In a 2021 NAVEX risk and compliance program survey, 66% of respondents indicated privacy, data protection and security as a priority. This means privacy ranks right up there with other, more familiar, topics including conflicts of interest; antibribery and anticorruption; diversity, equity, and inclusion (DEI); and environmental, social and governance (ESG). Constant regulatory change is certainly part of the reason ethics and compliance leaders report that privacy continues to be a key area of focus. But the next logical question must be: how can privacy and data protection program leaders address the continuous external regulatory change impacting their organizations?
2022 is primed to be the year many privacy program leaders will focus on implementing privacy frameworks as a way of insulating the privacy program from the winds of change that constantly buffet the organization.
Choosing the Right Privacy Framework
Privacy frameworks help organizations deal with change. They provide a structure upon which to base both program fundamentals, and those critical processes necessary to fully support the privacy program and its stakeholders. Program leaders seeking to effectively leverage a privacy framework must have a clear grasp of the specific information requirements of the organization, and the relevant industry or industries the organization operates within. Using a privacy framework doesn’t obviate the need to understand laws and regulations applicable to the business – but with a framework in place, it is easier to evaluate changes that could have a substantive impact on the organization. It is also important to be mindful of the organization’s culture and values, as well as its appetite for regulatory risk.
Fortunately, numerous privacy frameworks are available, including:
- Fair Information Practice Principles
- Generally Accepted Privacy Principles (GAPP) Maturity Model
- National Institute of Standards and Technology (NIST) Privacy Framework
- Organization for Economic Cooperation and Development (OECD) Privacy Framework
Additionally, work must be done to complete data maps (or records of processing activities) for the personal and sensitive data processed by the organization when implementing a privacy framework. Privacy leaders must consider the scope of the privacy program and how it aligns with the organization’s values. It is also helpful to be aware of specific challenges the privacy program may face, including the potential for regulatory enforcement.
Buy-in and Implementation
First and foremost, the privacy program must have unmitigated buy-in from the organization’s executive management. Privacy leaders should leverage departmental or functional champions where it makes sense and be sure to involve those privacy champions in related training events and workshops for senior management. There may be an additional organizational lift by creating a steering committee and deputizing other leaders to help carry the load associated with implementing the framework.
One of the first steps after selecting a privacy framework is to map out how the privacy regulations your organization must comply with overlap both with your framework and each other. In some cases, it may be helpful to leverage more than one framework. Some organizations find it helpful to begin by replicating the work done by another portion of the organization – for example, the information security team’s use of the NIST Cybersecurity Framework or ISO 27001. This can establish a stronger alignment in those spaces that naturally overlap between privacy and security. Mapping out control areas and then establishing connections within and across regulations can reduce the complexity that naturally exists in the global privacy and data protection arena.
Next is the creation of action items for the steering committee members and privacy stewards. These individuals will be in a great position to help map the controls from the selected framework into the organization’s personal data-collecting processes. Privacy leaders should help the committee leverage existing policies, procedures and training. It is important to consistently communicate what is happening and why to truly gain buy-in. Roles, responsibilities, and descriptions created for the framework should be kept simple and clear. Members of the privacy program team with steering team members and privacy champions should be in alignment so they can be reliable evangelists for the program without danger of contradicting one another. Their involvement also provides the opportunity for personal and professional development. As with any effective compliance program, monitor regularly to evaluate the progress being made and check that the framework continues to be fit for purpose.
It will likely be necessary to tailor the chosen framework to the specific privacy risks and regulatory requirements the organization is obligated to meet. This is a natural part of the implementation process, and making these minor adjustments smooths implementation for everyone. When determining how to tailor the framework, be sure to involve those business partners that may be affected by, or must adhere to, the program.
Once the framework is implemented it can be leveraged every time a regulatory change happens – though the framework should still remain dynamic and flexible, as static frameworks become dated quickly. First, map the new requirements into the controls you have documented in the framework. Where there are gaps in controls (which can happen from time to time) adjust the controls. Then you’ll be ready to rinse and repeat the next time a regulatory change happens.
In this day and age, true data privacy protection is not practical without technical automation. Nearly all data gathering, storage and use is already a technology-driven. Data control mapping should be done using software tools as well. The need for robust, yet flexible data control software tools becomes even more obvious when considering the aforementioned rate of regulatory change. Manual, or only partially automated, control systems cannot respond as quickly change as a well-chosen software solution. As such, making necessary technology investments should be prioritized.
Data privacy regulation shows no sign of slowing. Organizations should prepare for changes by auditing existing privacy frameworks, investing in technology, and preparing to make changes as necessary. The coming year will yield increased attention to privacy programs, and current and upcoming legislation will demand dedicated resources and organizational buy-in to maintain compliance.