How to Build a Privacy Program

Creating or further developing a privacy program is no simple thing. An effective and successful privacy program is built not just on knowledge of the relevant laws and how to comply with them, but also on proactive strategies, persuasion, political savvy, adaptability and a passion to get an exciting new organizational function up and running. This topic page offers tools, guidance and research to help you achieve your goal.

Featured Resources

2023 here we come: Prepare your privacy program

It may feel early to start planning for 2023. However, new U.S. state privacy laws, new laws in Brazil and China, and updates in India and the EU are headed our way, with more likely to follow. This article sets out steps to help companies get organized and head into 2022 with a meaningful strategy for 2023.

Privacy Program Management, 3rd Edition

This IAPP textbook provides the critical knowledge necessary for anyone responsible for managing privacy program governance and operations. Reorganized with expanded topics relevant to privacy program leaders, the third edition takes a global view of privacy managers’ obligations and practices.

Metrics to Uplevel Your Privacy Program

In this web conference, panelists share best practices about how to measure the success of your privacy program. Panelists also emphasize which privacy metrics best demonstrate the value of your privacy program to your C-suite, highlight which privacy metrics tend to provide opportunities for improvement as well as which privacy metrics create unhelpful noise.


Latest News and Resources

Consumers say trust depends on transparency

Consumers worldwide say data transparency is a top priority when it comes to trusting organizations with their personal data. They look to their national government to take a primary role in protecting data and continue to be very supportive of privacy laws in their countries. Consumers are also increasingly taking action to protect their own data by exercising their privacy rights and switching providers when necessary. They tend to support artificial intelligence and automated decision-making,...

Web Conference: Three Ways Privacy and Security Can Crush Third-Party Reviews – as Friends

Original broadcast date: 18 Oct. 2022

Too often, privacy and security teams work separately despite the truth: Many times, they’re working toward the same goals. For example: How many of us have realized duplicative paperwork and questionnaires during the third-party vendor vetting process? But if there’s early collaboration between privacy and security, the efficiencies gained can be game-changing. In this web conference, panelists discuss how organizations can gain privacy champions, learn strategies and tools for cross-functional collaboration and implement frameworks to collaborate efficiently.

Web Conference: Perfecting Privacy Practices

Original broadcast date: 30 Aug. 2022

In this web conference, panelists share common benchmarks and metrics for assessing your company’s data privacy policies, practices and program, how to track if your organization is following generally accepted privacy principles, how this all intersects with proposed changes from regulators via pending legislation and rulemaking in the American Data Privacy and Protection Act, the California Privacy Rights Act, the Terms-of-service Labeling, Design and Readability Act and more.

