So far in this series on how to effectively monitor your privacy program, we have had three industry leaders—one from a consulting firm, one from healthcare and one from IT—give valuable insights on what organizations should focus on when developing a comprehensive program.
Halfway through, here is a summary of the suggestions made to date. Several major themes have surfaced regardless of industry. The recommendations for developing a monitoring program center on risk assessments; documenting your monitoring activities; training; and continuous monitoring throughout the life cycle of the program. Below are excerpts from the prior articles, listed by topic, that you will want to keep in mind as you evolve your monitoring program:
Risk assessment processes are the center and the life force that drive your monitoring program.
- PricewaterhouseCoopers (PwC) Data Protection & Privacy Principal Jay Cline, CIPP/US, said changes in laws and standards, levels of compliance and levels of risk across the data life cycle are where to start with a monitoring program. In addition, more advanced clients are measuring the value privacy contributes to the business on an ongoing basis.
- Danette Slevinski, former vice president and corporate responsibility officer for Bon Secours Charity Health System, suggested that, since there are so many regulations regardless of the industry you practice in, one way to make a monitoring program feasible is to identify the highest risks for noncompliance (the risks most likely to cause patient or consumer harm) and audit those risks over a three-year period. Adjust the policies and standards being monitored annually, or at the end of the monitoring cycle. The key is to address your highest risks.
- JC Cannon, CIPP/US, CIPT, is a leader in privacy and IT and the founder of Assertive Privacy, a Washington, DC-based consulting agency. He discussed monitoring your privacy program from an IT perspective. He said a regular risk assessment should be performed to prioritize IT risks and to determine which ones will be monitored and how. Compliance and IT departments should share a consolidated view of all monitoring programs along with the details of each individual program, including a step-by-step procedure for how each monitoring program is deployed and administered.
Documenting Monitoring Activities
- Cline said the traditional way of documenting changes in privacy law has been to write a memo summarizing the changes and the business impact of a new law. A different approach, which PwC now offers through its global network of firms (one that now includes law firms), is to assign a high/medium/low impact rating to each privacy bill, enacted law and court decision and map it to the affected control within the client's global controls framework.
- Cline also said documenting the status of privacy risk and compliance has traditionally been done through risk-assessment and gap-assessment reports, but an increasing number of companies are exploring how to move this documentation into GRC software tools. To be successful in the long run, he said, monitoring programs need to produce output that is viewed by an executive sponsor. The most effective outputs he sees among PwC's clients are one-page executive privacy dashboards reviewed at the audit committee level each quarter. He also recommends starting a monitoring program small and simple and adding comprehensiveness and complexity over time.
- Slevinski strongly suggests knowing your audience and tailoring the data to the briefing objectives of each audience. Within your industry, there may be governmental websites or proprietary monitoring and risk assessment tools available for download; these tools may help with the documentation process. Resources for staffing, software, training and external consulting are generally hard to come by, and regulations continue to become more stringent. Keep leadership briefed on the cost of noncompliance, the monitoring program's "wins" and relevant dashboard data so they are aware of the value of an effective monitoring program.
- Cannon suggested presenting results with Harvey balls, charts and graphs. Each area should also have a detailed description explaining why it is out of compliance and the plan to bring it into compliance.
Training
- Slevinski said it is critical to implement corporate, regulatory and HIPAA Privacy and Security policies and procedures, and to train your staff on them.
- Cannon said organizations often underestimate the importance of training. Having great procedures and monitoring in place is a waste of time if employees are not aware of them and do not know how to execute them. Training should be repeated on a regular basis to reach new employees and to update veteran employees on changes.
Continuous Monitoring
- Cannon said to first perform a risk assessment before deploying a monitoring program, to make sure the most important areas are being addressed. Second, make sure all employees are aware of the risk areas so they can assist with monitoring. Third, review monitoring results on a regular basis and create a plan for addressing areas that are out of compliance. He said to be sure that your monitoring program is a continuous one, so that compliance is maintained over time. Being in compliance today does not mean that changes to tools, processes, laws and regulations will not bring you out of compliance in the future.
Monitoring your program to ensure you stay in compliance is one of the most important activities your organization can undertake. It is not enough to have training, policies and procedures. You must monitor to ensure that your protocols are being followed, create corrective action plans, continue to perform risk assessments and continuously reassess your program so that you can demonstrate compliance. For more on how to monitor your privacy program, look for the final two installments in this series, focusing on government and telecoms, in forthcoming editions of The Privacy Advisor.