How to Build a Privacy Program


Creating or further developing a privacy program is no simple thing. An effective and successful privacy program is built not just on knowledge of the relevant laws and how to comply with them, but also on proactive strategies, persuasion, political savvy, adaptability and a passion to get an exciting new organizational function up and running. This topic page offers tools, guidance and research to help you achieve your goal.

Featured Resources

REPORT

IAPP-EY Privacy Governance Report 2023

The IAPP-EY Privacy Governance Report 2023 builds on previous comprehensive efforts to shine a light on the location, performance and significance of privacy governance within organizations.

REPORT

Privacy Risk Study 2023

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.

BOOK

Privacy Program Management, Third Edition

This book provides the critical knowledge necessary for anyone responsible for managing privacy program governance and operations.

WEB CONFERENCE

Managing privacy in the era of generative AI

This web conference addresses how the rapid rise of generative AI has created unique challenges for privacy leaders as they look to mitigate risks and ensure personal information is safeguarded.

ARTICLE

Privacy governance: A problem solved or an ongoing challenge?

This article outlines the importance of good privacy governance as professionals address the evolving challenges in the space.

WEB CONFERENCE

Privacy by Code: Filling the Gap in Your Privacy Programs

This web conference will explain how a Privacy by Code approach can enable organizations to evaluate, prioritize and manage privacy risks and deliver increased productivity, agility and value creation.


Additional News and Resources

Evaluating the use of AI in privacy program operations

The privacy implications and questions surrounding artificial intelligence dominate discussions among many privacy professionals. How do we untrain an AI model previously trained on personal information in response to a data subject request? How do we explain how a particular AI model processes personal information in our privacy notice? What role does the privacy team play in AI governance? How do we secure our legitimate interests or consumer consent to process data in an AI model, and what do... Read More

Rethinking the role of CPOs: Prioritizing operationalizing privacy controls over legal expertise

In April 2020, I started my role as chief privacy officer of Silicon Valley Bank after serving in the position at Capital One. My time at SVB was both enriching and challenging, marked by the development of a mature global privacy program amid tremendous growth at the bank. Unfortunately, this journey took an unexpected turn earlier this year with the failure of SVB. As I embark on my search for my next CPO role, I’ve been surprised by the prevalence of law degrees being listed as a mandatory qu... Read More

Building effective AI through collaboration

The need for cross-departmental collaboration when deploying artificial intelligence models is not just advisable. It's essential. As head of data privacy and product compliance at Collibra, it is my job to make sense of the emerging AI legal and regulatory landscape and to interpret its implications for our business.  But this is not work I can do alone. I need input from a range of stakeholders to get a full picture of the proposed AI use case — its intended purpose, leveraged data, outputs ... Read More

From overlooked to optimized: Revolutionizing data-retention practices

Data retention — or, more critically, deletion — once again seized the spotlight following New Zealand's largest data breach earlier this year. The country's Deputy Privacy Commissioner Liz MacPherson aptly referred to data retention as "the sleeping giant of data security." The often overlooked data management challenge has grown so extensive and intricate that it can be daunting. In accordance with New Zealand's Privacy Act, organizations are legally obligated under Information Privacy Princi... Read More

The latest dimension of the global race for an AI governance framework

Discussions on the need to establish a governance framework for artificial intelligence took off following the public release of ChatGPT last November, which showed the world the impressive pace large language models, and generative AI in particular, are progressing. The breakneck speed of AI development prompted some business leaders and technologists to call for a six-month hold on the release of powerful models. However, many have written off the initiative as an attempt for Elon Musk to play... Read More

Managing downstream risks of 'do not sell' fulfillment

If you are like many businesses that have implemented solutions to honor consumer do not sell/share requests in accordance with U.S. state privacy laws, you have likely placed a degree of trust on third parties that they will honor the requests they receive. While having an appropriate solution in place to deliver the request — currently in the form of delivery of the IAB Technology Laboratory's U.S. Privacy String — is a key part of the compliance equation, a third party's failure to act on the... Read More

Launching an AI governance program? Start with your ‘why’

Nearly 30 years ago, the great astrophysicist Carl Sagan wrote, "I have a foreboding of an America in my children's or grandchildren's time, when awesome technological powers are in the hands of a very few and no one representing the public interest can even grasp the issues." His words seem prescient now that a tool as powerful as artificial intelligence is pervasive in our everyday lives. Companies are increasingly leveraging AI in various capacities to drive both revenue growth and operation... Read More

