Monitoring to ensure that your privacy policies, procedures and guidance are being followed is a key component of a successful end-to-end privacy program. You don’t know what you don’t know. How do you find out what you don’t know? Monitor your program. How do you know if people are following your policies and procedures? Are the business areas to which you have delegated privacy-related work doing it appropriately? Is your customer service area appropriately logging authorizations received? Are access requests being processed appropriately? No one wants surprises when a regulator, key business partner or customer performs an audit of your privacy practices. Monitoring your program can help prevent being surprised by audit findings that you were not aware of. This is the first in a series of articles in which industry experts describe the importance of monitoring your program and provide guidance on what to focus on.
This series of articles will take a look at monitoring programs across industries including recommendations from the privacy consultant, healthcare, IT, finance, government and telecom industries. To start the series, I spoke with PricewaterhouseCoopers LLP Data Protection & Privacy Principal Jay Cline, CIPP/US, and asked him from a privacy consulting perspective about what every organization needs to consider when establishing a monitoring program.
The Privacy Advisor: Why is developing a monitoring program important?
Cline: Multinationals need to monitor changes in privacy laws occurring across various jurisdictions in order to keep their privacy programs current. Regulated companies need to monitor their level of privacy compliance to provide accountability to their regulators. Organizations in unregulated industries will want to monitor their level of privacy risk across the enterprise in order to keep their executive leadership team fully informed about the level of risk they’re accepting.
The Privacy Advisor: How should people determine what to monitor?
Cline: We advise our clients to monitor three things: changes in laws and standards, levels of compliance and levels of risk in the data life cycle. Our more advanced clients are also measuring the value contribution of privacy to the business on an ongoing basis.
The Privacy Advisor: How should they document their monitoring program and the results of any monitoring that they are performing?
Cline: The traditional way of documenting changes in privacy laws has been to write a memo summarizing the changes and business impact of a new law. A different approach that we offer through our global network of firms, which now includes law firms, is to assign a high/medium/low impact rating to each privacy bill, enacted law and court decision and assign it to the impacted place within the client’s global controls framework.
Documenting the status of privacy risk and compliance has traditionally been accomplished through risk-assessment and gap-assessment reports. An increasing number of companies are exploring how to transition this documentation to GRC software tools as well.
The Privacy Advisor: What are three key tips that you would give to someone developing a monitoring program?
Cline: I would recommend starting a monitoring program small and simple and then adding comprehensiveness and complexity over time. Involve attorneys experienced in privacy-related litigation to make sure that the facts being documented are accurate and not overstating gaps and risks.
The Privacy Advisor: What are pitfalls to watch out for and how should those be addressed?
Cline: To be successful in the long run, monitoring programs need to produce output viewed by an executive sponsor. The most effective outputs we see among our client base are one-page executive privacy dashboards viewed at the audit committee level each quarter.
Jay offers sage advice regarding where to start building a monitoring program. Know the laws and regulations that apply, understand how you comply, measure your privacy risk and develop dashboards for leadership to keep them informed. Focusing on a monitoring program for your organization can help reduce risk to your company and show you where you need to focus your resources.