Back to all blog posts

Kick-starting a privacy program … revisited

It is not enough for a business to create a privacy notice and place it on its website; a business must define policies and practices, verify that their employees are following the practices and complying with policies, and confirm that third-party service providers are adequately protecting any shared information. As customer demands and regulatory requirements change, the business’s privacy practices and policies must be reviewed and revised to meet this changing business environment.

Several years ago, I wrote an article for the International Association of Privacy Professionals outlining 10 steps to get your privacy program started or revitalized. As time has moved on, privacy requirements have expanded placing more of a burden on organizational responsibilities, so I thought it was time to revisit how to get a privacy program kick-started.

1.    Identify a champion

It is critical to identify someone to own the privacy program and the process to create it. Optimally, this will be someone in your senior leadership team, thereby demonstrating the priority being given to privacy within the business. Appointing a senior leader to this role will also show your customers, staff, and partners your commitment to protecting personal information.

It is not enough for the selected individual to represent the program; they must drive it. They must be a champion for privacy so the organization can understand how the use of personal information impacts a business and how misuse of the information can affect their customers (and the business itself).

The champion does not need to manage the privacy program on a day-to-day basis; a program manager can be identified for this activity. The champion must provide active support and direction for the program.

You can imagine that different functions within your organization may have different perspectives on privacy. Marketing, human resources, sales, and legal, for example, may have very different perspectives on how personal information should be collected and used. Establishing a core team to support the program champion consisting of members from the various functions within your organization allows each of their voices to be heard and appropriate balances to be struck as the program gets established.

2.    Take inventory

To develop effective policies and practices, you must understand what is important to the various organizational functions. Taking inventory of the personal information already on hand is a great way to gather these requirements.

Using the core team members to work within their own functional teams, they can determine:

  • What personal information is collected.
  • Why the information is collected.
  • How the information is collected.
  • How the information is stored and protected.
  • If the information is shared with a third party and, if so,
    • How it is transmitted.
    • How the third party protects the information.
  • When the information is destroyed and by what process.

Once created, keeping this inventory current will help ensure compliance with your policies and practices.

3.    Understand your legal, regulatory and partner requirements

In addition to exploring the internal requirements for the use and protection of personal information, you also need to explore external requirements. There are three primary sources for these requirements—legislative bodies, regulatory bodies, and partners.

Legislative bodies

Throughout the world, laws have been established governing the collection, use, transfer and protection of personal information. These laws vary by jurisdiction with differences most often based on culture, history, and business climate.

It must be acknowledged that the foundational model for emerging legislation is the European Union’s General Data Protection Regulation, GDPR. I recommend that you include GDPR requirements in your inventory even if GDPR does not apply to your organization. This will allow your program to be ready as new legislation takes effect in jurisdictions where your organization operates.

Pay particular attention to Data Subjects’ Rights requirements. These are evolving and expanding as new laws are introduced.

Regulatory bodies

Depending upon your industry and the information you collect, there may be requirements that government or industry regulatory agencies impose. For example, if you use credit cards for payment, you should be compliant with the Payment Card Industry Data Security Standards. Participants in the U.S. healthcare industry must comply with The Health Insurance Portability and Accountability Act of 1996. Privacy in the U.S. financial industry is covered in the Gramm-Leach-Bliley Act.

Partners

You may have agreements in place with your customers or your suppliers that specify privacy requirements. Regardless of what you establish as an organizational standard, these agreements will override your standard policies and practices for these stakeholders.

4.    Define your high-level policy

Taking your internal and external requirements into account along with the personal information you collect, you are now ready to define your privacy policy. Often organizations want to become detailed and specific in their policies, but this frequently leads to an inability for the business to address unforeseen circumstances.

When you consider your privacy policy, think of it as a moral compass for your organization defining what is “the right thing to do.” Supplement this with some high-level guidance on implementation (such as “personal information will be encrypted in transit”), but leave the details for your functional areas to define. This allows for the policy to remain unaffected as technology, requirements or the business climate changes.

Consider that the policy should be directive. Your staff should not have to interpret what the policy intends for them to do to be compliant. The policy should be clear and concise. The policy should also define the consequences to an employee, contractor, or temporary worker if the policy is violated.

