The 4-step guide to data privacy

GDPR, CCPA, and other data privacy laws are changing the way companies must approach the personal data they gather, store, process, and disclose. And it’s not just legislation that has businesses concerned. Consumers are more keenly aware than ever of how companies are using their personal data, and potential business partners are reviewing data privacy practices as part of their due diligence measures.

Most businesses are well informed on the “what” of data privacy legislation — what the laws require, which organizations they affect, how they define personal data, etc. — but many are still wondering how to prepare their organizations on a practical level.

We recently presented Data Privacy: The “How” Behind the “What” as part of BrightTALK’s Data Privacy Day Summit. Among the takeaways is a four-step guide to aligning your systems and business processes with data privacy requirements:

Step 1: Analyze

As in any large-scale IT project, you need to start with your “as is” — where you stand today. You’ll spend most of your time in this first step, where you analyze the most critical piece of your data privacy readiness plan: your data. Involve both IT and lines of business to help you determine what data you have, what you’re doing with it, where it’s located, who can access it, and your business reasons for having it.

Quality In, Quality Out

A good rule to remember in your data privacy readiness plan is “quality in, quality out.” By being diligent in the input phase and capturing good information from a variety of sources, you can gain a thorough understanding of your data — what you have, where it’s located, who has access to it, how and where it flows, etc. — which will lay the groundwork for an effective readiness program. Once you understand your data architecture and processes, you can identify gaps between your current practices and the requirements that apply to you, and from there, you can build a plan for bridging the gaps.

Background Research

This is the “homework” part of this phase that will prepare you for your interviews with business users and IT teams (more on those below). A good first step is leveraging the resources you have already created or implemented:

Interviews with Business and IT Teams

This is where you start to get a clear picture of how your organization uses personal data as part of your standard operations. Schedule face-to-face interviews whenever possible, and when speaking with business users, steer clear of technical questions and ask them about what they do on a day-to-day basis. Listen closely to their responses, and keep asking questions until you get the insights you need.

Keep in mind that you may not get all the information you need in the first interview, and be prepared to schedule as many follow-ups as needed.

The results of these interviews, combined with the background research you’ve already done, will help you understand the systems and business processes that involve personal data, and you’ll have what you need to move forward with a successful readiness program.

Step 2: Plan

Once you understand your data, you can build a strategy for what you need to accomplish. Identify the gaps between your current state and what the applicable data privacy laws require, and map out the measures you need to take to fill those gaps.

Step 3: Implement

This step is where you implement the changes outlined in your plan, which may include

Step 4: Govern and Train

It can be tempting to call your project “done” after you complete the implementation step, but your work has actually just begun. Your business needs and technology are always changing, and you need a governance plan for watching over your data privacy practices so compliance can be an ongoing effort.

Conduct training at all levels of your organization — not everyone has to have a detailed understanding of data privacy law requirements, but at a minimum they should understand when they need to ask a question or raise a flag. Remember to build in regular re-assessments of your data systems and processes, so you can identify and address any triggers that could affect your compliance status. And consider gamification to reinforce your training and to keep a data privacy mindset top-of-mind at all levels of your organization.

Need a better understanding of your data? See how Logic20/20 can help: