Privacy Advisor

Kick-Starting a Privacy Program

February 1, 2013

By Bob Siegel, CIPP/US, CIPP/IT

It is not enough for a business to create a privacy policy and place it on its website; a business must define policies and practices, verify that its employees are following the practices and complying with the policies, and confirm that third-party service providers are adequately protecting any shared information as well. As customer demands and regulatory requirements change, the business's privacy practices and policies must be reviewed and revised to meet this changing business environment.

So, how do you get started? Well, every journey begins with the first step. Here are 10 steps to kick-start your organization’s privacy program.

  1. Identify an owner

It is critical to identify someone to own the privacy program and the process to create it. Optimally, this will be someone in your senior leadership team, thereby demonstrating the priority being given to privacy within the business. Appointing a senior leader to this role will also show your customers, staff and partners your commitment to protecting personal information.

You can imagine that different functions within your organization may have different perspectives on privacy. Marketing, human resources and legal, for example, may have very different views on how personal information should be collected and used. Establishing a core team to support the program owner, consisting of members from the various functions within your organization, will allow each of their voices to be heard and appropriate balances to be struck as the program gets established.

  2. Take inventory

To develop effective policies and practices, you need to understand what is important to the various functions of your organization. Taking inventory of the personal information already on hand is a great way to gather these requirements.

Core team members, working within their own functional teams, can determine:

  • What personal information is collected;
  • Why the information is collected;
  • How the information is collected;
  • How the personal information is stored and protected;
  • If the information is shared with a third party and, if so,
    • How it is transmitted and
    • How the third party protects the information, and
  • When the information is destroyed and by what process.

Once created, keeping this inventory current will help ensure compliance with your policies and practices.

  3. Understand your legal, regulatory and partner requirements

In addition to exploring the internal requirements for the use and protection of personal information, you also need to explore external requirements. There are three primary sources for these requirements:

Legislative bodies
Throughout the world, laws have been established governing the collection, use, transfer and protection of personal information. These laws vary by jurisdiction with differences most often based on culture, history and business climate.

Regulatory bodies
Depending upon your industry and the information you collect, there may be requirements that government or industry regulatory agencies impose. For example, if you use credit cards for payment, you should be compliant with the Payment Card Industry Data Security Standards. Participants in the U.S. healthcare industry must comply with The Health Insurance Portability and Accountability Act of 1996. Privacy in the U.S. financial industry is covered in the Gramm-Leach-Bliley Act.

Partners
You may have agreements in place with your customers or your suppliers that specify privacy requirements. Regardless of what you establish as an organizational standard, these agreements will override your standard policies and practices for these stakeholders.

  4. Define your high-level policy

Taking your internal and external requirements into account, you are now ready to define your privacy policy. Often organizations want to become detailed and specific in their policies, but this frequently leaves the business unable to address unforeseen circumstances.

When you consider your privacy policy, think of it as a moral compass for your organization defining what is “the right thing to do.” Supplement this with some high-level guidance on implementation, e.g., personal information will be encrypted in transit, but leave the details for your functional areas to define. This allows the policy to remain unaffected as technology, requirements or the business climate changes.

The policy should also define the consequences to an employee, contractor or temporary worker if the policy is violated.

  5. Define processes, standards and guidelines

To support your policy and to ensure your staff understands what to do to meet your requirements, supporting documentation needs to be created to specify how the staff should behave. There are three different ways to document these instructions:

  • Processes are step-by-step instructions describing how a task must be accomplished,
  • Standards define minimum requirements that must be met (though exceeding these requirements should be encouraged), and
  • Guidelines are suggestions about how things should be done.

The core team can work within their own functional areas to define their appropriate level of documentation for their area. This will engender a sense of ownership of these documents by your stakeholders. However, you should consider using the core team as a whole to review and approve each of these documents.

  6. Train your staff

With everything now in place, it is time to train your staff. Simply asking them to read the documented policy, processes, standards and guidelines will not be effective; think of all the email and reading each of us gets in a typical day. Formal training, either face-to-face or computer-based, needs to be undertaken.

Training should occur when the privacy program is initially introduced. New hires should be trained upon joining the organization as should contractors and temporary employees. Annual refresher courses should also be put in place.

Privacy training should be required of every member of the staff annually; completion of the training should be logged and considered part of the performance review process.

  7. Review your vendor/service agreements and third-party practices

Your organization is responsible for data it collects and shares even when it is provided to a third party for processing. To be sure that everyone with whom you share information is protecting the data to your satisfaction, your business needs to consider a few questions:

  • Are the third parties meeting your new policies?
  • If not, are they willing to meet the new requirements?
  • If not, are there ways to remediate or compensate for the requirements in question?
  • If not, is there a different third party you could use to meet the requirements?

Similar to providing training for your staff, holding a series of webinars for your third parties describing your new policy will give notice to these organizations about the changes in your requirements. You can follow up with a questionnaire to determine if your requirements are being met.

You should also modify your standard contracts to include language that requires your policies be met. This will become a negotiation point for most of your vendors, but if your requirements are reasonable, it will be easy to achieve a meeting of the minds.

  8. Declare victory and celebrate

Establishing a privacy program is a significant milestone in the maturity of an organization. Holding an event to recognize the achievements of the program owner, the core team and the organization as a whole is appropriate. The event will also reinforce the importance placed upon protecting personal information by the organization.

  9. Post a notice to your customers

Having the program publicized internally and with your service providers is a start, but your customers need to be informed as well. Typically this is done through a Privacy Notice, also known as a Privacy Statement or Privacy Policy, on your website.

The notice is not only a legal document; it can be used as a strategic marketing tool. If you do not share information and your competitors do, then call that out. You can make the notice part of an educational experience by explaining why privacy is important, how your customers can protect their own information on a day-to-day basis and how your policy supports their efforts.

The notice should reflect your organization’s perspective on the importance of protecting personal information, giving insight into

  • When you collect personal information;
  • Why you collect personal information;
  • What information is collected;
  • How you protect the information;
  • When you share the information, and
  • What a customer should do if they think their information has been compromised.

This notice should be dated with links provided to it conspicuously throughout your website. If a change is made to the notice, customers should be notified on the website when they visit.

  10. Review, reassess and revise

Your business and the privacy landscape are changing, so it is important to review your privacy policy and supporting processes, standards and guidelines at least annually. In fact, some legislative and regulatory agencies require this. Ongoing training is also required by some legislative and regulatory agencies.

An annual, independent review is also advisable. This will provide an outside, unbiased look at your privacy program, identifying what is working and what could use improvement.

Editor’s Note: For more on how to build a privacy program at your organization, see also Bob Siegel’s “We learned our data privacy basics in high school.”

Bob Siegel, Privacy Ref's founder and chief privacy strategist, has extensive professional experience in the development of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity and the evaluation of compliance with industry requirements and best practices. He has deep subject matter knowledge surrounding key laws and regulations regarding consumer privacy and information security and is a member of the IAPP Certification Advisory Board for its Certified Information Privacy Manager (CIPM) program as well as a member of its faculty. For more information about Bob Siegel and Privacy Ref, please visit www.privacyref.com.