Periodically, industry peers ask me about the effectiveness of a privacy compliance program and the value it brings to an organization. As privacy programs become more common in corporate offices, their value is questioned when they are not run effectively.
This is the first in a series of four articles examining how to assess a program’s value, take inventory of what matters, use program metrics to show effectiveness and develop a strong communication plan.
First, let’s look at understanding the privacy compliance program’s value.
Privacy maturity differs by industry, yet even programs operating in the most mature industries struggle to show their value within their organizations. While large-scale privacy breaches have helped keep privacy at the forefront of company risk, privacy programs have not seized the opportunity to capitalize on the lessons learned.
Several free and subscription services exist for assessing the maturity of a privacy program. However, most privacy programs have limited budgets, and some may not know where to start. Instead of being caught in analysis paralysis, consider conducting an assessment using the guidelines below, each of which will be discussed in upcoming articles.
- Understand the rules – Assess if there is a centralized catalog of applicable privacy regulations, controls and accountability. If there is no catalog, understanding the program landscape is impossible.
- Assign Accountability – Each regulation carries a set of required actions, which should be interpreted by designated groups or individuals. Once a regulation has been interpreted, identify the business owner accountable for executing its controls.
- Document Controls – A single regulation commonly affects multiple parts of the organization, and how a control is executed may vary by system or by how the data is used. Controls must be documented and written at a layperson’s level so that any individual can pick up the control and follow it.
- Establish and Distribute Metrics – Assess which metrics matter to company leadership. Metrics such as current or emerging risks, number of privacy incidents, required breach notifications, authentication failures and status of key programs are a good place to start. Metrics will change over time as the program matures.
Becoming and staying valuable to the organization is one of the ways privacy will be seen as a partner to the business rather than an obstacle. Business units need to meet company goals and keep innovating. Privacy, in turn, must be able to give business managers guidelines that ensure the Fair Information Practice Principles (FIPPs) are implemented in key projects, while also looking ahead at innovation to guide the next level of privacy partnership.
Stay tuned for the next article, “Taking Inventory,” which will go into more detail regarding setting up a control structure and establishing accountability.