[authors: Pam Hrubey, Crowe and Jessica Wilburn, NAVEX]
In NAVEX's 2021 risk and compliance program survey, 66% of respondents indicated that privacy, data protection and security were a priority. That puts privacy at the top of the list alongside more familiar topics, including conflicts of interest; anti-bribery and anti-corruption; diversity, equity and inclusion (DEI); and environmental, social and governance (ESG). Constant regulatory change is certainly part of why ethics and compliance managers report that privacy continues to be a key area of focus. The next logical question is: How can those responsible for privacy and data protection programs cope with the ongoing external regulatory changes affecting their organizations?
2022 is shaping up to be the year in which many privacy program managers focus on implementing privacy frameworks to insulate the privacy program from the winds of change that constantly buffet the organization.
Choosing the Right Privacy Framework
Privacy frameworks help organizations deal with change. They provide a structure on which to base both the fundamentals of the program and the critical processes needed to fully support the privacy program and its stakeholders. Program managers looking to leverage a privacy framework effectively must have a clear understanding of the specific information requirements of the organization and of the industry or industries in which it operates. Using a privacy framework does not eliminate the need to understand the laws and regulations applicable to the business, but with a framework in place it is easier to assess which changes could have a material impact on the organization. It is also important to keep in mind the culture and values of the organization, as well as its appetite for regulatory risk.
Fortunately, there are many privacy frameworks available, including:
- Fair Information Practice Principles (FIPPs)
- Generally Accepted Privacy Principles (GAPP) Maturity Model
- National Institute of Standards and Technology (NIST) Privacy Framework
- Organization for Economic Co-operation and Development (OECD) Privacy Framework
Additionally, when implementing a privacy framework, work should be done to complete data maps (or records of processing activities) for the personal and sensitive data the organization processes. Privacy officers should consider the scope of the privacy program and how it aligns with the organization's values. It is also helpful to be aware of the specific challenges the privacy program may face, including the potential for regulatory enforcement.
Buy-in and Implementation
First and foremost, the privacy program must have full buy-in from the organization's top management. Privacy officers should leverage departmental or functional champions where it makes sense and ensure that these privacy champions are involved in training events and related workshops for senior leadership. Creating a steering committee and deputizing other leaders to help carry the load of implementing the framework can provide additional organizational lift.
One of the first steps after selecting a privacy framework is to determine how the privacy regulations your organization must comply with overlap both with your framework and with each other. In some cases, it may be useful to draw on multiple frameworks. Some organizations find it useful to start by replicating work already done by another part of the organization, for example the information security team's use of the NIST Cybersecurity Framework or ISO 27001. This can establish stronger alignment in the areas where privacy and security naturally overlap. Mapping areas of control and then making connections within and between regulations can reduce the complexity that naturally exists in the global privacy and data protection arena.
Next comes the creation of action items for steering committee members and privacy officers. These individuals will be in an excellent position to help map the controls of the selected framework onto the organization's personal data collection processes. Privacy officers should help the committee leverage existing policies, procedures and training. Constantly communicating what is going on and why is important to truly gain buy-in. Roles, responsibilities and descriptions created for the framework should be kept simple and clear. Privacy program team members, steering committee members and privacy champions need to be aligned so that they can be trusted evangelists for the program without the risk of contradicting each other. Their involvement is also an opportunity for personal and professional development. As with any effective compliance program, monitor regularly to assess progress and verify that the framework continues to be fit for purpose.
It will likely be necessary to tailor the chosen framework to the specific privacy risks and regulatory requirements the organization must meet. This is a natural part of the implementation process, and these minor adjustments make implementation easier for everyone. When determining how to adapt the framework, be sure to involve business partners who may be affected by the program or who need to participate in it.
Once the framework is implemented, it can be leveraged whenever a regulatory change occurs, although the framework itself should remain dynamic and flexible, since static frameworks quickly become obsolete. First, map the new requirements to the controls you documented in the framework. Where there are gaps in the controls (which will happen from time to time), adjust the controls. Then you are ready to rinse and repeat the next time a regulatory change occurs.
Today, effective data privacy protection is impractical without technical automation. Almost all collection, storage and use of data is already technology-driven, and data control mapping should likewise be done with software tools. The need for robust yet flexible tooling becomes even more apparent given the rate of regulatory change described above: manual or only partially automated control systems cannot react to change as quickly as a well-chosen software solution. The necessary technology investments must therefore be a priority.
Data privacy regulations show no signs of slowing down. Organizations should prepare for change by auditing existing privacy frameworks, investing in technology, and preparing to make necessary changes. The coming year will bring increased attention to privacy programs, and current and upcoming legislation will require dedicated resources and organizational buy-in to maintain compliance.
See the original article on Risk & Compliance Matters