Privacy: An organization’s responsibility for building trustworthy systems
(IAPP, August 2022)
Privacy with Microsoft Video Series – Episode 3: Privacy Incident Management Program Development
(IAPP, August 2022)
Hiscox Cyber Readiness Report
(Hiscox, August 2022)
Web Conference: Managing Privacy Risk and Safeguarding Personal Information
(IAPP, June 2022)
Running a privacy law-compliant inclusion and diversity data collection program globally
(IAPP, May 2022)
Web Conference: The Importance of Diversity in the Privacy Office: A U.S. Perspective
(IAPP, May 2022)
Assessing risk: Determining the appropriate risk flags for your privacy risk assessments
(IAPP, April 2022)
Risk of What? Setting Risk Priorities for Data Protection and Privacy
(Information Accountability Foundation, April 2022)
Web Conference: Building Your US Privacy Program: Six Steps to US Privacy Compliance
(IAPP, April 2022)
Web Conference: Data Retention: The Blind Spot in Your Privacy Program
(IAPP, March 2022)
Managing an explosion of customer data
(KPMG, February 2022)
Web Conference: Marketing and Consumer Experience Perspectives to Enhance Your Privacy Program
(IAPP, February 2022)
Ransomware: 5 critical tips for organizations
(IAPP, February 2022)
LinkedIn Live: ‘How To Build An Effective Privacy Engineering Team’
(IAPP, February 2022)
Web Conference: The Road to Continuous Compliance: How Future-Proof is Your Privacy Program?
(IAPP, January 2022)
Web Conference: Practical Tips for Building Your Privacy Operations
(IAPP, January 2022)
Web Conference: The Privacy Evolution: Enabling Trusted Data Use
(IAPP, January 2022)
Cisco – Security Outcomes Study
(Cisco, December 2021)
Web Conference: Embracing Today’s Privacy Landscape and Leaning Into Privacy Management
(IAPP, December 2021)
Measuring global diversity and inclusion: The art of the possible
(IAPP, November 2021)
Web Conference: Establishing Repeatable and Scalable Privacy Programs
(IAPP, September 2021)
Data privacy requests metrics: Lessons for your privacy program
(IAPP, September 2021)
PDPC – Guide to Developing a Data Protection Management Program
(PDPC, September 2021)
The Risk of ‘Dumpster Data’ Exposure and How to Prevent It
(Blancco, September 2021)
Web Conference: From Programs to Programmatic: New Mindsets & Methods for Privacy Challenges
(IAPP, August 2021)
Web Conference: A Practitioner Approach to Implementing Data Protection & Privacy by Design
(IAPP, August 2021)
Five Things You Can Learn from a Data Audit
(Aparavi, August 2021)
What are the driving forces of a company’s privacy strategy in a constantly changing landscape?
(IAPP, July 2021)
Web Conference: Building a Resilient Privacy Program and Operation
(IAPP, June 2021)
Web Conference: Building a Next Generation Practice Leadership
(IAPP, May 2021)
Web Conference: Why Privacy Departments Hold the Key to Incident Response
(IAPP, July 2021)
Privacy By Design: From Principles to Requirements
(Mark Settle, May 2021)
ICO: Top tips for dealing with information access requests
(ICO, February 2021)
ICO — Toolkit for organizations considering using data analytics
(ICO, February 2021)
Effective management of cannabis consumer data risk
(IAPP, January 2021)
Web Conference: Privacy Metrics: Measuring Privacy Programs
(IAPP, May 2021)
Web Conference: The 7 Sins of Managing Data Privacy
(IAPP, March 2021)
Web Conference: D&I and Your Privacy Program: A Discussion on Intersectionality
(IAPP, March 2021)
Web Conference: A 360-Degree View of Enterprise-wide Privacy Risk
(IAPP, March 2021)
Privacy with Microsoft Video Series – Episode 2: Implementation of Corporate Privacy Policy
(Microsoft, February 2021)
Privacy with Microsoft Video Series – Episode 1: Enterprise Privacy Management
(Microsoft, February 2021)
Web Conference: Make 2021 the Year of Privacy: Building a Yearlong Privacy Awareness Program
(IAPP, January 2021)
Privacy fatigue and how to combat it
(IAPP, January 2021)
Security and Privacy Controls for Information Systems and Organizations
(NIST, December 2020)
Web Conference: Developing and Embedding a Privacy Program Across a National Organization
(IAPP, November 2020)
Web Conference: From Startup to Public: Building a Mature Privacy Program on a Shoestring
(IAPP, October 2020)
Privacy Leaders’ Views – The Impact of COVID-19 on Privacy Priorities, Practices and Programs
(IAPP, October 2020)
Benefits, Attributes and Habits of Mature Privacy and Data Protection Programs
(IAPP, October 2020)
Web Conference: Rising Above the Fray: Building a Privacy Office with Impact
(IAPP, October 2020)
White Paper – The Skill Set Technologists Need to Implement a Privacy Risk Management Framework
(IAPP, October 2020)
Measuring Privacy Operations
(IAPP, November 2019)
From Microsoft’s CPO to Airbnb’s, his goals are the same
(IAPP, October 2020)
Managing Data-Related Enterprise Risks
(Directors & Boards, September 2020)
Evolve your Data Mapping
(Securiti, July 2020)
Web Conference: Building a Privacy Culture in Our Conflicted Age
(IAPP, June 2020)
Web Conference: Practical Primer on Privacy Preparedness
(IAPP, June 2020)
How to operationalize privacy by design
(IAPP, May 2020)
Embedding data ethics into your ‘culture of privacy’
(IAPP, May 2020)
Web Conference: Strategic Vendor Risk Management for Privacy Pros
(IAPP, May 2020)
How to leverage your existing privacy program to manage brand reputation risks
(IAPP, April 2020)
Checklist: Expedited Vendor Privacy and Security Assessment
(IAPP, April 2020)
How to Build a Culture of Privacy – Article Series
(IAPP, March 2020)
Building a culture of privacy: Legal compliance as a result, not a goal
