By Karen Schuler, CFE, IGP, IGP and Taryn Crane, PMP
Notwithstanding the EU General Data Protection Regulation (GDPR)—the most sweeping change to data privacy in 20-plus years, with extraterritorial scope that went into effect on May 25, 2018—there are numerous privacy laws that are often overlooked.
Earlier this year companies like Facebook have come under fire for privacy violations while Congress is looking for ways to protect the privacy of American citizens. These movements are just the beginning of widespread change that we expect for privacy laws over the next several years.
As discussed in the Spring 2018 issue of the Nonprofit Standard in an article entitled “The Integration of Data Privacy into a Data Governance Program,” nonprofits can’t afford to ignore regulations like GDPR as many organizations are impacted due to their global reach. But now that May 25, 2018 has passed and GDPR officially went into effect, it’s time to think about your holistic privacy program—or implementing a Privacy Operational Life Cycle that helps your organization keep employees apprised of new privacy requirements, embraces recordkeeping and sound data protection practices while offering enhanced data privacy for your donors, employees, and constituents.
Think about these areas to develop a sound Privacy Operational Life Cycle:
- Develop an organizational privacy vision and mission, and document the program’s objectives.
- Identify legal and regulatory compliance challenges that are relevant to your organization.
- Locate and document where personal information resides throughout your organization or across third parties (e.g., hosting vendors, outsourced applications).
- Develop a privacy strategy that identifies stakeholders, leverages key functions throughout the organization, creates a process for interfacing within the organization, and outlines a data governance strategy.
- Conduct a privacy awareness workshop to highlight to the entire organization the goals of the program.
- And, finally, develop a structure for your privacy team with a governance model that is clear and consistent for the size of your organization.
The above-mentioned items are a starting point, but there is more to do after you develop your initial structure and communicate the purpose of the program. Below is a guide to developing the Privacy Operational Life Cycle.
Develop and Implement a Framework
The framework should provide you with an implementation road map that outlines your privacy procedures and processes. Developing a framework helps you identify high risk areas, reduce data loss, and provide a measurement against compliance to laws, regulations, and standards. Frameworks that provide initial guidance include the AICPA and CICA Privacy Framework, ISO 17779/BD7799, or OECD Privacy Guidelines.
Develop Privacy Policies
Once you have selected an overall framework to govern your privacy program, look at your existing policies, procedures, and guidelines. During this phase you should evaluate the goals of the privacy program and determine what business initiatives are the baseline of the privacy program. Just remember, as you look to update policies, procedures and guidelines for the organization, ensure that there is a mechanism to enforce these policies. And don’t forget to review the current website privacy notice. This has become a critical target of privacy watchdogs to ensure that you can fulfill the commitment of the statements in that notice.
Develop Mechanisms to Measure Performance
Within your privacy life cycle, it will be important to develop the ability to measure performance of the program. To implement metrics, consider your audience—will it be the board, external parties, regulatory agencies, or the staff? Determine how you will report on these metrics that you have identified. Decide what measurements you are interested in sharing with your audience and how this could impact funding positively or negatively. Next, determine how you will measure progress toward the organization’s business goals and objectives. Do your best to limit improper metrics that do not support the organization’s mission. And finally, determine the best methods to collect the data you need. Your goal is to demonstrate compliance while establishing the privacy program’s return on investment (ROI).
Develop the Privacy Operational Life Cycle
The Privacy Operational Life Cycle should consider measurement, improvements, and the ability to sustain and support the program. To effectively do this, develop an operational life cycle that considers the assessment, protection, governance, and response phases. Some tips to consider for each aspect of the life cycle:
- Assess – embed Privacy by Design (PbD) into the design of technology, business practices, and physical design of new programs. In addition to PbD, regularly evaluate third-party compliance, as well as internal program compliance.
- Protect – ensure that information life cycle management (ILM) is built into your data protection strategy. While it is important to ensure that your data protection strategies mitigate the risk of a data breach, you need to consider sound ILM practices to promote the organization’s data protection strategies. Remember, the less you have, the less you have to protect.
- Govern – while it’s important to be able to evaluate and protect information, you also need to monitor, audit, and communicate the privacy framework. Develop a strategy and operational procedures that allow your organization to maintain a transparent and visibly sound program. And don’t forget to monitor regulatory changes that impact your organization. Develop ongoing processes that allow you to measure the privacy program’s effectiveness.
- Respond – traditionally privacy and security teams viewed their ability to respond as responding to a security event. Today that has changed – it’s much broader and requires the ability to respond to complaints, requests for information, corrections of inaccurate data, clarifications of privacy matters and access requests. When developing your response capabilities, take into consideration these items in addition to your ability to respond to a security event.
Holistic privacy program development is the wave of the future, especially in a competitive world where data is at the core of every business or organization. Establish a program that fits your organization to ensure that you remain ahead of the curve and out of the sight of regulators.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Summer 2018). Copyright © 2018 BDO USA, LLP. All rights reserved. www.bdo.com