A survey of privacy managers at an Open Compliance and Ethics Group (OCEG) event in January revealed that more than two-thirds are seeing moderate to material increases in external scrutiny – with almost half reporting material increases.
The survey also uncovered the top four privacy concerns of these managers. The four areas are outlined below; each can be addressed through the implementation and maintenance of a comprehensive privacy program that lays the groundwork for a coherent strategy to accomplish long-term enterprise privacy goals.
Area One: Assessing privacy program performance
Seventy-six percent of survey respondents identified assessing privacy program performance as an urgent problem, making it the most significant challenge faced by privacy managers today. Since most privacy programs are still new and unproven, it is not surprising that assessing performance is an issue. With external scrutiny clearly increasing, it is more imperative than ever to be able to measure program performance against a set of appropriate standards.
Often the weakest links in performance measurement are suppliers and other business partners. An indemnification clause in a contract with these partners does not by itself provide adequate protection in the event of a breach, and such a clause certainly does nothing to actually prevent a breach. Privacy managers must therefore give themselves and external auditors true visibility into the performance of third parties wherever necessary.
So how do they accomplish this task? The key to measuring a privacy program’s performance is for privacy managers to integrate the following controls and features into their current program:
· A baseline risk framework based on Generally Accepted Privacy Principles (GAPP)
· Clear documentation of policies and control procedures
· Practical, easy-to-use assessment templates and distribution tools
· Easy extensibility to support auditing of contractors and vendors
· Flexible reporting
· Best practices templates for remediating discovered issues
When these elements are in place, the program’s effectiveness can be measured and readily reviewed by outside auditors.
Area Two: Assessing policy design
Sixty-eight percent of respondents identified assessing policy design as the next most urgent problem. In fact, most privacy managers are not certain that their procedures and controls are as well-designed as they should and could be.
The privacy failures that result in embarrassing headlines, loss of customer confidence and regulatory intervention aren’t always the result of negligence. Companies that suffer the consequences of privacy breaches typically have some sort of policies and procedures in place. The issue is that these policies and procedures were not sufficient and their inadequacy was ultimately only revealed by a material breach.
To protect themselves from such breaches, organizations need to assess the adequacy of their existing policies and identify any issues requiring remediation. They have to be able to create a well-structured inventory of those policies and compare them to established best practices. They must then be able to determine where their operational idiosyncrasies leave them particularly vulnerable or require them to implement specific types of policies. Organizations also have to be able to see where their policies are already sufficiently strong, so time and resources aren’t spent where they are not needed.
To properly and effectively assess the design of a corporate privacy program, companies should implement the following:
· A baseline risk framework based on Generally Accepted Privacy Principles (GAPP)
· Best practices templates for evaluating controls and collecting documentation
· Best practices templates for evaluating the impact of new laws or changes in the business
· Best practices templates for remediating inadequate controls
· Reporting tools that highlight shortfalls in the design of policies and controls
The net benefit of these features is that privacy managers can design more effective policies and procedures and, in turn, give corporate executives greater confidence that the interests of all stakeholders are being adequately protected.
Area Three: Mapping of privacy requirements to privacy policies
Sixty-two percent of respondents identified the mapping of privacy requirements to privacy policies as a material problem because it’s not always easy to track the implications that changes in laws, standards and best practices have on enterprise privacy policies and processes.
As new corporate and regulatory requirements emerge, and as active requirements change over time (and it’s only a matter of time), it can be very difficult for privacy managers to map those requirements to specific policies and people. It is therefore important to know how new requirements affect procedures, training requirements and audit documents. Managers must also know whether new requirements are already covered by existing privacy policies or whether specific additional steps have to be taken to ensure compliance.
This mapping challenge is often exacerbated by the fact that external requirements often don’t align with internal structures. For example, a state may issue specific mandates but the enterprise ERP system may not segment users by state. Nonetheless, organizations must map those state-mandated requirements to a set of state-specific privacy controls.
The following features enable organizations to accurately map privacy requirements to both enterprise privacy policies and the groups of affected users:
· Practical definitions of organizational structure, user groups and other relevant data
· Cross-indexing of requirements, policies, procedures and user groups
· Workflow templates for determining which current policies are affected by changes in mandates and standards
· Full leveraging of data from ERP, HR and other enterprise systems
These controls allow organizations to better ensure that their privacy policies and processes fulfill the requirements of all relevant regulations and mandates.
Area Four: Communicating procedures
Fifty-six percent of respondents identified communicating procedures as a material problem for their organizations because the effectiveness of any set of privacy policies is largely constrained by the behavior of the least aware or most poorly trained individual in the privacy chain.
Privacy policies and procedures don’t do much good if people don’t know about them or fully understand them. Each person in the privacy chain – including employees, contractors and vendors – needs to know what they should and shouldn’t do, based on factors such as the type of information they have access to and the ways in which they use that information. This privacy knowledge can become complex, since people handle various types of information that are subject to different corporate and regulatory requirements. The knowledge people need also changes over time as their roles change and as new requirements emerge, which, as noted above, is inevitable.
A critical component of any effective privacy initiative is therefore the initial and ongoing role-appropriate education of individuals across and beyond the enterprise. Organizations must ensure that they clearly communicate relevant policies and procedures to everyone who can potentially compromise sensitive information. They also need to be able to prove that this knowledge was in fact delivered and that each person receiving the knowledge can confirm their understanding of the information.
The privacy program features below allow organizations to optimize the effectiveness with which they communicate policies and procedures to individuals and groups across and beyond the enterprise:
· Training management that eases the creation, review, updating, assignment and distribution of all courseware, frequently asked questions and written policies
· Role-based user management that simplifies the targeting of individuals and groups of individuals for specific policies, procedures and training
· Automated, rules-based distribution of training, policy attestations, surveys and other deliverables to users and groups of users based on one-time, recurring and contingent requirements
· Integration with HR applications, identity and access management systems and other enterprise resources as required to ease administration and ensure ongoing alignment with changing roles and relationships
· Robust reporting tools that enable privacy managers to confirm completion of requirements, discover exceptions, and eliminate inefficiencies
The net benefit of these features and others is that all process participants understand their responsibilities and that their acknowledgement of that understanding can be appropriately documented.
By incorporating these privacy program features and controls, organizations of every size can fully inventory the information they are collecting from customers, partners, employees, job applicants and others. They can gain full visibility into who has access to the information – internally and externally – and how that information is being used. By equipping corporate privacy managers with this accurate, up-to-date knowledge, a comprehensive privacy program empowers them to successfully and efficiently achieve critical objectives across the enterprise. With privacy pressures mounting every day, a defensible and accountable privacy program is nothing short of indispensable.
Ted Frank is president, co-founder and director of Axentis.