Developing a Mature Privacy Program
So how can you evaluate how well your organization is implementing privacy? Perhaps a more helpful first question is, do you have the structures needed to support an effective privacy program?
Privacy Starts with Governance
Your Privacy Governance Committee will also work with the privacy officer to develop a privacy framework. Your Privacy Framework sets out all the principles and regulations that determine what data protection practices you must follow; these include legislative requirements, ethical standards, privacy best practices, terms in contracts with business partners, and any regulation specific to your industry.
Your Privacy Program, finally, deals with practical implementation. On the operational side, implementation will involve developing policies, establishing procedures and processes, and defining roles and responsibilities, as well as integrating privacy into employee training. On the technical side, it will involve developing risk management strategies and data management life-cycle practices. The more participatory program development is, the more effective the program will be; for instance, staff are far more likely to remember and follow policies that address their practical questions and concerns, and to adhere to procedures that fit with their existing workflow.
Ultimately, a successful Privacy Program involves an engaged and accountable Privacy Governance Committee, with the support of senior management and the Board, ensuring that staff are aware of privacy issues, understand their role in protecting privacy, and know how to carry out the procedures described in your policies.
Choosing the Right Privacy Officer
While we have emphasized the importance of board and executive support, the development of an effective privacy program will largely rely on your choice of a Privacy Officer with the knowledge and skills for this unique role. Your privacy officer is involved in every aspect of your organization’s handling of personal data. Their roles include:
- Custodian of your company’s PI
- Public face of your organization’s privacy initiatives
- Privacy consultant for operations and initiatives in all other departments
- Intra-organizational liaison, keeping all departments updated regarding new privacy regulations and their practical consequences
- Trainer of staff and management in privacy awareness and compliance procedures
A Privacy Officer doesn’t have to be a lawyer or an IT professional; however, they should have some kind of educational background in both these fields. They’ll need to be familiar with all applicable legislation, and be able to translate it into technical compliance, working closely with the IT and Security departments. They should have both training and experience in privacy implementation. Privacy certifications and continuing education courses can enable an internal hire to get up to speed. However, particularly if technical knowledge is not one of your organization’s strengths, it is well worth considering hiring a privacy consultant who will have in-depth, practical experience and expertise in different contexts. Privacy consultants are skilled in assessing a company’s operations and advising on governance structures, and can also help get your Privacy Program off the ground.
If you want an excellent Privacy Officer rather than just a qualified one, choose someone who is:
- a strong communicator,
- a good manager, and
- skilled at adoption and change management.
Your Privacy Officer must be able to “sell” privacy to the CEO, the Board, and to the rest of the organization. Compliance often requires shifting the mindsets, and changing the work patterns, of everybody in the organization. A privacy officer needs strong interpersonal skills to facilitate cooperation between the board, executive, and staff. Since the privacy officer is also the main point of contact for internal and external complaints, inquiries, and access requests, they will also need to be a good listener.
A Privacy Officer must be one step ahead of regulatory and technological change – able to analyze the current landscape and foresee future challenges, and to help the company adopt new practices to stay compliant.
Assessing the Effectiveness of Your Privacy Program
When your privacy program has active governance structures, a well-defined policy framework, and practical processes for implementation, it is time to return to the original question: How can you assess the effectiveness of your program?
The simplest but most important performance management process is regular reporting by the privacy officer to accountable individuals, including executives and the Board of Directors. Those responsible for overseeing the privacy program need to be well-informed about its progress. Good communication between the board, executive and privacy officer may be the single most important factor in the success of a privacy program.
There are a number of standard assessment tools for compliance. Privacy audits review an organization’s collection, use, retention, and disclosure of personal information to ensure compliance with regulations and organizational policy. I recommend carrying out audits on an annual basis. Privacy Impact Assessments and Threat and Risk Assessments evaluate the privacy risks of new initiatives or technological tools and identify mitigation strategies. Just as important is regular monitoring, often using automated tools, to detect any unauthorized access to records. Demonstrating compliance also involves good record-keeping around client inquiries and access requests, employee training processes, and any data breach incidents.
Data from your audits and assessments can be used to establish a risk register: a catalogue of all identified privacy risks, with information about their nature, risk level, and mitigation strategies. You can then benchmark your risk management against your company’s self-imposed standards – informed by both legal requirements and industry best practices. I recommend that benchmarking be done quarterly, in order to motivate sustained effort to mitigate risks.
A privacy program can and should also be improved through performance management, like any other program. The International Association of Privacy Professionals (IAPP) suggests that performance metrics could include:
- Privacy Program ROI
- Business resilience metrics
- Privacy Program maturity level
- Resource utilization
Privacy maturity models, in particular, can be an invaluable map to guide the development of your privacy program. You can consult my book, Privacy in Design: A Practical Guide to Corporate Compliance, for my own Privacy Maturity Model, and much more in-depth, experience-based advice on how to develop an effective and efficient privacy program.
This article is based on my book, Privacy in Design: A Practical Guide to Corporate Compliance.