With 2.5 quintillion bytes of data generated daily, data privacy is now a top priority for board members. Prioritizing data privacy is no longer just a compliance requirement but also a competitive advantage. While simple on the surface, the details make the difference. Data privacy can still cause potential headaches without comprehensive information of governance programs.
Regulators and consumers continually pressure companies to improve how they collect, use, store, and delete personal information. With technological innovations such as big data and mobile, new data insights about how people say and do have never been higher.
Under new and upcoming legislation, consumers now have rights to control this data and opt-out of the sale of said data, further creating the need for comprehensive data privacy programs.
Until recently, most internal data privacy efforts have revolved around the specific requirements of their industry and no more. However, with sweeping regulations like CCPA and GDPR, that approach may not cut it anymore.
With these regulations, businesses are better off with a more comprehensive approach to IG to help them tackle the full scope of data challenges.
Are your data privacy capabilities enough?
Asking the right questions about your current data privacy risks can help you get the ball rolling. A few questions to ask include:
Are we actively determining and complying with the laws and regulations applicable to our company?
Do we have a decent IG foundation established to face data privacy challenges such as DSAR requests?
Do we know what information we have, how accurate it is, and where it lives?
Do we have the right leadership and resources to assess and support these risks properly?
Do we have access to the required information to support significant business decisions?
How does our IG program compare to others in the industry?
Key process areas for managing data privacy risks
Complying with regulations isn’t always a cut-and-dry process. Most companies need to assess current strategy, key people, technology, and procedures to build tools in four areas (privacy/compliance, IG, crisis management, records management).
These tools include:
Data inventory: Companies need to know what data they’re collecting, where it’s stored, and how it’s used. Inventory should be ranked based on risk to identify the level of risk and what the business needs it for.
Classification: Along with maintaining data inventory, companies need to know what type of data they have — personal/public — and a clear definition of who is impacted by the data.
Third-party relationships: Companies need a history of third-party relationships, along with the data usage of those third parties, to create programs that adequately address data privacy issues. If you have existing contracts, amendments should include these new privacy standards.
Portability and erasure: Companies need to manage requests to eliminate personal information.
Data security: Maintaining security and responding effectively to data breaches is essential for companies.
Consent: Companies need tools to manage consumer requests promptly.
Oversight and monitoring: Companies must utilize comprehensive programs that adapt to ongoing regulatory changes.
The three lines of defense
Companies should follow the “3 lines of defense” approach in designing and implementing IG programs. Data privacy is a critical compliance risk for these organizations. Joining privacy and compliance encourages oversight, a clear picture of roles and responsibilities, effective management of regulatory matters and relationships, and prompt reporting to senior leaders and the board.
1st line of defense – Lines of business/privacy liaisons
- Own privacy risks and accountability for protecting personal data against current and future risks
- Controls procedures to align privacy policies and regulations
- Implements privacy program within the business
- Conducts ongoing assessments to determine how well privacy programs are working
- Tracks and reports on the performance of privacy programs
2nd line of defense – Global privacy office & compliance
- Sets up governance, policies, oversight, and accountability for privacy
- Develops core privacy program components such as processes, tools, templates, guidance, and privacy notices for the lines of business to use in building controls.
- Establishes privacy risk assessment requirements and performs second-line risk-based monitoring and enforcement of privacy controls to ensure compliance.
- Develops and implements competency-based training and awareness for privacy-related policies and standards.
- Reports performance of privacy program to the board; risk committees; privacy, security, and data governance councils.
- Communicates with supervisors and regulators on privacy and data protection
3rd line of defense – Internal audit
On an independent basis, evaluate the effectiveness of privacy controls to provide assurance.
Regularly report control effectiveness and issues to their supervisors
Key takeaways
Implementing a complete and unified approach to IG can be time-consuming and challenging. A few best practices to try include:
Establish an enterprise governance strategy: Create the vision driven by executive leadership to help ensure the program’s success. Verify that the governance strategy supports and aligns with corporate strategy and growth objectives. Make sure leadership approves and endorses the program before starting.
Deliver value quickly: Set realistic goals and expectations with leadership. Maintain a straightforward, no-nonsense approach. The simpler, the better. Measure success at multiple stages to make sure you’re on track.
Start with an end in mind: Set up an IG model to support upcoming business needs. It should support several types of data and customer touchpoints in a way that unifies them for a comprehensive overview.
Don’t alienate your customer base: Make sure customer-facing processes help them, not harm them.
Create business ownership and accountability for data: Create clearly defined roles and responsibilities to drive innovation within functional areas. Establish ownership within business management and require data quality accountability.
IG is a journey, not a one-time fix: Information governance requires executive buy-in to work. Policies and standards need to be approved and resources made available to measure effectiveness.
Conclusion
Although the task of creating and implementing an IG plan can seem overwhelming, the result is worth it. On top of complying with data privacy regulations, IG can also pay out significant business dividends. Ultimately, the path to minimizing data privacy risks starts by making IG a high priority.