Five ways to build a bulletproof PBD program with your security partners

Original broadcast date: 14 Feb. 2023 In this web conference, you will learn strategies on how privacy and security can create processes for pre-deployment insights from product and engineering teams, how to leverage privacy and security teams’ shared needs on third-party vendor reviews and record of processing activities, and battle-tested tips on how to avoid getting ambushed for last-minute approval requests from the business. Read More

Top issues to address when using automated employment decision-making tools

As we wait for the EU Artificial Intelligence Act to pass, AI enforcement is imminent in the U.S. On the federal level, we have both joint and individual statements from the U.S. Federal Trade Commission, Justice Department, Consumer Financial Protection Bureau and Equal Employment Opportunity Commission, as well as the White House's Blueprint for an AI Bill of Rights and follow-up Fact Sheet on new actions to Promote Responsible AI Innovation that Protects Americans' Rights and Safety. At the ... Read More

Unlawful data processing claims: An insurance perspective

There has been a steady increase in lawsuits focusing on whether businesses lawfully collect and use personal data. These claims impact a broad range of data processing activities in consumer and employment contexts and are not limited to any particular business sector. Businesses subject to unlawful data processing claims and demands incur serious losses in terms of litigation costs and out-of-court settlements. With the increase in privacy litigation, the insurance industry has experienced a ... Read More

The building blocks for managing privacy risks at Square Enix

Original broadcast date: 11 May 2023 In this web conference, panelists will address how to collaborate with data owners across the organization to complete privacy and data protection impact assessments, how to mitigate privacy risk by operationalizing remediation efforts, how to map business processes and data flows for comprehensive privacy analysis and how to report on compliance status for effective regulatory adherence. Read More

Shifting to first-party data: Privacy pitfalls around consent and transparency

Companies are increasingly pursuing first-party data approaches to move away from third parties that collect and process personal data on their behalf. Instead, they rely on personal data collected themselves, in particular to pursue personalized marketing activities. Naturally, this comes with a number of privacy challenges – most importantly, obtaining valid consent that meets transparency requirements. Characteristics of a first-party data approach Reasons for shifting toward first-party da... Read More

What Your Business Should Be Doing Now to Unlock Privacy Benefits

Original broadcast date: 15 Dec. 2022 This web conference will explain how you can leverage technology to unlock privacy benefits and keep up in today’s dynamic world. Specifically, this conference will look at navigating today’s privacy landscape: from its ever-evolving global regulations, to earning trust with customers (whilst battling consent fatigue), to keeping up with industry shifts like transitioning to GA4. Read More

Future-Proof Compliance with Breach Notification Regulations

Original broadcast date: May 26, 2021  In this session, you’ll learn the essentials for operational success and actions for improvement across each stage of the incident response lifecycle. We also share key benchmark metrics and program key performance indicators that help you identify the maturity level of your program and ensure you are making data-driven decisions around process improvements. You will walk away with insights that will help you turn aspirational goals into a measurable plan.  Read More

Redefining data mapping

Reflecting upon the 2015 U.S. Office of Personnel Management security breach, former U.S. Department of Homeland Security chief privacy officer Nuala O’Connor, CIPP/G, noted, “The OPM breach was not only the product of bad security practices but also of poor privacy practices … OPM didn’t have the most basic data map.”  “Data mapping” is typically considered the foundational step for any privacy program — but what exactly is it?  To me, data mapping is an umbrella term that depends on context,... Read More

Maximize your minimization and other takeaways from the FTC’s Drizly case

The U.S. Federal Trade Commission enforcement action against Drizly demonstrates how the agency plans to give teeth to its new emphasis on data minimization. The FTC reached a settlement with Drizly, an online alcohol marketplace, and its CEO, alleging the company knew about its data security shortcomings and failed to take action to protect personal data from a data breach affecting 2.5 million users. Though the case derives from a security breach, privacy pros should pay close attention to the... Read More

Automated Data Mapping That Charts the Course for Privacy and Beyond

Original broadcast date: 25 Oct. 2022 In this web conference, BigID Product Management Director Tomer Elias and Optiv Privacy and Governance Senior Manager Spencer Kindt, CIPP/E, discuss a new framework for data mapping toward standardization — where this becomes an umbrella term that charts how data is processed from A to Z. In this web conference you will learn what data mapping is along with current terminology and definitions, differences between data mapping and data discovery and more. Read More

