BreachExchange mailing list archives

Five key privacy programme elements that make it work


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Sep 2015 19:22:35 -0600

http://forbesindia.com/blog/business-strategy/five-key-privacy-programme-elements-that-make-it-work/

Although privacy is making rapid strides, one big challenge remains: how
do organisations demonstrate that they respect the data subjects’ right to
privacy? In fact, the challenge has increased manifold due to greater
awareness, regulations, and incidents. Today, enterprise data privacy
programmes must address both privacy and security needs. Meeting these
needs and creating privacy programmes calls for a systematic approach to
design. The privacy programme must be kept simple, with minimal jargon
and easy-to-understand expressions for stakeholders at all levels. While
the programme can be driven with regulatory compliance as the stick, the
carrot would be ease of understanding and implementation. But ensuring its
sustenance and scalability calls for making it part of the organisation’s
culture and not merely an organisational policy. This is, perhaps, the
hardest job in the hands of an implementer and often leads to a pertinent
question: Is there a simple design that can be scaled at the pace the
organisation needs?

In my experience, five steps go into designing a simple data privacy
programme that can be scaled as per the organisation’s needs:


1.  Data visibility
Conduct a data visibility exercise for all organisational processes
in scope. Such an exercise will be an enabling tool for all process owners
to disclose the personal data controlled and processed by them. It will help
put together an inventory of personal data managed by the organisation with
details such as, but not limited to:

Who is the owner of the data?
Why is the data required?
How is it stored / processed?
Who can access it and why?
How long is it retained?
How is it disposed of?
What is the nature of the data (PI, PII, or SPI)?

Set up a process to update this inventory in real time or periodically, in
line with legal requirements, to ensure continuous data visibility. Data
visibility of this sort provides implementers, attorneys, and regulators
with the data they need to understand the privacy protection needs of the
organisation.

2.  Privacy protection need analysis
The data visibility exercise should be followed by a privacy and protection
need analysis. Define your requirements and commitments to ensure the
data subject’s right to privacy and the protection of data within the
organisation’s gamut. Look into the local regulatory regime in the
geographies the organisation has scoped in. Privacy protection needs may
differ across countries and industries. In addition, consider the relevant
published standards. Such an analysis enables informed decisions that
ensure balanced privacy protection controls. Controls considered excessive
today may be considered essential later, or vice versa. Thus, a
periodic analysis will help strike a balance as the practice matures
globally.

3.  Privacy protection controls
Design and adopt privacy protection controls based on the privacy protection
need analysis, cost-benefit analysis, regulatory requirements, the
organisation’s commitments, and risk assessment. Privacy protection
controls include, but are not limited to: data masking, encryption, data
transfer contracts, privacy policy and procedures, incident management,
internal audit, information security controls, privacy notice, consent
acquisition, and retention and disposal policy. The design and
selection of controls must be aligned with data protection principles.

4.  Privacy incident reporting and management
Put in place an effective incident reporting mechanism that enables all
stakeholders to report any privacy incident. All stakeholders must be made
aware of this mechanism continuously through various communication media
such as emails, posters, quizzes, training, etc. In addition, define the
process for acting on reported incidents and ensure the process
includes privacy impact analysis, root cause analysis, a RACI (who is
Responsible, Accountable, Consulted, and kept Informed) matrix for the
stakeholders involved, SLAs for closure, provisions for actions to be
taken, documentation of lessons learned, and measurement of the effectiveness
of privacy incident management.

5.  Governance
A key ingredient in a robust privacy programme is top management
involvement. This will ensure the privacy programme is effective at
various levels in the organisation. Also, define the metrics that the
organisation wants to monitor, against thresholds set as per the
organisation’s risk appetite, reflecting the health of the programme.
Aligning the privacy programme to the organisation’s business goals and
strategy is essential for effective governance.

Every day a new outlook on privacy appears. While it is true that we cannot
design and adopt a perfect privacy programme, we can definitely build a
reasonable assurance model. Begin by keeping these five basic elements in
mind and strive to improve the programme by building depth in the activities
under the design.

There is no end to what can be done, so it is important for the implementer
to strike a balance between protecting the interests of all stakeholders and
continuously refining the programme to keep it relevant and friendly.
Only then will it function as an enabler in achieving business goals.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!