Data privacy and protection (DPP) laws aren’t entirely new to the security and compliance landscape, but the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are prompting many organizations to take a more formal approach to DPP.
Data privacy and protection (DPP) laws aren’t entirely new to the security and compliance landscape, but the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are prompting many organizations to take a more formal approach to DPP.
So where do you begin? Here are five steps to get you started.
Start with sponsors, champions, and leads. Who will be driving the initial project to establish your DPP program? Will they continue leading your program once it’s established?
Who are your subject matter experts? Make sure they are involved from the beginning. Depending on the size and complexity of your organization, this could include roles from legal, security, privacy, senior management, compliance, and project management.
If data protection and privacy compliance are new to your organization, you might need to build internal knowledge. Connect with other privacy professionals for advice. You can:
What are the goals of your DPP program? If you can define the end result early, it will help you stay focused on moving in the same direction. A DPP program charter can provide clarity to define your team’s overall scope, authority, responsibilities, and governance structure.
Keep in mind that a project differs from a program. A project has defined deliverables that mark an end to the work being done, while a program is intended to move forward indefinitely. This means you might need a project to establish the program. In general, the project would encompass the first four steps listed here (i.e., “Determine DPP Leadership,” “Define Your Mission,” “Assemble the Team,” and “Find the Data”), while the program would be the ongoing work done in step five (i.e., “Refine and Reiterate”).
Data most likely lives in every corner of your organization, so consider including team members with diverse knowledge of data in your organization. This should include both technical and non-technical individuals, since their perspectives on data will differ due to the different natures of their jobs.
Recognize that the more unfamiliar your organization is with DPP, the more churn you can expect while determining who belongs on the team. The people you meet with initially to explain the project might not actually execute the work.
As you initially assemble the team, try to clearly explain the time commitments so that people with the appropriate bandwidth are on board to represent functional teams. Consider recording presentations that set context for the project and disseminate DPP training, so you don’t have to reiterate the goals and scope of the project if team members switch out.
Since most privacy-related development and analytical work is added on top of already existing workloads throughout Technology, Finance, HR, etc., getting buy-in from key stakeholders requires diplomacy, persuasion, and mutual respect. Without this, it is hard to really get the project the prioritization it needs.
But it is worth the work! These key people can truly become your Privacy Champions throughout the organization, furthering privacy efforts such as:
A common cybersecurity adage states, “You can’t protect what you can’t see,” so finding where data lives in every corner of your organization is critical. This often means assembling team members that are familiar with data flows and processes from various parts of the organization – technical and non-technical. Perform data Inventories and data mapping in one-on-one sessions with key stakeholders at the beginning of the project, if at all possible.
Taking the time to meet one-on-one can bring significant benefits, such as leading to more effective collaboration, building rapport, and encouraging greater buy-in.
Can you really ever be 100% compliant? It’s a good question because the DPP landscape is ever evolving. New legal interpretations of the regulations are developed as they are tested in the courts.
In GDPR, new business processes or new technologies require new Privacy Impact Assessments (PIA), new Article 30 records, and new data inventories. New data collection points or data stores require new development tied to DSRs. In addition, as you audit processes and embed privacy by design and by default, you will find gaps, room for improvement, and ways to make processes more efficient.
All of this can impact your privacy notice and required notification updates.
Gabrielle Harris has worked in Data Privacy and Protection for about 3 years, with a diverse background including Systems Analyst and Finance Accountant. She has a BS in Geography and a MS in Management and Leadership, both of which influence her to approach leadership in a global, humanistic way. Gabrielle lives in Utah. She is a football fanatic and also loves music and art.
.svg)
