Don’t let privacy regulations paralyze you. Instead, keep your organization moving forward by setting some annual organizational data privacy goals that focus on maintaining brand value and customer trust, along with protecting consumer and employee data.
Whether you’re starting from the ground up or you have a privacy program in place, let’s look at some of the goals that may help your organization gain or maintain compliance.
Fully understand your requirements
Your organization evolves over time—and so do privacy laws. Before you can take any meaningful action toward privacy, you need a firm understanding of the requirements you face. A great place to start? Getting help from your legal department or a consultancy agency.
Any legal requirements based on the jurisdiction(s) your organization operates in must be taken into consideration. Some companies are well-accustomed to handling privacy requirements around long-standing regulations such as:
- Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act
- Telephone Consumer Protection Act (TCPA)
- Children’s Online Privacy Protection Act (COPPA)
- Canadian Anti-Spam Law (CASL)
But that isn’t sufficient these days. Businesses also need to consider current and upcoming privacy laws, both international and U.S. state-level, such as:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
Build or align your program to a privacy framework
You know what your requirements are. You have a policy and notice in place. So what else can you do to enhance your program?
Whether you’re currently building a program or you have an existing privacy program in place, aligning it to a privacy framework can add value. For example, an organization with a security program built around the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) may find the NIST Privacy Framework (PF) a great choice. NIST provides a crosswalk between the CSF and the PF to support efficient cybersecurity programs.
In addition to NIST PF, the Information Systems Audit and Control Association (ISACA), the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA), and the International Organization for Standardization (ISO) all have privacy frameworks that can be used as a foundation and compass for your privacy program.
Gain buy-in
No matter what your privacy goals are, you will need support from your leadership.
A supportive culture is the key to success, no matter your strategy. The first step toward obtaining that buy-in from leadership is making sure they understand your goals and strategy—and the need for privacy. For example, if your organization is required to comply with CCPA/CPRA, it may be helpful when seeking buy-in from leadership to create a specific and relatable business case. You can even use real-world examples and draw parallels to your own organization’s operations.
Assign ownership of privacy
If you are newly affected by a privacy regulation or your organization is still maturing its privacy program, an important goal is to appoint a privacy lead, such as a Data Privacy Officer or Data Protection Officer (either abbreviated DPO).
In fact, some regulations, such as GDPR, may even require you to have a formally appointed Data Protection Officer. Even if you aren’t required by regulation to appoint one, there are many other reasons to do so. Having a person in charge of your data privacy program will help ensure that the program is being appropriately executed.
This, in turn, helps you earn or maintain customer trust.
However, for some businesses, a privacy point person can feel like a big investment. Keep in mind that it’s not an all-or-nothing situation. One strategy that works well for many organizations is to collaborate with a Fractional Privacy Officer.
What does a Fractional Privacy Officer do?
Fractional Privacy Officers can support a sustained approach to privacy in your business, allowing you to take proactive steps without the expense of hiring for an internal position. An FPO can help you with all aspects of your privacy program, from setting one up in the first place to assessing what you already have against upcoming regulations.
More specifically, though, they can:
- Run and review data inventories
- Create action plans for relevant privacy regulations
- Manage cookie consent processes
- Execute privacy impact assessments
- Implement privacy management technology
- Assess vendors and other third parties for compliance
- Run privacy awareness training
And this is just the tip of the iceberg. An FPO can be an invaluable partner in your long-term privacy efforts.
Improve visibility with a data inventory
You can’t protect what you don’t know about. A data inventory, sometimes referred to as a data map, should include every piece of sensitive information stored or processed by your company, whether held electronically or in hard copy.
The idea is to understand what kind of data is collected so you can then build a data map. Data mapping is meant to show you where and how data is stored, what it’s used for, whether it’s shared, and how long it must be retained. Not only is data mapping important to any privacy program, but it is also necessary for compliance with GDPR, CCPA, VCDPA, and CPRA.
Planning for your data inventory
As you consider conducting a data inventory and mapping data, keep the following questions in mind:
- Which departments in your organization are most likely to collect, store, share or process data?
- Who would you need to contact to learn about the data that exists? What is the best way to reach them?
- Which stakeholders in your organization may have an interest in the outcome of your data map?
- Do you have sufficient internal resources to conduct the data map? Or, can you access external resources with experience in conducting such activities?