Finally, everything in the policy should be measurable. This characteristic lays the foundation for obtaining metrics to determine if the privacy program is working or needs adjustment.

5.    Define processes, standards and guidelines

To support your policy and to ensure your staff understands how to meet your requirements, supporting documentation must be created to specify how the staff should behave. There are three different ways to document these instructions:

  • Processes are step-by-step instructions describing how a task must be accomplished.
  • Standards define minimum requirements that must be met (though exceeding these requirements should be encouraged).
  • Guidelines are suggestions about how things should be done, but unlike Standards, are not required.

The core team can work within their own functional areas to define the appropriate level of documentation for their area. This will engender a sense of stakeholder ownership of these documents. However, you should consider having the entire core team perform a final review and approve each of these documents to eliminate duplicative and possibly conflicting documents.

6.    Train your staff

With everything now in place, it is time to train your staff. Simply asking them to read the documented policy, processes, standards, and guidelines will not be effective; think of all the email and reading each of us addresses in a typical day. A formal training, either face-to-face, computer-based, or by webinar should be undertaken.

Training should occur when the privacy program is initially introduced. New hires should be trained upon joining the organization as should contractors and temporary employees. Annual refresher courses should also be put in place.

Annual privacy training should be required of every staff member; completion of the training should be logged and considered part of the performance review process.

It is strongly recommended that the training be role-based. For example, providing similar content to Legal and IT may be effective, but adding subject matter and examples relevant to each area will increase the potency of the training.

Executives should also be trained. Their training should include content similar to that provided to the overall staff but should also include a segment on the state of privacy in the organization and the privacy landscape for the foreseeable future.

7.    Review your vendor/service agreements and third-party practices

Your organization is responsible for data it collects and shares even when it is provided to a third party for processing or simply shared with a partner organization. To be sure that everyone with whom you share information is protecting the data to your satisfaction, your business must consider these questions:

  • Are the third parties meeting your new policies?
  • If not, are they willing to meet the new requirements?
  • If not, are there ways to remediate or compensate for the requirements in question?
  • If not, is there a different third party you could use to meet the requirements?

Similar to providing training for your staff, holding a series of webinars for your third parties describing your new policy will give notice to these organizations about the changes in your requirements. You can follow up with a survey-based attestation process to determine if your requirements are being met.

You should also modify your standard contracts to include language that requires your policies be met. This will become a negotiation point for most of your vendors, but if your requirements are reasonable, it will be easy to achieve a meeting of the minds.

8.    Declare victory and celebrate

Establishing a privacy program is a significant milestone in the maturity of an organization. Holding an event to recognize the achievements of the champion, program manager, the core team, and the organization as a whole is appropriate. The event will also reinforce the importance placed upon protecting personal information by the organization.

9.    Post a notice to your customers

Having the program publicized internally and with your service providers is a start, but your customers must be informed as well. Typically, this is done through a Privacy Notice, also known as Privacy Statement or Privacy Policy, on your web site.

The notice is not only a legal document; it can be used as a strategic marketing tool. If you do not share information and your competitors do, then call that out. You can make the notice part of an educational experience by explaining why privacy is important, how your customers can protect their own information on a day-to-day basis and how your policy supports their efforts.

The notice should reflect your organization’s perspective on the importance of protecting personal information, giving insight into

  • when you collect personal information.
  • why you collect personal information.
  • what information is collected.
  • how you protect the information.
  • when you share the information.
  • what a customer should do if they think their information has been compromised.

Many jurisdictions impose requirements on what must be included in a privacy notice. Do review these requirements to ensure your notice is legally compliant in all jurisdictions in which you operate.

This notice should be dated with links provided to it conspicuously throughout your website. If a change is made to the notice, customers should be notified on the website when they visit. It is also a good idea to allow visitors to view previous iterations of your notice.

10. Review, reassess and revise

Your business and the privacy landscape are constantly changing, so it is important to review your privacy policy and supporting processes, standards, and guidelines at least annually. In fact, some legislative and regulatory agencies require this. Ongoing training is also required by some legislative and regulatory agencies.

An annual, independent review is also advisable. This will provide an outside, unbiased look at your privacy program identifying what is working and what can use improvement.