Consumers say trust depends on transparency

Consumers worldwide say data transparency is a top priority when it comes to trusting organizations with their personal data. They look to their national government to take a primary role in protecting data and continue to be very supportive of privacy laws in their countries. Consumers are also increasingly taking action to protect their own data by exercising their privacy rights and switching providers when necessary. They tend to support artificial intelligence and automated decision-making,... Read More

Three Ways Privacy and Security Can Crush Third-Party Reviews – as Friends

Original broadcast date: 18 Oct. 2022 Too often, privacy and security teams work separately despite the truth: Many times, they’re working toward the same goals. For example: How many of us have realized duplicative paperwork and questionnaires during the third-party vendor vetting process? But if there’s early collaboration between privacy and security, the efficiencies gained can be game-changing. In this web conference, panelists discuss how organizations can gain privacy champions, learn strategies and tools for cross-functional collaboration and implement frameworks to collaborate efficiently. Read More

Perfecting Privacy Practices

Original broadcast date: 30 Aug. 2022 In this web conference, panelists share common benchmarks and metrics for assessing your company’s data privacy policies, practices and program, how to track if your organization is following generally accepted privacy principles, how this all intersects with proposed changes from regulators via pending legislation and rulemaking in the American Data Privacy and Protection Act, the California Privacy Rights Act, the Terms-of-service Labeling, Design and Readability Act and more.  Read More

Privacy Metrics to Uplevel Your Privacy Program

Original broadcast date: 24 Aug. 2022 In this web conference, panelists share best practices about how to measure the success of your privacy program. Panelists also emphasize which privacy metrics best demonstrate the value of your privacy program to your C-suite, highlight which privacy metrics tend to provide opportunities for improvement as well as which privacy metrics create unhelpful noise. Finally, panelists also explore how to leverage privacy metrics to better incorporate Fair Information Practices into your day-to-day privacy reviews. Read More

Privacy with Microsoft Video Series

In this Microsoft video series, their experts will provide comprehensive training and best practices for developing enterprise privacy solutions in a complex environment. Topics range from end-to-end privacy policy management and implementation to tactics for incident management and mitigation. These videos can help you gain the data protection knowledge you need to advance your career. Episode 1: Enterprise Privacy Management In the first episode of this series, Micr... Read More

Privacy: An organization’s responsibility for building trustworthy systems

An organization's handling and use of individual data will impact its long-term success as consumers and governments become more concerned with data privacy and protection. Businesses can no longer sit back and wait to react to these changing market forces. They must realize that building trust with consumers is an essential tenet for their success, and respecting individual privacy is a crucial component of trust. The purpose of this piece is not to discuss regulation but how privacy enforcemen... Read More

Hiscox Cyber Readiness Report

The Hiscox Cyber Readiness Report provides an up-to-the-minute picture of the cyber readiness of businesses big and small, and offers a blueprint for best practice in the fight to counter an ever-evolving threat. Read More

Managing Privacy Risk and Safeguarding Personal Information

Original broadcast date: 21 June 2022 In this web conference, panelists discuss how to identify personal information and critical privacy risks arising from data hoarding, overexposure and transfer, assess your privacy compliance against industry and Canadian regulatory bodies, such as the Personal Information Protection and Electronic Documents Act, automate risk mitigation and prevent privacy incidents, manage subject rights requests at scale and respond with confidence and more.  Read More

Running a privacy law-compliant inclusion and diversity data collection program globally

Many organizations are proactively advancing diversity and inclusion goals globally to include a focus on recruitment and employee-directed initiatives. These efforts are consistent with organizational values and business goals, even in cases where diversity data collection may have the potential to increase (rather than decrease) risks of discrimination claims. Beyond addressing D&I to comply with anti-discrimination laws, most organizations also consider it an urgent business need for comm... Read More

Assessing risk: Determining the appropriate risk flags for your privacy risk assessments

The privacy technology market has been flooded with tools over the past few years — you need only look at the size of the IAPP Tech Vendor report to see it. And while these tools can massively accelerate and support privacy programs, they aren't a silver bullet. All privacy technology requires configuration to meet the specific needs of the business, and that involves expertise — in other words, a privacy professional making informed decisions about how best to implement and operate it within yo... Read More

Data Retention: The Blind Spot in Your Privacy Program

Original broadcast date: 29 March 2022 In this web conference you will learn how understanding and maintaining up-to-date data retention strategies is one of the numerous obstacles privacy professionals deal with and is often the blind spot in the privacy program especially with the varying laws across jurisdictions. You will also learn how organizations can integrate enforcement of policies like data retention, data minimization, access requests, etc., across the organization’s IT ecosystem. Read More

