Now that laws such as GDPR and CCPA are permanent fixtures on the global business landscape (with amendments to CCPA coming soon), and customers are highly aware of how their data is being used, most businesses have made data privacy an integral part of their standard procedures. Organizations have devoted extensive resources to developing and executing readiness plans and operationalizing the resulting changes. Yet even among those with a data privacy governance framework in place, one challenge remains: how to verify, month after month, that privacy policies and procedures are actually being followed.
Obviously, the data privacy officer (DPO) and the governance committee cannot continuously look over the shoulders of every employee handling personal information, nor can compliance be verified solely by scrutinizing internal databases. So, what is the solution?
When we work with clients on data privacy governance oversight, we help them implement a simple yet effective system that uses periodic surveys and results in a continuously updated, easy-to-understand data privacy dashboard. This tool helps the DPO and the governance committee monitor privacy practices among the lines of business (LOBs) that handle personal data and promptly follow up on developments that could jeopardize the business’s compliance status.
In this article, we’ll review our four-step process for building a monitoring system that allows organizations to keep a close eye on privacy practices without placing undue burdens on their lines of business.
1. Know your baselines
While it can be tempting to jump in and start creating surveys, it’s important to first understand what those surveys will assess. In other words, find out exactly how your LOBs are gathering and using data (making sure those practices are in line with applicable privacy laws), and use this information as a baseline to monitor for changes that could become data privacy compliance violations.
When we develop data privacy dashboard systems for clients, we begin by conducting interviews with each line of business that handles personal data — a process similar to what we do when we begin building an initial readiness plan or creating a Record of Processing Activities (ROPA).
During these interviews, we review their regular business processes to gain a thorough understanding of
• What — and whose — personal data they collect, and how they collect it
• How and why they use the personal data they collect
• Who within the line of business has access to it
• Whether they share it with other lines of business, and if so, with whom and for what purpose
• Whether they share it with or sell it to third parties, and if so, to whom and for what purpose, and whether those partners have been vetted for data privacy readiness
• What they do with personal data when they no longer need it
With these insights documented, we establish a baseline understanding for how each line of business handles personal information. We now have a foundation for developing and implementing a survey plan to monitor for departures from documented procedures that could turn into compliance issues.
2. Create a survey plan
Once we understand each LOB’s standard procedures that involve personal data, we can design surveys that will either affirm the status quo or highlight changes that merit investigation. We design a custom survey for each line of business, tailored to the standard procedures we documented during the interview process. Here’s an example of part of a survey, based on one we recently developed for a client:
This process can flag “secondary uses” of personal data: cases where an LOB uses personal data for a purpose other than the one disclosed in the privacy notice at the time of collection, which can compromise the organization’s compliance status. We also consider the cadence for sending out surveys — weekly, monthly, or quarterly. Ideally, each LOB’s cadence should correspond to its risk profile. Lines of business that are considered “high risk” include those that
• Collect/handle a high volume of personal data
• Handle highly sensitive personal data, such as Social Security numbers or health-related information
• Share a high volume of data with external partners
High-risk LOBs merit a more accelerated surveying cadence, while those with a lower risk profile may require less frequent monitoring.
3. Create a dashboard to track KPIs
The data privacy dashboard tracks the survey results to calculate KPIs and flag responses that merit investigation. Each organization’s dashboard will look slightly different, depending on what is being monitored. Here’s an example of an overview screen:
If a line of business reports in its most recent survey a change that could affect the organization’s compliance status, the LOB’s risk profile is updated automatically. The new profile is reflected on the Overview chart, and the details of the change appear as a risk factor under the Line of Business Risk tab.
As you can see, the viewer also has the option to drill down and view reports covering other areas, such as third-party risk levels.
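To make the mechanics of steps 1 through 3 concrete, here is an added illustration (not part of the original article and not the authors’ tool) of the logic such a dashboard runs behind the scenes: each LOB’s interview baseline is stored as a record, the latest survey response is diffed against it, every departure becomes a named risk factor, and the risk tier and survey cadence are recomputed. The thresholds, field names, LOB names and sample data are all assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumed thresholds for this toy model; a real deployment would tune these.
HIGH_VOLUME_RECORDS_PER_MONTH = 100_000
SENSITIVE_CATEGORIES = frozenset({"ssn", "health", "biometric", "financial_account"})
CADENCE_BY_TIER = {"high": "weekly", "medium": "monthly", "low": "quarterly"}
TIER_ORDER = ["low", "medium", "high"]


@dataclass(frozen=True)
class Baseline:
    """What an LOB told us in the step-1 interview (mirrors the ROPA fields)."""
    lob: str
    data_categories: frozenset[str]
    purposes: frozenset[str]              # purposes disclosed in the notice at collection
    internal_roles: frozenset[str]        # roles with access inside the LOB
    third_parties: frozenset[str]         # recipients the LOB shares with or sells to
    vetted_third_parties: frozenset[str]  # partners already reviewed for privacy readiness
    retention_days: int
    records_per_month: int


@dataclass(frozen=True)
class SurveyResponse:
    """What the LOB reported in its most recent periodic survey."""
    lob: str
    data_categories: frozenset[str]
    purposes: frozenset[str]
    internal_roles: frozenset[str]
    third_parties: frozenset[str]
    retention_days: int
    records_per_month: int


@dataclass
class Assessment:
    lob: str
    risk_factors: list[str]
    tier: str
    cadence: str


def find_deviations(base: Baseline, resp: SurveyResponse) -> list[str]:
    """Diff a survey against the baseline; each departure becomes a risk factor."""
    factors: list[str] = []
    for purpose in sorted(resp.purposes - base.purposes):
        factors.append(f"secondary use: '{purpose}' was not a purpose disclosed at collection")
    for cat in sorted(resp.data_categories - base.data_categories):
        kind = "sensitive " if cat in SENSITIVE_CATEGORIES else ""
        factors.append(f"new {kind}data category collected: '{cat}'")
    for party in sorted(resp.third_parties - base.third_parties):
        status = "vetted" if party in base.vetted_third_parties else "unvetted"
        factors.append(f"new {status} third-party recipient: '{party}'")
    for role in sorted(resp.internal_roles - base.internal_roles):
        factors.append(f"access widened to role: '{role}'")
    if resp.retention_days > base.retention_days:
        factors.append(f"retention extended from {base.retention_days} to {resp.retention_days} days")
    return factors


def inherent_tier(resp: SurveyResponse) -> str:
    """Tier from the article's three criteria: volume, sensitivity, external sharing."""
    hits = sum([
        resp.records_per_month >= HIGH_VOLUME_RECORDS_PER_MONTH,
        bool(resp.data_categories & SENSITIVE_CATEGORIES),
        bool(resp.third_parties),
    ])
    return "high" if hits >= 2 else "medium" if hits == 1 else "low"


def assess(base: Baseline, resp: SurveyResponse) -> Assessment:
    factors = find_deviations(base, resp)
    tier = inherent_tier(resp)
    # A secondary use or an unvetted recipient is treated as high risk outright;
    # any other deviation escalates the LOB one tier until the DPO clears it.
    if any(f.startswith("secondary use") or "unvetted" in f for f in factors):
        tier = "high"
    elif factors:
        tier = TIER_ORDER[min(TIER_ORDER.index(tier) + 1, len(TIER_ORDER) - 1)]
    return Assessment(resp.lob, factors, tier, CADENCE_BY_TIER[tier])


def build_dashboard(baselines: list[Baseline], responses: list[SurveyResponse]) -> dict[str, Assessment]:
    by_lob = {b.lob: b for b in baselines}
    return {r.lob: assess(by_lob[r.lob], r) for r in responses}


# Constructed sample data for the example; not drawn from any real engagement.
BASELINES = [
    Baseline("marketing", frozenset({"name", "email", "purchase_history"}),
             frozenset({"order_fulfilment", "newsletter"}), frozenset({"campaign_manager"}),
             frozenset({"mailer_co"}), frozenset({"mailer_co", "analytics_co"}), 365, 50_000),
    Baseline("hr", frozenset({"name", "ssn", "health"}), frozenset({"payroll", "benefits"}),
             frozenset({"hr_admin"}), frozenset({"payroll_co"}), frozenset({"payroll_co"}), 2_555, 1_200),
    Baseline("facilities", frozenset({"name", "badge_id"}), frozenset({"building_access"}),
             frozenset({"security_desk"}), frozenset(), frozenset(), 90, 800),
]
LATEST_SURVEYS = [
    # Marketing started ad targeting and added an ad-tech recipient nobody vetted.
    SurveyResponse("marketing", frozenset({"name", "email", "purchase_history"}),
                   frozenset({"order_fulfilment", "newsletter", "ad_targeting"}),
                   frozenset({"campaign_manager"}), frozenset({"mailer_co", "adtech_co"}), 365, 50_000),
    # HR reports no change; it stays high risk on sensitivity and external sharing alone.
    SurveyResponse("hr", frozenset({"name", "ssn", "health"}), frozenset({"payroll", "benefits"}),
                   frozenset({"hr_admin"}), frozenset({"payroll_co"}), 2_555, 1_200),
    # Facilities quietly doubled its retention period.
    SurveyResponse("facilities", frozenset({"name", "badge_id"}), frozenset({"building_access"}),
                   frozenset({"security_desk"}), frozenset(), 180, 800),
]

if __name__ == "__main__":
    for lob, a in build_dashboard(BASELINES, LATEST_SURVEYS).items():
        print(f"{lob:<11} tier={a.tier:<6} cadence={a.cadence:<9} factors={a.risk_factors}")
```

Running it puts marketing at high risk on a weekly cadence (secondary use plus an unvetted recipient), leaves HR at high risk with no new factors, and bumps facilities from low to medium because of the retention change. The point is that the survey only needs to ask the same questions the interview asked; the diff against the baseline is what surfaces the compliance-relevant drift.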
To view the 4th step, read the full article: https://www.logic2020.com/insight/data-privacy-dashboards-analytics-guide-governance?utm_source=medium&utm_medium=social&utm_campaign=insights_2021_04_01