As more and more data privacy regulations are introduced, organizations need to be diligent in how they plan, review, and maintain effective data privacy programs. Businesses that prioritize a consistent program, especially one with third-party support, put themselves in a position to remain compliant, avoid the risk of high penalties, and maintain their customers’ trust. In this article, we’ll examine ten tips for operationalizing data privacy with insight from our data privacy experts.
1. Go broad to future-proof your privacy program
If you establish your data privacy program to meet only very specific current requirements, you may find yourself constantly making minute changes to account for new regulations. Jonathan Gardner, Senior Analyst at W. Capra, urged, “Consider the most stringent state law currently in place or a future-oriented framework like the NIST Privacy Framework. The pace of new data privacy laws has and will continue to increase, and it’s far better to be prepared for these changes.”
2. Engage a third-party technology vendor in the space, and do so early
The road to finding the right vendor for your organization can often be a long one. You must define your needs, secure budget, conduct countless fact-finding calls, negotiate a contract, and then go live. This process takes time!
Given the explosion of data privacy regulations in recent years, there are now many mature vendors in the space that are capable of adapting their privacy tools to your organization and tech stack. They take on the onus of adapting to new and updated regulations on your organization's behalf.
3. Establish ongoing processes to vet your IT stack for data risk
Daniel Kahan, Delivery Lead at W. Capra, stressed, “Gone are the days when new vendors could be added to the mix without understanding how they will use data from your organization and customers. It is critical to develop this understanding. Legacy providers are also in need of continued vetting to understand their security and privacy programs and associated risk.”
4. Conduct risk assessments for data privacy
This is not only a best practice of a strong data privacy program, but a burgeoning requirement (mandated specifically in the CPRA). Make sure you are conducting thorough semi-annual or annual risk assessments. A third-party vendor can once again prove valuable in completing this task as they will be focused on completing an objective and detailed assessment that will stand up to the test of audits by state attorneys general.
5. Be cognizant of expectation transfer
Companies like Facebook, Google, and others give consumers wide-ranging privacy controls. Because industries are no longer isolated from one another on the digital consumer experience side, consumers will expect similar controls from all companies as they grow more aware of data privacy and of how companies are using their Personally Identifiable Information (PII).
6. Maintain good data maps
Gardner added, “Make sure you know where consumer data is flowing in your systems, and keep those data maps updated. It’s a best practice from a security and privacy standpoint, and it ensures that you’ll always have the data you need in the event of an audit to prove that you’re compliant with data privacy regulations.” There are several third parties that offer automated data mapping to aid in this endeavor.
7. Establish a process for reviewing your privacy program on a quarterly or semi-annual basis
Even if you heed recommendation #1 (future-proof your data privacy program), it’s critical to maintain awareness of new regulations that may impact your program or organization. The International Association of Privacy Professionals (IAPP) provides a comprehensive breakdown of data privacy laws, both ratified and under consideration, to aid in your reviews and planning.
8. Assign internal ownership of your data privacy program
It is often said that if everyone is accountable, no one is accountable! Whether someone in your organization handles privacy program execution personally or manages a team of vendors and/or outside legal counsel, it’s critical that you have a point person who is accountable for ongoing management of the program.
9. Communicate with your customer base
Modern customers are invested in the handling of their data. They want to make sure their data is secure and used or shared in a consistent, transparent way. Be open with your customers about your policies and adhere to those policies stringently.
10. Plan SUPER early
Reacting to the need for a thorough data privacy program, or to new state laws and regulations, rather than planning ahead for potential privacy needs will always prove to be a colossal endeavor. Plan, revisit the plan, and start back at item one on this list to reference what you should be considering.
Daniel Kahan and Jonathan Gardner are dedicated to leading W. Capra clients in their Data Privacy decisions. For further discussion, contact Daniel Kahan at [email protected] or Jonathan Gardner at [email protected].