Privacy breaches are on the rise. Most (or all) of you reading this have likely received notice that your personal data has been breached. Some of you may have fallen victim to identity theft. Regardless, it’s unnerving when a company notifies you that your personal information has been accessed or stolen by an unauthorized party. In the age of digital transformation, privacy awareness is on the rise, and related legal obligations have taken center stage. Thus, a substantial privacy and data protection program will help protect personal information, build a foundation to mitigate data risks, and establish trust with data subjects and consumers.
For those in the United States, privacy has been understood as an individual’s fundamental right for many years and, in a broad sense, is the right to be left alone. However, information privacy is a new concept. Information privacy is concerned with establishing the rules that govern the collection, use, disclosure, retention, and disposal of personally identifiable information (PII). It provides an individual the right to control how their personal information is collected and used, which means that data identification, classification, governance, IT controls, and information life cycle management are critical to mitigating data and privacy risks.
When building a data protection program and associated policies and standards, it is an excellent practice to institute Fair Information Practice Principles (FIPPs), a set of guidelines for handling, storing, and managing personal information. FIPPs are organized into four categories and can serve as a foundation for protecting personal data:
• Rights of individuals – the company provides clear notice, choice, and consent to how personal data is used and the individual's ability to request access to their data.
• Controls on the information – the company ensures a level of care around information security, IT controls, and that the data maintains its integrity and quality.
• Information lifecycle – the company has defined collection practices, uses the data for legitimate purposes, retains data for legal, business, or compliance purposes aligned with regulations, and destroys data when it should be destroyed.
• Management – the company has a plan to manage and administer its privacy program, monitors the program to ensure it is meeting its compliance obligations, and enforces the program’s policies.
To build a holistic data protection program, it is essential to determine what the organization considers PII, particularly as it relates to applicable law. Personal information typically includes name, gender, postal address, telephone number, email address, age and date of birth, marital status, citizenship, and government-issued identification numbers. In certain jurisdictions, PII may also include other information that can be reasonably linked to an individual, such as IP address, location, and other device data. The organization then needs to determine what they consider sensitive information, such as health information or financial data. Once those terms are defined, the project team should build their Data Protection Framework.
Above is BDO Digital’s Data Protection Framework, which allows an organization to manage individual rights and data protection obligations by looking at the organization’s obligations from a holistic perspective. Outlined below is a checklist to get started.
• Governance
There should be a culture of compliance, accountability, and ownership of policies, combined with a tone at the top that supports data protection and compliance initiatives.
• Privacy Operations
The program should not only include a Global Privacy Office but should also involve supporting business units and operations that serve privacy needs. This is an excellent area to consider outsourced operations and technology to drive down costs.
• Privacy by Design
Each process and system that collects, stores, and/or uses personal data should be designed with privacy in mind – preventative, not remedial; privacy as a default setting; privacy embedded into the design; full functionality despite increased privacy controls; end-to-end security; and visibility and transparency for the users.
Ensure that public notices describe how the organization collects, uses, retains, and discloses personal information. The organization must follow the guidelines it publishes.
• Consent Management
The organization’s websites or apps should obtain the individual’s consent whenever information gathering is required, and should give the individual control over that choice.
• Rights Requests & Complaints
Under many laws, such as the EU General Data Protection Regulation (GDPR), you are required to allow individuals to access or request the deletion of their records. Additionally, the organization must let individuals file a complaint if they suspect that their rights have been violated.
• Data Management
At the core of any good data protection program is data management. A holistic data protection program’s data management platform should ensure that the company can identify the personal data sources located on its systems and where the data goes (inflows and outflows); that it builds upon the stated privacy policies and communicates the uses of data; and that it can be monitored to ensure appropriate data classification schemas and retention programs are in place. Additionally, the data should only be used for its intended purposes, and there should be a legitimate reason for storing it for a given period.
• Data Security
How personal data is handled, and the controls implemented to protect it, are essential to any suitable data protection program. Remember to ensure that appropriate access controls, encryption, data loss prevention strategies, and appropriate authentication mechanisms have been implemented, and always map them to the applicable data security laws and regulations.
• Incident Management
Incident response is a critical element of any data protection program. Without a good incident response program, the organization could well be fined for poorly managing an incident. This program not only requires a strong investigative and forensics team; it also requires a sound communications plan, a crisis management team, and incident notification capabilities.
• Vendor Management
Data that flows to third parties should be reviewed, and the practices those vendors employ are critical to fulfilling the organization’s holistic data protection program. Consider how data is handled when it is collected, stored, or analyzed by a vendor.
• Training & Awareness
If your employees don’t understand their responsibilities, then it is likely the program will fail. Train team members regularly, especially those who handle personal information, and periodically communicate regulatory changes so each associate understands the company’s obligations.
• Regulations & Change
Managing change is a challenge for any organization – monitoring regulatory changes is even more challenging. Build a program that tracks changes on a regular basis, and consider employing outside resources (technologies, service providers, consultants) that can track and manage your new obligations.
At the core of any program will be the organization’s ability to manage, maintain, and govern personal data to ensure that it is protected and accessible. Once the holistic program is developed, the company can consider taking a cyclical approach to complying with varying regulations. Companies often approach regulations from a linear perspective (e.g., GDPR, then CCPA, then PIPEDA) rather than through cyclical maintenance (e.g., identify regulatory changes, review the current status of the privacy program, create or update as needed). Combining a holistic plan with continuous monitoring allows the organization to better manage an individual’s rights, comply with regulations and laws, and respond to potential incidents.