
How to Create (or Begin to Create) an Enterprise Privacy Program

Understand Your Business and Inventory Data Held & Transmitted

The data your company stores, maintains, transmits, uses, or otherwise handles is a threshold question in the data privacy context.  Is financial information collected?  Does healthcare data reside on any system?  Does a public-facing website exist that targets children?  What other sensitive information flows into or out of the business?  Just as importantly, determine the source of the data.  Is it collected directly from a customer?  Is it provided by virtue of a subcontract or other agreement?  Is the personal information of the company’s internal staff stored in electronic or hard-copy form?  Along these same lines, don’t forget to track the sensitive information that flows out of the organization.  Where does it go?  Why does it go there?  Is it necessary for such data to be transferred at all?

A lot of preliminary thought and investigation is required to set the stage for an enterprise privacy program because getting the program stood up depends on specific business models, industry affiliation, and related organizational practices.  Simply stated, a privacy program has to be tailored to the specific company.

Classify Data

Once all the information that touches the company has been identified, it should be classified according to sensitivity level.  Efficiency dictates that data privacy practices be applied only to sensitive data, not to all the data held by an entity.  Customers’ social security numbers, for example, shouldn’t be put in the same privacy bucket as the company’s marketing materials.  Data classification will assist both in understanding what data actually resides in the company and in prioritizing data privacy activities.  The most sensitive data should be addressed first.  Think, metaphorically, “triage.”
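The inventory and classification steps above are usually done in a spreadsheet, but the same logic can be automated.  The following is an added example, not code from the original post or from Lunarline: it scans a handful of constructed sample records for indicators of regulated data (SSN patterns, Luhn-valid payment card numbers, health and employee terms), assigns each system an assumed sensitivity tier, and orders the resulting inventory so the most sensitive stores are triaged first.  The tier names, regular expressions, field names and sample records are all assumptions made for illustration.

```python
"""Data inventory and sensitivity classification (added example).

Tier names, regexes and sample records are assumptions for illustration,
not Lunarline's own tooling or classification scheme.
"""
import re

# Sensitivity tiers, highest first (assumed labels).
RESTRICTED, CONFIDENTIAL, INTERNAL, PUBLIC = (
    "restricted", "confidential", "internal", "public")
TIER_RANK = {RESTRICTED: 0, CONFIDENTIAL: 1, INTERNAL: 2, PUBLIC: 3}

# U.S. SSN in NNN-NN-NNNN form; excludes invalid area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Keyword indicators for health data and employee personal data.
HEALTH_RE = re.compile(r"\b(?:diagnosis|prescription|medical record|patient)\b", re.I)
EMPLOYEE_RE = re.compile(r"\b(?:dob|date of birth|salary|payroll)\b", re.I)


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return the list of sensitive-data indicators found in a text sample."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Luhn filters out phone numbers and other long digit runs.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("payment-card")
            break
    if HEALTH_RE.search(text):
        hits.append("health")
    if EMPLOYEE_RE.search(text):
        hits.append("employee-pii")
    return hits


def classify(record):
    """Map a record's indicators and source to a sensitivity tier."""
    hits = find_sensitive(record["sample"])
    if any(h in ("ssn", "payment-card", "health") for h in hits):
        tier = RESTRICTED
    elif hits:
        tier = CONFIDENTIAL
    elif record["source"] == "public":
        tier = PUBLIC
    else:
        tier = INTERNAL
    return tier, hits


def build_inventory(records):
    """Classify every record and order the inventory most-sensitive first."""
    rows = []
    for r in records:
        tier, hits = classify(r)
        rows.append({"system": r["system"], "source": r["source"],
                     "tier": tier, "indicators": hits})
    rows.sort(key=lambda row: TIER_RANK[row["tier"]])   # stable sort = triage order
    return rows


# Constructed sample records: one representative text sample per data store.
SAMPLE_RECORDS = [
    {"system": "crm-db", "source": "customer",
     "sample": "Jane Doe, SSN 123-45-6789, jane@example.com"},
    {"system": "billing-api", "source": "customer",
     "sample": "card 4111 1111 1111 1111 exp 12/26"},
    {"system": "ehr-archive", "source": "subcontract",
     "sample": "Patient diagnosis: hypertension; prescription lisinopril"},
    {"system": "hr-files", "source": "employee",
     "sample": "Employee John Smith, DOB 1980-02-03, salary 85000"},
    {"system": "www-marketing", "source": "public",
     "sample": "Download our 2014 product brochure"},
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_RECORDS):
        print(f"{row['tier']:<13} {row['system']:<15} {row['source']:<12} {row['indicators']}")
```

Pattern matching alone over-flags (a phone number looks like a card number, a product code like an SSN), which is why the Luhn check and the exclusion ranges in the SSN pattern matter; in practice the scan is a starting point for the data-owner interviews, not a substitute for them.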

Who is responsible for privacy issues, compliance, and data protection

A specific person or team must be identified as the privacy go-to.  This is an often overlooked aspect of data privacy governance, but it’s essential.  An organization needs to know who its privacy expert is (“expert” being a relative term).  Specific roles lead to accountability, which leads to action and results.  Diffuse responsibility and finger pointing do not get a data privacy program built.

While defining personnel roles, make sure to also define responsibilities.  These responsibilities will change according to the types of data the organization handles, and in turn, what laws and/or regulations apply.  A Privacy Officer in a hospital will have different responsibilities than the privacy team at Microsoft, who will have different responsibilities than the local college registrar’s office.  The point here is that there has to be a central hub supporting, managing, and/or directing the privacy program, and a known in-house privacy resource for other personnel to avail themselves of.

Determine what laws and/or regulations apply

This step is vitally important.  In many ways, it will dictate how the organization’s privacy program is developed and maintained.  In the U.S., we have a sectoral approach to data privacy.  This means that a given category of data is protected only if a specific law says so.  So unlike other jurisdictions, such as the E.U., American companies can generally share, disclose, and otherwise use individuals’ data unless a law states otherwise.  Here are a few U.S. statutes that are commonly referenced in data privacy discussions (there are many others):

  • Health Insurance Portability and Accountability Act (HIPAA):  sets requirements on how protected health information (e.g., data held in one’s medical record) must be protected from both an information security and data privacy perspective.
  • Gramm-Leach-Bliley Act (GLBA):  mandates the protection of individuals’ financial information.  Like HIPAA, it has specific requirements governing data security and data privacy.
  • Family Educational Rights and Privacy Act (FERPA):  protects individuals’ education records and creates obligations on schools regarding maintenance and disclosure of the records.

To demonstrate the point with an obvious example, if the organization is a hospital, it should spend its compliance dollars on HIPAA, not FERPA.  However, the lines are not usually so clearly drawn, which makes evaluating the applicable laws imperative to an effective privacy program.  Evaluating the types of data present within an organization, as discussed above, is the primary way to start figuring out exactly what you need to comply with.  There are numerous federal laws, and many more state laws, that affect how sensitive information must be handled.  It’s up to you to find out which ones apply, and which don’t.

Data privacy compliance gets more complex when the data is transferred internationally, or housed in a foreign country.  I won’t derail this post by diving into the nuances of international data transfer law, but will mention this: if data is held in a foreign country, the privacy of that data will be governed by the laws of the host country, often in addition to the U.S. laws that still apply to the organization.  Chances are very high that the host country’s privacy laws are fundamentally different from U.S. ones, thereby necessitating an entirely different approach to the data privacy program.  If nothing else, just know that privacy compliance issues will multiply if your organization houses or transfers sensitive information internationally.  Concepts such as Safe Harbor, Binding Corporate Rules, and Model Contracts will be on your radar.  Those are topics for a later post.

Create Applicable Policies and Procedures

You know what kind of data your organization handles.  You’ve determined who is the privacy lead, and have narrowed down the pool of data privacy laws to just those that are applicable to the company.  Those accomplishments have to be formalized and made consistent across the organization via policies and procedures.

The policies and procedures to be developed fall into two broad categories: external and internal.  Both are very important.  External policies are those that are public-facing and which are, in most cases, mandated by law or regulation.  These policies, generally referred to as the Privacy Policy, provide notice explaining how the organization uses people’s data, how it’s shared, with whom it’s shared, and how an individual can access and correct the data he or she has provided.  Internal policies dictate how the organization uses, handles, and discloses the data.  Again, these policies and procedures will differ depending upon the type of data held by the company (and on the applicable laws).  People are every company’s weakest security and privacy link, so creating robust and specific policies and procedures is a must, as is updating them regularly.

There’s a high probability that many of a company’s existing policies and procedures can be leveraged to create a data privacy documentation library.  Many of these policies will be ones that address information security.  Information privacy cannot exist without information security; therefore, InfoSec policies such as access control, physical security, contingency planning, incident response, data storage and destruction, and several others can be updated to be aligned to the data privacy program.  Additionally, many technical considerations play a role in data privacy: firewalls, encryption of data at rest and in transit, data integrity, and logical access controls.  Without these capabilities protecting the security of sensitive information, the privacy of the information is at substantial risk.

Note that the contingency plan and incident response policy may become an integral part of a data privacy program, considering the legal requirements governing a data breach.  As one easy example, take a look at HIPAA’s Breach Notification Rule.

Continuous Training & Monitoring

Policies and procedures, and an understanding of which laws and regulations apply, are useless if the personnel who handle the data aren’t adequately trained.  One of the toughest and most important tasks in creating and maintaining a data privacy program is ensuring all employees, from the C-suite on down, are aware of their obligations and appreciate the consequences of non-compliance.  Tracking employee training completion is obviously important, as is monitoring the privacy program in general.  As the program gets up and running, there will no doubt be areas for improvement.

As the Program Matures, Measure and Improve

The data privacy program will mature as iterative improvements are made.  It’s a never ending process, especially in light of the ever-shifting legal and regulatory privacy landscape.  Regular monitoring will (ideally) reveal weaknesses in the program.  It will also oblige stakeholders to stay current with the changing laws and practices of data privacy.  At some point, it may be appropriate to apply metrics to the program to further drill down on program effectiveness.  Then, before you know it, acting in accordance with the data privacy program is part of the everyday culture of the organization.  Success!  Let us know how we can help create and/or maintain your organization’s data privacy program.

About Joshua Merkel

Josh is Lunarline's Director of Privacy. He is a licensed attorney and holds CIPP and CIPM certifications. In addition to data privacy consulting, Josh acts as a subject matter expert supporting HIPAA compliance assessments, and leads FISMA/NIST efforts for several clients.