Web. October 2019.
Proteus. “Privacy Research Database; Breach Calculator.” Proteus-Cyber. Web. December 2019.
Protiviti and North Carolina State University’s ERM Initiative. “Executive Perspectives on Top Risks for 2018: Key Issues Being Discussed in the Boardroom and C-Suite.” Protiviti and North Carolina State University’s ERM Initiative, 2017. Web. January 2019.
PwC. “The Anxious Optimist in the Corner Office.” 21st CEO Survey. PwC, 2018. Web. January 2019.
“Q3 2019 Data Breach QuickView Report.” RiskBased Security, 12 November 2019. Web. December 2019.
“Study: Mature Privacy Programs Experience Higher ROI.” IAPP, 27 January 2020. Web. January 2020.