Marketing and Consumer Experience Perspectives to Enhance Your Privacy Program

Original broadcast date: 3 February 2022 In this web conference, panelists discuss marketing and growth perspectives on privacy, how to collaborate and discuss privacy with marketing teams, and how to navigate complex advertising and marketing ecosystems. Viewers will get up to speed on techniques that build value while honoring values, and turn their privacy program into a growth engine that builds brand value, optimizes data utilization, and enhances the consumer experience. Read More

Ransomware: 5 critical tips for organizations

You may have noticed ransomware attacks and information security incidents, such as personal data breaches, have been growing rapidly and gaining frequent space in the media. With each passing week, one or more events of this nature becomes the subject of articles in newspapers, magazines, radio and television. After helping several organizations (from a legal perspective) respond to security incidents and manage the crises generated by these events, I realized some central aspects to properly ... Read More

How To Build An Effective Privacy Engineering Team

Original Broadcast Date: February 2022 In this LinkedIn Live event, you will learn what inspired and helped others to move into this growing field, what the role of privacy engineering entails, and how to build and support the well-balanced privacy teams needed to put privacy policies into practical state-of-the-art data protection and privacy by default and by design in real-world systems. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile ... Read More

2023 here we come: How to prepare your privacy program

Considering 2022 is just days old, it certainly feels early to start planning for 2023. However, at least three U.S. state privacy laws are set to come into effect in 2023 (California Privacy Rights Act of 2020, Colorado Privacy Act and the Virginia Consumer Data Protection Act), and there is the distinct possibility more laws (both in the U.S. and globally) will follow this year. And this is while companies also work to address new or anticipated privacy laws across the globe (Brazil, China, In... Read More

Practical Tips for Building Your Privacy Operations

Original broadcast date: 26 January 2022 In this web conference, WireWheel CPO Rick Buck leads a discussion with a consultant from Grant Thornton and an experienced CPO to learn a framework for privacy assurance, lessons from creating and building privacy programs and tips on where to get started. Read More

The Privacy Evolution: Enabling Trusted Data Use

Original broadcast date: 18 January 2022 In this web conference, you’ll learn how privacy teams can leverage technology to begin this shift by streamlining the ongoing understanding of the data being processed by the business and the laws and requirements that apply, enabling transparency with individuals and facilitating & respecting their choice in how their data can be used and making data use trusted by default by automatically enforcing these policies, principles & choices across the IT ecosystem. Read More

Measuring global diversity and inclusion: The art of the possible

As companies examine and refine their diversity and inclusion strategies, having access to information about the makeup of a workforce has never been so important. The privacy issues that arise in the process of collecting this information can prove difficult for privacy professionals to navigate. These challenges are not just to comply with the law; in practice, it may be as difficult to manage the expectations of stakeholders in terms of what can be achieved and act as a check and balance on t... Read More

Data privacy requests metrics: Lessons for your privacy program

On July 1, the regulations implementing the California Consumer Privacy Act required companies that process large volumes of data about Californians to publicly post metrics regarding data subject requests. While many companies have processed DSRs for years under the EU General Data Protection Regulation and the Privacy Directive that preceded it, the CCPA is the first law that requires companies to publicly disclose information about their DSR process. It provides a unique and unparalleled oppo... Read More

From Programs to Programmatic: New Mindsets & Methods for Privacy Challenges

Original broadcast date: 18 August 2021 There was a time when a competent privacy program could rely on nothing more advanced than documents, checklists, spreadsheets and emails. But that time has passed: the complexity of today’s privacy challenges necessitates smarter, faster, more scalable solutions--the old programs must become programmatic. The privacy challenges posed by maintaining vast lakes of unruly personal data demand more than manual oversight. Add to that increased regulatory scrutiny and consumer expectation, and the problem looms large. In this presentation you will learn how software can ease your burden with greater data accuracy and integrity. Read More

A Practitioner Approach to Implementing Data Protection & Privacy by Design

Original broadcast date: 1 September 2021 This session shares practical steps to implementing Privacy by Design, also known as Data Protection by Design, for new products and services, venturing outside of the 7 principles that your backend engineers do not understand. It discusses what works and what does not at each different step; preparations, setup, roll-out, and review. Challenges and workarounds will be emphasized. Read More

Why Privacy Departments Hold the Key to Incident Response

Original broadcast date: 27 July 2021  What’s the real role of the privacy department in an incident? Turns out it’s a critical piece of the response puzzle. Through the difficult lessons of past incidents, organizations have learned forensic analysis is a team effort between the privacy and security departments. As it turns out, the services the privacy team provides to the resolution of the incident can extend beyond the singular event, and elevate the status and visibility of the privacy function and team within the broader organization. In this interactive, educational virtual session learn how you can start preparing to effectively handle a future incident, while also making clear the value of the privacy team's critical role within the business.  Read More

What are the driving forces of a company’s privacy strategy in a constantly changing landscape?

