No doubt, the first days (weeks, months…) of work on the organisation’s privacy program might present a real challenge. A mixture of things happening here and there, chaotic attempts to get to know all of the areas of business at once, talking to different people simultaneously – all of the above may prevent you from turning the first days in the role of privacy manager into an effective exercise.
Below, DPOrganizer outlines 5 cornerstones to focus on when making the first steps towards an effective privacy program.
These cornerstones do not exist in a vacuum and should become part of a comprehensive strategic plan. It should also be noted that each of them represents a ‘building block’ grouping a set of activities to be done, rather than a stand-alone, one-off exercise. One should not try to implement all of them simultaneously on day one (or in week or month one). Building a privacy program is a big project, and an effective project management plan always strikes a balance between three components: resources (available budget and costs), time, and scope (workload). In practice, this means that, e.g., for an increased number of tasks to be completed effectively, a privacy manager needs more time and/or resources. Keep that in mind when trying to obtain sponsorship or C-level buy-in for the privacy program, for example.
1. Review the current privacy program, including governing documentation such as policies, manuals, guidelines, etc.
Where a privacy program (or parts of one) already exists, it is important to review the efforts that have been made previously and come up with a checklist identifying which parts of the privacy program require updates.
In particular, a privacy manager has to evaluate the changes in the sets of personal data processed, data flows and geographical footprints (see item 2 below for more details), how the technologies used by the organisation for data processing have changed, how the “scale” of the processing (number of employees and data subjects involved, amount of income generated, number of third parties involved and where they are located) has changed, etc.
Importantly, those findings will inform further updates to the organisation’s privacy documentation such as records of processing activities, privacy policies, documentation governing relationships with third-party vendors, etc., as well as technical (e.g., security measures or tools facilitating the exercise of data subject rights) and organisational updates.
The identified issues should then be turned into a realistic plan of risk mitigation activities – those might contain both short-term (interim), and long-term exercises and should envisage a realistic timeline.
2. (Re-)define the scope of your privacy program.
Depending on the issues identified, it might be necessary to redefine the scope of the privacy program. Or, when building the privacy program from the ground up, the scope should be identified initially.
Normally, this includes identifying (i) the personal information collected and processed, and (ii) the applicable data protection laws and regulations.
Identification of the personal data involved might occur through different methods – information-gathering interviews with functions typically involved in the data processing (IT, HR, Marketing, Finance, Information Security, etc.), questionnaires, information discovery tools, engaging internal and external auditors and consultants to assist with the information discovery. The more structured approach is to build the identification process around a typical data lifecycle: collection, storage, maintenance, usage, sharing, deletion, and to see what happens with the data at each stage of the lifecycle – i.e. who collects, uses and maintains personal data, what exactly is collected and for what purpose, how long it is then stored, who it is shared with, etc.
As for the identification of the applicable legal frameworks, organisations are often subject to several laws, and some data processing operations may be subject to more than one regulation. Although case-by-case analysis is required, it is not always feasible to implement a dedicated solution for each legal framework that applies. In essence, at a high level, most data privacy legislation imposes similar types of obligations, thus enabling entities to offer similar types of solutions covering several laws at once. Another possibility, when comparing the requirements of several laws, is to apply a single solution that is based on the stricter standard – e.g., when setting a timeframe for responding to data subject requests, an organisation may choose to apply the timeframe under the strictest of the laws that apply.
It also makes sense to consider the usage of privacy tech vendors and GRC tools. The former might help you with data mapping, incident response, website scanning, consent management and similar tasks, while the latter might be of help when it comes to overseeing risks and compliance across the entire organisation and automating GRC initiatives.
Identification of the applicable data protection laws and regulations also implies understanding the organisation’s role in the data processing (controller, processor, joint controller, etc.), as obligations imposed vary substantially depending on that.
3. Obtain C-level buy-in and spend time networking with other employees.
Building an effective privacy program (especially when doing so from scratch) is not an exercise for a ‘one-man army’ or even for a separate privacy function alone. To deal with multiple pieces of legislation and to transform the efforts into sustainable solutions, a privacy manager requires assistance from both the C-suite and ordinary employees from the company’s different functions.
The C-suite will most likely be the ‘one-stop shop’ when it comes to obtaining additional resources for the privacy program – to purchase new technologies, engage new vendors, hire new members of the privacy team, support the launch of a privacy-related project in the organisation, etc. Apart from that, C-level executives can help privacy managers broadcast their messages across the organisation and make other people listen. Finally, they will clearly be the most important go-to persons when making the first steps towards building a ‘privacy-first’ culture within the organisation. With this in mind, it is of high importance for a privacy manager to find a way to the executive team right from day one.
With that said, a good privacy manager should also spend plenty of time networking with function leaders and ordinary employees, thus ‘putting a face to the name’. It is important that they understand who their privacy manager is, what his/her mandate is, and that he/she should be invited to their weekly/monthly/quarterly stand-ups and also those meetings where, e.g., new products or features are discussed, privacy-related decisions are made, etc.
