GDPR, CCPA, and other data privacy laws are changing the way companies must approach the personal data they gather, store, process, and disclose. And it’s not just legislation that has businesses concerned. Consumers are more keenly aware than ever of how companies are using their personal data, and potential business partners are reviewing data privacy practices as part of their due diligence measures.
Most businesses are well informed on the “what” of data privacy legislation — what the laws require, which organizations they affect, how they define personal data, etc. — but many are still wondering how to prepare their organizations on a practical level.
We recently presented Data Privacy: The “How” Behind the “What” as part of BrightTALK’s Data Privacy Day Summit. Among the takeaways is a four-step guide to aligning your systems and business processes with data privacy requirements:
Step 1: Analyze
As in any large-scale IT project, you need to start with your “as is” — where you stand today. You’ll spend most of your time in this first step, where you analyze the most critical piece of your data privacy readiness plan: your data. Involve both IT and lines of business to help you determine what data you have, what you’re doing with it, where it’s located, who can access it, and your business reasons for having it.
Quality In, Quality Out
A good rule to remember in your data privacy readiness plan is “quality in, quality out.” By being diligent in the input phase and capturing good information from a variety of sources, you can gain a thorough understanding of your data — what you have, where it’s located, who has access to it, how and where it flows, etc. — which will lay the groundwork for an effective readiness program. Once you understand your data architecture and processes, you can identify gaps between your current practices and the requirements that apply to you, and from there, you can build a plan for bridging the gaps.
This is the “homework” part of this phase that will prepare you for your interviews with business users and IT teams (more on those below). A good first step is leveraging the resources you have already created or implemented:
- Survey Results: Some organizations make the mistake of thinking a survey is all you need in the input phase. While surveys won’t give you all the answers, they can provide valuable information when combined with other input elements, especially your interviews.
- IT System Documents: Chances are you have some kind of documentation of your organization’s IT system. Even if it’s a couple of years out of date, it can offer some valuable insights about how you handle personal data.
- Data Discovery Tool: There are tools on the market that can automatically track down data across your organization; however, not all are equally effective, and not all organizations can afford them. While these tools can be extremely helpful for midsize-to-larger businesses, smaller organizations may not need them due to their smaller number of systems.
Interviews with Business and IT Teams
This is where you start to get a clear picture of how your organization uses personal data as part of your standard operations. Schedule face-to-face interviews whenever possible, and when speaking with business users, steer clear of technical questions and ask them about what they do on a day-to-day basis. Listen closely to their responses, and keep asking questions until you get the insights you need.
Keep in mind that you may not get all the information you need in the first interview, and be prepared to schedule as many follow-ups as needed.
The results of these interviews, combined with the background research you’ve already done, will help you understand the systems and business processes that involve personal data, and you’ll have what you need to move forward with a successful readiness program.
Step 2: Plan
Once you understand your data, you can build a strategy for what you need to accomplish. Identify the gaps between your current state and what the applicable data privacy laws require, and map out the measures you need to take to fill those gaps.
Step 3: Implement
This step is where you implement the changes outlined in your plan, which may include
- Updating existing policies and third-party contracts
- Writing new policies
- Implementing system changes such as access control, consent management, and other security measures, as well as the capabilities needed to honor data subjects’ rights (halting processing for those who opt out, erasing a person’s data without “orphaning” other records that reference it, such as order history, etc.)
- Creating procedures for required actions, such as responding to a data subject’s request to access or erase her data, after verifying that the data subject is who she says she is, so that you don’t hand personal data to an impostor or contribute to identity theft
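The erasure and opt-out points above are easier to see in code. The following is an added example, not part of the original article or of Logic20/20’s tooling: a constructed SQLite schema with a `customers` table and an `orders` table that references it, a hard-delete routine that shows why erasure by `DELETE` breaks (or, with foreign keys unenforced, orphans the orders), an erasure routine that pseudonymizes the identifying columns while keeping the key so the orders still resolve, and an opt-out flag that every downstream marketing query must honor. Table names, columns, timestamps and sample rows are all assumptions made for illustration.

```python
"""Added example (not from the original article): GDPR/CCPA-style erasure that
keeps referential integrity, plus an opt-out flag that halts marketing
processing. The schema, table names and sample rows are constructed for
illustration only."""
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    id                INTEGER PRIMARY KEY,
    email             TEXT NOT NULL,
    full_name         TEXT NOT NULL,
    phone             TEXT,
    marketing_opt_out INTEGER NOT NULL DEFAULT 0,
    erased_at         TEXT
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    total_cents INTEGER NOT NULL,
    created_at  TEXT NOT NULL
);
"""

# Constructed sample data (not real people).
CUSTOMERS = [
    (1, "ada@example.com", "Ada Lovelace", "+44 20 7946 0000"),
    (2, "alan@example.com", "Alan Turing", None),
]
ORDERS = [
    (10, 1, 4999, "2023-01-05"),
    (11, 1, 1250, "2023-02-11"),
    (12, 2, 899, "2023-03-01"),
]


def open_db():
    """In-memory database with foreign-key enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO customers(id, email, full_name, phone) VALUES (?, ?, ?, ?)", CUSTOMERS
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def naive_delete(conn, customer_id):
    """The 'before': a hard delete of the parent row. With FK enforcement on this
    is rejected; with it off, the orders would be left pointing at a customer
    that no longer exists (orphaned records). Returns True only on success."""
    try:
        conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def erase_data_subject(conn, customer_id, now="2024-06-01T12:00:00Z"):
    """Erasure that preserves integrity: overwrite every identifying column with
    a placeholder derived from the key (not from the personal data), keep the
    primary key so child rows still resolve, set opt-out, and record when the
    erasure happened. Returns the number of order rows retained."""
    token = hashlib.sha256(f"erased:{customer_id}".encode()).hexdigest()[:16]
    cur = conn.execute(
        """UPDATE customers
           SET email = ?, full_name = 'ERASED', phone = NULL,
               marketing_opt_out = 1, erased_at = ?
           WHERE id = ? AND erased_at IS NULL""",
        (f"erased-{token}@invalid", now, customer_id),
    )
    if cur.rowcount != 1:  # unknown id, or already erased: do not silently succeed
        conn.rollback()
        raise LookupError(f"no active data subject with id {customer_id}")
    conn.commit()
    return conn.execute(
        "SELECT COUNT(*) FROM orders WHERE customer_id = ?", (customer_id,)
    ).fetchone()[0]


def halt_processing(conn, customer_id):
    """Opt-out: stop further marketing processing without altering the record."""
    conn.execute("UPDATE customers SET marketing_opt_out = 1 WHERE id = ?", (customer_id,))
    conn.commit()


def marketing_recipients(conn):
    """Every downstream job must filter on both the opt-out flag and erasure."""
    rows = conn.execute(
        "SELECT email FROM customers WHERE marketing_opt_out = 0 AND erased_at IS NULL ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def orphaned_orders(conn):
    """Orders whose customer row is missing; a correct erasure keeps this at zero."""
    return conn.execute(
        "SELECT COUNT(*) FROM orders o LEFT JOIN customers c ON c.id = o.customer_id "
        "WHERE c.id IS NULL"
    ).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("naive delete succeeded:", naive_delete(db, 1))
    print("orders retained after erasure:", erase_data_subject(db, 1))
    print("orphaned orders:", orphaned_orders(db))
    halt_processing(db, 2)
    print("marketing recipients:", marketing_recipients(db))
```

Two design choices worth noting: the erasure is a single `UPDATE` guarded by `erased_at IS NULL`, so a repeated or mistyped request fails loudly instead of reporting success, and the placeholder email is derived from the row key rather than from the old address, so nothing about the person survives in the stub. Whether a pseudonymized stub satisfies a given law’s erasure requirement is a legal question for your counsel; the code only shows how to avoid breaking the records you are still entitled to keep.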
Step 4: Govern and Train
It can be tempting to call your project “done” after you complete the implementation step, but your work has actually just begun. Your business needs and technology are always changing, and you need a governance plan for watching over your data privacy practices so compliance can be an ongoing effort.
Conduct training at all levels of your organization — not everyone has to have a detailed understanding of data privacy law requirements, but at a minimum they should understand when they need to ask a question or raise a flag. Remember to build in regular re-assessments of your data systems and processes, so you can identify and address any triggers that could affect your compliance status. And consider gamification to reinforce your training and to keep a data privacy mindset top-of-mind at all levels of your organization.
Need a better understanding of your data? See how Logic20/20 can help: https://www.logic2020.com/data-privacy