You’ve created a data inventory, you’ve mapped your processes, and researched the laws and regulations that are applicable to your business. Not surprisingly, there are some gaps between your practices and the legal requirements. Now what do you do?
Generally, there are two types of remedies to address gaps in your privacy compliance activities: Administrative and Operational.
Administrative Compliance Remedies
When I refer to Administrative Compliance remedies, I include the creation of controls such as policies, procedures, standards, guidelines for use by an organization that provides direction for the organization to become and remain compliant. Without having appropriate Administrative Compliance controls in place, Operational Compliance cannot be reasonbly achieved.
There are three types of gaps that may hinder Administrative Compliance within an organization’s guidance. The types are Omissions, Conflicts, and Misdirection.
Omissions occur when a requirement is overlooked by an organization and is therefore not included in the directional guidance provided to team members. For example, as new jurisdictional laws are enacted there are often privacy notice requirements defined. If these requirements are missed when the new law is reviewed, guidance in the form of standards for transparency, for example, may be omitted with the requirements not met within individual products or service agreements.
To address omissions a careful, periodic review of applicable laws is required. This review should also be accomplished each time a law is determined to be applicable. Leveraging your legal inventory will provide a basis for this analysis.
Conflicts occur when directional guidance is provided by two different documents, usually authored by two different departments, establish different requirements. A simple example is when the standards from the privacy office requires AES 256 bit encryption for personal information in transit while IT Security requires AES 512 bit encryption.
Addressing Conflicts can be addressed in many ways. My recommended approach is for the privacy team to allow the appropriate operational department to take the lead in defining the requirement and then have that referenced in the privacy artifacts as appropriate. In the above example, having IT Security define the encryption requirements with the privacy guidance referencing the IT Security requirement, without providing any details, would solve the conflict.
Finally, Misdirection is when a requirement is recognized, but the guidance provided is just incorrect. Team members are expect to follow the privacy office’s Administrative guidance, so when follows the incorrect guidance, the organization may become non-compliant.
To address Misdirection consider having an third party privacy assessment periodically (we recommend at least annually). This independent review will identify not only Administrative issues, but Operational issues as well.
Operational Compliance Remedies
Operational Compliance remedies to me refers to the actualization within those systems, applications, or business processes to comply with the Administrative Controls. Beyond periodic privacy assessments, the most effective approach to ensure operational compliance include a formal Privacy Impact Assessment (“PIA”) and a formal compliance testing regimes.
The use of these tools will be discussed in coming entries to this series.