Five key privacy programme elements that make it work

Aligning them to the organisation’s business goals and strategy is essential for effective governance

Updated: Sep 16, 2015 09:12:45 AM UTC

Although privacy is making rapid strides, one big challenge remains: how do organisations demonstrate that they respect the data subjects’ right to privacy? The challenge has grown manifold with greater awareness, more regulation, and a steady stream of incidents. Today, enterprise data privacy programmes must address both privacy and security needs. Meeting these needs calls for a systematic approach to designing the programme. It must be kept simple, with minimal jargon and easy-to-understand language for stakeholders at all levels. While regulatory compliance can serve as the stick that drives the programme, ease of understanding and implementation is the carrot. Sustaining and scaling it, however, means making it part of the organisation’s culture rather than merely an organisational policy. This is perhaps the hardest job on hand for an implementer, and it often leads to a pertinent question: is there a simple design that can be scaled at the pace the organisation needs?

In my experience, five steps go into designing a simple data privacy programme that can be scaled to the organisation’s needs:


1.  Data visibility
Conduct a data visibility exercise across all organisational processes in scope. Such an exercise gives every process owner a means to disclose the personal data they control and process, and it builds an inventory of the personal data the organisation manages, recording details such as, but not limited to:

  • Who is the owner of the data?
  • Why is the data required?
  • How is it stored / processed?
  • Who can access it and why?
  • How long is it retained?
  • How is it disposed of?
  • What is the nature of the data (personal information, personally identifiable information, or sensitive personal information)?

Set up a process to update this inventory in real time or periodically, in line with legal requirements, so that data visibility is continuous. Visibility of this sort gives implementers, attorneys, and regulators the facts they need to understand the organisation’s privacy protection needs.

2.  Privacy protection need analysis
The data visibility exercise should be followed by a privacy protection need analysis. Define the organisation’s requirements and commitments for upholding the data subject’s right to privacy and for protecting the data within the organisation’s remit. Look into the local regulatory regime in each geography the organisation has scoped in; privacy protection needs differ across countries and industries. In addition, consider the relevant published standards. Such an analysis enables informed decisions that produce balanced privacy protection controls. Controls that seem excessive today may be considered essential later, or vice versa, so a periodic analysis helps maintain that balance as the practice matures globally.

3.  Privacy protection controls
Design and adopt privacy protection controls based on the privacy protection need analysis, cost-benefit analysis, regulatory requirements, the organisation’s commitments, and risk assessment. Privacy protection controls can include, but are not limited to: data masking, encryption, data transfer contracts, privacy policy and procedures, incident management, internal audit, information security controls, privacy notices, consent acquisition, and retention and disposal policy. The design and selection of controls must be aligned with data protection principles.

4.  Privacy incident reporting and management
Put in place an effective incident reporting mechanism that enables all stakeholders to report any privacy incident. Keep all stakeholders aware of this mechanism through continuous communication over various media such as emails, posters, quizzes, and training. In addition, define the process for acting on reported incidents, and ensure it includes privacy impact analysis, root cause analysis, a RACI (Responsible, Accountable, Consulted, Informed) matrix for the stakeholders involved, SLAs for closure, provisions for the actions to be taken, documentation of lessons learned, and measurement of the effectiveness of privacy incident management.

5.  Governance
A key ingredient in a robust privacy programme is top management involvement, which ensures the programme is effective at every level of the organisation. Also define the metrics the organisation wants to monitor, along with thresholds set according to its risk appetite, so that they reflect the health of the programme. Aligning the privacy programme to the organisation’s business goals and strategy is essential for effective governance.

Every day a new outlook on privacy appears. While it is true that we cannot design and adopt a perfect privacy programme, we can certainly build a reasonable assurance model. Begin by keeping these five basic elements in mind, and strive to improve the programme by building depth in the activities under each element.

There is no end to what can be done, so it is important for the implementer to strike a balance between protecting the interests of all stakeholders and continuously refining the programme to keep it relevant and user-friendly. Only then will it function as an enabler in achieving business goals.

- By Rajeev Thykatt, Group Leader, Risk Management, Infosys BPO

The thoughts and opinions shared here are of the author.