As companies aim to keep pace with an ever-expanding privacy regime, the question of how they should meet new privacy compliance requirements is a hot topic. Privacy managers and counsel are faced with the following options: Should they apply a uniform standard across all jurisdictions, adopt an individualized approach to each jurisdiction or adopt a combination of standard practices with a “lift, shift and drop” for individual requirements?  Why is a uniform approach difficult? While a unifor... Read More

Building a Next Generation Practice Leadership

Original broadcast date: May 20, 2021  Next Generation Practice Leadership is more than operational compliance with applicable laws and industry codes of practice and the detection of bias and discrimination. It requires a team that looks beyond compliance and considers what is fair and respectful to people. This session provided insights and principles you can implement with your team. Read More

Effective management of cannabis consumer data risk

With cannabis now legal for recreational use in 15 U.S. states and medical use in 35 states, the cannabis industry has moved strongly toward broad-based legitimacy. As is often the case with new and high-value business opportunities, there has been a rush to engage consumers, move product and achieve profitability, often without recognizing or acknowledging relevant privacy and data security risks. In the cannabis industry, those risks manifest in numerous ways across business systems and proces... Read More

The 7 Sins of Managing Data Privacy

Original broadcast date: March 18, 2021  Join privacy veteran Marty Collins from QuinStreet and Vivek Kokkengada from Securiti as they reveal the 7 Sins of Managing Data Privacy and how to avoid them. You'll learn best practices for discovering, protecting and governing data across multi-cloud environments, what pitfalls to avoid with regards to honoring consumer rights, managing risks for vendors handling sensitive data and strategies for efficiently implementing privacy by design. Read More

D&I and Your Privacy Program: A Discussion on Intersectionality

Original broadcast date: March 9, 2021  This session will identify challenges that contemporary privacy frameworks present for addressing intersectionality concerns, and suggestions for resolving those challenges. Panelists will discuss governance, consent/legal basis, and vendor management. They will also examine the role of employers, tensions between commitments to customers and employees, and how attempts to use data for good and justified purposes can be hindered by bias. Prepare to learn best practices and opportunities for addressing privacy concerns while advancing diversity, equity, inclusion and intersectionality as part of your business initiatives. Read More

A 360-Degree View of Enterprise-wide Privacy Risk

Original broadcast date: March 2, 2021 Join this discussion between privacy specialists on how global companies are managing and addressing a rapidly changing regulatory environment by putting into place a cross-organization, centralized privacy program based on a risk-based approach. Panelists will provide an overview of how they rely on a data-driven, centralized, flexible, risk-based framework to identify hidden risks, quantify their privacy “debt,” and use industry-specific benchmarking to measure privacy risk exposure. Read More

Privacy fatigue and how to combat it

As we enter 2021, organizations are facing fatigue across multiple fronts, including the onslaught of new privacy legislation and enforcement, while trying to balance these risks with skyrocketing interest in data around the world. In this difficult time, organizations confronting competing demands on other regulatory fronts, along with budget and personnel cuts made worse by the ongoing COVID-19 pandemic, can easily feel overwhelmed at the challenges that come with addressing new privacy laws y... Read More

OPC – Privacy Guide for Businesses

The Office of the Privacy Commissioner of Canada developed a privacy guide to help organizations adhere to the Personal Information Protection and Electronic Documents Act. The guide contains a summary of principles within PIPEDA organizations should follow, as well as the meaningful consent and privacy breach requirements they must meet. Read More

From Microsoft's CPO to Airbnb's, his goals are the same

As Airbnb's chief privacy officer, Brendon Lynch, CIPP/US, may be managing a privacy program at a younger and much smaller company than at his last gig, but his mission is the same: To build and implement a program that aligns privacy with the business strategy in a way that creates stakeholder trust.    After 16 years at Microsoft as its CPO, Lynch joined Airbnb in January, transitioning from Microsoft's 150,000 employees, multiple business components and a specialized privacy program, to a 5,... Read More

