DEVELOPING A PRIVACY COMPLIANCE FRAMEWORK
- Timothy Miller
- Apr 22, 2025
- 3 min read
Author: Dr. Timothy Miller, CISA, CIPP (CA, US, EU), CEP
Privacy compliance depends on developing and maintaining an appropriate framework on which the company collects, stores, processes, and transfers personal data. Not every company needs a finely detailed privacy framework, but every company does need a focus and direction on how it manages and governs data use. Having this focus helps define privacy activities for the privacy team and senior leadership.
While no two privacy programs look alike, as a business’s specific nature and its risks drive program development, there are several universal considerations. Specifically, any privacy compliance framework must reflect:
■ The company’s operations and internal resources.
■ The nature of the company’s data (see Understanding the Data).
■ Legal, regulatory and contractual obligations (see Determining Legal and Program Requirements).
■ Key risks to company data (see Performing a Risk Assessment).
■ The company’s privacy principles.
While gathering basic information about many of these issues is a preliminary matter (see Preliminary Considerations), developing the privacy framework requires a deep dive.
Understanding the Data
To properly approach compliance, a business must thoroughly understand the types of personal data it collects and stores. For a new privacy program, an initial project should be to locate the data or create a data map. As a starting point, the privacy team should understand the following about the data the business collects:
• The types of protected information that the company collects, for example, health or financial information.
• Whether protected data is kept electronically or on paper, or both.
• The location of data, both within the company and as it resides with third parties.
• Countries to or between which the company’s data is transferred.
• Data security measures that protect data, including for example whether any data is encrypted, either at rest or in transfer.
• The business unit or individual data owner within the company that is responsible for each set of data.
If the resources are available, the business should create a full data map of the data it collects, processes, and stores. A data map can take many forms, but typically consists of a database, list, or graphic representation of information specific to particular subsets of data. In addition to the elements noted above, a full data map should include as much detailed information as possible regarding:
• Data use.
• Data sharing.
• Data storage.
• Data retention process and policy.
• Countries to or between which data is transferred.
• Where the data is collected.
• Third-party access to any data.
A comprehensive data map is extremely useful for legal, compliance, security, and business reasons. However, preparing a complete data map is time and resource intensive and, therefore, many companies do not prepare one. At a minimum, to develop a compliance plan, the privacy office should understand the types of data the business collects and generally where that data is collected and stored.
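To show what the minimum data-map elements listed above look like once they are captured in a queryable form, here is an added example that is not part of the article: a small Python inventory whose records hold the fields the article names (data type, storage form, locations, transfer countries, encryption at rest and in transit, owner, retention policy, third-party access), plus gap checks that flag the records a privacy office would want to look at first. The record layout, the PROTECTED_TYPES set and the sample records are assumptions constructed for illustration, not data from any real company.

```python
"""Minimal data map with automated gap checks (added example, not the article's own code).

Each record captures the elements the article lists for a data map. All records
in SAMPLE_DATA_MAP are constructed sample data, and PROTECTED_TYPES is an
assumption about which categories this hypothetical company treats as protected.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: categories of personal data this hypothetical company treats as protected.
PROTECTED_TYPES = {"health", "financial", "children"}


@dataclass
class DataRecord:
    name: str
    data_type: str                 # e.g. "health", "financial", "marketing"
    storage_form: str              # "electronic", "paper" or "both"
    locations: List[str]           # internal systems or third parties that hold the data
    transfer_countries: List[str]  # countries the data is transferred to or between
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    owner: str                     # business unit or individual data owner; "" if unknown
    retention_policy: str          # documented retention rule; "" if none
    third_party_access: List[str] = field(default_factory=list)


def is_protected(rec: DataRecord) -> bool:
    return rec.data_type in PROTECTED_TYPES


def find_gaps(records: List[DataRecord]) -> List[Tuple[str, str]]:
    """Return (record name, finding) pairs for the gaps a privacy office would triage first."""
    findings = []
    for r in records:
        if not r.owner:
            findings.append((r.name, "no data owner assigned"))
        if not r.retention_policy:
            findings.append((r.name, "no retention policy documented"))
        # Electronic copies of protected data should be encrypted at rest.
        if is_protected(r) and r.storage_form in ("electronic", "both") and not r.encrypted_at_rest:
            findings.append((r.name, "protected data stored unencrypted"))
        # Any cross-border movement should at least be encrypted in transit.
        if r.transfer_countries and not r.encrypted_in_transit:
            findings.append((r.name, "cross-border transfer without encryption in transit"))
        # Protected data reachable by third parties needs contractual and access review.
        if is_protected(r) and r.third_party_access:
            findings.append((r.name, "protected data accessible to third parties: "
                             + ", ".join(r.third_party_access)))
    return findings


def transfer_countries(records: List[DataRecord]) -> List[str]:
    """Sorted set of every country data moves to; the starting point for transfer-rule analysis."""
    return sorted({c for r in records for c in r.transfer_countries})


def gaps_for(records: List[DataRecord], name: str) -> List[str]:
    """Findings for a single record, by name."""
    return [msg for rec_name, msg in find_gaps(records) if rec_name == name]


# Constructed sample records for a hypothetical company.
SAMPLE_DATA_MAP = [
    DataRecord("patient_records", "health", "electronic",
               ["ehr-db", "cloud-backup-vendor"], ["US", "IE"],
               True, True, "Clinical Operations", "7 years after last visit",
               third_party_access=["cloud-backup-vendor"]),
    DataRecord("payroll_export", "financial", "both",
               ["hr-share"], [],
               False, False, "", ""),
    DataRecord("newsletter_list", "marketing", "electronic",
               ["crm"], ["US", "CA"],
               True, False, "Marketing", "until unsubscribe"),
]


if __name__ == "__main__":
    for rec_name, msg in find_gaps(SAMPLE_DATA_MAP):
        print(f"{rec_name}: {msg}")
    print("transfer countries:", transfer_countries(SAMPLE_DATA_MAP))
```

Run as a script, it prints five findings across the three sample records and the three countries involved in transfers. The same checks work unchanged on a larger inventory loaded from a spreadsheet or database export, which is how most privacy offices keep a data map in practice.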
Performing a Risk Assessment
A risk assessment is a key tool for determining where systems may be vulnerable to a data privacy incident. The risk assessment process identifies the company’s unique risk profile, which in turn forms the essential foundation for the company’s privacy program. Companies frequently engage third-party vendors for their risk assessments, though some companies may perform risk assessments using qualified internal personnel.
A risk assessment generally examines:
■ Threats to the business and its data.
■ Vulnerabilities of the business that may be exploited.
■ The likelihood of any given threat occurring.
■ The harm that may result if any given threat occurred.
Some risk assessments solely examine information technology (IT) systems. Others look at the fuller picture and take into account:
■ Access controls.
■ Internal policies and practices.
■ Other compliance measurements.
Determining Legal and Program Requirements
While the specific resources and references most applicable to a given business vary depending on its risks and compliance needs, many sources of information may be useful in crafting a privacy compliance framework. As an initial matter, companies should develop their privacy framework by reference to their specific legal compliance obligations. This is particularly important for companies in regulated industries.
The US, however, does not have a comprehensive privacy or data protection law. A patchwork of state and federal laws instead applies to the collection and use of individuals’ personal information. Many foreign countries do have comprehensive laws governing the treatment of personal information, notably EU countries that have adopted the EU directive and must comply with its replacement, the General Data Protection Regulation (EU GDPR), by May 15, 2018. For more information on US and EU privacy and data protection laws, see Practice Notes, US Privacy & Data Security Law: Overview (6-501-4555) and Overview of EU data protection regime (8-505-1453). Determining applicable law and the corresponding legal requirements is a fact-specific analysis, but typically depends on:
■ The type of information the company collects.
■ The jurisdictions:
• in which the company operates;
• in which the company stores data; or
• in which the people whose personal information is collected reside.
■ The use or other treatment of personal information.
However, the company should not limit its scope of reference to only applicable law. Whether or not the company is regulated, federal regulatory agency guidance provides a useful reference point for developing a privacy compliance framework. The Federal Trade Commission (FTC) in particular, which has broad regulatory authority over privacy and data security, has released guidance across many privacy topics, including:
· Fair information practices and protecting consumer privacy generally (see Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers).
· Privacy of children’s information (see for example, Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business and Complying with COPPA: Frequently Asked Questions).
· The internet of things (see Internet of Things: Privacy & Security in a Connected World).
· Mobile applications (see Marketing your Mobile App: Get it Right from the Start).
· Data security (see Start with Security: A Guide for Business).
DEVELOPING POLICIES AND INTERNAL CONTROLS
The privacy team must create and maintain the policies and internal controls that ensure the company is complying with key laws and regulations on an ongoing basis. Key policies and internal controls include:
■ External privacy statements provided to consumers and others regarding the company’s collection and use of data, including:
• website privacy policies;
• mobile app privacy policies; and
• policies that apply to offline collection and use of data (see Practice Note, Drafting Privacy Notices (w-000-9621)).
■ Internal privacy policies and procedures, such as those that govern how the company collects, uses, protects, retains, and shares consumer and employee personal information (for example, see Standard Document, Personal Information Protection Policy (Internal) (8-596-0085)).
■ Policies and procedures related to privacy and security breaches, such as incident:
• response plans and procedures; and
• reporting and tracking tools.
■ Internal reporting mechanisms for:
• communicating privacy concerns; and
• reporting to the board of directors or senior management.
■ External reporting mechanisms for reporting privacy:
• issues to law enforcement or regulators; and
• risks to the Securities and Exchange Commission.
■ Policies and procedures that address communicating with persons whose personal information the company has collected, such as:
• personal information access and correction policies; and
• procedures for handling privacy complaints.
■ Policies that address the use of company IT and communications resources, such as:
• acceptable use of company IT systems (for a sample, see Standard Document, IT Resources and Communications Systems Policy (8-500-5003));
• social media policies (see Standard Document, Social Media Policy (US) (5-501-1524)); and
• bring your own device policies (see Standard Document, Bring Your Own Device to Work (BYOD) Policy (1-521-3920)).
■ Tools that address managing privacy risk and assessing program success, including:
• privacy by design policies and practices (see Box: Privacy by Design);
• risk assessment tools (see Practice Note, Data Security Risk Assessments and Reporting (w-002-2323));
• privacy impact assessments; and
• privacy measures.
■ Data governance practices and policies that guide compliance and address data privacy regulations, such as:
• records retention schedules;
• records disposal policies and procedures; and
• records storage policies and procedures (see Records Management Toolkit (2-520-1257)).
■ Internal policies that address the governance of corporate crown jewel (intellectual capital) data.
■ Supplier, vendor, and other third-party privacy requirements.
■ Controls directed to tracking and complying with any jurisdiction-specific requirements, such as registering with foreign data protection authorities.