The 4-step guide to data privacy

GDPR, CCPA, and other data privacy laws are changing the way companies must approach the personal data they gather, store, process, and disclose. And it’s not just legislation that has businesses concerned. Consumers are more keenly aware than ever of how companies are using their personal data, and potential business partners are reviewing data privacy practices as part of their due diligence measures.

Most businesses are well informed on the “what” of data privacy legislation — what the laws require, which organizations they affect, how they define personal data, etc. — but many are still wondering how to prepare their organizations on a practical level.

We recently presented Data Privacy: The “How” Behind the “What” as part of BrightTALK’s Data Privacy Day Summit. Among the takeaways is a four-step guide to aligning your systems and business processes with data privacy requirements:

Step 1: Analyze

Quality In, Quality Out

Background Research

  • Survey Results: Some organizations make the mistake of thinking a survey is all you need in the input phase. While surveys won’t give you all the answers, they can provide valuable information when combined with other input elements, especially your interviews.
  • IT System Documents: Chances are you have some kind of documentation of your organization’s IT system. Even if it’s a couple of years out of date, it can offer some valuable insights about how you handle personal data.
  • Data Discovery Tool: There are tools on the market that can automatically track down data across your organization; however, not all are equally effective, and not all organizations can afford them. While these tools can be extremely helpful for midsize-to-larger businesses, smaller organizations may not need them due to their smaller number of systems.

Interviews with Business and IT Teams

Keep in mind that you may not get all the information you need in the first interview, and be prepared to schedule as many follow-ups as needed.

The results of these interviews, combined with the background research you’ve already done, will help you understand the systems and business processes that involve personal data, and you’ll have what you need to move forward with a successful readiness program.

Step 2: Plan

Step 3: Implement

  • Updating existing policies and third-party contracts
  • Writing new policies
  • Implementing system changes such as access control, consent management, and other security measures, as well as capabilities to accommodate data subjects’ rights (halt data processing for those who opt out, delete data without “orphaning” other records, etc.)
  • Creating procedures for required actions, such as accommodating a data subject’s request to access or erase her data, after verifying that the data subject is who she says she is so you don’t accidentally contribute to identity theft
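The two system capabilities above (halting processing for opt-outs, and erasing a subject's data without orphaning records that reference her) are where implementation teams most often trip up, so here is a small worked example. It is added here and is not code from the original post or from Logic20/20; the schema, sample rows and function names are constructed for illustration. It shows that a naive row delete either fails (with foreign-key enforcement on) or orphans the dependent records (with it off), whereas scrubbing the personal data in place keeps every order's reference valid, and that the erasure path only runs after the caller asserts identity verification.

```python
import sqlite3

# Constructed schema for the example: a subject table plus dependent orders.
SCHEMA = """
CREATE TABLE data_subjects (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    email     TEXT NOT NULL,
    opted_out INTEGER NOT NULL DEFAULT 0,  -- 1 = halt non-essential processing
    erased    INTEGER NOT NULL DEFAULT 0   -- 1 = personal data scrubbed after erasure
);
CREATE TABLE orders (
    id           INTEGER PRIMARY KEY,
    subject_id   INTEGER NOT NULL REFERENCES data_subjects(id),
    amount_cents INTEGER NOT NULL
);
"""

# Constructed sample data (not real people).
SAMPLE_SUBJECTS = [
    (1, "Ada Example", "ada@example.com", 0),
    (2, "Bo Example", "bo@example.com", 1),   # already opted out
    (3, "Cy Example", "cy@example.com", 0),
]
SAMPLE_ORDERS = [(10, 1, 1999), (11, 1, 500), (12, 2, 250)]


def build_db():
    """Create an in-memory database with foreign keys enforced and load the samples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # must be set outside a transaction
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO data_subjects (id, name, email, opted_out) VALUES (?, ?, ?, ?)",
        SAMPLE_SUBJECTS,
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def marketing_recipients(conn):
    """Subjects eligible for non-essential processing: neither opted out nor erased."""
    rows = conn.execute(
        "SELECT id FROM data_subjects WHERE opted_out = 0 AND erased = 0 ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def naive_delete(conn, subject_id):
    """The 'just delete the row' approach. With foreign keys enforced it fails while
    orders still reference the subject; with enforcement off it would orphan them.
    Returns True if the delete went through, False if the constraint blocked it."""
    try:
        conn.execute("DELETE FROM data_subjects WHERE id = ?", (subject_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def erase_subject(conn, subject_id, identity_verified):
    """Honour an erasure request only after the requester's identity has been verified
    (verification itself is out of scope here and is passed in as a flag).
    Personal data is overwritten in place rather than deleted, so dependent records keep
    a valid reference; the subject is also opted out so no further processing happens.
    Returns the number of dependent orders retained, or None if nothing was erased."""
    if not identity_verified:
        return None
    cur = conn.execute(
        "UPDATE data_subjects "
        "SET name = 'ERASED', email = 'erased-' || id || '@invalid', erased = 1, opted_out = 1 "
        "WHERE id = ? AND erased = 0",
        (subject_id,),
    )
    conn.commit()
    if cur.rowcount == 0:  # unknown subject or already erased
        return None
    return conn.execute(
        "SELECT COUNT(*) FROM orders WHERE subject_id = ?", (subject_id,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("eligible before:", marketing_recipients(db))      # [1, 3]
    print("naive delete succeeded:", naive_delete(db, 1))    # False
    print("orders kept after erasure:", erase_subject(db, 1, identity_verified=True))  # 2
    print("eligible after:", marketing_recipients(db))       # [3]
```

The in-place scrub is one common pattern; whether you overwrite, pseudonymize, or move records to a restricted store depends on your retention obligations for the dependent data (for example, financial records you must keep), which is exactly the kind of question the Step 1 interviews should surface.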

Step 4: Govern and Train

Conduct training at all levels of your organization — not everyone has to have a detailed understanding of data privacy law requirements, but at a minimum they should understand when they need to ask a question or raise a flag. Remember to build in regular re-assessments of your data systems and processes, so you can identify and address any triggers that could affect your compliance status. And consider gamification to reinforce your training and to keep a data privacy mindset top-of-mind at all levels of your organization.

Need a better understanding of your data? See how Logic20/20 can help:
