Welcome to a four-part series for establishing and maintaining a Data Privacy and Protection Program. This series will cover the people, processes, and technology considerations for your program. This article introduces the series and provides an approach for defining your data privacy and protection program.
Data Privacy and Protection has moved beyond being just a compliance requirement to a business need that establishes trust among all stakeholders. Over ten (10) Caribbean islands have implemented data protection legislation at various levels of enforcement, which shows their commitment to encouraging good data protection practices. Companies that collect, store, or process personal data must implement controls that meet these legal requirements on an ongoing basis. Therefore, consideration should be given to establishing a Data Privacy and Protection Program that will continuously mature within the company.
Some risks associated with non-compliance or breaches of data privacy and protection include:
What is a Data Privacy and Protection Program?
Like any other program within the company, a Data Privacy and Protection Program is the structure for managing Data Privacy and Protection throughout the company. It will govern how data is protected throughout its lifecycle and control processes for meeting legal requirements. A good program will have a mission, vision, defined scope, personnel assigned to the program, and a framework to guide its operations. The size and scope of the program should be driven by the level of risk associated with data privacy and protection, as the greater the risk, the greater the need for investing in mitigating the potential impact.
Where do we start?
To start, organizations may consider forming a privacy committee/task force of existing personnel, focused on identifying privacy obligations and developing a program to meet them. This committee should include representation from across the organization, both management and staff, to gain insights at all levels. Consideration may also be given to engaging an experienced external consultant to evaluate the current environment and establish the program. A combination of the two is also an option.
The committee or consultant should develop a good understanding of the business environment in order to identify the applicable legal requirements, assess the current state of the business against those requirements to detect gaps, define a target state, and create a work plan/roadmap for reaching that target state.
The target state should clearly outline expectations for the Data Privacy and Protection Program, including:
• People – Staffing and structure of the program,
• Processes – Governance framework to oversee the program, and
• Technology – Tools and/or applications to automate your program.
Once the program has been implemented and operationalized, performance metrics should be monitored to measure its effectiveness and identify areas for improvement. A high-level approach is shown below.