Four Initial Steps for implementing a data privacy framework
The requirement to protect data has become increasingly obvious after several high-profile incidents involving breaches of company and consumer data. Such breaches usually cause two types of damage: first to a company's reputation, as the public bemoans the violation of their trust, and then financially from the fallout. Companies may be forced to pay for credit-monitoring services, make pay-outs for lawsuits or settlements, or even pay ransoms for hijacked data.
Some companies have adopted an 'it can't happen here' approach to data breaches, but global legislation will soon force them to take a closer look at their approach.
When unpacking the complexities of data privacy across global operations, it is very easy to get lost in the details of specific requirements, or to have management shift the focus to the hottest topic of the moment. It is better not to react to the most recent scandal or piece of legislation, and instead to look at the overarching process of data-privacy controls at the technological, compliance and management levels.
Those tasked with managing compliance obligations and risks need to be able to plan and prioritise across a wide range of issues, and to have those priorities understood and acted upon by the business.
The four initial steps to take to design and maintain your data-privacy programme
1. Choose a framework
It is important to agree on a framework for documenting obligations and reviewing their relative importance. There should also be a method of managing the overarching programme so that each obligation is dealt with according to its priority. The system of controls and processes can become very complex and intricate, and companies need to build their systems on a firm footing. There is rarely a need to reinvent the wheel when it comes to data-privacy controls, as there are internationally recognised standards to assist in building and organising a programme.
At Relentless we have developed a framework covering 10 core areas and 72 controls, examining policies, communications, procedures and controls to deliver a full 360-degree view of a client's privacy compliance status.
2. Understand your obligations
One of the most easily made mistakes when building a data-privacy programme is to jump into the technical requirements of a law or code without fully considering what is most important to the business and its operations.
The first step should always be to understand the business necessity to comply. This involves a careful analysis of what the organisation's obligations are and what the risk of breaching those obligations could be, balanced against the organisation's risk strategy. Essentially, this is a gap analysis of your legal, regulatory and reputational obligations and of how your current efforts stack up against them.
For companies operating or based in Europe, data-privacy obligations may come from the European Union's GDPR, but most countries have some form of data-privacy legislation that also needs to be considered. Many industries have their own codes of conduct, which provide more specific guidance about how to treat data and are often more stringent. There may also be contractual obligations. Finally, a company's employees have their own expectations, whether realistic or not, about how you will treat their private personal data.
3. Have a full view of the risks
Once the obligations have been understood, you need to assess the likelihood that a violation will occur. This involves analysing many factors, such as the type of data (employee or customer), how sensitive the data is, who has access to it (both within your company and externally), what your security processes are, and how you have managed breaches in the past. This understanding will provide clear guidance on the risks and potential impact of breaches, and it will allow for a discussion about what level of risk your business is willing to accept.
4. Document and communicate your policies
Once the obligations and risks are understood, it is vital to document exactly what your policies for managing each risk are. Not all risks are managed in the same manner or to the same extent. A policy document needs to provide more than a high-level statement that you take privacy seriously: it needs to set out appropriate guidance in key areas, such as consent, access and breach management. Policies for data protection and privacy may overlap with other business policies, such as security standards, records retention policies and the management of confidential or internal intellectual property.
With all policy documentation, a policy is only as effective as its communication. A large proportion of data breaches result from unfortunate staff errors, so a solid privacy awareness programme is the catalyst of successful privacy management.