- CIOs of durable goods manufacturing organizations are under pressure to innovate and comply with growing privacy obligations in different jurisdictions.
- The use of new technologies can allow companies to scale and grow, but it also complicates the landscape of data privacy protection.
- Privacy and data protection are particularly pressing concerns for manufacturers, as the expansion of the internet of things and the collection of massive amounts of data complicates the compliance landscape.
Our Advice
Critical Insight
As manufacturing technologies and processes evolve, data privacy is a significant risk and must be addressed with a high priority. An integrated privacy program that incorporates privacy principles into business processes will be a cost-effective way to safeguard the journey of business enablement.
Impact and Result
- Durable goods manufacturing organizations must establish a unified privacy program that incorporates privacy principles into high-risk business processes.
- You need to provide concrete tools to enable business. Work with business departments by speaking the language they can comprehend and providing tools they can readily implement, such as data privacy policies, procedures, and workflows.
- It is imperative to gain visibility into personal data processing activities such as the types of data collected, business purposes for collecting it, and where it resides, etc.
Workshop: Operationalize Data Privacy for Durable Goods Manufacturing
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Collect Privacy Requirements
The Purpose
- Identify the driving forces behind the privacy program.
- Understand privacy governance.
- Assign ownership of privacy.
Key Benefits Achieved
- Privacy requirements documented and privacy governance structure established
Activities
Outputs
Define and document drivers.
- Business context and drivers behind privacy program
Establish privacy governance structure.
Build a privacy RACI chart.
- Data privacy RACI chart
Define personal data scope and build a risk map.
Module 2: Conduct a Privacy Gap Analysis
The Purpose
- Understand the methodology behind the Data Process Mapping Tool.
- Assess risks and map out your data breach response process.
- Work through the threshold assessment and DPIA process.
Key Benefits Achieved
- Privacy program gap areas identified
Activities
Outputs
Conduct interviews and complete the Data Process Mapping Tool.
- Data Process Mapping Tool draft
Compare compliance and regulatory requirements with the current privacy practices of the organization.
- Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards
Identify gap areas.
Review the DPIA process and identify whether threshold assessment or full DPIA is required.
Module 3: Build the Privacy Roadmap
The Purpose
- Identify where high-priority gaps exist in current privacy practices.
- Tie cost, effort, risk, and alignment values to each of the relevant privacy gap-closing initiatives.
- Further refine resourcing estimates.
Key Benefits Achieved
- Gap initiatives identified and prioritized
Activities
Outputs
Complete business unit gap analysis; consolidate inputs from interviews.
- Privacy Framework Tool
Apply variables to privacy initiatives.
Create a visual privacy roadmap.
Define and refine the effort map; validate costing and resourcing.
- Data privacy roadmap and prioritized set of initiatives
Module 4: Implement and Operationalize
The Purpose
- Complete the roadmap.
- Establish metrics that map to the needs of the organization.
- Implement and integrate metrics into operations.
Key Benefits Achieved
- Privacy program roadmap completed
Activities
Outputs
Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program.
- Completed data privacy roadmap
Operationalize metrics.
Input all outputs from the previous modules into the Data Privacy Report.
Summarize and build an executive presentation.
Set checkpoints and drive continuous improvement.
- Data Privacy Program Report document
Operationalize Data Privacy for Durable Goods Manufacturing
Embed privacy by design into your business processes and protect high-risk personal data.
Analyst Perspective
Durable goods manufacturing firms need to embrace digital transformation while also managing the associated data privacy risks.
The durable goods manufacturing industry is undergoing significant changes due to factors such as the adoption of Industry 4.0 technologies, the emergence of a growing consumer class, changes in demographics, and increasing regulations. To remain competitive, manufacturing companies are digitally transforming their business operations.
The adoption of these technologies also brings new risks, and organizations must take steps to manage them. Privacy and data protection are particularly pressing concerns for manufacturers, as the expansion of the Internet of Things and the collection of massive amounts of data complicates the compliance landscape and imposes risks of potential penalties for violations. Moreover, emerging technologies like machine learning and artificial intelligence require vast amounts of data, which raises the risk of data privacy compliance missteps. It is worth noting that many manufacturers lack the expertise to manage data privacy risks effectively.
Durable goods manufacturing firms need to adapt to the changing landscape of their industry and embrace digital transformation while also managing the associated risks, particularly those related to data privacy. By doing so, they can remain competitive and provide value to their clients and stakeholders.
Alan Tang
Principal Research Director, Security & Privacy
Info-Tech Research Group
Executive Summary
Your Challenge
CIOs of durable goods manufacturing organizations are under pressure to innovate and comply with growing privacy obligations in different jurisdictions. The use of new technologies can allow companies to scale and grow but complicates the landscape of data privacy protection. Privacy and data protection are particularly pressing concerns for manufacturers, as the expansion of the Internet of Things and the collection of massive amounts of data complicates the compliance landscape.
Common Obstacles
Manufacturing IT feels less confident in its risk management effectiveness. IT has historically been excluded from risk conversations in this sector. IT needs to gain a seat at the risk management table. Operational technology (OT) and IT organizations often focus their attention within silos and miss the big picture need for a synergistic approach regarding privacy and data protection practices. Budgets are strained and high-level skills are difficult to find and keep. Many manufacturers lack the expertise to manage data privacy risks effectively.
Info-Tech’s Approach
For a durable goods manufacturing organization, it is imperative to establish a unified privacy program that incorporates privacy principles into high-risk business processes. You need to provide concrete tools to enable business. It is important to work with business departments by speaking the language they can comprehend and providing tools they can readily implement, such as data privacy policies, procedures, and workflows. It is imperative to gain visibility into personal data processing activities such as the types of data collected, business purposes, and where the data resides.
Info-Tech Insight
As manufacturing technologies and processes evolve, data privacy is a significant risk and must be addressed with a high priority. An integrated privacy program that incorporates privacy principles into business processes will be a cost-effective way to safeguard the journey of business enablement.
Typical business processes of a durable goods manufacturing organization
The US EPA[1] defines durable goods as products with a lifetime of three years or more, such as large and small appliances, furniture and furnishings, consumer electronics, etc.
Usually, there are three types of business processes supporting the operations of a durable goods manufacturing organization: defining processes, shared processes, and enabling processes.
The diagram above provides a high-level view of business processes. For more detailed information, please see Info-Tech’s Durable Goods Industry Business Reference Architecture Template.
The ones highlighted in amber are the processes that usually collect and process personal information from either customers or employees.
[1] EPA, 2022.
Manufacturing IT: Focus on importance first
#1
Manufacturing industry ranks #1 for attacks. Manufacturing replaced financial services as the top attacked industry in 2021, representing 23.2% of the attacks X-Force remediated last year. Ransomware was the top attack type, accounting for 23% of attacks on manufacturing companies.[2]
61%
Sixty-one percent of incidents at OT-connected organizations last year were in the manufacturing industry. In addition, 36% of attacks on OT-connected organizations were ransomware.[2]
[2] “X-Force Threat Intelligence Index,” IBM Security, 2022.
Top challenges organizations face in building an effective privacy program
The struggle to get a comprehensive data protection and privacy program in place across an entire organization is one of the main challenges for data protection and privacy officers.
Case Study
The Background:
The FTC’s action against toy manufacturer VTech was the agency’s first children’s privacy and security case involving internet-connected toys. The allegations were that VTech violated a US children’s privacy law by collecting personal information from children without providing direct notice and obtaining their parents’ consent, and by failing to take reasonable steps to secure the data it collected.
The Enforcement:
In January 2018, the company entered into a settlement with the FTC to pay $650,000 to resolve allegations that it collected personal information from children without obtaining parental consent, in violation of the Children’s Online Privacy Protection Act (COPPA). VTech was also required to implement a data security program that is subject to independent audits for the next 20 years.
Lessons Learned:
Manufacturing companies need to strengthen their privacy and security programs by integrating privacy and security by design into their product management lifecycle in order to compete in the new era.
Source: FTC, 2018.
Info-Tech Insight
Creating a comprehensive, organization-wide data protection and privacy strategy continues to be a major challenge for privacy officers and privacy specialists.
True cost of a data breach
Even with a robust privacy program in place, organizations are still susceptible to a data breach. The benefit comes from reducing your risk of regulatory compliance issues and resulting fines and minimizing overall exposure.[1]
The industrial sector, comprising chemical, engineering, and manufacturing organizations, saw an increase in the cost of a data breach from US$4.24 million to US$4.47 million in 2022 (an increase of US$0.23 million, or 5.4%).
$300K: Cost of one hour of shop floor downtime [2]
[1] “Cost of a Data Breach Report,” IBM Security, 2022.
[2] IBM Institute for Business Value, 2021.
Why is privacy important for durable goods manufacturing organizations?
Legal Obligations
Failure to comply with privacy laws and regulations can result in serious legal penalties, liability, fines, and other unpleasant consequences.
Customer Trust
Durable goods manufacturing organizations may collect personal information from customers, such as names, addresses, and payment details. It is important to ensure that this information is collected and stored in a way that protects the customer's privacy.
Finances
Data breaches and privacy violations can lead to costly lawsuits, large damages payments, and costly and onerous legal requirements.
Reputation
If a durable goods manufacturing organization experiences a privacy breach, it can lead to negative publicity, loss of customer trust, and reputational damage. This can ultimately lead to a loss of revenue and market share.
Securing Supply Chains
Durable goods manufacturing organizations may need to protect the privacy of their suppliers or partners to prevent supply chain disruptions or breaches.
Embed privacy by design into data lifecycle
Two of the main tasks of personal data protection in the durable goods manufacturing sector are to identify high-risk personal information categories and to embed privacy by design principles into the data lifecycle.
Info-Tech’s privacy program methodology
The image below is a visual overview of Info-Tech’s Privacy Framework. This includes high-level governance items as well as more tactically defined areas.
Insight summary
Overarching insight
As manufacturing technologies and processes evolve, data privacy is a significant risk and must be addressed with a high priority. An integrated privacy program that incorporates privacy principles into business processes will be a cost-effective way to safeguard the journey of business enablement.
Fit privacy to the business
Contextualize privacy for your organization by involving the business units from day one; collect requirements that promote cross-collaboration.
Privacy is dynamic
Structure drives success: take a process-based vs. system-based approach to assess personal data as it flows throughout the organization.
Prioritize and plan together
Review, revise, and reprioritize; come back to the initial risk map created. Draw on areas of alignment between high-value/high-risk processes and their supporting initiatives to properly prioritize.
Make it operational
Be selective with your metrics: choose to implement only metrics that are relevant to your environment. Base your selection on the highlighted areas of focus from the maturity assessment.
Privacy doesn’t live in isolation
By assigning ownership and flexibility to your business units in how they weave privacy into their day-to-day, privacy becomes part of operational design and structure.
A good privacy program takes time
Leverage the iterative process embedded in each phase to prioritize privacy initiatives based on value and risk, and support the rollout through customized metrics.
Info-Tech’s methodology for building a privacy program
1. Collect Privacy Requirements
Phase Action Items
- Define and document drivers
- Establish privacy governance structure
- Build a privacy RACI chart
- Define personal data scope
- Build a risk map
Phase Outcomes
- Documented business and IT drivers for the privacy program
- High-level understanding of how privacy is perceived in the organization
- Completed Data Privacy Program RACI Chart
2. Conduct a Privacy Gap Analysis
Phase Action Items
- Complete the Data Process Mapping Tool
- Compare compliance and regulatory requirements for gap analysis
- Assess and categorize privacy gap initiatives
Phase Outcomes
- Data Process Mapping Tool detailing all business processes that involve personal data
- Privacy maturity ranking (Privacy Framework Tool)
- Identification of compliance or regulatory privacy gaps
3. Build the Privacy Roadmap
Phase Action Items
- Finalize privacy gap initiatives
- Prioritize initiatives based on cost, effort, risk, and business value
- Set firm dates for launch and execution of privacy initiatives
- Assign ownership for initiatives
Phase Outcomes
- Completed Privacy Framework Tool
- Completed privacy roadmap, including timeline for initiative implementation, and cost/benefit vs. value/risk assessment
4. Implement and Operationalize
Phase Action Items
- Establish a set of metrics for the data privacy program
- Operationalize metrics
- Set checkpoints to drive continuous improvement
Phase Outcomes
- Customized set of privacy metrics
- Tasks to operationalize privacy metrics
- Data Privacy Report document
- Performance monitoring scheduled checkpoints
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key deliverable: Privacy Framework/Business Unit Framework Tools
Leverage best-practice privacy tactics to assess your current organizational privacy maturity while comparing against current privacy frameworks, including GDPR, CCPA, HIPAA, and NIST. Build your gap-closing initiative roadmap and work through cost/effort analysis.
Data Privacy Program RACI Chart
A high-level list of privacy program initiatives, with assigned ownership to privacy champions from both the business and IT.
Data Process Mapping Tool
Full documentation of all business processes that leverage personal data within the organization.
Data Protection Impact Assessment
When highly sensitive data is involved, leverage this tool to assess whether appropriate mitigating measures are in place.
Privacy Policy Templates
Internal and external policies around:
Data Privacy Program Report
A template that highlights the key privacy metrics identified in Phase 4 for the senior leadership team.
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Diagnostics and consistent frameworks are used throughout all four options.
Guided Implementation
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 8 to 12 calls over the course of 4 to 6 months.
What does a typical GI on this topic look like?
Workshop overview
Day 1: Collect Privacy Requirements
Activities
1.1 Define and document program drivers
1.2 Establish privacy governance structure and define scope
1.3 Build the data privacy RACI chart
1.4 Build the risk map
Deliverables
- Business context and drivers behind privacy program
- Data privacy RACI chart
Day 2: Conduct a Privacy Gap Analysis
Activities
2.1 Conduct interviews and complete the Data Process Mapping Tool
2.2 Compare compliance and regulatory requirements with current privacy practices of the organization
2.3 Identify gap areas
2.4 Review data protection impact assessment (DPIA) process and identify whether threshold assessment or full DPIA is required
Deliverables
- Data Process Mapping Tool draft
- Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards
- Optional: Walk-through of DPIA tool
Day 3: Build the Privacy Roadmap
Activities
3.1 Complete business unit gap analysis; consolidate inputs from Day 2 interviews
3.2 Apply variables to privacy initiatives
3.3 Create a visual privacy roadmap
3.4 Define and refine the effort map; validate costing and resourcing
Deliverables
- Privacy Framework Tool
- Data privacy roadmap and prioritized set of initiatives
Day 4: Implement and Operationalize
Activities
4.1 Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program
4.2 Operationalize metrics
4.3 Input all outputs from Days 1 to 3 into the Data Privacy Report
4.4 Summarize and build an executive presentation
4.5 Set checkpoints and drive continuous improvement
Deliverables
- Completed data privacy roadmap
- Completed Data Process Mapping Tool
- Review of any outstanding privacy collateral (privacy notice, data protection policy, etc.)
- Data Privacy Program Report document
Day 5: Next Steps and Wrap Up (offsite)
Activities
5.1 Consolidate and schedule any outstanding business unit interviews
5.2 Complete in-progress deliverables from previous four days
5.3 Set up review time for workshop deliverables to discuss next steps
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
Phase 1
Collect Privacy Requirements
This phase will walk you through the following:
- Identify the driving forces behind the privacy program
- Understand privacy governance
- Assign ownership of privacy
This phase involves the following participants:
- Privacy officer/privacy team
- Senior management representation (optional)
- Relevant business unit privacy champions
- InfoSec representative
- IT representative
1.1 Define and document the data privacy program drivers
Input: Optional: Ask core team members to brainstorm a list of key privacy program drivers and objectives
Output: Documented list of privacy program drivers, Documented list of privacy objectives, Level-setting on understanding of privacy from core team
Materials: Whiteboard/flip charts, Sticky notes, Pen/marker
Participants: Privacy officer, Senior management team, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
- Bring together relevant stakeholders from the organization. This can include Legal, HR, and Privacy teams, as well as others who handle personal data regularly (Marketing, IT, Sales, etc.).
- Using sticky notes, have each stakeholder write one driver for the privacy program.
- These may vary from concerns about customers to the push of regulatory obligations.
- Collect these and group together similar themes as they arise. Discuss with the group what is being put on the list and clarify any unusual or unclear drivers.
- Determine the priority of the drivers. While they are all undoubtedly important, it will be crucial to understand which are critical to the organization and need to be dealt with right away.
- For most, any obligation relating to an external regulation will become top priority. Noncompliance can result in serious fines and reputational damage as well.
- Review the final priority of the drivers and confirm current status.
Privacy by design is no longer a “nice to have”
Integrate the key principles behind privacy by design to embed privacy in the operations of the organization and minimize business disruption.
- Proactive, not reactive. Preventative, not remedial.
- Privacy as the default setting.
- Privacy embedded into design.
- Full functionality; positive-sum not zero-sum.
- End-to-end security; full lifecycle protection.
- Visibility and transparency; keep it open.
- Respect for user privacy; keep it user-centric.
Get a head start on integrating data protection into the foundations of your projects and processes with Info-Tech's Demonstrate Data Protection by Design for IT research.
Determine the primary owners of the privacy program
The privacy program must include multiple stakeholders for it to be successful. It’s integral to assign clear lines of ownership to build and effectively manage the program. Without defined ownership, privacy initiatives can easily fall between the cracks, and issues may not be handled effectively.
Privacy Department:
- In the most privacy-mature organizations, a dedicated privacy function exists that heads up all privacy initiatives.
- This does involve coordinating with all other relevant departments, but privacy is centrally managed by one group.
Legal, Compliance, Audit:
- In many organizations without a dedicated privacy team, it often falls to Legal, Compliance, and/or Audit to take the privacy mantle.
- Since many privacy programs are being driven by the increase of privacy regulations, these groups often become huge proponents of implementing privacy within the organization.
Human Resources:
- Occasionally the HR department will take on the privacy program.
- This is the case for organizations that do not have a dedicated legal counsel and where most personal data held by the organization is that of the employees.
InfoSec or IT:
- Privacy can also be owned by the security team. Many still think of security and privacy as being the same thing, and it is not uncommon to conflate these two functions into one team.
- However, it is worth noting again that these two are different and many privacy initiatives go beyond security controls.
Info-Tech Insight
If not already mandated by governing privacy laws, consider appointing a privacy officer to formalize privacy ownership in the organization.
Define the governance structure of the privacy program
A successful privacy program will be structured in a way that best fits the needs of your organization. Minimize disruption to ensure a successful adaptation and launch.
Centralized:
- One central group manages the entire privacy program. They may direct other groups in terms of certain actions or initiatives, but privacy is centrally managed and reported on by one group.
- This works well for large organizations to manage and track all privacy efforts, but it can become very bureaucratic.
Decentralized:
- Privacy is distributed to the rest of the organization, often in the lower tiers. The expectation here is that there is a bottom-to-top discussion of privacy while allowing for a flatter structure.
- This works well with highly privacy-aware employees who can make the correct decisions at their respective levels. However, it can be difficult to track compliance.
Hybrid:
- Aspects of centralized and decentralized programs are combined to get the best of both structures; for example, one group or individual may track all privacy efforts in the organization, but each business unit can choose how to implement them. Another method is to have a designated privacy representative in each business unit.
Info-Tech Insight
While there may be one individual or group designated to manage the privacy program, privacy is everyone’s responsibility. Employees will have to perform the necessary actions such as limiting their personal data collection or anonymizing data. The success of the program will rely on everyone understanding how to put privacy first.
Evaluate a centralized governance model
This is an example of a centralized organizational structure for managing privacy. In this case, there is a dedicated privacy team that directs all the other departments in terms of their personal data management.
The centralized model is a more traditional structure for privacy in the organization, and it promotes the idea that one group is entirely accountable for the proliferation of privacy within the organization. This structure requires regular reporting and communication between the different groups.
Advantages
Central tracking of privacy initiatives and adherence leads to better compliance tracking. The creation of a dedicated privacy team usually indicates leadership support for the program.
Disadvantages
Accountability may be lacking with the other groups, as they may perceive that the privacy team handles everything privacy related. It may be difficult to find dedicated privacy professionals to fill an entire team. This structure can lead to bureaucracy that slows down response time to certain privacy issues.
Evaluate a decentralized governance model
In a decentralized model, we see that it is up to each department to create and form its own respective privacy practices. This can be done with the help of assigned privacy champions within each group. These individuals work with their own teams to integrate privacy within their business processes.
Advantages
Privacy reps will provide the expertise of their department or business unit while integrating privacy more seamlessly. This allows for better change management within the business, as privacy changes are initiated by a peer instead of an outside group. A decentralized structure often works best for organizations with little to no need for regulatory tracking.
Disadvantages
The lack of centralized tracking and reporting on privacy can quickly lead to the inability to demonstrate regular adherence. Differing views on what privacy means for each group can result in inconsistent processes and standards.
Evaluate a hybrid governance model
These days, many privacy-mature organizations lean toward a privacy center of excellence. This hybrid method combines the best of both centralized and decentralized structures:
- Centralized privacy for tracking and reporting purposes.
- Business unit privacy champions assigned to draw ownership and buy-in from the business units.
The privacy champions from each business unit report to the central privacy unit, eliminating the need to hire multiple privacy-specific individuals within the central team.
Advantages
The hybrid structure combines many of the benefits of the centralized and decentralized governance models.
Disadvantages
Like a decentralized approach, each group may respond to privacy in its own way. However, the center of excellence will assist in ensuring some standardization.
Organizations that identify as having adopted a hybrid privacy governance model report shorter sales delays (4.6 weeks) when compared against organizations that employ either a fully centralized (9.8 weeks) or decentralized model (7.1 weeks) (Cisco, 2018).
1.2 Establish your privacy governance structure
Input: Privacy governance structure models
Output: Future privacy governance structure, Initial understanding of privacy program ownership within the business context of the organization
Materials: Whiteboard/flip charts, Pen/marker
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
Consider the following when building out your privacy organizational structure.
- Determine where ownership of the privacy program will be.
  - Common choices are a dedicated privacy team or the legal, information security, and/or HR departments.
  - Decide whether a privacy officer is necessary in your organization; some regulations require or recommend one.
- Review your current organizational structure to decide which model would be best for your privacy practices: centralized, decentralized, or hybrid.
  - Review the previous examples for how this could be structured. Be mindful that you can set up this structure based on your own unique requirements; for example, two different groups can share ownership of the entire privacy program.
  - Select the appropriate governance structure and document it. Make note of significant changes that will need to occur to facilitate implementation of the governance structure.
Info-Tech Best Practice
There is no single perfect governance structure that works for all organizations. Look at your current organizational and governance setup and see which structure fits best. Ask yourself:
Are we already set up in a centralized, decentralized, or hybrid structure? Are we looking to implement privacy with new resources or existing employees? What model works best for us to meet our compliance needs?
1.3 Build out the data privacy RACI chart
Input: Documented list of privacy program drivers, Documented list of privacy objectives, Data Privacy Program RACI Chart
Output: Ownership assigned to privacy-related tasks within the organization, Completed privacy RACI document
Materials: Laptop, Whiteboard (optional), Pen/markers (optional)
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
30-60 minutes
- Among your team, level set and discuss what each of the letters within the RACI chart schema means in the context of your organization.
- Work through the actions documented in column B of the Data Privacy Program RACI Chart.
- Validate. Review your outputs for each of the Action rows in column C and onward. Does overlap exist between various roles? Do dependencies exist? Will any of the assigned RACI values change with the implementation of the privacy program?
- Document any notes or amendments made in columns adjacent to the role columns.
Download the Data Privacy Program RACI Chart
1.4.1 Define the extent of your personal data scope
Input: Drivers/outputs from activity 1.1, Solicited input from both IT/InfoSec and business units
Output: High-level list of business processes categorized by data risk, List of business processes coordinated by the organization, List of business processes coordinated by a third-party organization (vendor)
Materials: Whiteboard/flip charts, Sticky notes, Pen/marker
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
- Divide into groups and give each group member a handful of sticky notes.
- Ask them to write down as many business units or functional groups as possible that process (collect, record, use, disseminate, etc.) personal data within the organization.
- Collect each group’s responses and discuss whether the business unit is a data controller, a data processor, or both.
- Focus on whether the business unit decides the purpose of processing the data or if an external party determines the purpose of processing.
- Use blue for data controllers and yellow for data processors. If a business unit is both a data controller and a data processor, write the business unit on both a blue and a yellow sticky note.
- Discuss and aggregate all responses into a final document, listing what is in scope of your privacy program and what is out of scope.
1.4.2 Build your risk map
Input: Outputs identified in activity 1.4.1, Business unit leaders’ and champions’ understanding (high-level) of processes that involve personal data
Output: Prioritization of business units for each privacy program activity
Materials: Whiteboard/flip charts, Sticky notes, Pen/whiteboard markers
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
- Review the data "processed" by data controllers and data processors identified in activity 1.4.1. Identify the relative sensitivity of the data these units process.
- With input from your subject matter experts and IT leaders, organize the business units according to the volume of data in their operations.
- Discuss the overall risk map to prioritize privacy initiatives.
- Record for future reference.
Info-Tech Insight
Bake in a quantitative element of risk analysis as you create the privacy framework to take away some of the guesswork when it comes to prioritizing initiatives and creating your roadmap in Phase 3. Compare and contrast the perspective of your core IT or privacy team and that of the business units when it comes to assigning a volume and risk ranking for each of the business processes.
Phase 2
Conduct a Privacy Gap Analysis
This phase will walk you through the following:
- Understand the methodology behind the Data Process Mapping Tool
- Assess risks and map out your data breach response process
- Work through the threshold assessment and DPIA process
This phase involves the following participants:
- Privacy officer
- Core privacy team
- Relevant business unit privacy champions
- InfoSec representative (optional)
- IT representative (optional)
Understand the role of the Data Process Mapping Tool
Inventories personal data by business process
- Name and contact details of the processor, controller, and where applicable, the privacy officer
- Categories of processing carried out on behalf of the controller
- Purposes of processing
- Categories of data subjects and personal data
- Sensitivity level of personal data
- Categories of recipients to whom data are or will be disclosed (includes third countries)
- Retention periods (if possible)
- Overview of third-country data transfers
- Technical and organizational security measures
Identifies gaps in the organization's data processing activities
Highlights data processing activities with a high degree of risk due to:
- Retention periods
- Sensitivity of data stored
- Vendor agreements
- Documentation of procedures around processing activities
Fulfills regulatory needs (e.g. GDPR)
The Data Process Mapping Tool closely resembles the Record of Processing register, which is required under Article 30 of the GDPR.
- The Record of Processing takes a dynamic and comprehensive approach to mapping data’s flow throughout an organization. It acts as a document that demonstrates an organization’s accountability and awareness of how personal data is leveraged.
This document inventories the full set of processes in which personal data is collected and processed by the organization.
Determine the appropriate level of granularity with your processing activities
Think about the major business processes that make up your operations and refine by the common set of personal data types within subprocesses.
2.1 Complete the Data Process Mapping Tool
Input: Outputs from activities 1.4.1 and 1.4.2
Output: Understanding of what data is involved in each business processing activity, Potential gap areas
Materials: Data Process Mapping Tool
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1-1.5 hours per business unit interview
Data protection goes beyond understanding where data is stored and how the systems are protected. Use this activity to start defining activities that are involved in processing your data.
- Using the outputs from activities 1.4.1 and 1.4.2, group all business processes that touch personal data, based on their corresponding business function or unit.
- Identify a privacy champion for each business unit or the respective business unit leader.
- Schedule interviews with these individuals and review each of their business processes. Leverage the Data Process Mapping Tool to capture all elements of personal data included in the business processes.
- Validate responses with members of the core team following each interview.
Download Info-Tech's Data Process Mapping Tool
Info-Tech Insight
Compare and contrast the Data Process Mapping Tool with any previous documents collected, tailored to data kept in individual systems or applications, to gain a more robust understanding of how personal data interacts with organizational assets.
Examples of personal data associated with business processes
Business Process | Personal Data Types (Examples) | Purpose of Processing | Data Subject Categories |
Billing and Service | Account information, banking information (i.e. credit card numbers), shipping address, order fulfillment information | Fulfill sales and purchase activities | Customers |
Shipping and Delivery | Scans to verify for delivery, shipping, receiving, etc. | Shipping and delivery | Customers |
Human Resources | Employee profile such as name, email, address, gender, age, contact, etc. | Employment management | All employees |
Finance Management | Bank information, credit card numbers, etc. | Financial support for students | Customers, employees |
Facilities and Property Management | Physical access control information, photo, fingerprint, etc. | Campus security and maintenance | Employees |
Review the Privacy Framework Tool
Leverage the 12 domains and subsequent privacy controls as you work to right-size Info-Tech’s Privacy Framework for your organization.
Domain | Definition |
Governance | The overall governing of the privacy program, including the designation of a privacy officer/official, what constitutes personal and private data, and having a data classification scheme. |
Regulatory Compliance | The mapping and tracking of regulatory obligations as they pertain to data privacy. Regulations have been one of the biggest drivers of privacy initiatives in recent years, and the ability to demonstrate compliance is essential. |
Data Process and Handling | The documentation and process creation of how personal data is being collected and used, and for what purposes. |
Incident Response | The plans outlining what actions need to take place in case of a data breach, including when to notify affected individuals and relevant authorities. |
Privacy Risk Assessments | The building and use of assessments to determine how much privacy risk is associated with specific projects. |
Notices and Consent | The use of notices to inform data subjects of how their information is being used, with processes built in to capture their consent to how their information is collected, shared, and/or used. |
Data Subject Requests | The establishment of processes that allow data subjects to make requests to delete, modify, or gain access to their data. This can correspond with rights guaranteed by various regulations. |
Privacy by Design | The integration of privacy into all operations, particularly within systems and applications, to ensure privacy is the default throughout the entire process. |
Information Security | The use of security controls to protect personal data. |
Third-Party Management | The management of the privacy risks that exist when working with external third parties, vendors, and other entities, as they may process or interact with the personal data the organization holds. |
Awareness and Training | The use of training to ensure that employees are aware of their privacy responsibilities, including the handling and use of personal data. |
Program Measurement | The active measurement of the entire privacy program to demonstrate successes and weaknesses within the larger program. Can be used to communicate the status of the program with other stakeholders. |
The framework also contains mapping to major privacy regulations, including GDPR, CCPA, HIPAA, PIPEDA, and NIST Privacy Framework.
Info-Tech Insight
This best-practice framework will force you to reevaluate your current operations and understand how to integrate privacy. To gain the most benefits from your privacy program, review and understand which domains are most critical to your operations and which you will want to put the most focus on. This will ensure that this framework works for you and builds a privacy program around your organization’s specific requirements.
2.2 Compare compliance and regulatory requirements for gap analysis
Input: Knowledge of which privacy frameworks or laws apply to your organization
Output: Understanding of compliance and/or relevant privacy law requirements, Best-practice privacy controls mapped against organization’s current and target privacy controls, Existing gap areas
Materials: Privacy Framework Tool
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
2 hours
- On tab 2 of the Privacy Framework Tool, review each privacy control and determine the current organizational maturity based on the five-point Capability Maturity Model Integration (CMMI) scale below. Capture any relevant comments, as required:
  - Initial/Ad hoc
  - Developing
  - Defined and Documented
  - Managed and Measurable
  - Optimized
- Define the target state using the same five-point scale.
- The target state will be heavily influenced by the requirements gathered in the earlier phase.
- Wherever there is a gap between the current and target state, document what initiative is needed to close the gap in column N.
Download the Privacy Framework Tool
Perform a high-level gap analysis on your processing activities
Taking a top-down view of a processing activity can often expose gaps in the process.
In the example of an Email-Based Document Exchange process, personal data could be exposed during these subprocesses in red. Optimizing the process, via improved security, with the version in green would address these gaps.
Info-Tech Insight
Knowing is half the battle. Ensure high-level gaps identified via this method are risk-assessed. Add remediation initiatives in the Privacy Framework Tool to contribute toward your defensible compliance position.
Align incident management to relevant regulations
Language within privacy regulations is explicit in requiring notification to the supervisory authority and data subjects in the event of a data breach.
A key component of a successful privacy program involves a well-developed set of incident response and management procedures.
Each privacy regulatory framework will establish its own timeframe when it comes to incident response procedures.
These same frameworks will also support the underlying procedures involved in incident management runbooks that are created, maintained, and updated on a regular basis by the InfoSec or IT teams.
Info-Tech recommends taking a “best-of-breed” approach in creating an effective incident management response plan:
- Use relevant regulatory timeframes as a guideline.
- Involve business unit privacy champions when creating the response plan.
- Identify all interdependencies and map them out as a part of the validation process.
GDPR – Data subject notification
“In the case of a personal data breach, the controller shall notify without undue delay and, where feasible, not later than 72 hours. […] Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
— Source: General Data Protection Regulation
CCPA/CPRA – Not defined
Unlike the GDPR, the CCPA/CPRA does not define a timeframe for data breach reporting. However, should a breach or other data security incident occur “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices,” the business can be fined $100-$750 per individual incident, or the full cost of damages incurred. The CPRA adds new standards for what constitutes a data breach.
— Source: California Consumer Protection Act, 2023
PIPEDA – Breach of security safeguards
Following the occurrence of a breach, organizations must report any breaches in the prescribed form and manner as soon as feasible.
Understand the security incident management framework
For all incident runbooks, follow the same process: preparation, detection, analysis, containment, eradication, recovery, and post-incident activity.
1. PREPARE
Ensure the appropriate resources are available to best handle an incident.
2. DETECT
Leverage monitoring controls to actively detect threats.
3. ANALYZE
Distill real events from false positives.
4. CONTAIN
Isolate the threat before it can cause additional damage.
5. ERADICATE
Eliminate the threat from your operating environment.
6. RECOVER
Restore impacted systems to a normal state of operations.
7. POST-INCIDENT ACTIVITIES
Conduct a lessons learned post-mortem analysis.
Info-Tech Insight
Document each step of the incident lifecycle. A thorough, comprehensive record will assist in understanding the root cause, allow for faster remediation of any future reoccurrences of the incident, and support any legal escalation. Tracking the cost of work hours helps in determining the overall impact to the organization.
2.3 Analyze the risk of data breaches to your data subjects
Input: Understanding of incident management process, Current runbooks to leverage as a basis for activity
Output: Inputs for revised incident management runbooks, Understanding of impact of data breaches on your data subjects
Materials: Sticky notes, Markers, Whiteboard/chart paper
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
30 minutes
Take a client-centric approach to incident management. Understand the risk that data breaches pose beyond your organization and use that understanding as input to your revised incident response process. Leverage existing runbooks and revise them.
Identify each of the following. Validate with team members and document using incident management runbooks. Include data subject risk impact analysis as a step in your incident management runbooks.
- Type of breach
- Nature, severity, and volume of personal data
  - Combinations of data are more sensitive
  - Relevancy of situational sensitivity should be considered
- Ease of identification of individuals
- Severity of consequences for individuals
  - A trusted recipient does not negate that a breach has occurred
  - Are the resulting consequences permanent?
- Special characteristics of the individual
- Number of affected individuals
- Special characteristics of the data controller
Download this research: Develop and Implement a Security Incident Management Program
Define and uphold your post-incident recordkeeping requirements
For regulatory purposes, it is crucial that a breach response process is developed and documented both prior to and following an incident.
- Causes of the breach
- What personal data was affected
- What took place during the breach
- Time to identify and time to resolve breach
- Consequences of the breach
- How the breach was remediated and the justified breach response
- Employee training on process
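As an added example (not part of the original research or any Info-Tech tool), the following Python sketches a post-incident record carrying the fields listed above, derives time-to-identify and time-to-resolve, checks the supervisory-authority notification against the GDPR 72-hour window quoted earlier, and rates the impact on data subjects from the factors in activity 2.3. The field names, the weighting in `data_subject_risk`, and the sample incident are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# GDPR Article 33 window quoted on the page; the clock runs from awareness of the breach.
GDPR_NOTIFICATION_WINDOW = timedelta(hours=72)
LEVEL = {"low": 1, "medium": 2, "high": 3}   # assumed three-point scale


@dataclass
class BreachRecord:
    """Post-incident record carrying the fields the page asks to keep."""
    incident_id: str
    cause: str
    personal_data_affected: List[str]
    what_happened: str
    occurred_at: datetime
    identified_at: datetime                  # when the controller became aware
    resolved_at: Optional[datetime]
    authority_notified_at: Optional[datetime]
    consequences: str
    remediation: str
    staff_trained_on_process: bool
    # Data-subject impact factors from activity 2.3
    affected_individuals: int
    identifiability: str                     # low / medium / high: ease of identifying people
    severity: str                            # low / medium / high: severity of consequences
    vulnerable_subjects: bool                # special characteristics of the individuals
    consequences_permanent: bool
    recipient_trusted: bool = False          # recorded, but does not negate the breach


def time_to_identify(r: BreachRecord) -> timedelta:
    return r.identified_at - r.occurred_at


def time_to_resolve(r: BreachRecord) -> Optional[timedelta]:
    return None if r.resolved_at is None else r.resolved_at - r.identified_at


def notification_status(r: BreachRecord, now: Optional[datetime] = None) -> str:
    """Compare the supervisory-authority notification against the 72-hour window."""
    deadline = r.identified_at + GDPR_NOTIFICATION_WINDOW
    if r.authority_notified_at is None:
        now = now or datetime.now()
        return "overdue" if now > deadline else "pending"
    if r.authority_notified_at <= deadline:
        return "on time"
    return "late: reasons for delay required"


def data_subject_risk(r: BreachRecord) -> str:
    """Illustrative weighting of the page's factors (an assumption, not a published scheme)."""
    score = LEVEL[r.identifiability] + LEVEL[r.severity]
    if r.affected_individuals >= 1000:
        score += 2
    elif r.affected_individuals >= 100:
        score += 1
    if r.vulnerable_subjects:
        score += 1
    if r.consequences_permanent:
        score += 1
    # recipient_trusted deliberately carries no deduction: a trusted recipient
    # does not mean no breach occurred.
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


# Constructed sample: a misdirected export, identified two days after it happened.
SAMPLE_BREACH = BreachRecord(
    incident_id="INC-0001 (constructed)",
    cause="Customer export emailed to the wrong external address",
    personal_data_affected=["name", "shipping address", "order history"],
    what_happened="A support analyst attached the full customer list to a vendor email.",
    occurred_at=datetime(2024, 3, 1, 9, 0),
    identified_at=datetime(2024, 3, 3, 14, 0),
    resolved_at=datetime(2024, 3, 4, 11, 0),
    authority_notified_at=datetime(2024, 3, 7, 10, 0),   # beyond 72 hours from awareness
    consequences="Disclosure of contact data for 2,500 customers to one recipient",
    remediation="Recipient confirmed deletion; DLP rule added for bulk exports",
    staff_trained_on_process=True,
    affected_individuals=2500, identifiability="high", severity="medium",
    vulnerable_subjects=False, consequences_permanent=False, recipient_trusted=True,
)

if __name__ == "__main__":
    print("time to identify:", time_to_identify(SAMPLE_BREACH))
    print("time to resolve:", time_to_resolve(SAMPLE_BREACH))
    print("notification:", notification_status(SAMPLE_BREACH))
    print("data-subject risk:", data_subject_risk(SAMPLE_BREACH))
```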
Integrate incident response as a part of security operations
Incident response is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operation, and technology infrastructure on a daily basis.
Know the “why” behind your processing activities
A good starting point for understanding the legitimacy of your reasons for data processing is the GDPR. Align your reasons for processing with one of its six lawful bases for data processing.
Consent
- Permission to process for specific purposes.
- Notice must be clearly distinguishable, intelligible, in plain language, and freely given.
- Proof and documentation are required.
Performance of a Contract
- Data subject must be a party to the contract and want to enter into the contract.
Legal Obligation
- Narrow interpretation that applies to the legal obligation of European Union and member state laws only.
Vital Interests
- The interest of the data subject or another natural person.
- Interpreted as a necessity for survival and if no other basis of processing is available.
Public Interest or Official Authority
- Determined by the member state.
- E.g. administration of justice, tax collection, conducting a census
Legitimate Interest
- Data subjects’ interest must be balanced with the controllers’ interest.
- Data subjects must be informed of controllers’ legitimate interest.
Source: GDPR Article 4(2), 6.
Align data classification to privacy law requirements
Organizations can use data discovery and classification as a method to understand their data environment.
1. Require data discovery and classification
Organizations that have existing data classification can leverage their previous effort to align the scheme to personal data.
- The following slide details how your organization can adjust existing data classification tiers to align with personal data sensitivity.
Organizations that do NOT have existing data classification should create a tiered scheme that addresses all types of data (e.g. organizational and personal). Four steps of this project:
- Formalize your program – determine the classification scheme
- Discover the data – benefits and challenges of data
- Classify the data – continuation of discovery
- Plan for implementation – identify metrics
2. Have a sound understanding of your data environment
Validate and continue finalizing the Data Process Mapping Tool.
Align your data types based on data classification in the organization
Leverage Info-Tech’s research Discover and Classify Your Data
Define data classification in the context of your organization
Build out a data classification scheme that fits the operating and regulatory environment of your organization.
What is data classification?
Data classification is the process of identifying and classifying data on the basis of sensitivity and the impact the information could have on the company if the data is breached. The classification initiative outlines proper handling procedures for the creation, use, storage, disclosure, and removal of data.
Why do we need it?
With the increase in data and digital advancements in communication and storage (e.g. cloud), it becomes a challenge for organizations to know what data exists and where data lives. A classification scheme must be properly implemented and socialized to help ensure appropriate security measures are applied to protect that data appropriately.
Types of data
Structured
- Highly organized data, often in a relational, easily searchable database.
- E.g. employee numbers stored in a spreadsheet.
Unstructured
- Data that is not predefined in format and content; the majority of data in most organizations.
- E.g. free text, images, videos, audio files.
Semi-structured
- Information not stored in a traditional database but that contains some organizational properties.
- E.g. email, XML.
Without data classification, an organization treats all information the same.
- Sensitive data may have too little protection.
- Less sensitive data may have too much protection.
Strategically classifying data will allow an organization to implement proper controls where necessary.
Further define risk using the Data Process Mapping Tool
Each of the business processes retained within the Data Process Mapping Tool contains an inherent level of risk based on the volume and sensitivity of data.
Pull the outputs from the initial risk-mapping activity as you work through populating the Data Process Mapping Tool.
Categorize each of the business processes based on where they fall within the quadrant and populate column F within tabs 1 and 2 of the tool.
- High / Medium / Low
Identify and make note of the number of processes that fall within each of the three categories. Track areas in which the majority of high-risk vs. low-risk processes exist and observe any trends.
For any processes that remain categorized as High, perform further analysis to validate the classification:
- Internal Risk Assessment
- Security Assessment
- Info-Tech’s Data Protection Impact Assessment Tool
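As an added example that is not part of the original research or Info-Tech's tools, the following Python models one row of the Data Process Mapping Tool (the Article 30-style register described in "Understand the role of the Data Process Mapping Tool"), flags the high-risk conditions that section lists, and applies the volume-by-sensitivity quadrant from this section to produce the High/Medium/Low value for column F. The field names, the numeric thresholds, the two extra checks marked in comments, and the sample register are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed three-point scales for the risk-map quadrant (the workbook uses High/Medium/Low).
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ProcessingRecord:
    """One row of the register: the fields listed for the Data Process Mapping Tool."""
    process: str
    controller: str
    processor: Optional[str]               # None when processing is done in-house
    purposes: List[str]
    data_subjects: List[str]
    personal_data: List[str]
    sensitivity: str                       # low / medium / high
    volume: str                            # low / medium / high (from activity 1.4.2)
    recipients: List[str]
    third_country_transfers: List[str]
    retention_period: Optional[str]        # None = not defined
    security_measures: List[str]
    vendor_agreement_in_place: bool
    procedure_documented: bool
    privacy_officer_contact: Optional[str] = None


def find_gaps(r: ProcessingRecord) -> List[str]:
    """Flag the four high-risk conditions the page names, plus two assumed checks."""
    gaps = []
    if r.retention_period is None:
        gaps.append("retention period not defined")
    if r.sensitivity == "high":
        gaps.append("high-sensitivity personal data stored")
    if r.processor and not r.vendor_agreement_in_place:
        gaps.append(f"no vendor agreement with processor {r.processor}")
    if not r.procedure_documented:
        gaps.append("processing procedure not documented")
    # Assumed checks beyond the page's four: a transfer needs documented safeguards,
    # and every activity needs a recorded purpose (both are register fields above).
    if r.third_country_transfers and not r.security_measures:
        gaps.append("third-country transfer without documented safeguards")
    if not r.purposes:
        gaps.append("no purpose of processing recorded")
    return gaps


def risk_category(r: ProcessingRecord) -> str:
    """Quadrant placement for column F: volume x sensitivity -> High / Medium / Low."""
    score = LEVEL[r.sensitivity] * LEVEL[r.volume]       # 1..9; thresholds are assumed
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def summarize(records: List[ProcessingRecord]) -> dict:
    """Count processes per category to spot where high-risk processing clusters."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in records:
        counts[risk_category(r)] += 1
    return counts


# Constructed sample register, loosely following the page's example table.
SAMPLE_REGISTER = [
    ProcessingRecord(
        process="Billing and Service", controller="Example Manufacturing Co.",
        processor="PayCo (constructed vendor)",
        purposes=["Fulfill sales and purchase activities"], data_subjects=["Customers"],
        personal_data=["account information", "credit card numbers", "shipping address"],
        sensitivity="high", volume="high", recipients=["payment processor"],
        third_country_transfers=["US"], retention_period=None,
        security_measures=["encryption at rest"], vendor_agreement_in_place=False,
        procedure_documented=True),
    ProcessingRecord(
        process="Human Resources", controller="Example Manufacturing Co.", processor=None,
        purposes=["Employment management"], data_subjects=["All employees"],
        personal_data=["name", "email", "address", "age"], sensitivity="medium",
        volume="low", recipients=["payroll team"], third_country_transfers=[],
        retention_period="7 years after employment ends",
        security_measures=["role-based access"], vendor_agreement_in_place=True,
        procedure_documented=False),
    ProcessingRecord(
        process="Shipping and Delivery", controller="Example Manufacturing Co.",
        processor="ShipCo (constructed vendor)", purposes=["Shipping and delivery"],
        data_subjects=["Customers"], personal_data=["delivery scans", "shipping address"],
        sensitivity="low", volume="high", recipients=["carrier"],
        third_country_transfers=[], retention_period="2 years",
        security_measures=["TLS in transit"], vendor_agreement_in_place=True,
        procedure_documented=True),
]

if __name__ == "__main__":
    for rec in SAMPLE_REGISTER:
        print(f"{rec.process}: {risk_category(rec)} risk; gaps: {find_gaps(rec) or 'none'}")
    print(summarize(SAMPLE_REGISTER))
```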
2.4 Complete the DPIA threshold assessment for high-risk business processes
Input: Outputs identified in activity 1.4.2
Output: Analysis of high-risk business processes, Understanding of impact of data involved in processing activities
Materials: Data Protection Impact Assessment Tool
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1-2 hours
A data protection impact assessment is used to assess how much private data will be affected by planned processing activities. A DPIA helps ensure that data-processing activities are both compliant with data protection regulations and that data processors are cognizant of the risks surrounding the processing of personal data.
- For all identified high-risk processing activities, work through the dynamic questionnaire.
- Complete one threshold assessment per activity.
- Based on the recommendation and risk score, move to complete the DPIA on a per-activity basis.
- Complete either a Lite or Full version of the DPIA, based on the nature of the process.
- Involve the process owner (Project Owner) and a third-party stakeholder (Project Reviewer).
- Refer to the results report (tab 4) to review each of the priority processes and subsequent next steps toward compliance.
Download Info-Tech’s DPIA Tool
Leverage Info-Tech’s security framework to document your security controls
A best-of-breed information security framework.
INFO-TECH’S SECURITY FRAMEWORK:
ISO 27000 series: Comprehensive standard providing best practices associated with each control
CIS – Critical Security Controls: A concise list of 20 controls and sub-controls for actionable cyber defense
COBIT 5: A process and principle structured security best-practice framework
NIST SP800-53: Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations
Info-Tech’s information security framework and maturity model methodology
In general, organizations are required or expected to implement appropriate risk-based technical and organizational measures to ensure the ongoing confidentiality, integrity, and availability of personal data.
Info-Tech Insight
A best-of-breed approach ensures holistic coverage of your information security program while maturing from reactive to strategic information security management.
Phase 3
Build the Privacy Roadmap
This phase will walk you through the following:
- Identify where high-priority gaps exist in current privacy practices
- Tie cost, effort, risk, and alignment values to each of the relevant privacy gap-closing initiatives
- Further refine resourcing estimates
This phase involves the following participants:
- Privacy officer
- Core privacy team
- Select business unit privacy champions
- InfoSec representative (optional)
- IT representative (optional)
3.1 Complete the privacy gap analysis exercise for individual business units
Input: Level-setting meeting with each of the business unit privacy champions
Output: Analysis of privacy gaps on a business-unit level, Additional privacy gaps present on an organizational level
Materials: Privacy Analysis by Business Unit Tool, Privacy Framework Tool
Participants: Privacy officer, Core privacy team, Relevant business unit privacy champions
1-1.5 hours per business unit
After you’ve identified each of the key gap areas within your organization’s current privacy framework and supporting processes, walk business unit privacy champions through the maturity gap analysis (tab 2) for the following four areas:
- Data Processing and Handling
- Data Subject Requests
- Privacy by Design
- Notices and Consent
- Provide each business unit with a copy of the Privacy Analysis by Business Unit Tool.
- Fill out this tool using the same approach used for the larger framework.
- After completion, meet with the privacy champion from each business unit to discuss results. Compare maturity gaps with those of the overall Privacy Framework Tool.
- Identify which of the four areas and supporting controls had significantly different privacy gaps and gap-closing initiatives.
- Include all the supporting initiatives as part of tab 4 in the overall Privacy Framework Tool.
Download Info-Tech’s Privacy Analysis by Business Unit Tool
3.2 Develop cost estimates for privacy initiative list
Input: Privacy Framework Tool (tab 2), Privacy gap initiative outputs from activity 3.1
Output: Cost and resource scheme for organization, Input cost range to present to senior management with respect to privacy initiatives
Materials: Privacy Framework Tool (tab 4)
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
- Leverage the full list of privacy initiatives, including any collected during activity 3.1.
- Look to Info-Tech’s industry standards (manufacturing, retail, healthcare, financial services) as a guideline when you determine a range for the following input categories for your organization:
Initial Cost: The cost to implement the initiative, including the purchase of any new solutions or resources.
Ongoing Cost (Annual): The ongoing cost to maintain the initiative, which can be in the form of subscription or maintenance fees.
This cost is often estimated at 20% of the initial cost.
Initial Staffing (Hours): The number of hours of assigned resources needed to bring the initiative to completion.
Ongoing Staff in Hours (per week): Any expected regular maintenance required after implementation (e.g. to monitor a privacy tracking solution or to respond to data subject requests).
Download Info-Tech’s Privacy Framework Tool
3.3 Define alignment and privacy risk for the organization
Input: Privacy Framework Tool (tab 2), Privacy gap initiative outputs from activity 3.1
Output: Alignment and privacy risk scheme for organization, Input for prioritization of initiatives
Materials: Privacy Framework Tool (tab 4)
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
30 minutes
Continue standardizing variables, including “Alignment With Business” and “Privacy Risk Reduction.” On tab 4 of the Privacy Framework Tool, select “High,” “Medium,” or “Low” values for the following:
Alignment to Business
- Identify which initiatives directly align with the organization’s senior leadership team goals.
Privacy Risk Reduction
- This is a key variable in how you prioritize the initiatives.
- Privacy risk can be viewed in many ways: risk posed to data subjects’ rights, the financial consequences associated with a risk, likelihood of a breach, or other relevant criteria.
- The ways each organization looks at privacy risk will be different. Many will look at how a breach of privacy impacts the organization from a reputation or cost perspective, rather than through the rights of the data subject.
3.4.1 Apply variables to privacy initiatives
Input: Outputs from activities 3.2 and 3.3
Output: Alignment and privacy risk scheme for organization, Input for prioritization of initiatives
Materials: Privacy Framework Tool (tab 4)
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
2 hours
Continue to build out the privacy initiative prioritization list on tab 4 of the Privacy Framework Tool by aligning bucket cost and benefit ranges based on your organization.
- Apply the cost and benefit variables to each of the initiatives.
- Copy and paste the initiatives from tab 2 (Privacy Framework) into tab 4 (Initiative Prioritization), under "Planned Initiatives." If desired, consolidate similar initiatives into larger projects.
- Copy and paste any initiatives from the Privacy Analysis by Business Unit Tool here as well.
- For each initiative, assign its cost, effort, and benefit values. This will produce an overall cost/effort rating based on the combination of all the cost and staffing variables. This scale ranges from 1 to 12.
- Optional: Consider building an effort map using the cost/effort rating and the risk reduction benefit. This can be a useful exercise to visualize how your initiatives are distributed in terms of cost and benefit.
3.4.2 Assign specific cost and effort values
Input: Outputs from activities 3.2, 3.3, and 3.4.1
Output: Specific cost estimates for privacy gap-closing initiatives, Specific resource allocation estimates for privacy gap-closing initiatives
Materials: Privacy Framework Tool (tab 4)
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
If you are aware of exact costs or efforts required for an initiative, you can enter it on the right side of the table on tab 4 (Initiative Prioritization).
- When entering "High," "Medium," or "Low" values for the cost and effort, you may be aware of the specific cost rather than using the large estimation buckets - if so, enter this on the right side of the table.
- The cells in blue are auto-calculating what the initiative will cost based on the "High," "Medium," or "Low" value and the multiplier you chose earlier.
- If you put in a specific cost or effort value in the white cells, your input will overwrite the estimate in the calculations.
Note: This will be useful in populating the “Cost and Effort Estimates Table” on tab 6. It will provide an overall estimate of costs and effort associated with implementing a privacy program. The more accurate the data you enter in the tool, the more accurate the final estimates will be.
3.5 Create a visual effort map for your organization
Input: Outputs from activities 3.4.1 and 3.4.2
Output: High-level prioritization for each of the privacy gap-closing initiatives, Visual representation of quantitative values
Materials: Privacy Framework Tool (tab 4), Sticky notes, Markers, Whiteboard
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 4 in the Privacy Framework Tool.
- Establish the axes and colors for your effort map:
- X-axis represents the Privacy Benefit value from column J.
- Y-axis represents the Cost/Effort value from column H.
- Sticky note color is determined using the Alignment to Business value from column I.
- Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
- As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.
3.6.1 Define the effort map’s visual output
Input: Outputs from activity 3.5
Output: Prioritization for each of the privacy gap-closing initiatives, First execution wave of gap-closing initiatives
Materials: Privacy Framework Tool (tab 4), Sticky notes, Sticky dots, Markers, Whiteboard
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.
- Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of governing privacy law (GDPR, CCPA, HIPAA, etc.) and mark with a sticky dot.
- Document these initiatives as Execution Wave 1.
3.6.2 Refine the effort map’s visual output
Input: Outputs from activity 3.6.1
Output: Prioritization for each of the privacy gap-closing initiatives, First execution wave of gap-closing initiatives
Materials: Privacy Framework Tool (tab 4), Sticky notes, Sticky dots, Markers, Whiteboard
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
30 minutes
- Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
- Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5 and 3.6.1.
- Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
- Leverage the following 0-4 Execution Wave scale:
0. Underway – Initiatives that are already underway
1. Must Do – Initiatives that must happen right away
2. Should Do – Initiatives that should happen but need more time/support
3. Could Do – Initiatives that are not a priority
4. Won't Do – Initiatives that likely won't be carried out
- Indicate the granular level for each execution wave using the A-Z scale.
- Use the lettering to track dependencies between initiatives.
- If one must take place before another, ensure that its letter comes first alphabetically.
- If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.
3.7 Create the visual roadmap
Input: Outputs from activity 3.6.2
Output: Start and end dates for privacy initiatives, Staffing resource ownership for privacy initiatives, Gantt chart version of the privacy initiative roadmap
Materials: Privacy Framework Tool (tab 5)
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
If enough information around current and immediate future project resourcing is available, use the Gantt chart in tab 5 to document the exact start and end times of each initiative. This may be difficult to do immediately after prioritization, as there may be many considerations as to where these projects fit alongside existing action plans and strategies.
- Work with team members to first identify start dates for mandatory privacy initiatives (governed by privacy law).
- Refer to cost and effort estimates provided in tab 4 as you begin to populate start and end dates for each individual privacy initiative. Work in sequential order based on assigned Execution Waves.
- Assign ownership to each initiative. Ensure that each assigned owner is provided with relevant documentation to keep track of initiative (project) progress.
3.8 Revise and assess the cost and effort table
Input: Outputs from activity 3.6.2, Outputs from activity 3.7
Output: Total and ongoing cost resource allocation for privacy initiatives, Total and ongoing staffing resource hour allocation for privacy initiatives
Materials: Privacy Framework Tool (tab 5)
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
30 minutes
- Refer to the Cost and Effort Table on tab 6. The table will populate with an estimate of your overall costs based on the data input into the Initiative Prioritization tab.
- Costs are broken out based on the execution waves with a full total tabulated at the bottom. For each of the waves, you will be able to see the total dollar cost and total effort requirement based on:
- The cost of initial implementation to establish the privacy program.
- The ongoing annual cost, describing the costs and effort required to maintain the program.
- A rough total of these costs over a specified number of years. The number of years can be changed on the Initiative Prioritization tab (tab 4).
- Based on the results, revise if necessary. Keep in mind that these totals will be the driving points put forward to the senior leadership team when sourcing resources for the privacy program.
- Document final total costs and total efforts for each execution wave within your executive presentation. Identify areas on which to focus to obtain buy-in from your senior management team.
* Bear in mind that these numbers are solely estimates of previously input data. The total may be higher than expected.
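The roll-up described in activities 3.4.2 and 3.8 (bucket ratings with a multiplier, a specific value overriding the bucket, and per-wave initial, ongoing and multi-year totals) can be modelled in a few lines. The following is an added example written for this page; it is not the Privacy Framework Tool's own logic, and the bucket multipliers, initiative names and ratings are constructed placeholders rather than the tool's values. It also checks the rule from activity 3.6.2 that legally mandated initiatives must sit in Execution Wave 1.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed multipliers for the "High"/"Medium"/"Low" buckets. These are placeholder
# values for illustration, not the multipliers built into Info-Tech's tool.
INITIAL_COST = {"Low": 10_000, "Medium": 50_000, "High": 150_000}   # dollars
EFFORT_HOURS = {"Low": 40, "Medium": 160, "High": 480}               # staff hours
ANNUAL_COST = {"Low": 2_000, "Medium": 10_000, "High": 30_000}       # dollars per year


@dataclass
class Initiative:
    name: str
    wave: int                 # 0-4 Execution Wave from activity 3.6.2
    cost_rating: str          # "High" / "Medium" / "Low" bucket for initial cost
    effort_rating: str        # bucket for initial staffing effort
    ongoing_rating: str       # bucket for ongoing annual maintenance cost
    mandatory: bool = False   # required by governing privacy law (must sit in wave 1)
    specific_cost: Optional[float] = None     # "white cell" override, if known
    specific_effort: Optional[float] = None
    specific_ongoing: Optional[float] = None


def estimate(item: Initiative) -> Dict[str, float]:
    """Initial cost, effort hours and annual cost for one initiative.
    A specific value, when supplied, overrides the bucket estimate."""
    def pick(specific, buckets, rating):
        return float(specific) if specific is not None else float(buckets[rating])
    return {
        "initial_cost": pick(item.specific_cost, INITIAL_COST, item.cost_rating),
        "effort_hours": pick(item.specific_effort, EFFORT_HOURS, item.effort_rating),
        "annual_cost": pick(item.specific_ongoing, ANNUAL_COST, item.ongoing_rating),
    }


def mandatory_outside_wave_one(items: List[Initiative]) -> List[str]:
    """Names of legally required initiatives not placed in Execution Wave 1."""
    return [i.name for i in items if i.mandatory and i.wave != 1]


def cost_and_effort_table(items: List[Initiative], years: int) -> Dict[str, Dict[str, float]]:
    """Roll estimates up per Execution Wave plus a grand total: initial cost,
    staffing hours, ongoing annual cost, and a rough total over `years`."""
    table: Dict[str, Dict[str, float]] = {}
    for item in items:
        row = table.setdefault(
            f"wave_{item.wave}",
            {"initial_cost": 0.0, "effort_hours": 0.0, "annual_cost": 0.0},
        )
        est = estimate(item)
        for key in row:
            row[key] += est[key]
    total = {"initial_cost": 0.0, "effort_hours": 0.0, "annual_cost": 0.0}
    for row in table.values():
        row["total_over_years"] = row["initial_cost"] + row["annual_cost"] * years
        for key in total:
            total[key] += row[key]
    total["total_over_years"] = total["initial_cost"] + total["annual_cost"] * years
    table["total"] = total
    return table


# Constructed sample initiatives (names, waves and ratings are illustrative only).
SAMPLE = [
    Initiative("Privacy training refresh", 0, "Low", "Low", "Low"),
    Initiative("Publish privacy notice", 1, "Low", "Medium", "Low", mandatory=True),
    Initiative("Vendor DPA program", 1, "Medium", "High", "Medium",
               mandatory=True, specific_cost=42_000),
    Initiative("Data retention automation", 2, "High", "High", "Low", specific_effort=300),
]

if __name__ == "__main__":
    for wave, row in cost_and_effort_table(SAMPLE, years=3).items():
        print(wave, row)
    print("mandatory initiatives outside wave 1:", mandatory_outside_wave_one(SAMPLE))
```

The `years` argument plays the role of the number of years set on the Initiative Prioritization tab; change it and the per-wave and grand totals recompute, which is the revision loop activity 3.8 asks for before the figures go into the executive presentation.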
Implementation example – Be transparent
Key Components of a Privacy Notice:
- The identity of the organization
- What personal data you collect
- Why you collect this personal data
- How you collect personal data
- How you use personal data
- How you share personal data with third parties
- How you store personal data
- Personal data cross-border transfers
- How you protect data
- How you treat children’s personal data
- Your data subjects' rights
- Contact details
Info-Tech Insight
Your privacy notice explains your commitment to the data subject. Make sure it’s accessible at the beginning of all data collection activities.
Implementation example – Vendor risk management
End-to-End Third-Party Privacy Risk Management
Pre-Contract: Due diligence check
Signing of Contract: Data processing agreement
Post-Contract: Continuous monitoring, Regular check or audit
Termination of Contract: Data deletion, Access deprovisioning
Core Components of a Data Processing Agreement (DPA)
- Defined data processing roles
- Defined contract processing
- Processing instructions
- Sub-processor
- Security controls
- Data breach notification and handling
- Data secrecy and staff awareness and training
- Data subject request
- Compliance demonstration
- Cross-border transfer
- Termination of service
- Liability and indemnity
According to the Ponemon Institute (2018): 61% of organizations experienced a data breach caused by their supply chain in 2018; only 29% of organizations believe a third-party vendor would notify them of a data breach; and only 28% of organizations believe they will be notified when a third party shares data with an nth party.
Info-Tech Insight
Many organizations know that they need to secure their supply chain but struggle with finding the right level of due diligence. An end-to-end third-party privacy risk management process should be established to protect the shared data.
Implementation example – Data retention
Some business leaders will perceive indefinite retention as a benefit for business intelligence reasons (there’s always another potential use for data). However useful it may be, unnecessary personal data will cause additional headaches in the event of a breach.
Requirements:
- Privacy laws and regulations
- Business needs
- Security protection such as data classification
Governance:
- Data retention policy
- Data retention schedule
- Cross-functional collaboration (IT, business, legal, etc.)
Enforcement:
- Data deletion or de-identification
- Monitoring and audit
Info-Tech Insight
Establish a single source of truth for your data. This will allow you to go to the source and delete the first instance of the data (as per your retention schedule), and then plan to purge the secondary, tertiary, etc., instances on a regular basis.
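The enforcement side of the retention model above (a retention schedule, deletion or de-identification on expiry, and monitoring) can be expressed as a small evaluation routine. The following is an added example, not code from Info-Tech or from any tool the page describes; the retention periods, categories and records are constructed placeholders, and real periods come from the laws, business needs and classification listed under "Requirements". It also encodes the insight just stated: the primary (source of truth) copy is acted on first, then secondary copies are purged.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RetentionRule:
    retention_days: int
    expiry_action: str   # "delete" or "deidentify" once the period has elapsed


# Assumed retention schedule, constructed for illustration only.
SCHEDULE: Dict[str, RetentionRule] = {
    "customer_contact": RetentionRule(730, "delete"),
    "warranty_claim": RetentionRule(7 * 365, "deidentify"),
    "marketing_lead": RetentionRule(180, "delete"),
}

# Fields treated as direct identifiers when de-identifying a payload (assumed list).
DIRECT_IDENTIFIERS = ("name", "email", "phone", "address")


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    system: str            # "primary" for the single source of truth, else the copy's system
    legal_hold: bool = False


def decide(rec: Record, today: date, schedule=SCHEDULE) -> str:
    """Retention decision for one record."""
    rule = schedule.get(rec.category)
    if rule is None:
        return "review"    # no rule on the schedule: a governance gap to close, not a silent keep
    if rec.legal_hold:
        return "hold"      # a legal hold overrides the schedule
    if (today - rec.created).days < rule.retention_days:
        return "retain"
    return rule.expiry_action


def plan_retention_actions(records, today: date, schedule=SCHEDULE) -> List[Tuple[str, str, str]]:
    """(record_id, system, action) for every record, primary copies first so the
    source of truth is handled before secondary and tertiary instances are purged."""
    actions = [(r.record_id, r.system, decide(r, today, schedule)) for r in records]
    # Python's sort is stable, so input order is preserved within each group.
    actions.sort(key=lambda a: 0 if a[1] == "primary" else 1)
    return actions


def deidentify(payload: dict, identifiers=DIRECT_IDENTIFIERS) -> dict:
    """Drop direct identifiers, keeping the non-personal fields the business
    still wants for analytics (the 'de-identification' enforcement option)."""
    return {k: v for k, v in payload.items() if k not in identifiers}


def audit_summary(actions) -> Dict[str, int]:
    """Counts per action: the figures a monitoring and audit report would carry."""
    summary: Dict[str, int] = {}
    for _, _, action in actions:
        summary[action] = summary.get(action, 0) + 1
    return summary


# Constructed sample records (ids, dates and systems are illustrative only).
SAMPLE_RECORDS = [
    Record("r1", "customer_contact", date(2021, 1, 15), "primary"),
    Record("r2", "customer_contact", date(2021, 1, 15), "crm_export"),
    Record("r3", "warranty_claim", date(2015, 3, 1), "primary"),
    Record("r4", "marketing_lead", date(2024, 3, 1), "primary"),
    Record("r5", "customer_contact", date(2020, 5, 5), "primary", legal_hold=True),
    Record("r6", "sensor_telemetry", date(2019, 1, 1), "data_lake"),
]

if __name__ == "__main__":
    plan = plan_retention_actions(SAMPLE_RECORDS, date(2024, 6, 1))
    for entry in plan:
        print(entry)
    print(audit_summary(plan))
```

The "review" outcome is deliberate: a category with no rule on the schedule is the cross-functional gap (IT, business, legal) that the governance step is meant to close, and surfacing it in the audit summary is more useful than quietly retaining the data.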
Phase 4
Implement and Operationalize
This phase will walk you through the following:
- Establish metrics that map to the needs of the organization
- Implement and integrate metrics into operations
This phase involves the following participants:
- Privacy officer/privacy team
- Senior management representation (optional)
- InfoSec representative
- IT representative
Make your privacy program functional
Effective metrics add value by reflecting the current business environment and forecasting for the future.
As you begin to establish relevant metrics to guide the data privacy program, document and classify based on the associated set of privacy controls and category. Use Info-Tech’s Data Privacy Program Report template as your repository.
Create a measurable privacy program
Metrics take your privacy program from static documentation to a functional operation. Ensure that each task populated within the data privacy framework Gantt chart is supported by corresponding metrics.
Use metrics to help integrate privacy in the organization
Remove the fear factor associated with privacy by leveraging the language of your business unit champions as you create a metrics program that they can understand and integrate.
Choose metrics that make sense and align to your business requirements
Select metrics that make sense for the group you are reporting up to and ensure that the metrics are business-relevant and support strategic initiatives and the direction of the organization.
Be selective with the number of metrics
“More” does not mean “more effective.” Limit the metrics selected for the privacy program. One of the obstacles in obtaining buy-in stems from how lengthy and complex privacy can be to implement – don’t make it harder than it has to be!
Source: IAPP, 2022.
Match metrics to privacy controls
Create a cohesive privacy framework by aligning metrics to each of the 12 categories of privacy controls.
Governance:
- Average privacy document age
- Frequency of privacy policy reviews
- Percentage of personal data accounted for through data classification
- Reduction in time to report
- Reduction in time to disclosure
Regulatory Compliance:
- Frequency of review of current regulations
- Number of external regulatory obligations in scope
- Frequency of new regulation integration
Data Processing and Handling:
- % of high-sensitivity solutions with encryption, anonymization, or pseudonymization capabilities
- % of high-sensitivity solutions with monitored audit trails
- % of personal data covered by regulatory retention periods
- % of all data currently classified vs. unclassified
Data Subject Requests:
- Number of data subject requests received (monthly, quarterly, yearly)
- Average time to respond to data subject access requests (DSARs)
- Number of DSARs outstanding (not yet responded to) vs. responded to
Privacy by Design:
- % of projects that include privacy by design (PbD) during planning phase
- % of processes (current) within the organization that include PbD
- % of high-risk projects (current) that include PbD in the planning phase
Notices and Consent:
- % of data collection processes that do not capture consent
- Average time to respond to data subject’s request to withdraw consent
Incident Response:
- Average cost of an incident
- Number of incidents tracked (origin, org. unit, project, security level)
- Mean time to initiate incident response
- Mean time to complete incident response
Privacy Risk Assessments:
- Number of completed privacy risk assessments
- Frequency of DPIAs/PIAs performed
- Privacy risk score or ratio
Information Security:
- % of privacy or security incidents that are notifiable breaches
- Frequency of testing performed on security controls
- % of data-at-rest covered by security controls
- % of data-in-transit covered by security controls
Third-Party Management:
- Frequency of vendor contract review or touchpoints
- Number of data transfer agreements in place (current) for external vendors
- Number of vendors validated (e.g., via SOC 2 reports)
- % of personal data retained by vendors
Awareness and Training:
- Number of days between onboarding and completion of privacy/security training
- % of privacy personnel with privacy certifications
- % of staff receiving privacy training
- Frequency of in-house privacy training programs
Program Measurement:
- Average number of metrics achieved upon review (or % of metrics tracked)
- % of metrics that directly support business strategy
- Frequency of privacy program review
- Frequency of privacy committee meetings
4.1 Define privacy metrics for the organization
Input: Metrics from previous two slides
Output: Selected set of metrics, Understanding of the organization’s key privacy priorities, Initiatives identified during Phase 3
Materials: Data Privacy Program Report
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
- Based on the metrics provided by Info-Tech as a part of the data privacy program framework, identify which ones best suit the current needs of the organization and future privacy goals.
- Limit this selection to two to three metrics per tactical privacy area (selected from the 12 control categories in the Privacy Framework). Ask yourself: What do you want to know most about your privacy program? What do you want to show to others?
- For many privacy regulations, the need to demonstrate adherence is crucial, and metrics will play a large role in this regard.
- Beyond regulations, what are the privacy areas you want to track? What are the areas that senior management wants to track?
- For the selected metrics, discuss the target that you would like to achieve.
- This will likely change over time, but identifying a target helps to add context and goals to your privacy program.
- Consider selecting an immediate-term target and a stretch-goal target that represents a mature state for the privacy program.
- Document targets within the Data Privacy Program Report.
Download Info-Tech’s Data Privacy Program Report
Info-Tech Insight
Don’t focus on industry benchmarks for privacy – your privacy requirements will be unique and continue to evolve over time. Similarly, even the metric targets can change over time. What was once considered a “good” target can become “bad” in the future. Privacy will continue to evolve just as the business continues to change.
4.2 Align and prioritize privacy metrics
Fast-track external privacy documentation to satisfy the data privacy requirements of your end users.
Input: Outputs from Privacy Framework Tool, Metrics selected from activity 4.1
Output: Implementation plan for metrics, Operationalization techniques, Prioritized metrics roadmap
Materials: Data Privacy Program Report, Sticky notes, Whiteboard, Markers
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1 hour
- Write out the metrics selected in activity 4.1 on sticky notes.
- Divide whiteboard into 12 columns, each one corresponding to a category of privacy controls from the Privacy Framework Tool.
- Place metric stickies under appropriate privacy category.
- Reference prioritized initiatives from the Privacy Framework Tool (Execution Wave 1) and write each initiative on the whiteboard next to a corresponding metric.
- Metrics should directly correlate to tracking progress of the initiative. Some initiatives may map to multiple metrics; make note of this in the Data Privacy Program Report.
- For any Wave 1 initiatives that do not have an assigned metric, revisit activity 4.1 and ensure that a supporting metric is modified or a new metric is established.
- As the program matures, complete these activities for additional Execution Waves and align metrics accordingly.
Download Info-Tech’s Data Privacy Program Report
Develop and implement your metric lifecycle
Increase the credibility of the privacy program by analyzing and reporting on metrics on a regular basis.
A key factor in ensuring integration of the privacy program throughout the organization is presenting the business benefits of the program to the entire organization, and specifically to the executive leadership group.
Privacy is not a “one-and-done” project. Even after establishing metrics and implementing metric tracking as a part of the program, progress should be assessed.
This is the key step in establishing a metric lifecycle, ensuring that your metrics are continuously monitored and reviewed to meet the needs of the privacy program.
The final factor is ensuring that the metrics used to gauge the privacy program directly align to the organization’s business goals and support achieving these objectives. This helps to obtain requisite buy-in and support from executive leadership.
Analysis and Monitoring Categories
Compliance: Ensure that the organization meets compliance obligations. Examples include audit management, self-monitoring, security/system management, and risk management.
Regulatory/Legal: Ensure that the organization meets any legally imposed regulations to which it is subject.
PEST: Ensure that the organization’s approach to privacy and the privacy program align with both the external and internal operating environment, and consider any political, economic, social, and technological factors (PEST).
Source: IAPP, 2022.
Quantify privacy by tracking ROI
The final step in maturing and delivering value through the privacy program is achieved by demonstrating positive return on investment to your leadership team.
As privacy becomes the norm within organizations globally, the relationship that exists between high-accountability, privacy-mature organizations and organizational performance becomes increasingly easy to track.
Business and IT leaders attribute privacy management practices to:
- Increased competitive advantage
- Positive compliance records
- Innovation gains
- Operational agility
- Reduced sales delays
- Increased customer loyalty and brand reputation
Privacy ROI worldwide
- United Kingdom (3.5x)
- Brazil (3.3x)
- Mexico (3.3x)
$1.00 spent = $2.70 privacy ROI (Cisco, 2020).
Organizations that have dedicated time and resources to maturing privacy best practices are already experiencing positive ROI from their efforts.
4.3 Create and deliver the Data Privacy Program Report
Input: Privacy initiatives, Roadmap (Phase 3), Outputs from activities 4.1 and 4.2
Output: Full Data Privacy Program Report and executive presentation
Materials: Data Privacy Program Report
Participants: Privacy officer, Core privacy team, InfoSec representative (optional), IT representative (optional)
1-2 hours
- Using all the privacy outputs collected from Phases 1 to 4, create your executive presentation by leveraging the Data Privacy Program Report.
- Focus on the key outputs that your senior management team will want to know:
- What are the high-priority "must-dos" (regulatory or governance requirements)?
- What are the associated costs?
- What are the resourcing requirements?
- What is the required level of ongoing maintenance?
- How will this be tracked?
- Who takes ownership of the program and relevant initiatives?
Summary of Accomplishment
A clear path toward proactive privacy management.
The durable goods manufacturing industry is undergoing significant changes due to factors such as the adoption of Industry 4.0 technologies, the emergence of a growing consumer class, changes in demographics, and increasing regulations. To remain competitive, manufacturing companies are digitally transforming their business operations.
In a perfect world, the summary of accomplishment would state that you’ve solved the data privacy problem within your organization, and you’ll never be the subject of headline news as having fallen victim to a data breach.
The reality is that an effective data privacy program is ongoing, constantly evolving to fit within the surrounding digital and societal landscape. You’ve laid the foundation in working through the Data Process Mapping Tool and understanding how privacy is currently applied within the scope of your organization. By leveraging the outputs from this tool, as well as the maturity gaps identified as a part of the Privacy Framework set of exercises, you’ve begun to create a forward-looking data privacy roadmap.
Established metrics and a set of steps to achieve operationalization position your data privacy program for success by moving beyond static policies and procedures. By focusing on monitoring and assessing how the program captures and supports data privacy, you create a dynamic and adaptable framework.
And while even the strongest of data privacy programs are not bulletproof vests when it comes to preventing data breaches, by developing a flexible and customized data privacy program, your organization significantly strengthens its ability to recover from data privacy incidents and reduces its overall risk of exposure.
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
Additional Support
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
- Develop the Data Process Mapping Tool: During an onsite engagement, Info-Tech analysts will guide the interviews conducted with each of the business unit champions. The outputs will enable a clearer perspective on how personal data is handled throughout the organization.
- Conduct a privacy gap analysis: During an onsite engagement, Info-Tech analysts will guide the interviews conducted with each of the business unit champions. The outputs will enable a clearer perspective on how personal data is handled throughout the organization.
Research Contributors and Experts
Kevin Tucker
Principal Research Director,
Info-Tech Research Group
Bibliography
“2016 Annual Report and Notice of Annual Meeting.” Nike, 15 July 2016. Accessed 15 Aug. 2017.
"2017 Global Aerospace and Defense Industry Outlook." Deloitte United States. 19 June 2017. Accessed 16 Aug. 2017.
"Alicia Boler-Davis Remarks to J.D. Power Roundtable at NADA Convention." General Motors, 24 Jan. 2014. Accessed 15 Aug. 2017.
The Business Architecture Guild. BIZBOK® Guide, 2021. Web.
California Attorney General. California Consumer Privacy Act (CCPA). State of California Department of Justice, February 15, 2023.
Cavoukian, Ann. “Privacy by Design: The 7 Foundational Principles.” Office of the Information and Privacy Commissioner of Ontario, Canada (IPC), Jan. 2011. Web.
“Cisco 2018 Privacy Maturity Benchmark Study.” Cisco, January 2018. Web.
“Cisco Data Privacy Benchmark Study 2020 – From Privacy to Profit: Achieving Positive Returns on Privacy Investments.” Cisco, 2020. Web.
“Data Protection and Privacy Officer Priorities 2020 Report.” CPO Magazine, March 29, 2020.
“Define the Business Context Needed to Complete Strategic IT Initiatives.” Business Wire, 1 February 2018. Web.
A Guide to the Business Architecture Body of Knowledge®, V5.5 (BIZBOK® Guide), 2017. Business Architecture Guild. Web.
"The global manufacturing sector: current issues – CIMA." CIMA Global, n.d. Accessed 16 Aug. 2017.
Gunn, Matt. "Nike's 4 Game-Changing Moves in Supply Chain." GT Nexus. 2 Nov. 2016. Accessed 2 Aug. 2017.
Iera, Danielle. "Six Challenges Facing Modern Manufacturing Companies." Manufacturing.net, 17 Dec. 2015. Accessed 16 Aug. 2017.
Kevin Tucker. Durable Goods Manufacturing IT Stakeholder Satisfaction Benchmarking Report. Info-Tech Research Group, 2021.
Khurana, Anil. "Delivering the Sustainable Development Goals – seizing the opportunity in global manufacturing." United Nations Industrial Development Organization, 2017. Accessed 14 Aug. 2017.
Mullen, Michael. "Kraft Heinz Reports Second Quarter 2017 Results." Kraft Heinz Company, 3 Aug. 2017. Accessed 15 Aug. 2017.
"Nike's 4 Game-Changing Moves in Supply Chain." Infor, 15 Dec. 2016. Accessed 2 Aug. 2017.
Cichonski, Paul (NIST), Thomas Millar (DHS), Tim Grance (NIST), and Karen Scarfone. SP 800-61 Rev. 2: Computer Security Incident Handling Guide. NIST, August 2012.
Pedersen, Michael, and Alice Born. "North American Industry Classification System (NAICS) Canada 2017 Version 1.0." Government of Canada, Statistics Canada, 18 July 2017. Accessed 14 Aug. 2017.
Ponemon Institute, IBM. Cost of a Data Breach Study 2018. IBM Security, July 2018.
Ponemon Institute, IBM Security. Cost of a Data Breach Report 2022. IBM, 2022.
Potts, Rachel. "Caterpillar Reports Second-Quarter 2017 Results." Caterpillar, 25 July 2017. Accessed 15 Aug. 2017.
Regulation (EU) 2016/679 of the European Parliament and of the Council, General Data Protection Regulation (GDPR) [2016] OJ L 119/1.
Richardson, Amy. "6 Critical Issues Manufacturers Will Face in 2016." Flow Control Network, 13 Oct. 2015. Accessed 16 Aug. 2017.
Russell Densmore. Privacy Program Management. IAPP, 2022.
Singleton, Camille, et al. “X-Force Threat Intelligence Index 2022.” IBM Security, February 2022.
Skip Snyder, David Meek, Tomipekka Lehtonen, Plamen Kiradjiev. Smart manufacturing. IBM Institute for Business Value, 2021.
TOGAF Version 9.1. The Open Group, 2 February 2009. Web.
Tom Pahl. Electronic Toy Maker VTech Settles FTC Allegations That it Violated Children’s Privacy Law and the FTC Act. FTC, January 8, 2018.
Ulrich, William, and Neal McWhorter. "Business Architecture Scenarios, Version 3.0." Business Architecture Special Interest Group (BAWG). Object Management Group (OMG), 10 Aug. 2010. Web.
United States Environmental Protection Agency (EPA). Durable Goods: Product-Specific Data. EPA.gov, December 3, 2022.
"U.S. Industrial Outlook: Manufacturing Still Recovering." MAPI Foundation, n.d. Accessed 16 Aug. 2017.
White, Glen. "6 challenges facing the global manufacturing sector in 2015." Manufacturing Global, 26 April 2017. Accessed 16 Aug. 2017.