High-profile privacy incidents across both public and private sectors, such as recent breaches at Google, Epsilon and Sony and a continuous stream of health information privacy breaches in Canada and the United States, are increasing public awareness and concern regarding how organizations handle personal information. In response, regulators in many jurisdictions and industries have introduced new privacy compliance and breach reporting requirements and increased enforcement efforts and penalties for non-compliance. For example, a 2011 Federal Trade Commission (FTC) Consent Order against Google requires the company to implement a comprehensive privacy program and calls for regular, independent privacy audits for the next 20 years, and the United States Department of Health and Human Services’ Office for Civil Rights (OCR) announced recently that it has appointed KPMG to conduct up to 150 HIPAA audits by the end of 2012.
These trends should alert privacy officers everywhere that proactive privacy risk management is what’s needed to avoid large-scale privacy breaches, negative audit reports and increased enforcement actions that impact the organization’s reputation, brand and its bottom line. A Privacy Gap Analysis is an essential risk management tool that can prepare your organization to meet these challenges in a planned and proactive manner. This article explores the benefits of conducting one and overviews the key steps involved.
What is a Privacy Gap Analysis (PGA)?
A PGA is a risk-based approach that is used to determine the condition of privacy practices across the organization in relation to legislation and best-practice standards. A PGA identifies and assesses privacy risks and outlines required improvements to personal information (PI) management practices.
A PGA normally consists of:
- identifying the nature of PI collected, used, disclosed and maintained across an organization or business unit;
- reviewing PI handling practices, including how information is collected, used and disclosed and for what purposes, as well as practices for retaining, disposing of and protecting PI;
- identifying gaps and risks by comparing current practices to specific criteria (including legislative requirements and/or best-practice frameworks); and
- determining risk-mitigation strategies.
Why Conduct a Privacy Gap Analysis?
There are several compelling reasons to conduct a PGA. Privacy leaders should consider each of these and how they apply to their own organizations when preparing to secure support from senior decision makers to move forward with a PGA project.
The benefits of conducting a PGA include:
- Systematically identifies and assesses risks so that effective corrective actions can be implemented before risks are realized in the form of privacy breaches, enforcement actions, etc.
- Provides a baseline assessment of current information practices and risks needed to guide the development of a comprehensive privacy program (new privacy officers and/or organizations new to privacy compliance will benefit). Risks are ranked and prioritized, ensuring that limited resources are focused on higher risk programs, processes and systems.
- Assesses organizational readiness for the introduction of new legislation so that policies, procedures, training, etc. can be developed or modified accordingly.
- Demonstrates accountability to senior executives and the board of directors who must understand the state of compliance with laws and regulations as part of ongoing governance and risk-management duties. The PGA reports on the status of the organization’s compliance with privacy legislation and outlines the initiatives to be undertaken to manage identified risks.
- Demonstrates accountability and fosters confidence with external stakeholders such as regulators, commissioners, data protection authorities and business partners, reducing the probability of strong enforcement actions or negative audit outcomes.
- Prepares the organization for an external review or audit, such as a HIPAA audit, by identifying gaps and risks and developing and/or implementing a plan to mitigate them before the audit occurs.
- A PGA is not an audit or a Privacy Impact Assessment (PIA). If designed properly, the PGA process can be completed primarily with internal resources, keeping costs in line and increasing accountability and ownership for privacy risk management among the managers and business partners who are engaged in the process.
What are the Main Steps in Conducting a PGA?
Generally, a PGA can be conducted in three phases, which are outlined below.
PHASE 1 – PLANNING AND INITIATION
Conduct initial planning activities:
- Define project objectives and deliverables clearly.
- Secure necessary resources. Identify existing resources to be used (including privacy office staff and line management) and whether specific external expertise will be needed. If possible, consider engaging an external privacy expert to oversee the project and deliver a final report to lend objectivity and additional credibility to the process. Hold business leads accountable for gathering necessary data and implementing recommendations arising from the gap analysis to increase business ownership and engagement.
- Obtain senior executives’ and/or board of directors’ full commitment, and clearly define the required participation from this group.
Design tools and templates:
- Design the template to be used to gather the facts needed to complete the PGA for each program area. You may be able to start with an existing template or questionnaire that has been developed for your industry, but it will need to be tailored to incorporate the legislative and best-practice frameworks that apply and the specific objectives you have identified. Templates should be submittable electronically for ease of compilation and analysis of the information.
- The template should be designed to gather:
  - an inventory of PI collected, used, disclosed and maintained;
  - PI data flows, including methods for collecting, using and disclosing PI, key users and data storage locations;
  - responses to questions designed to assess compliance with specific legislation and best-practice frameworks such as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data or Generally Accepted Privacy Principles (GAPP).
- Determine how you will identify and rank individual risks based on template responses (multiple choice questions work best). Use risk assessment tools that already exist in your organization, if possible, or design a privacy risk assessment methodology if no tools exist.
- Consider implementing a scoring methodology to enable a relative risk ranking of each program.
Define project scope:
- Create or obtain an inventory of all programs, services and processes and the related information systems or databases using information from organization charts, business plans, records taxonomies and similar documents.
- Using this initial list, work with business owners to identify those programs, services and processes that collect, use, disclose or maintain PI, and the related information systems or databases that store or process it.
- Consider how you will engage agents and third-party service providers in the PGA process.
Initiate the project:
- Communicate project objectives and engage business leaders in the process.
- Identify one individual to lead the completion of a PGA template for each program area.
- Hold a kickoff meeting to introduce the tools and process to the program leads who will be accountable for completing the PGA templates.
- Distribute templates to program leads.
PHASE 2 – INFORMATION GATHERING
- Interview executives to determine their views on significant sources of privacy risk and suggested areas of focus. Use interview results to inform the PGA process, ensuring areas of concern are addressed.
- Review privacy and security policies, procedures and notices, and conduct interviews with the chief privacy officer and chief information security officer to obtain an understanding of existing program elements.
- Obtain and review completed templates. Meet with program leads to validate facts, gathering any additional information needed to finalize the templates.
PHASE 3 – RISK ANALYSIS AND REPORTING
- Using template responses for each program, identify individual risks and gaps, documenting them in risk tables.
- Assess risks using the chosen risk assessment methodology.
- Identify actions needed to mitigate each identified risk.
- Summarize findings and recommendations in one or more final reports that can be presented to stakeholders.
A Privacy Gap Analysis provides a solid foundation from which to build or strengthen a comprehensive privacy program and demonstrate compliance to stakeholders. It should be viewed by management and the board as an important investment in protecting the organization’s brand and building a culture of privacy within the organization. After reviewing this article, privacy officers should be better equipped to articulate the benefits of conducting a Privacy Gap Analysis in their organizations.