Building block #4: Privacy by design
Privacy by design means that your organization takes a proactive approach to privacy, building privacy considerations into new products, systems, business processes, etc. Whatever project it may be, if you have the opportunity to voice any potential privacy concerns at the outset, then you are using a privacy by design approach. And such a privacy-centric approach will save your organization both time and money, as handling privacy matters proactively is always more efficient than changing designs, options, or technical specifications after the project is completed. Additionally, as more people become concerned with how businesses are handling their data, privacy by design illustrates that your organization takes privacy seriously.
Building block #5: A breach response plan
Privacy experts like to say that it isn’t a matter of if, but only when, an organization will suffer a breach of personal data. Depending on your organization, the tech department or the security team may already have a breach (or data incident) response plan in place. If so, the plan should be reviewed, as it may need an update. If your company does not yet have a breach response plan, putting together a new plan is a priority. A breach response plan should address topics like the establishment of a data breach response team, how a data breach investigation will be conducted, and who will handle items like legal compliance with breach laws and coordination with law enforcement and the media, if necessary. Fortunately, there are many excellent resources on preparing for and handling data breaches.
Building block #6: A protocol for data retention
If your organization doesn’t have a policy on data retention, it’s time to design a plan that addresses the types of data you control and how long your organization will retain that data. Not only can this reduce the risk and impact of a data breach, but it will also cut data storage costs. This project can take some time, but talking to the development team and other stakeholders about how much data you have and how far back it dates is a good place to start. Digging into the details of how long you need the various types of data will likely require decisions from senior leaders. This project can encompass various organization-specific decisions, but designing a data deletion policy is a worthwhile effort.
Building block #7: GDPR assessment
Last but certainly not least, you will want to conduct a GDPR assessment for your organization. As the EU’s General Data Protection Regulation takes effect in May 2018, and has a more wide-ranging impact than previous data protection laws in the EU, there are many new considerations for businesses. If your organization offers goods or services to EU residents, this law will likely impact your organization. Fortunately, there are a lot of publicly available resources on the GDPR to help you understand exactly what the law requires. Concepts of notice, consent and the legal bases for processing data are critically important, along with documentation illustrating how your organization complies with the law’s requirements. As changes to business processes or technical modifications may be required, it is best not to neglect this project until next spring.
Keep building on your privacy program
Once you have made progress on these seven building blocks, you are well on your way to a robust privacy program. As you continue to build and improve your program, there may be challenges, but there are numerous privacy resources to keep you current and help you tackle privacy issues. Being a part of the community of privacy professionals is a valuable resource and can help you navigate your way to the privacy program you hope to build at your organization. Enjoy your progress and don’t forget to stay aligned with senior leadership on your need to keep an ongoing role in all parts of the organization. It will be the secret to your continued success. Best of luck!