Practical Primer on Privacy Preparedness

Original broadcast date: June 17, 2020 In this privacy education web conference, former U.S. Federal Magistrate Judge Ronald Hedges and practicing Privacy and Information Governance Attorney John Isaza will share their practical insights on privacy preparedness for audits and consumer requests. The web conference will cover the expectations an outside auditor or data protection authority might expect organizations to have in place when it comes to privacy compliance workflows, plus best practices for how to be ready in the event of a consumer’s right-to-be-forgotten request. Overarching these practice tips will be a discussion of the role of the organizational retention program as a centerpiece to compliance. Read More

How to operationalize privacy by design

Privacy professionals generally understand, at least conceptually, what it means to implement privacy by design. If further guidance is needed, we can look to the NIST Privacy Framework or ISO 27701. If we want to better anticipate regulator expectations around PbD, we can refer to the European Data Protection Board Data Protection by Design and by Default Guidelines or U.K. Information Commissioner's Office guidance, among other resources. We can even go back to the original seven foundational ... Read More

Embedding data ethics into your ‘culture of privacy’

This series by the team at Sentinel examines the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this fourth article, we’ll provide a look at the role data ethics plays in a culture of privacy. Find the first three articles in the series here. “In civilized life, law floats on a sea of ethics,” former U.S. Supreme Court Chief Justice Earl Warren said, but we know priva... Read More

How to leverage your existing privacy program to manage brand reputation risks

The impact privacy laws, such as the California Consumer Privacy Act and EU General Data Protection Regulation, have for organizations goes beyond just privacy. This is similar to other regulations, such as the U.S. Sarbanes-Oxley Act of 2002, which changed the corporate world permanently. Challenges for management and the controls needed for implementation deeply reflect that, as they span across departments, information systems and business processes. How companies deal with such laws and obl... Read More

How to Build a Culture of Privacy – Article Series

This new series for The Privacy Advisor by the team at Sentinel, a privacy consultancy and the company behind the privacy program management technology Ethos, will examine the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. Read More

Building a culture of privacy: Legal compliance as a result, not a goal

This series by the team at Sentinel examines the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this second article, we’ll provide a look at how a culture of privacy can help you reach your legal compliance goals and some tips on how to implement one within your organization. For companies that deal with personal information, which is most companies these days, privac... Read More

Measuring Privacy Operations

In Measuring Privacy Operations 2019, the IAPP and TrustArc offer privacy professionals around the globe a look at how their colleagues are implementing privacy requirements. This is the latest in a series of reports designed to help companies benchmark their own privacy practices against those of their partners and competitors. Read More

Building a long-lasting privacy program in an ever-changing regulatory landscape

The U.S. regulatory scope that privacy professionals are staring down pales in comparison to the global scale, which features 130 regulations to contend with and more on their way. Yes, the number of U.S. states with regulations greatly differs from the global range; however, developing privacy programs isn't any easier from either angle. A&E Networks Vice President of Privacy and Compliance Counsel Maggie Gloeckle, CIPP/US, CIPM, CIPT, FIP, sees the U.S. regulatory landscape for privacy as... Read More

Tool helps map out relevant privacy laws for organizations

Privacy regulations have appeared all over the world, and TrustArc Senior Vice President of Marketing and Product Management Dave Deasy, CIPM, finds all indicators show this current trend is unlikely to slow down any time soon. As the requirements for these laws differ between countries and states, Deasy and TrustArc decided to create a new tool to help privacy professionals figure out under which laws they fall. Within TrustArc’s Privacy Profile solution, privacy professionals answer question... Read More

Privacy Management Program Self-Assessment

This tool from the Office of the Information & Privacy Commissioner for British Columbia helps organizations meet legal obligations and the expectations of clients and customers for the privacy and security of personal information. This self-assessment form will help organizations decide whether improvements are needed to better protect the personal information they collect to comply with the law. Click To View (PDF) ... Read More

How do organizations demonstrate a positive privacy impact?

