A successful privacy program is a complex undertaking. The privacy team needs to stay abreast of regulatory and statutory changes, watch for potential threats from both external and internal sources, assure compliance in existing or emerging business practices, respond to stakeholder inquiries, and provide privacy leadership to their organization, to name just a few of their myriad responsibilities. With this many balls to keep in the air, how can you quickly explain the key attributes of a successful program?
This is the third and final article in a series for The Privacy Advisor suggesting there are three “A”s that answer this question: Alignment, accountability and adaptability. This article focuses on accountability and adaptability.
Your organization must meet your obligations and commitments to protect personal information. Regulators, law enforcement, customers, employees, and investors all are part of the population that will hold your organization accountable. Ensuring these obligations and commitments are met is a responsibility that falls to the privacy team.
In the previous article in this series we discussed ensuring areas outside of the privacy office are aware of their responsibilities for protecting personal information through an alignment process. The next step is to hold these areas accountable for meeting their responsibilities.
Compliance assessments
One part of accountability is to test compliance with the organization’s policies and procedures. Quizzes, as part of a training and awareness program, often provide a mechanism to verify that employees know what they need to do, but this is just a start.
For electronic information, technology can play a part in assuring compliance: Data Loss Prevention systems can hinder or prevent the inappropriate transmission of personal information; eDiscovery tools may be used to find personal information that is stored on devices that are not properly secured; and limiting access to websites that may facilitate data loss, such as personal email and personal cloud services, will also reduce information loss.
However, the users of our computing systems are people. People may not fully understand privacy requirements, people make mistakes, or there may be someone who is intentionally misusing personal information.
A user, for example, may find that an application is inefficient or slow. The user may find a shortcut to improve the situation. This shortcut may violate privacy policy. For example, a financial services client I work with scans all customer documentation so it may be stored electronically. The original document is then shredded. When an agent is working with a customer, the agent must go, often repeatedly, to the electronic version to view any documents of interest.
Some of the agents discovered that they could speed up the process by saving documents they were viewing to their desktop or laptop. Access to the document was much faster, but the device was not properly secured from a privacy perspective. While an eDiscovery tool could have uncovered this practice, my client did not have one implemented, so the practice went unnoticed.
We uncovered the practice during an annual assessment. By having conversations with members of various departments about how they do their jobs, we were able to easily discover this practice and provide an inexpensive solution to the client.
A periodic privacy assessment of departments that handle personal information on a routine basis can assist in determining compliance. The focus of this type of assessment is to affirm that privacy policies and procedures are being met while uncovering behaviors that might place organizational compliance at risk.
When an assessment is performed, it should result in a document stating what areas were reviewed, what criteria were used for the assessment (policies, laws, regulations, etc.), an overview of the operations reviewed, and any gaps identified, with an indication of risk to the organization and a proposed path to remediation.
Attestation
As discussed in the previous article, while the privacy team is held accountable for protecting personal information, they must rely on other departments to execute many activities that protect that information. The departments to whom these activities have been delegated must, therefore, be held accountable for completing their assigned responsibilities.
For example, organizations generally rely on their IT department to perform backups. The privacy office needs to convey to IT the business/operational requirements to properly protect personal information when backups are performed. IT must execute against these delegated requirements, and the privacy office must ensure the requirements are being met.
While a privacy assessment or an audit of a department can certainly review compliance, a more efficient approach exists.
In the previous article, a process was discussed that would achieve alignment between the privacy office and operational areas of an organization. An artifact of this effort documents the understanding of what activities have been delegated to the operational area with the privacy office’s expectations.
This document can be used as a foundation for a self-assessment vehicle, constructed by the privacy office, to be used by the operational areas. For each delegated activity, a question may be asked to confirm all requirements are met. Evidence for compliance may also be requested. This approach allows the operational areas to attest, with evidence, that they are meeting the privacy responsibilities.
Continuing the backup example, an IT organization was given the responsibility by the privacy office to ensure that computing equipment located in the EU is backed up only to EU locations. Clearly this approach was being used to minimize the risk of inadvertent data exports.
The question asked in the self-assessment read “During the past three months, have the locations for backups of EU-based computing equipment been verified to reside within the EU?” When the assessment was implemented, the responder was sure that the locations had been verified, but not necessarily within the last quarter, so they did a quick review. The review uncovered that a server holding backups in one location had failed, so the backups had been redirected to the U.S.
This problem was quickly resolved by having the backup location moved to another EU location, transferring the backups in the U.S. to that new location, and destroying the data held in the U.S.
The initial question identified an easy action to accomplish: a verification of location. This easy activity uncovered a situation that met neither regulatory nor policy expectations, which compelled a resolution to be implemented.
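The self-assessment question above asked IT to verify, with evidence, that EU equipment is backed up only to EU locations. The following is an added example, not code from the article or its author, of how an operational area could produce that evidence from its own backup inventory rather than from memory. The job records, host names and the list of countries treated as EU locations are all constructed for illustration; a real control would read the inventory from the backup system and use the organization's approved location list.

```python
# Added example (not from the article): a verification check for the backup
# scenario described above. The inventory, host names and EU country list are
# constructed and hypothetical.
from dataclasses import dataclass

# Countries treated as EU locations for this check (constructed, illustrative
# subset; a real control would use the organization's approved list).
EU_COUNTRIES = {"DE", "FR", "IE", "NL", "SE"}


@dataclass(frozen=True)
class BackupJob:
    job_id: str
    source_host: str
    source_country: str   # where the backed-up equipment sits
    target_country: str   # where the backup copy is actually stored
    target_healthy: bool  # whether the configured target is currently reachable


def backup_target_violations(jobs, in_scope=EU_COUNTRIES):
    """Return jobs whose source is in scope but whose backup copy is not."""
    return [
        job for job in jobs
        if job.source_country in in_scope and job.target_country not in in_scope
    ]


def failed_in_scope_targets(jobs, in_scope=EU_COUNTRIES):
    """Return in-scope jobs whose target has failed; a failed target is the
    condition that preceded the silent redirect in the article's example."""
    return [
        job for job in jobs
        if job.source_country in in_scope and not job.target_healthy
    ]


def attestation_report(jobs, in_scope=EU_COUNTRIES):
    """Produce the evidence an operational area would attach to its
    self-assessment answer: counts, offending job IDs, and whether the
    area can attest 'yes' to the location question."""
    violations = backup_target_violations(jobs, in_scope)
    failed = failed_in_scope_targets(jobs, in_scope)
    return {
        "in_scope_jobs": sum(1 for j in jobs if j.source_country in in_scope),
        "violations": [j.job_id for j in violations],
        "failed_targets": [j.job_id for j in failed],
        "attestable": not violations,
    }


# Constructed sample inventory mirroring the article's incident: one EU
# server's backups were redirected to the U.S. after its EU target failed.
SAMPLE_JOBS = [
    BackupJob("bk-001", "fin-db-fra-01", "DE", "IE", True),
    BackupJob("bk-002", "hr-app-par-02", "FR", "US", True),   # redirected after failure
    BackupJob("bk-003", "crm-web-dub-03", "IE", "DE", False), # target currently down
    BackupJob("bk-004", "log-srv-nyc-01", "US", "US", True),  # out of scope
]

if __name__ == "__main__":
    report = attestation_report(SAMPLE_JOBS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run quarterly, the report gives the responder a dated artifact to attach to the self-assessment instead of a recollection, and the `failed_targets` list surfaces the precondition for a redirect before anyone changes the destination.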
Accountability
Using a combination of self-assessments and compliance reviews, a privacy office can establish a culture of accountability within an organization. Over time, a privacy office can view the “trend of accountability” for any of the departments being reviewed. The trend will show which departments are improving and which others need some assistance.
This oversight will provide a component to demonstrating that your organization is holding itself accountable for the protection of personal information.
Adaptability
As we all know, there will be changes in the environment in which any privacy office operates. Changes in laws and regulations, the addition of new technologies, establishing or closing operations in a country, changes in public opinion/perceptions towards privacy, and the emergence of new threats and vulnerabilities are prime examples of environmental factors that must be monitored.
Regardless of how well you plan your privacy program, and regardless of the contingency planning you have done, any of these changes may require a privacy office to react to an unexpected situation.
A privacy program must be adaptable to address these events. Whether it is granting a privacy policy exception, fast-tracking a privacy impact assessment, or deviating from the written incident response plan, a privacy office needs to avoid following process for process’s sake. A privacy office cannot become overly bureaucratic, as it will be perceived as “business prevention.”
Ultimately, a privacy office must support business success. Therefore, a privacy office must strike a balance between following process and remaining agile enough to respond to rapidly changing environmental factors.
Similarly, a privacy office should not be in the business of saying “No!” If an approach to the processing of personal information is being proposed, a privacy office should instead offer alternatives to make the proposal acceptable.