- Do you intend to use the outcome of your data inventory to demonstrate compliance with any specific legal requirements?
Create (or update) your data privacy policy and privacy notice
A data privacy policy functions as the voice of your board of directors or senior management. It is meant to clearly state how the organization and its members are expected to behave regarding a particular subject.
A good internal data privacy policy should include:
- A statement of the organizational context (i.e., what is the purpose of the policy?)
- The basic guidelines or rules being implemented with the policy
- A clear definition of roles and responsibilities regarding data protection within the organization
It’s also vital that your privacy policy—which is an internal document—is accompanied by a clear, jargon-free privacy notice.
Your privacy notice is a public-facing document that details how your organization approaches privacy. It should include what data is collected, how it’s used and stored, and with whom the data is shared. It should articulate what the consumer’s rights are and, importantly, how they can go about exercising them. (For example, if they want to opt out, obtain a copy of their information, or correct it, what steps should they take to make that happen?)
It’s vital to distribute your privacy notice accordingly. Make sure it is accessible via:
- Website footer
- Email footer
- Side menu
- Signup forms
- App store listings
Stay on top of individual rights
With a number of privacy regulations becoming enforceable, make sure you have everything in place to honor individual privacy rights in 2023. Among the newcomers are:
- California Privacy Rights Act (CPRA), which amends CCPA
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
Don’t make the mistake of assuming that you can paint with too broad a brush when it comes to individual rights. Each regulation has different stipulations for how you handle rights. A data inventory is a valuable tool for ensuring that you know the lay of the land for the data you’ve collected—and can come up with a strategy for ensuring it’s in compliance with the law of the land.
You should identify:
- Which regulations (and rights) apply to your business
- Processes and workflows for handling individual rights requests
- Methods of making requests
- Requirements for verifying consumer identity
- Timeline requirements
Conduct a thorough risk assessment
With a privacy lead assigned, a policy in place, and support from your management and stakeholders, it’s time to roll up your sleeves.
All the information you discovered while building a data inventory and doing data mapping makes performing an assessment of your current state easier. As you perform your risk assessment, you should be considering at least the following:
- Are you compliant with applicable legal, regulatory, and policy requirements for privacy?
- What are your risks (including vulnerabilities, threats, likelihood, and impact)?
- Are your current protections and processes sufficient to mitigate potential privacy risks?
The various risks that you identify when you assess your program should provide you with some areas that you can act on. But before you move forward, you’ll need a plan of action.
Developing a privacy plan of action
Using the results of your assessment, you should be able to build a plan for implementing the necessary privacy controls throughout your organization. Your plan will probably include a number of projects needed to meet your privacy requirements.
As you think about those projects, make sure you are capturing at least the following:
- Appropriate business use cases
- Project implementation schedule
- Lessons learned during implementation
- Benefits expected versus benefits realized
For some organizations, there may be business-to-business (B2B) workflows that must be considered for the scope of a project. In these cases, any contracts or agreements with other organizations should be reviewed.
Revise your contracts
You should review and update contracts and data processing addendums regularly, to ensure they contain language required by applicable privacy laws.
If you are unfamiliar with data processing addendums, you need these agreements for consumers if you have a website, collect customer data, or make sales online. For Virginia’s VCDPA, a data processing addendum compliant with GDPR may be sufficient. CPRA, on the other hand, requires specific language that differs from both CCPA and VCDPA, along with more detailed revisions.
Train your team on privacy awareness
Buy-in from management is important for setting the right culture in an organization. But staff must be able to carry out the intended culture, and this requires training.
Training should cover the basic mechanisms and controls for maintaining privacy and meeting regulatory requirements. Staff should also be trained on the “why” behind the privacy guidelines, and they should know what to do in the case of a privacy incident.
A few other areas that you should be covering in your training program include:
- Definition of personal data
- Individual rights (consumer and employee)
- Responsibilities
- When to contact the privacy team
You can’t achieve your goals if you never set any
A robust privacy program is a great goal, but there are many baby steps along the way.
A successful privacy program is one that’s custom-built to suit an organization’s needs. Whether your organization appoints a Data Privacy Officer and assembles a privacy team, or hires an external one, privacy programs will need to continue to evolve. The experts at Red Clover Advisors can keep you moving forward and achieving your privacy goals.
Schedule a call today to see what we can do for you.