"Periodically, industry peers ask me about the effectiveness of a privacy compliance program and the value it brings to an organization. As privacy programs are becoming more common in corporate offices, their value can be questioned when not run effectively," writes Chris Pahl. In this second installment in a series of four articles examining how to run an effective program, Pahl looks at how to create a regulatory and control inventory.
The last article examined the need for privacy programs to be seen as valuable in an organization. Businesses must ensure that innovation continues and that client needs are met. Some managers do not understand potential privacy pitfalls and do not engage the appropriate team members at the beginning of a project or process redesign. Privacy programs must therefore be invited into, or be able to insert themselves into, key business processes.
However, without documenting relevant regulations, controls, and accountability, privacy programs will not be able to effectively manage risk.
How quickly could you answer a board member’s question about how many privacy regulations the company must comply with and how many controls are associated with them? If you cannot answer this within five minutes, it is time to start building your program’s foundation.
There are different methods to create a regulatory and control inventory. Below is one set of data elements, which can be managed in Microsoft Office tools such as Excel.
- Identify your privacy regulators. This can be done by identifying known privacy regulations, using free or pay-for-service tools, or hiring a privacy consultant.
- Document privacy regulations. Begin by documenting the regulatory citation and breaking each regulation out, one required action per line. This allows each action within the regulation to be assigned to the appropriate business owner. It also lets the privacy compliance program demonstrate to senior leaders how many regulatory requirements must be managed. The appropriate group or individuals in the company must perform the interpretation of the privacy regulations; in many organizations this is the Legal Department.
- Assign Accountability. Associated regulatory controls must be assigned to the appropriate business managers to document and implement. For example, a privacy notice requirement may require individuals from marketing, e-commerce, and the privacy office to share the development and implementation of the notice. This translates into three different areas owning all or part of the control. The control must be documented in enough detail that an individual unfamiliar with the business process could pick up the procedure and execute it.
- Test Effectiveness. Controls must periodically be risk-ranked and tested. Test plans can be developed in consultation with a company’s internal audit or risk management group. Where feasible, control testing should be included within existing test plans or should leverage other existing metrics.
Remember, maintenance of this catalog is important, and mechanisms must be implemented to detect when regulations, controls, or accountability have changed. This is an evergreen process, requiring another control to ensure the inventory remains relevant.