News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | For a successful privacy program, use these three As Related reading: Challenge: Using Privacy Strategically

rss_feed

""

Mike Tyson once said “Everybody's got plans ... until they get hit.” Eventually a privacy incident, a data breach, will occur within your organization.While a complete privacy program has an incident response plan in place, it seems that there is always some twist during an event that was not anticipated. 

A successful privacy program is a complex undertaking. The privacy team needs to stay abreast of regulatory and statutory changes, watch for potential threats from both external and internal sources, assure compliance in existing or emerging business practices, respond to stakeholder inquiries, and provide privacy leadership to their organization, to name just a few of their myriad responsibilities. With this many balls to keep in the air, how can you quickly explain the key attributes of a successful program?

This new series for The Privacy Advisor suggests there are three As that answer this question: Alignment, Accountability and Adaptability.

Alignment

Discussions surrounding alignment tend to focus on how a privacy program supports and enhances business goals and strategies. Clearly, this is a key, if not the central component to meeting organizational privacy needs. This, however, is only a single dimension of the alignment focus of a privacy program.

An organization depends on the privacy team to maintain alignment with regulatory requirements. As privacy professionals, we all invest time understanding the laws and regulations related to the collection, processing, and protection of personal information. We attempt to anticipate where these requirements are going in the future, including for emerging technologies. Without regulatory alignment in place we leave our organizations susceptible to fines, oversight, and legal action.

Similarly, the privacy program needs to maintain alignment with the needs of an organization’s stakeholders. Customers, employees, investors, and suppliers all have privacy perspectives that need to be considered. The privacy team needs to provide insight into these perspectives for the organization. The team then must balance these varying and potentially conflicting needs to assure that they do not become an impediment to organizational success.

Regulatory and stakeholder alignment provides vital information to the establishment of organizational goals and strategies. By understanding the external requirements that must be addressed to achieve these alignments, a privacy program adds value to the organization by assuring objections, negative publicity, investigations, and other distracting activities do not impede the efficient achievement of organizational goals. In fact, with proper insight to these two domains, the privacy team could provide a strategic advantage to an organization.

While organizational alignment focuses on the support of goals to be achieved, operational alignment focuses on providing support for how these goals are being achieved. Ultimately, this is the core activity of a privacy program.

Working with departmental leadership, the privacy team provides guidance and assurance of compliance with the organization’s privacy policy, regulations and laws, as well as with stakeholder’s expectations. While accomplishing this, the privacy team also needs to identify areas where the privacy policy and practices they oversee may be impacting organizational effectiveness. The team’s responsibility is to then work with operational leadership to determine how to address any privacy program deficiencies thorough adjustments to the policy or operations.

Accountability

Regulators, attorneys general, data protection authorities, customers, employees, and investors all hold organizations accountable for protecting personal information. Organizations appoint a privacy officer to oversee and respond to this accountability. However, accountability for the execution of the privacy program cannot end there. A successful privacy program recognizes that there are privacy responsibilities throughout an organization.

An organization’s leadership, especially their executives, need to accept and acknowledge their privacy responsibilities through both words and actions. They, in turn, should support the privacy team in working with each department to meet the privacy responsibilities delegated to them, Ultimately, line management must provide that same support to the privacy team to work with individual staff members.

Each level of the organization must be held accountable for meeting their responsibilities. This may only be done through appropriate communication of those responsibilities through a coordinated program of training and awareness followed by compliance testing.

Adaptability

Over time the privacy environment changes. Sometimes it takes years, often the time is minutes. A privacy program needs to be adaptable, some may say nimble, to meet these transformations.

Recent events in the EU are a perfect example of the need for adaptability with respect to the regulatory environment. For many organizations it seemed that in a blink of an eye Safe Harbor was found invalid. While the EU-U.S. Privacy Shield has been announced, the requirements for compliance have yet to be exposed. There is even some uncertainty as to if Privacy Shield will be adopted. There has also been discussion of the long term viability for model contracts, data transfer agreements, and binding corporate rules. Privacy professionals need to be ready for however the chips may fall.

Of course, while regulations and laws are changing organizations morph. New products and services are introduced while some may be dropped; new geographies are entered while some may be exited; acquisitions are made and divestures executed. All of these require privacy programs to be reviewed and for them to be adapted to the new business configuration.

Meanwhile, new technologies are routinely being introduced and organizations are finding ways to integrate them. This integration is either by design or due to employees embracing the technology for personal use. In either case, privacy programs must assess the technology and determine if there are potential privacy compliance issues.

Sometimes the privacy team must provide that assessment in a previously unexplored area. Take, for example, the introduction of drones. From a privacy perspective, a myriad of questions have been raised; from a business perspective, opportunities for efficiency and safety improvements became apparent. Some early adopters began testing before regulatory or legislative action was even being discussed. This required privacy teams in these organizations to provide guidance, adapting their programs to address potential uses for the new technology.

Mike Tyson once said “Everybody's got plans ... until they get hit.” Eventually a privacy incident, a data breach, will occur within your organization.While a complete privacy program has an incident response plan in place, it seems that there is always some twist during an event that was not anticipated. In this situation your privacy team needs to rapidly adapt the incident response plan to address the twist.

Once the situation is remediated, the privacy program may need to be modified to address the root cause of the incident. Once an after event analysis is complete, privacy impact assessments, policy and process improvements, training and awareness additions, or increased compliance oversight are all examples of adaptations to be considered.

The inter-relationship between alignment, adaptability, and accountability

Establishing alignment, implementing accountability, and being adaptable are not one-time events. In fact, the three As all depend upon each other to evolve.

For example, once alignment is established, the accountability activities may uncover areas where the program may need to adapt to new or previously undiscovered business requirements. This, in turn, may require an adjustment to the alignment between business practices and the privacy program.

This interdependency provides a foundation for a privacy program lifecycle consisting of an ongoing review, assessment, and adjustment of an organization’s privacy policies and procedures.

photo credit: Triple A graff [Lyon, France] via photopin (license)

Author
Headshot Bob Siegel, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP IAPP Member Contributor
Tags
Infosecurity
Privacy Business
Privacy Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
Challenge: Using Privacy Strategically
In part three of this quarterly series for The Privacy Advisor, Stephen Bolinger, CIPP/E, CIPP/G, CIPP/US, CIPM, who spent years at tech giant Microsoft, shares some of the strategic and tactical decisions he’s made along the way as a first-time CPO at start-up TeleSign. In part one and part two, Bo...
Read More queue Save This
Getting to Accountability, Nymity's Way
The Nymity Privacy Management Accountability Framework, "an industry-neutral listing of 150-plus privacy management activities within 13 privacy management processes," aims to help privacy pros structure and track both where the privacy program currently stands and where it aims to go. At a recent t...
Read More queue Save This
Accountability: Might Want To Start Now
While there’s no way to know exactly how the trilogue process is going, there seems to be a general consensus that the final version of the General Data Protection Regulation will bring “accountability” to the forefront of privacy programs everywhere. While Canada’s PIPEDA law first introduced the ...
Read More queue Save This
Related Stories
Tags
Infosecurity
Privacy Business
Privacy Operations Management
Recent Comments