Building a Privacy Program: Tips and Tools

Building a Privacy Program: Tips and Tools

Deep into the era of big data, information security that includes the proper handling of customer and client privacy is mission-critical. A privacy program covers how a business stores and processes the personal information of clients when offering their products and services. Capturing the information can bring tremendous value to consumers and be a strong point of differentiation for your business. Think of personalized ads that are more impactful, reminding users of their shopping history when they go to make another purchase or retaining important information for a client in an online archive. These are useful capabilities that are good for business. In order to power that kind of service, caring for and keeping privileged information secure is important to your customers and crucial to maintaining your company’s integrity and reputation. The strength of your organization’s privacy program will determine how well you are able to manage sensitive customer data. 

What Is a Privacy Program?

The full scope of a privacy program is all of the activities within your business that touch and manage personal client information — from the first step of collection to end-of-cycle deletion. Aspects of a successful program include support from senior management, ongoing team training, and a culture of solid privacy protection. Privacy programs should undergo regular reviews, with room for adjustments and continual improvement.

How Do You Develop a Privacy Program?

There are several steps involved when developing a successful privacy program. Teams need to identify their needs while keeping in mind legal requirements and industry regulations, get internal team buy-in, finalize goals, and then implement their plans.

1: Determine Requirements

What are the main drivers in your business leading you to establish or reassess your privacy program? Common reasons are meeting industry-related data protection requirements, avoiding non-compliance penalties, meeting partner or customer compliance needs, and protecting customer data to gain or maintain client trust and your organization’s reputation.

2: Establish Scope 

All appropriate stakeholders should be engaged to determine what the organization’s privacy goals are. Stakeholders are typically the head of each business unit and corporate division heads. These groups then meet to determine the full scope of the program. Are there any goals beyond meeting industry regulatory and legal requirements? Teams should discuss the benefits of a rigorous privacy program, and the risks associated with not having a proper program put in place. A privacy framework is an important tool in determining privacy requirements, identifying privacy risk areas, and learning to manage that risk while also meeting compliance. The US Department of Commerce — through the National Institute of Standards and Technology — created a reference called the NIST Privacy Framework to help organizations determine what they need to do to protect individuals’ privacy within their company’s products and services. The next section has more details on privacy framework tools and goals — there are multiple options that may be useful to your business.

3: Generate Support & Gather Data

Meet with the senior management team to outline the privacy program goals and plans. After receiving support from leadership, the plan should be communicated to all stakeholders so that data touchpoint information can be collected from relevant teams. All types of personal data that are collected should be documented and categorized. Data categories include sensitive/prejudicial data, general data, employment data, financial and tax-related data, and health data. You may also want to categorize what is Personally Identifiable Information data (PII), and what isn’t. 

4: Assess Privacy Risk

Any third parties that your company deals with that also have access to personal information must document their collection practices and how they keep that data secure. In addition, your organization needs to conduct a Privacy Impact Assessment (PIA). The Department of Homeland Security advises on how to proceed. Many companies find that this project is best tackled on a departmental basis. This helps uncover areas of data vulnerability. 

5: Refine Goals 

After the full privacy impact analysis and risk assessment, you’ll be positioned to refine what your organization’s specific privacy program needs and goals are. You should have determined any security gaps with the PIA review and decided on appropriate solutions. Adjusted goals should be documented and recirculated back to senior management, as well as the stakeholder teams that previously shared personal data touchpoint information. Look for gaps in the current privacy procedures as matched against privacy goals, and then list solutions that need to be enabled to meet those goals.

6: Implement Plan 

With the revised goals finalized, the business can build out an implementation plan for the privacy controls and solutions it has selected. Create and document business use cases, an implementation schedule, and key metrics and monitoring plans. Make sure to continue to communicate progress to senior stakeholders, and fold the new privacy solutions into day-to-day business operations. This is also a good time to initiate needed employee training to ensure the new privacy program requirements are adhered to by all team members — with a proper understanding of why the program exists and what the benefits are. 

7: Assess and Revise 

With the new privacy program in place, the organization needs to assess whether or not it’s successful. Is it meeting regulatory requirements and company goals? Are team members able to easily and effectively fold the new policy into their day-to-day work habits? Are any additional privacy protections needed? Make sure to continue to iterate and evolve your organization’s privacy program as needed.

What Is a Privacy Program Framework? 

Using a privacy program framework can help your organization determine key steps to improve privacy controls. A privacy framework is a set of guidelines used to aggregate all compliance requirements essential to your business. The NIST Privacy Framework can be used to help organizations determine what they need to do to protect customer privacy. It uses enterprise risk management techniques to assess privacy capabilities and manage risk. The framework tool is a great way for organizations to model different privacy-related data protection scenarios within their business and determine what problems might arise. This helps organizations to determine what their privacy program-related needs are and identify appropriate workflow and technological solutions. The Association of International Certified Public Accounts (AICPA) has also released a privacy framework tool that helps provide privacy program guidance.

The InfoSec Survival Guide: Achieving Continuous Compliance

What Should a Privacy Protection Program Include? 

We’ve already outlined the steps needed to create a reliable privacy program. There are three things that are essential within a company culture to make sure that a privacy program is successful. Bear in mind that an organization’s adoption of a new privacy program is not likely to succeed if any single one of these three elements is missing.

1: Executive Support

When developing the privacy program and setting and revising goals, approval from senior leadership is important. More than that, having visible, significant support from the C-Suite is key to overall success. When a company’s executive team makes it clear that customer and client privacy is important to them, that significance permeates through the entire team and into the culture. Similarly, if senior leaders don’t care about privacy, then the rest of the team isn’t able to make it a priority.

2: Team Training

Another way to emphasize the gravity and significance of maintaining strict privacy controls is through team training. The company’s overall philosophy on maintaining privacy controls and meeting regulatory requirements should be outlined here so that all team members understand the “why” behind the privacy guidelines. Then, employees should consider what data they have access to and how a possible breach could take place. All team members should know what to do in the case of a privacy breach and how to report and escalate issues correctly. In addition, the proper handling of devices can be covered in training. 

3: A Culture of Privacy Protection

With senior management support and consistent team training, you are on your way to building a company with a culture steeped in the impotence of protecting privileged data. Maintaining strong information security protocols and protecting against breaches and phishing scams is another way to keep privacy top of mind amongst team members. In addition, you can infuse your team culture with the importance of privacy by making sure to mention it in team documents, such as the employee handbook and other materials. In addition, Marketing and/or Public Relations may want to tout the organization’s rigorous standards for handling matters of customer privacy as a point of differentiation for your business. All of these factors add up to create a strong company culture steeped in privacy protection.

Is a Privacy Program Needed When You’re HIPAA Compliant? 

There is a governmental mandate for HIPAA compliance that includes privacy guidelines for health plans, health care clearinghouses, and health care providers. A privacy program is essential to help make sure you meet HIPAA regulatory requirements. You can read details of the mandate on the HHS site, and learn the essentials for how to be HIPAA compliant

How CrossComply Can Assist Your Privacy Program Needs 

AuditBoard’s CrossComply compliance management software can help you determine where and how to meet the appropriate privacy program requirements for your industry. CrossComply also helps businesses map different privacy frameworks to their controls to help determine where areas are overlapping and find savings when one control maps to multiple regulatory needs. Find out more as you prepare to enable your new privacy program, and make sure you are positioned to meet all of your privacy goals.