Building a Business Case for a Data Privacy Program

1. Review Existing Privacy Guidelines and Identify Relevant Data

The privacy officer along with the relevant stakeholders should review any existing privacy policies and identify the points of contact for those policies. Also review any existing risk assessments, Privacy Impact Assessments (PIAs), and data inventories. If your organization doesn't have a data inventory, or if it is not up to date, one must be created. A data inventory, including data provenance, identifies data as it moves across various systems, revealing its location, subject area, how it's organized, and how it's accessed and shared. It also identifies inconsistent data versions and the most and least valuable data.

2. Categorize Private Information at Your Organization

Start by locating all data containing personally identifiable information (PII). PII is any data that can directly or indirectly identify a specific individual. Review existing policies, procedures, or protections currently applied to this data. This establishes a baseline against which future progress will be evaluated.

3. Verify the Relevant Laws and Regulations

This includes all applicable U.S. and international laws and regulations, as well as regulations developed by your organization for internal purposes. It's essential to understand the scope of oversight and the authority of the regulating agencies, and the penalties for noncompliance. Active monitoring of regulatory activity will ensure adequate lead-time for preparation and cost controls.

4. Define and Develop Technical and Physical Controls

Work with your IT or IS department and other relevant functions to develop a PIA for all new systems, and embed the PIA into your organization's project management. To create a PIA, consult your industry standards and best practices. For example, the ISO/IEC 27001 specification is a global standard for information security (infosec). The Payment Card Industry (PCI) Data Security Standard sets technical and operational requirements to protect cardholder data.

5. Utilize the Resources of Existing Privacy Organizations

Take advantage of the resources of several organizations focused on data privacy and personal protections. These include the American Civil Liberties Union, Better Business Bureau, Electronic Privacy Information Center, Center for Democracy and Technology, and more. In addition, the CGOC has expanded its focus on privacy and security in its updated Information Governance Process Maturity Model, a framework — for legal, IT, security, privacy and business stakeholders — that addresses reducing the risks associated with storing information without regard to its value.

6. Select an Appropriate Industry Framework

There's no need to reinvent the wheel. Many organizations can start by utilizing an appropriate industry-specific framework. These frameworks include policies and taxonomies not covered in existing laws and regulations. Examples include:

• American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) Privacy Framework. See, http://bit.ly/1IXU7YJ.
• Canadian Standards Association (CSA) Privacy Code.
• International Organization for Standardization (ISO) 17799/BS7799.
• Economic Co-operation and Development (OECD) Privacy Guidelines.

7. Prevent Unnecessary or Unwanted Processing of Personal Data

One way to achieve this is to use privacy-enhancing technologies (PETs) to eliminate or minimize personal data without compromising functionality of your information system. Examples include the Platform for Privacy Preferences (P3P) and Enterprise Privacy Authorization Language (EPAL).

8. Look for New Data Privacy Innovations

Industries continue to introduce new policies, practices and technology standards. For example, data masking is increasingly used by companies to prevent call center operators from viewing credit card numbers. That along with runtime aliasing (aka, tokenization) should be documented and tracked through the data privacy function.

9. Promote Education and Awareness

No data privacy program can be successful without a universal understanding of the importance, purpose and basic requirements of the program. Every organization must prioritize education and awareness raising as a critical part of the business case.

10. Develop Program Assurance Processes

Program assurance processes should include audits that provide accountability and demonstrate compliance with the applicable laws and regulations, as well as with an organization's specific objectives.

The Next Steps

During the development and implementation of these foundational requirements, consider these three program basics:

1. Business Case Reviews: Regularly scheduled reviews of the business case ensure appropriate changes are being made in response to changes in the business.
2. Communication: Regularly communicate relevant information about the business case — such as goals and requirements, next steps, program changes, etc. — to internal and external stakeholders through meetings, formal training, and email and internal social channels.
3. Gap Analysis: A gap analysis can determine whether an organization's current privacy management practices support the business and technical requirements uncovered in the business case. The analysis requires reviewing the capabilities of current systems management tools and hardware, operating systems, admin expertise, system locations, outsourced services and physical infrastructure. The analysis can be conducted before program implementation and any time an organization wants insight into the progress being made on implementing the data privacy program requirements and any necessary corrective measures.

Developing a comprehensive business case for data privacy will put you in a far better position to develop the appropriate processes and purchase the most effective technology to help you lower the risk of data loss and regulatory fines while at the same time supporting your strategic, operational, and legal goals and commitments. CGOC offers members access to detailed information on many aspects of developing a data privacy program. To join or find out more, go to http://www.cgoc.com.

***** Heidi Maher is an attorney and a certified privacy manager who has advised hundreds of organizations on information governance around data privacy, regulatory compliance and e-discovery. She is the executive director of the CGOC, a forum of over 3400 legal, IT, records and information management professionals from corporations and government agencies. For over a decade, CGOC has been advancing governance practices and driving thought leadership across the industry. This article also appeared in our ALM sibling, Corporate Counsel.