Data Privacy.

Assessment and Strategy

Your Situation and Challenges

Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.

With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.

Privacy, traditionally, has existed in a separate realm, resulting in an unintentional and problematic barrier drawn between the privacy team and the rest of the organization.

With many regulatory frameworks to consider and a number of boxes to tick off, building an all-encompassing data privacy program becomes increasingly challenging.

Sell privacy to the business by speaking a language it understands. IT and InfoSec leaders need to see privacy not just as compliance, but as a driver of business efficiency.

Integrate and build by developing a program that promotes:

  • Privacy standards that are established with respect to how information is accessed.

  • Access to this information, based on a defined understanding of how personal data is processed in the organization.

If Your Organization Needs To

  • Understand how to adapt and quantify privacy beyond compliance.

  • Change the pre-existing perspective on how to assess privacy competency.

  • Shift the organization’s view of privacy as the enemy of efficiency and innovation.

  • Build an environment that places privacy ownership in the hands of the business.

  • Extend the privacy program beyond the privacy team or organizational function.

  • Take the ambiguity out of privacy program management.

Deliverables

  • We leverage this worksheet to identify and understand the owners of the data privacy program within the organization, across the different work units. This RACI chart will help clearly define each organizational team's roles and accountabilities.

  • This worksheet provides us with a framework to start evaluating how to build your privacy program. It includes a gap analysis exercise, which provides mapping to laws like GDPR, CCPA, HIPAA, and NIST Privacy Frameworks. The additional tabs assist with the prioritization of these different projects.

  • The Data Process Mapping worksheet aligns closely with the requirements for the Record of Processing set out in Article 30 of the European Union's General Data Protection Regulation (GDPR).

    This tool serves as a repository of all processing activities within the organization and captures the minimum level of information required by Article 6 and Article 30 of GDPR.

  • We include templates to help expedite communication requirements such as: a Privacy Notice Template – External Facing; a Data Protection Policy; a Cookie Policy; a Data Retention Policy.

  • This worksheet is intended to enable organizations to complete a Data Protection Impact Assessment (DPIA). Data Protection Impact Assessments ensure that processing activities are both compliant with data protection regulations, such as the GDPR, and that data processors are cognizant of the risks surrounding the processing of personal data.

    We typically use this DPIA prior to the processing of personal data (per Article 35 of GDPR) where any of the following applies:

    - Where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

    - Where the processing involves a systematic and extensive evaluation of personal aspects relating to natural persons that is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.

    - Where processing is carried out on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.

    - Where processing involves systematic monitoring of a publicly accessible area on a large scale, or where the type of processing is identified on a list of processing operations that are subject to the requirement for a data protection impact assessment, as made public by a relevant supervisory authority.

  • This deck is intended to be an executive summary for the results of the Data Privacy Program. It is used to document our work on select blueprint activities and to organize all the work in one report to share with your executive team.

Clarity is important. Having a firm grasp on what’s expected when you engage us, including objectives and deadlines, is crucial to your success. We like to make things clear so you know what you’re getting.

Privacy Automation

We partnered with the market leader, OneTrust, to implement a single privacy platform that supports cross-regulation compliance, giving our clients all the capabilities, guidance, and automation needed to streamline and operationalize their privacy programs.

Contact us.

Find out how to access both the business benefits of privacy management:

  • Understanding of the scope.

  • Integration of privacy requirements as a part of pre-existing operations.

  • Net-new operating procedures.

  • Leveraging privacy as a competitive advantage.

  • Knowing how each of the business units’ processes impact and reference personal data.

and the information technology benefits of privacy management:

  • Information security-specific privacy controls, mapped against governing privacy frameworks.

  • A comprehensive inventory of where personal data exists within IT systems.

  • A perspective on IT controls through a privacy lens.

  • Roles and responsibilities for privacy-IT integration and individual privacy initiatives.