In his speech at the 2018 International Conference for Data Protection and Privacy Commissioners conference, European Data Protection Supervisor Giovanni Buttarelli stated that the European legislature did not think about ethics when drafting the EU General Data Protection Regulation. The GDPR is clearly a law that establishes a data protection compliance framework, but should the practice and interpretation of the GDPR include an ethical dimension? There's been much discussion about this relat... Read More

How to drive effective privacy operations with functional requirements

In the run-up to May 25, 2018, many businesses that thought they were well-prepared to meet their new General Data Protection Regulation obligations discovered that operationalizing many components of a GDPR-compliant privacy program requires more than simply drafting a new or updated set of policies and procedures. With GDPR now in full effect, these businesses are quickly realizing that truly effective GDPR compliance is a highly complex undertaking requiring active, cross-functional collabora... Read More

A Guide to Privacy by Design

This guide from the Spanish data protection authority, the AEPD, introduces the concept of privacy by design, principles that go with it and design strategies for organizations to implement. Click To View (PDF) ... Read More

Privacy Compliance Meets IT

Original broadcast date: Sept. 15, 2020

Have you ever talked to your IT teams and wondered, “Do they even understand what I am saying?” or, conversely, struggled to comprehend the mishmash of technological jargon and process hurdles IT teams throw up that impede your efforts at compliance? If you've been in these situations or want to improve communication with your IT teams, please join us for this live interactive virtual conversation in which we will share what it is like to “think like an engineer.” Dataguise's Christopher Glover and Microsoft's Chris Longman will discuss how to align these teams to effectively operationalize privacy programs. Read More

3 benefits for businesses to adopt PDS

Collection and analysis of personal data on a mass scale are essential for businesses to enhance their decision-making processes, better understand their customers and serve them personalized services. While individuals enjoy reaping the benefits of personal services, there is a growing concern over privacy. According to Pew Research, 81% of Americans report they feel a lack of control over their personal data and are highly concerned about how their data is used and shared. To give individual... Read More

Beyond a compliance mindset: How we communicate about privacy impacts our influence

If you want to earn a seat for privacy at the same table as revenue-generating departments, you must communicate like one. Learn how privacy impacts your business’ bottom line: Conduct market research; study external reports; dig into brand perception; gather stakeholder feedback from externally facing teams, like customer support, business development, public policy, etcetera; and find out where subpar privacy practices are creating friction for your business. It’s a common misunderstanding t... Read More

Building a culture of privacy: Privacy as a strategic initiative

This series by the team at Sentinel examines the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this final article, we’ll provide a look at how a culture of privacy can help organizations achieve their strategic goals. Find the first five articles in the series here. New privacy and data protection laws and proposals pop up seemingly every day. Privacy stories make to... Read More

Study finds 93% of US citizens would switch to privacy-conscious organizations

Transcend CEO Ben Brook said it was roughly around 2017 when he and his company began to notice a key trend emerging around privacy in the U.S. Brook pointed to that year as the time American customers started to both demand privacy rights and cast a more critical eye on companies misusing their information. Given the results of Transcend's recently released "Data Privacy Feedback Loop 2020" report, customers' feelings toward privacy have only intensified over the past three years. Transcend ... Read More

Privacy Program Remediation to Incorporate Legacy Systems

Original broadcast date: Aug. 18, 2020

Join us for this anonymized case study covering a large, multinational organization in a highly regulated environment and their project to implement EU General Data Protection Regulation–based privacy retention requirements in a large-scale IT environment with thousands of systems of all types, ages and characteristics. Read More

Building a Privacy Culture: A Conversation with Privacy Program Managers

Original broadcast date: Aug. 6, 2020

In this privacy education web conference discussion, we’ll hear from several privacy program managers about their successes and challenges with building a data privacy culture with their organizations. You’ll learn what they tried, what worked, what didn’t and other real-world lessons from these experts as they sought to increase awareness of privacy best practices and encourage consistent data-protecting behavior. Read More

How to make responsibly sourced data the rule, not the exception

Data has become a four-letter word. We even worry about the application of data in estimating disease spread or planning health care for fear that once collected and shared, the data could eventually be misused and applied to an altogether different use. Consumers have been conditioned to look for data misuse. Accidental data leaks (Virgin Media), concerns about national election security or simply poor data protection practices (British Airways) are fueling suspicions. Rapid technological inno... Read More

Building a culture of privacy: Be customer-centric

This series by the team at Sentinel examines the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this fifth article, we’ll provide a look at how putting your customers at the center of your privacy decisions can help you reach your organizational goals, plus some ideas on how to do it. When we talk about creating a culture of privacy, what does it mean? In simple words... Read More

Applying the Positive-Sum Principle for Successful Privacy by Design Outcomes

(July 2018) – Implementing a “positive-sum” approach, one of the seven principles of privacy by design, in which stakeholders share a single set of objectives driving the design, development and implementation of business initiatives or technologies, provides a strategic boost toward attaining effectiveness and sustainability. In this white paper get insight on the benefits of a positive-sum approach and operationalizing it in your organization. Read More

