Building Your Privacy Program Framework

a guide to data privacy and security_part 1_blog header

Like the Cambridge Analytica scandal and the introduction of Europe’s General Data Protection Regulation (GDPR), the Covid 19 pandemic has reinvigorated the discussion of data privacy and security – once again bringing the issue to the forefront of the business world. In our 8-part guide, we will examine, discuss and share some tips on the different aspects of data privacy and security beginning with: 

Part 1: Preparing And Building Your Privacy Program Framework. In the first part of our guide, we will be covering how you can build your privacy program from start to finish, including some simple, yet crucial tasks that will help you; correctly define objectives, determine your scope and help build a robust privacy program.   

Building Your Privacy Program Framework 

If it’s not already, data privacy and security are challenges that you need to prioritize as an organization operating in a digital world. Any company gathering and using personal data needs to ensure they comply with different privacy regulations around the world. So, how do you ensure compliance is in place? We suggest beginning with a defined privacy framework.  

Before we dive into how you can develop your framework, there are a few factors to note and processes that should be performed to create a comprehensive and secure framework: 

  • Defining data privacy vs data security 
  • Classifying your data and treating it as an asset  
  • Preparing a data processing summary 
  • Define organizational objectives and priorities 
  • Establish scope of privacy program and which frameworks to comply with 

Once you have done the above, you can get to the nitty gritty of developing your own privacy framework. 

Data Privacy vs Data Security 

Data privacy consists of the policies and processes that dictate how your organization collects, uses, shares and stores personal data. Data privacy is generally governed by state/province or federal laws that apply to specific industries and/or locations. 

Data security on the other hand, are the measures taken by an organization to prevent any form unauthorized access, internally or externally. Data security will vary from one company to the next depending on the type and quantity of data being gathered and stored.  

Understanding Your Data as an Asset 

Understanding your data is essential if you want to know how to secure it and prevent incidents at your organization. Determining how to classify your data will depend on your industry, the type of data you collect, use, store, process and transmit. Most data is classified based on the sensitivity and will determine who has access to it and how long it can be stored. 

 3 Basic Classifications 
  1. Public data 
  1. Internal only data 
  1. Client confidential data 

Many privacy acts and regulations will also have specific data classification requirements such as the GDPR and the California Consumer Protection Act (CCPA), that vary depending on the type of data gathered, its use, and how it is managed. While the GDPR initially seemed like a huge hassle for organizations, it presented organizations with an opportunity to step up their compliance efforts and security practices using a well-defined structure to properly create administrative, technical, or physical safeguards. 
 
Treating data as an asset and taking inventory of your data is key to streamlining the development of your privacy program framework and should be the first step you take as a privacy professional. Whether your organization is a small start-up or medium-sized company; preparing a summary with detailed records of data processing activities is critical in defining the objectives and priorities of your privacy program. 

Defining Your Objectives & Priorities With a Data Processing Summary 

When developing a data processing summary, it must include basic information on your key databases, including the purposes for processing and data categories collected, processed, and disclosed. If you are struggling to find this information, a few documents might help define this baseline: 

  • Service level agreements 
  • Master contracts with clients 
  • Agreements with third-party suppliers 
  • Terms of use of online applications and software 
  • Network diagrams  

Most likely, you will be looking for information that clearly indicates what type of data you are dealing with, the location of your servers and third-party datacenters, who has access to this data, purposes of data processing, and international transfers. By answering the former, you will have the information you need to determine objectives and set priorities. 

Determine the Scope of Your Privacy Program 

Based on the strategic objective, the scope of your privacy program can be established. Creating a scope statement and communicating it within your organizations and to your clients helps promote the importance of data privacy. 

The core of your program must always be taken into account when determining your privacy framework – it is the basic structure underlying your data privacy program. All information leveraged, as part of the data summary, will be used to identify legal requirements within privacy regulations based on where data is being processed. 

With the GDPR being the most well-known privacy regulation, many countries will have their own similar privacy laws. Depending on your location, you may have multiple jurisdictions administering privacy laws, in addition to broader legislation. In Canada for example, privacy regulations are segmented by type (public bodies versus private transactions) and locations (federal versus provincial). Companies should take a good look at which are their primary jurisdictions, what are the most relevant regulations, and which are the strictest requirements. 

Companies might have different objectives concerning privacy law compliance depending on budget and time constraints. In addition to doing what is legally required, the privacy program can be a potential competitive differentiator by exceeding your clients’ needs and expectations with respect to privacy and security. 

Establishing Your Program Framework 

Once you have created a data processing summary, defined your objectives and priorities, and established the scope of your privacy program, you can begin constructing your organization’s privacy program framework. When it comes to building your framework, professionals have multiple options at their disposal. If you have decided to use spreadsheets to develop your framework, we wish you the best. Alternatively, there are more efficient and secure solutions such as framework-specific compliance tools, or more comprehensive GRC software. Within the category of GRC programs, there are tools with varying capabilities and customizations. Regardless of what you decide to use, fully consider the implications of each solution, the advantages, and the potential consequences of their use.  

Summary 

While completing your data processing summary may be tedious, it will massively contribute to the successful implementation of your data privacy and security program.  Treating data as an asset will help you determine the key objectives of your privacy program, and correctly identifying the scope of your project will keep you focused and communicate the importance of data security across the company. When it comes time to build your framework, companies have many tools to choose from. However, for the best outcome, we recommend implementing a structured information security and compliance tool. 

Next up in part 2 of our guide to data privacy, we’ll be taking a deep dive into the “whys” and “hows” of privacy – namely, the roles policies and procedures play in data privacy and security. 

A Guide to Data Privacy and Security: 

>> Part 1: Preparing and Building Your Privacy Program Framework  

Part 2: Policies and Procedures  

Part 3: Accountability  

Part 4: Creating a Third-Party Management Program  

Part 5: Supplier Assessment Process  

Part 6: Data Processing Agreements       

Part 7: Data Categorization and Mapping  

Part 8: Privacy Assurance

How Can StandardFusion Help?

StandardFusion GRC supports your compliance and risk management program from start to finish. Easily define your privacy initiatives and build your own powerful privacy and security program. Display your program scope statement, assign ownership of the program, create a follow-up assessment schedule, and create a catalogue of requirements based on one or multiple privacy regulations all within StandardFusion. From a project management perspective, being able to visualize your entire privacy framework in one click saves hours of investigative work allowing you to quickly remediate any issues. Develop a mature privacy program from the ground up with StandardFusion’s GRC software – request your demo today!