It makes sense to use the company’s town halls to present yourself and reach out to the audience, but also one-on-one informal meetings with key stakeholders are helpful. Among them are employees responsible for information security, risk management, compliance and legal decisions, but also internal stakeholders like HR, marketing, IT, etc. – those who hold ownership of privacy activities in the organisation. A good privacy manager should become aware of how other stakeholders handle personal data and help them with embedding privacy requirements into their daily operations and ongoing projects. It is also important to remember that other employees have their objectives and KPIs, and risk mitigation solutions offered should not undermine them.
Apart from informal meetings, it is also a good practice to conduct workshops for stakeholders supporting privacy efforts. As a matter of fact, those are usually at different levels of privacy knowledge, so it is important to answer their questions and bring them to the same baseline understanding of privacy-related challenges, risks, ongoing and future activities, etc.
Another good practice is to introduce so-called ‘privacy champions’. These are usually members of functional teams who help to promote privacy values and the company’s privacy program within their own teams, thus becoming the privacy manager’s assistants within a particular function. Appointing someone as a ‘privacy champion’ may require the approval of the functional team lead or even of someone from the C-suite, again stressing the importance of good networking and obtaining buy-in.
Finally, to align on privacy-related responsibilities, it is highly recommended to keep a record of ownership clarifying who does what and which function and particular employees are accountable for compliance.
4. Build training and awareness campaigns.
As mentioned above, internal stakeholders and employees play a crucial role in meeting the goals of the company’s privacy program. To turn them into effective assistants, they should be well trained in internal privacy-related processes and procedures and understand how to react in different situations that may occur. Under some legal frameworks, training might be mandatory.
The terms “training” and “awareness” might sometimes be used interchangeably, but in fact, those serve different purposes and imply different methods of communication.
Training programs are rolled out to educate employees on legal rules and provisions of the company’s policies and the practical application of data processing principles. As a matter of best practice, training materials should be continuously updated to reflect changes in the legal landscape, organisation’s policies, best practices and business processes, while trained employees should be then audited to ensure that policies and data processing principles are followed by them. At the same time, awareness intends to encourage a vigilant and watchful attitude and reinforces general privacy messages through different ‘reminders’ – e.g., lobby video screens, posters and flyers in canteens, quizzes, handouts, etc.
Effective training and awareness campaigns always combine different channels of communication: formal education, tabletop exercises, e-learning, road shows, newsletters, pre-recorded videos, webinars, posters, handouts, slogans, ‘coffee talks’ and catch-ups, etc. It might make sense to partner with the HR function to arrange and coordinate events and sessions. When it comes to choosing channels and content, the key issue is to make the communication effective for particular audiences. The targeted employees are normally not professionals in privacy management and law, so it is crucial to adjust the content and communication manner accordingly. Use stories that are easy to grasp and lessons learned from commonly known events or incidents, leverage gamification and friendly contests to engage participants, and deliver clear ‘calls to action’ instead of obscure messages written in professional jargon. Use metrics to measure understanding and see if/where additional/refined training should be conducted.
Who to train? This is decided on a case-by-case basis, but typically all employees receive some general training on the company’s policies, data subject requests, incident response, etc., while front-line employees receive in-depth, role-specific training.
As a matter of good practice, training and awareness plans should be created to facilitate the campaign and, ideally, integrate it with other programs to reinforce messaging. Normally, training and awareness campaigns should be repeated at a pre-defined interval, e.g., annually or biannually.
5. Pay specific attention to incident response programs and data subject request procedures.
This should already form part of the comprehensive privacy program review (see item 1 above), but it still deserves special attention, as information security incidents and data subject requests reach far beyond the organisation’s perimeter and thus significantly increase risk exposure.
When approaching both of these issues, a privacy manager’s scope of work can be divided into three blocks: 1) building processes and drafting governing documentation; 2) personnel training and awareness; 3) working with third-party processors.
Building processes and drafting governing documentation includes putting in place an incident response plan (including setting up the incident response team, investigation, reporting, remediation of issues, recovery from the incident, etc.) and a data subject request procedure, understanding which key stakeholders might be involved and their roles in incident response and request handling, and obtaining incident insurance coverage where appropriate.
Training and awareness issues are generally covered in item 4 above. In respect of incident and requests handling, involved stakeholders should understand how to recognise incidents or data subject requests, how to escalate them internally, how to authenticate data subjects making a request, how to respond to different types of requests, and when those can be declined under applicable laws, who does what in the course of an incident and what the incident response team’s mandate is. Doing readiness-testing exercises involving key stakeholders and simulating emergencies might be a good way to have the written processes and procedures tested and make sure they work in practice. A good ‘rule of thumb’ here is that if you have a plan that is not tested, then you don’t have a plan.
Finally, if the organisation engages third-party data processors, it may well be the case that they receive a data subject request or suffer a data breach. With this in mind, it is important to understand what personal data those processors hold, how they use it, and what request handling and incident response routines and procedures they have. The starting point of this ‘due diligence’ exercise is reviewing the contracts and agreements put in place. However, it should go far beyond that and include ‘on-site’ audits to evaluate the processor’s readiness to receive data subject requests and to handle information security incidents.
Building and maintaining privacy programs within the organisation is always a challenging task involving significant effort and multiple resources. DPOrganizer’s tool can help companies carry out data mapping, while the Professional Services team can advise on the full range of privacy-related issues.