They Did What? Top Privacy Mistakes To Watch Out For (and How To Avoid Them)

Employees are required to remember seemingly countless privacy regulations and policies, which requires privacy programs to monitor and reinforce positive behaviors all the time. Still, when a privacy incident is reported to the privacy office, it’s easy to become dismayed at how the mistake could have possibly occurred. Many incidents occur even as employees believe they are doing the right thing, but are instead burdening the company with unnecessary risk. In this white paper, learn about the top mistakes employees make, absent proper awareness and training. Read More

Benchmarking your Privacy Incident Management Program – Article Series

Last Updated: August 2018

This series written for The Privacy Advisor by the team at Radar is about establishing program metrics and benchmarking your privacy incident management program. Radar provides purpose-built software designed to guide users through a consistent, defensible process for incident management and risk assessment. A significant volume of incidents involving regulated personal data is processed through the Radar platform, and that number grows every day. The Radar team will... Read More

Under Armour takes 'honorable mention' for building innovative privacy program

As thousands of privacy professionals flock to Austin this year for Privacy. Security. Risk. 2018, all will surely be eager to hear who will be announced as this year’s HPE-IAPP Privacy Innovation Award winner. And while the winner's podium is narrow, that doesn't mean there aren't additional companies also doing some pretty impressive work on privacy. This year, an honorable mention goes to Under Armour. The HPE-IAPP Privacy Innovation Awards recognize unique programs and services in global pr... Read More

A lean approach to compliance: Minimum viable privacy program

As we are all explicitly aware, privacy and data protection compliance is not a one-time job. It is a continuous process. The key is to build a sustainable compliance model, thereby creating a proactive culture that responds effectively to privacy-related matters. Currently, there is a data protection hype in Turkey. With the new data protection legislation in force, almost all companies are in a rush to ensure that they are compliant with the law because of the hefty fines and criminal conseq... Read More

For a Successful Privacy Program, Use these Three A's – Article Series

Last Updated: May 2016

A successful privacy program is a complex undertaking. The privacy team needs to stay abreast of regulatory and statutory changes; watch for potential threats from both external and internal sources; assure compliance in existing or emerging business practices; respond to stakeholder inquiries; and provide privacy leadership to their organization to name just a few of their myriad responsibilities. With this many balls to keep in the air, how can you quickly explain the... Read More

How the C-Suite Should Talk About Cybersecurity – Article Series

Last Updated: June 2016

Increasingly, C-suite executives and board members have questions about their companies' cybersecurity practices — or lack thereof. This series provides high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches and the attorney-client privilege for cybersecurity investigations. Part 1: What is Cybersecurity? Part 2: Liabilities... Read More

Building a Privacy Program from Ground Zero

Original broadcast date: June 22, 2015

Have you been charged with building a privacy program from scratch with few or no resources? If so, you’re not alone. But fear not; it can be done! Join us for this very practical presentation from two seasoned veterans and learn not only what you need to do to get started but also how to prioritize your checklist. You’ll hear about how to identify the people, processes and technologies you need to accomplish your goals when given a very limited budget to work with and what the most important first steps are in standing up your program. Read More

Building a program? Better get your internal audit game right

In the wake of several major data security breaches and increasing regulatory pressure on companies to protect confidential information, building an effective privacy program is crucial. Privacy practices are rapidly developing in all sectors and industries, and while non-compliance with the numerous industry, state, federal, and international regulations can cut heavily into profit margins, the effects of a data security breach can kill relationships with customers, vendors, and even stakeholde... Read More

Starting Up Privacy at a Startup – Article Series

Last Updated: November 2015

In this four-part series, Stephen Bolinger, CIPP/E, CIPP/G, CIPP/US, CIPM, who spent years at tech giant Microsoft, shares some of the strategic and tactical decisions along the way as a first-time CPO, as well as some observations on the differences and similarities between privacy programs and roles at a large multinational versus a small tech start-up. Part 1: Identifying and triaging any clear gaps in compliance Part 2: Building privacy into the culture of yo... Read More

Chief Privacy Officer: Sample Job Description

Published: August 4, 2014

Back in 2006, then IBM CPO Harriet Pearson, CIPP/US, said, “a good CPO must do more than just ensure that companies comply with the present-day law. They must also attempt to second-guess future innovation and design company security policies and procedures accordingly.” While the position of the CPO has most certainly changed in the past eight years, as has Pearson’s, this quote has stood the test of time as innovations in technology—and with that, data collection,... Read More