Co-authored by Jen Stone (CIS, CISSP, CISA, QSA), Principal Security Analyst at SecurityMetrics.
Data Privacy and Protection
Data privacy and protection (DPP) laws aren’t entirely new to the security and compliance landscape, but the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are prompting many organizations to take a more formal approach to DPP.
So where do you begin? Here are five steps to get you started.
1. Determine DPP leadership
Start with sponsors, champions, and leads. Who will be driving the initial project to establish your DPP program? Will they continue leading your program once it’s established?
Who are your subject matter experts? Make sure they are involved from the beginning. Depending on the size and complexity of your organization, this could include roles from legal, security, privacy, senior management, compliance, and project management.
If data protection and privacy compliance are new to your organization, you might need to build internal knowledge. Connect with other privacy professionals for advice. You can:
- Join the International Association of Privacy Professionals (IAPP)
- Listen to data privacy webinars
- Join data privacy groups on LinkedIn
2. Define your goals
What are the goals of your DPP program? If you can define the end result early, it will help you stay focused on moving in the same direction. A DPP program charter can provide clarity to define your team’s overall scope, authority, responsibilities, and governance structure.
Keep in mind that a project differs from a program. A project has defined deliverables that mark an end to the work being done, while a program is intended to move forward indefinitely. This means you might need a project to establish the program. In general, the project would encompass the first four steps listed here (i.e., “Determine DPP Leadership,” “Define Your Goals,” “Assemble the Team,” and “Find the Data”), while the program would be the ongoing work done in step five (i.e., “Refine and Reiterate”).
3. Assemble the team
Data most likely lives in every corner of your organization, so consider including team members with diverse knowledge of data in your organization. This should include both technical and non-technical individuals, since their perspectives on data will differ due to the different natures of their jobs.
Recognize that the more unfamiliar your organization is with DPP, the more churn you can expect while determining who belongs on the team. The people you meet with initially to explain the project might not actually execute the work.
As you initially assemble the team, try to clearly explain the time commitments so that people with the appropriate bandwidth are on board to represent functional teams. Consider recording presentations that set context for the project and disseminate DPP training, so you don’t have to reiterate the goals and scope of the project if team members switch out.
Since most privacy-related development and analytical work is added on top of already existing workloads throughout Technology, Finance, HR, etc., getting buy-in from key stakeholders requires diplomacy, persuasion, and mutual respect. Without this, it is hard to really get the project the prioritization it needs.
But it is worth the work! These key people can truly become your Privacy Champions throughout the organization, furthering privacy efforts such as:
- Developing Erasure, Portability, and other Data Subject Right (DSR) procedures (Access, Rectification, etc.) for GDPR
- Creating data retention and destruction procedures
- Looping you into new processes where you can embed privacy by design and default (as written into Article 25 of the EU GDPR)
4. Find the data
A common cybersecurity adage states, “You can’t protect what you can’t see,” so finding where data lives in every corner of your organization is critical. This often means assembling team members who are familiar with data flows and processes from various parts of the organization – technical and non-technical. Perform data inventories and data mapping in one-on-one sessions with key stakeholders at the beginning of the project, if at all possible.
Taking the time to meet one-on-one can bring significant benefits, such as leading to more effective collaboration, building rapport, and encouraging greater buy-in.
5. Refine and reiterate
Can you really ever be 100% compliant? It’s a good question because the DPP landscape is ever-evolving. New legal interpretations of the regulations are developed as they are tested in the courts.
Under GDPR, new business processes or new technologies require new Privacy Impact Assessments (PIAs), new Article 30 records, and new data inventories. New data collection points or data stores require new development tied to DSRs. In addition, as you audit processes and embed privacy by design and by default, you will find gaps, room for improvement, and ways to make processes more efficient.
All of this can impact your privacy notice and required notification updates.
Gabrielle Harris has worked in Data Privacy and Protection for about 3 years, with a diverse background including Systems Analyst and Finance Accountant. She has a BS in Geography and an MS in Management and Leadership, both of which influence her to approach leadership in a global, humanistic way. Gabrielle lives in Utah. She is a football fanatic and also loves music and art.
Jen Stone (MSCIS, CISSP, CISA, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.