Building a Holistic Privacy Management Program

Governments around the world have been taking consumer data privacy very seriously recently, with the European privacy law (General Data Protection Regulation, or GDPR) being perhaps the most significant enacted to date. There’s also Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA – originally passed nearly 20 years ago, but getting more attention lately) and Brazil’s General Data Protection Law (LGPD), effective as of 2020.

To this we can add a host of newly enacted or proposed US data privacy laws. The California Consumer Privacy Act of 2018 (CCPA) is the most prominent, but more than a dozen other states (including Texas, Illinois, New York and Washington) have either enacted or proposed similar legislation.

This collective emphasis on safeguarding the interests of private citizens has established a new set of assumptions for organizations doing business in these countries (or with their citizens). For businesses, then, the current environment is one rife with uncertainty and concern. At an operational level, how can an organization (especially one that does business globally) make sure it’s in compliance with all these new laws?

The good news is these various regulations are more alike than they are different. Definitions of Personally Identifiable Information (PII) are pretty similar, as are the elements that fall within the regulatory scope. CCPA is more of an opt-out framework while GDPR defaults to the opt-in side, and the bar may be higher or lower from one jurisdiction to another. But the primary distinctions have to do with how and when to report incidents to the responsible governing bodies.

As such, there’s no need for organizations to focus too deeply on the minute differences from one regulation to the next. Rather than building consumer privacy programs for individual jurisdictions, it’s possible (and preferable) to develop holistic programs that address the overarching commonalities.

At its core, an effective privacy management program looks and acts like an integrated cybersecurity and risk management program.

Begin with these questions:

An organization that’s already doing enterprise cybersecurity risk management properly – including things like basic data management and identity and access management (in alignment with a cybersecurity and privacy management framework like NIST CSF, NIST PMF, ISO 277001 or Nymity) – is 90% of the way there. In practice, this encompasses:

Data Risk Governance: Understanding what kind of data you collect, how you use it, who you share it with, your privacy obligations and the privacy risks to individuals.

Data Classification: Establishing expectations and capabilities for users to identify data within your environment that’s relevant to privacy regulations.

Data Discovery: Using manual and technical means to discover where sensitive data lives within your environment and setting up structures for ongoing management.

Data Access: Determining who has access to the data (both structured and unstructured) and setting up the rules for ongoing monitoring and management of access.

Data Handling: Defining standards and establishing rules for storage, processing and transmission of privacy related data and enabling users to operate within the standards.

Data Protection: Planning, building and running an appropriate risk management and security program for the protection of sensitive information and preparing for the chance of an incident.

Since the regulations are pretty similar, organizations can generally prepare for them all at once, and a host of online checklist resources helps. For instance, Optiv’s comprehensive GDPR checklist distills best practice advice from multiple sources. A Google search for [ccpa checklist] returns thousands of results, including on-point guides from dozens of top analysts. The same goes for Brazil’s data privacy codes. A review of these resources reveals a number of commonalities, including maintenance of data privacy notices; procedures for responding to requests for information, requests to be forgotten and requests for erasure of data; and policies/procedures for collection and use of children and minors’ personal data, security training, etc.

So when taking on this plethora of new privacy laws, relax: they all share similarities and there are checklist resources to help you get organized. Still have questions about developing and implementing a privacy management program in your organization? Contact us.