
Building a Business Case for a Data Privacy Program

By Heidi Maher
February 01, 2017

When members of the Compliance, Governance and Oversight Council (CGOC) discuss data privacy and security today, I see an entirely new level of urgency. Enterprise data security programs used to be driven by the fear that breached customer and employee data could damage reputations and harm brands. Today, organizations recognize that data privacy is a vital competence driven by evolving regulations around the world and the increasing cost of data breaches and compliance failures. The 2016 Ponemon Institute Cost of Data Breach Study revealed that the average cost for each lost or stolen record containing sensitive and confidential information increased from $154 to $158. Even a modest breach of 30,000 records at a small business or startup can cost more than $4.6 million.

In the United States, privacy legislation is targeted at specific industries or populations. These include the U.S. Privacy Act, the Children's Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), and many others. However, U.S. companies of all sizes and in all industries should recognize that the EU's General Data Protection Regulation (GDPR), going into effect in May 2018, applies to all foreign companies processing data of EU residents. Can your products be utilized by EU customers? If so, it's imperative that you are ready to comply with the GDPR.

This means you can no longer take a haphazard or piecemeal approach to data privacy. Instead, you must establish and maintain a comprehensive, organization-wide data privacy program built on a solid business case that defines your organization's specific requirements and the specific ways you'll meet them. If you're ready to start this journey, here are 10 foundational business and technical requirements for operationalizing a data privacy program.

1. Review Existing Privacy Guidelines and Identify Relevant Data

The privacy officer along with the relevant stakeholders should review any existing privacy policies and identify the points of contact for those policies. Also review any existing risk assessments, Privacy Impact Assessments (PIAs), and data inventories. If your organization doesn't have a data inventory, or if it is not up to date, one must be created. A data inventory, including data provenance, identifies data as it moves across various systems, revealing its location, subject area, how it's organized, and how it's accessed and shared. It also identifies inconsistent data versions and the most and least valuable data.

2. Categorize Private Information at Your Organization

Start by locating all data containing personally identifiable information (PII). PII is any data that can directly or indirectly identify a specific individual. Review existing policies, procedures, or protections currently applied to this data. This establishes a baseline against which future progress will be evaluated.

3. Verify the Relevant Laws and Regulations

This includes all applicable U.S. and international laws and regulations, as well as regulations developed by your organization for internal purposes. It's essential to understand the scope of oversight and the authority of the regulating agencies, and the penalties for noncompliance. Active monitoring of regulatory activity will ensure adequate lead-time for preparation and cost controls.

4. Define and Develop Technical and Physical Controls

Work with your IT or IS department and other relevant functions to develop a PIA for all new systems, and embed the PIA into your organization's project management. To create a PIA, consult your industry standards and best practices. For example, the ISO/IEC 27001 specification is a global standard for information security (infosec). The Payment Card Industry (PCI) Data Security Standard sets technical and operational requirements to protect cardholder data.

5. Utilize the Resources of Existing Privacy Organizations

Take advantage of the resources of several organizations focused on data privacy and personal protections. These include the American Civil Liberties Union, Better Business Bureau, Electronic Privacy Information Center, Center for Democracy and Technology, and more. In addition, the CGOC has expanded its focus on privacy and security in its updated Information Governance Process Maturity Model, a framework — for legal, IT, security, privacy and business stakeholders — that addresses reducing the risks associated with storing information without regard to its value.

6. Select an Appropriate Industry Framework

There's no need to reinvent the wheel. Many organizations can start by utilizing an appropriate industry-specific framework. These frameworks include policies and taxonomies not covered in existing laws and regulations. Examples include:

7. Prevent Unnecessary or Unwanted Processing of Personal Data

One way to achieve this is to use privacy-enhancing technologies (PETs) to eliminate or minimize personal data without compromising functionality of your information system. Examples include the Platform for Privacy Preferences (P3P) and Enterprise Privacy Authorization Language (EPAL).

8. Look for New Data Privacy Innovations

Industries continue to introduce new policies, practices and technology standards. For example, data masking is increasingly used by companies to prevent call center operators from viewing credit card numbers. That technique, along with runtime aliasing (also known as tokenization), should be documented and tracked through the data privacy function.
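The two technical steps above, locating PII in existing records (step 2) and masking or tokenizing card numbers so that call center staff never see them (step 8), can be illustrated in a few dozen lines. The following is an added example written for this page; it is not CGOC's code or any product's implementation. The sample support-ticket records are constructed, the card numbers in them are standard payment-industry test numbers rather than real cards, and the token vault is an in-memory dictionary standing in for the access-controlled store a real deployment would use.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample records for illustration. The card numbers are industry test
# PANs (they pass the Luhn check but are not issued cards).
SAMPLE_RECORDS = [
    "ticket 1001: caller asked about charge on card 4111 1111 1111 1111, email jane@example.com",
    "ticket 1002: refund to 5500000000000004 approved",
    "ticket 1003: no payment details provided",
]

# 13-19 digits, optionally separated by single spaces or hyphens, as cards are often typed.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out ticket ids and other long numbers that are not card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Data-inventory helper (step 2): return (kind, value) pairs for PII found in one record."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(("pan", digits))
    for m in EMAIL_RE.finditer(text):
        found.append(("email", m.group(0)))
    return found


def mask_pan(digits: str) -> str:
    """Data masking (step 8): keep only the last four digits for the operator's screen."""
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(text: str) -> str:
    """Replace every Luhn-valid card number in a record with its masked form."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


class TokenVault:
    """Tokenization (runtime aliasing): swap the PAN for a random surrogate and keep the
    mapping in a separate store. The dict below is a constructed stand-in for that store."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # HMAC key so the same PAN maps to one token without a plaintext index
        self._by_index = {}           # HMAC(pan) -> token
        self._by_token = {}           # token -> pan (the only place the PAN is kept)

    def tokenize(self, digits: str) -> str:
        idx = hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()
        if idx not in self._by_index:
            # Random token; the last four digits are preserved so staff can confirm a card with the caller.
            token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
            self._by_index[idx] = token
            self._by_token[token] = digits
        return self._by_index[idx]

    def detokenize(self, token: str) -> str:
        """Only the payment system, not the call center application, should be able to call this."""
        return self._by_token[token]


def tokenize_record(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid card number in a record with a vault token."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return vault.tokenize(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    for rec in SAMPLE_RECORDS:
        print("found:", find_pii(rec))
        print("masked:", mask_record(rec))
        print("tokenized:", tokenize_record(rec, vault))
```

The inventory pass (find_pii) is what feeds the data inventory in step 1 and the PII baseline in step 2; mask_record is the view a call center operator should get, and the TokenVault shows why tokenization reduces scope: the systems that handle tokens never hold the card number, and detokenize is the single function that needs to live inside the protected environment.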

9. Promote Education and Awareness

No data privacy program can be successful without a universal understanding of the importance, purpose and basic requirements of the program. Every organization must prioritize education and awareness raising as a critical part of the business case.

10. Develop Program Assurance Processes

Program assurance processes should include audits that provide accountability and demonstrate compliance with the applicable laws and regulations, as well as with an organization's specific objectives.

The Next Steps

During the development and implementation of these foundational requirements, consider these three program basics:

  1. Business Case Reviews: Regularly scheduled reviews of the business case ensure appropriate changes are being made in response to changes in the business.
  2. Communication: Regularly communicate relevant information about the business case — such as goals and requirements, next steps, program changes, etc. — to internal and external stakeholders through meetings, formal training, and email and internal social channels.
  3. Gap Analysis: A gap analysis can determine whether an organization's current privacy management practices support the business and technical requirements uncovered in the business case. The analysis requires reviewing the capabilities of current systems management tools and hardware, operating systems, admin expertise, system locations, outsourced services and physical infrastructure. The analysis can be conducted before program implementation and any time an organization wants insight into the progress being made on implementing the data privacy program requirements and any necessary corrective measures.

Developing a comprehensive business case for data privacy will put you in a far better position to develop the appropriate processes and purchase the most effective technology to help you lower the risk of data loss and regulatory fines while at the same time supporting your strategic, operational, and legal goals and commitments. CGOC offers members access to detailed information on many aspects of developing a data privacy program. To join or find out more, go to http://www.cgoc.com.

Heidi Maher is an attorney and a certified privacy manager who has advised hundreds of organizations on information governance around data privacy, regulatory compliance and e-discovery. She is the executive director of the CGOC, a forum of over 3400 legal, IT, records and information management professionals from corporations and government agencies. For over a decade, CGOC has been advancing governance practices and driving thought leadership across the industry. This article also appeared in our ALM sibling, Corporate Counsel.