(IAPP, March 2020)
How to build a ‘culture of privacy’
(IAPP, February 2020)
IAPP-EY Annual Governance Report 2019
(IAPP, September 2019)
Building a long-lasting privacy program in an ever-changing regulatory landscape
(IAPP, September 2019)
Tool helps map out relevant privacy laws for organizations
(IAPP, July 2019)
Privacy Management Program Self-Assessment
(Office of the Information and Privacy Commissioner for British Columbia, July 2019)
How do organizations demonstrate a positive privacy impact?
(IAPP, February 2019)
The Privacy Advisor Podcast: Santa Clara County’s CPO on building a privacy program from the ground up
(IAPP, January 2019)
How to drive effective privacy operations with functional requirements
(IAPP, August 2018)
Personal Data and the Organization: Stewardship and Strategy
(Future of Privacy Forum, July 2019)
A Guide to Privacy by Design
(AEPD, February 2020)
Web Conference: The Information Protection Blueprint: Ideas for Modern IT Security and Compliance
(IAPP, September 2020)
Web Conference: Privacy Compliance Meets IT
(IAPP, September 2020)
Web Conference: The LGPD, GDPR, CCPA and More – How to Abide by Multiple Privacy Laws
(IAPP, September 2020)
3 benefits for businesses to adopt PDS
(IAPP, September 2020)
Beyond a compliance mindset: How we communicate about privacy impacts our influence
(IAPP, September 2020)
Web Conference: The Relationship Between Organizations’ Privacy Practices and Data Breach Risk
(IAPP, September 2020)
Zoox Smart Data — Privacy Program Implementation Guide
(Zoox, August 2020)
Building a culture of privacy: Privacy as a strategic initiative
(IAPP, August 2020)
Study finds 93% of US citizens would switch to privacy-conscious organizations
(IAPP, August 2020)
Web Conference: Privacy Program Remediation to Incorporate Legacy Systems
(IAPP, August 2020)
Web Conference: Building a Privacy Culture: A Conversation with Privacy Program Managers
(IAPP, August 2020)
Web Conference: Global Privacy Survey: How Does Your Privacy Program Compare to Others in 2020?
(IAPP, June 2020)
How to make responsibly sourced data the rule, not the exception
(IAPP, June 2020)
Building a culture of privacy: Be customer-centric
(IAPP, June 2020)
Survey of Fortune 500 Companies’ Privacy Representations
(Bryan Cave Leighton Paisner, January 2020)
Measuring Privacy Operations
(IAPP, December 2018)
White Paper – Applying the Positive-Sum Principle for Successful Privacy by Design Outcomes
(IAPP, July 2018)
White Paper – They Did What? Top Privacy Mistakes To Watch Out For (and How To Avoid Them)
(IAPP, June 2018)
White Paper – Must-Have Privacy Training Features for Your Team
(IAPP, June 2018)
White Paper – Check or Mate? Strategic Privacy by Design
(IAPP, October 2017)
Benchmarking your Privacy Incident Management Program – Article Series
(IAPP, July 2017)
Deep Dive into the technology of corporate surveillance
(Electronic Frontier Foundation, February 2020)
Under Armour takes ‘honorable mention’ for building innovative privacy program
(IAPP, October 2018)
A lean approach to compliance: Minimum viable privacy program
(IAPP, May 2017)
For a Successful Privacy Program, Use these Three A’s – Article Series
(IAPP, July 2016)
How the C-Suite Should Talk About Cybersecurity – Article Series
(IAPP, July 2016)
Web Conference: Building a Privacy Program from Ground Zero
(IAPP, October 2016)
Building a Program that Provides Value – Article Series
(IAPP, July 2016)
Kick-Starting a Privacy Program
(IAPP, February 2013)
Ten Steps to a Quality Privacy Program – Article Series
(IAPP, December 2012)
Building a program? Better get your internal audit game right
(IAPP, August 2016)
What’s a nonprofit to do? How to create the (best) privacy program, on the cheap
(IAPP, April 2016)
Are You a Completely Green CPO? Here’s Somewhere To Start
(IAPP, September 2015)
Starting Up Privacy at a Startup – Article Series
(IAPP, July 2016)
Designing and Implementing an Effective Privacy and Security Plan
(IAPP, March 2014)
Chief Privacy Officer: Sample Job Description
(IAPP, August 2014)
Good Cybersecurity Means Good Info Governance
(IAPP, March 2014)
How To Measure Your Privacy Program, Step-by-Step
(IAPP, May 2014)
Exploring model privacy programs at organizations both large and small
(IAPP, December 2012)

Definitions

Privacy Program Framework

An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization....

Privacy Champion

An executive who serves as the privacy program sponsor and acts as an advocate to further foster privacy as a core organization concept....

Privacy Operational Life Cycle

Focused on refining and improving privacy processes, this model continuously monitors and improves the privacy program, with the added benefits of a life cycle approach to measure (assess), improve (protect), evaluate (sustain) and support (respond), and then start again. Associated term(s): Assess; Protect; Sustain; Respond...

COVID-19 Privacy Program Resources

How to employ privacy by design in the fight against COVID-19

As COVID-19 is rapidly spreading around the world, public health authorities are eagerly searching for effective measures to flatten the curve and decrease the rate of contamination. Among others, many governments are using or considering using surveillance technology to track the movements of people infected by COVID-19 and notify those who may have been exposed to the virus. Naturally, the use of such measures on a wide scale raises serious privacy concerns. In Israel, for example, there is a ...

Canada: Mitigating Privacy Risks For Teleworkers
(Pallett Valo LLP, March 2020)