Planning A Data Privacy Initiative

Data Privacy and the Typical Challenges

Situation

Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.

With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.

Privacy, traditionally, has existed in a separate realm, resulting in an unintentional and problematic barrier drawn between the privacy team and the rest of the organization.

With many regulatory frameworks to consider and a number of boxes to tick off, building an all-encompassing data privacy program becomes increasingly challenging.

Challenges

Insight

Sell privacy to the business by speaking a language it understands. IT and InfoSec leaders need to see privacy not only as a compliance obligation but as a driver of business efficiency.

Integrate and build by developing a program that promotes:

  • Privacy standards that are established with respect to how information is accessed.

  • Accessibility to this information through a defined understanding of personal data’s processing standards in the organization.

If Your Organization Needs To

  • Understand how to adapt and quantify privacy beyond compliance.

  • Change the pre-existing perspective on how to assess privacy competency.

  • Shift the organization’s view of privacy as the enemy of efficiency and innovation.

  • Build an environment that places privacy ownership in the hands of the business.

  • Extend the privacy program beyond the privacy team or organizational function.

  • Take the ambiguity out of privacy program management.

Cover the Major Regulations Applicable

  • GDPR (General Data Protection Regulation): Enforced by the European Union, GDPR aims to protect the privacy and personal data of EU citizens. It requires organizations to obtain explicit consent for data collection, gives individuals control over their data, requires data breach notifications, and imposes hefty fines for non-compliance.

  • In 2023, several states in the USA enacted new privacy laws to enhance data protection and consumer privacy rights:

    Virginia: Virginia passed the Virginia Consumer Data Protection Act (VCDPA), which grants consumers certain rights over their personal data held by businesses, such as the right to access, correct, delete, and opt-out of the sale of their data. It applies to businesses that meet specific thresholds regarding data processing activities.

    Connecticut: Connecticut implemented the Connecticut Consumer Data Privacy Act (CPDA), which similarly provides consumers with rights regarding their personal information held by businesses. It includes provisions for transparency in data practices, consumer control over data, and requirements for data security measures.

    Utah: Utah introduced the Utah Consumer Privacy Act (UCPA), which focuses on giving consumers more control over their personal data. It requires businesses to disclose data practices, obtain consent for data processing, and allow consumers to access, correct, delete, or opt-out of the sale of their data.

    Colorado: Colorado enacted the Colorado Privacy Act (CPA), which establishes requirements for businesses regarding the collection, use, and protection of consumers' personal data. It gives consumers rights to access, correct, delete, and opt-out of the sale of their data and imposes obligations on businesses for data protection and transparency.

    New York City (NYC): While there isn't a comprehensive statewide privacy law in New York, New York City has proposed its own privacy regulations, such as the NYC Automated Decision Systems (ADS) Law, which aims to regulate the use of automated decision-making systems by city agencies. These regulations focus on ensuring transparency, fairness, and accountability in the use of AI systems that impact city residents.

  • CCPA (California Consumer Privacy Act) & CPRA (California Privacy Rights Act): CCPA, enacted in 2018 and in effect since 2020, grants California residents rights regarding their personal information held by companies. It requires businesses to disclose data practices, allow consumers to opt-out of data selling, and imposes penalties for data breaches. CPRA, passed as a ballot initiative in 2020 and effective from 2023, enhances CCPA by introducing stricter rules, creating a dedicated enforcement agency, and expanding consumer rights.

  • Canada: Canada has its own privacy laws, notably the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. It requires consent for data collection, limits data use to specified purposes, and mandates security measures to protect personal information.

    In addition to PIPEDA, which applies to private-sector organizations across Canada, Quebec has its own privacy legislation known as the Act Respecting the Protection of Personal Information in the Private Sector (ARPPIPS). ARPPIPS is often considered to be closely aligned with the principles of GDPR. It governs the collection, use, and disclosure of personal information by private-sector organizations operating in Quebec, emphasizing transparency, consent, and individual rights over personal data. Like GDPR, ARPPIPS requires organizations to obtain consent for data processing, disclose data practices, and implement security measures to protect personal information.

  • Non-Profit: Non-profit organizations handling personal data are subject to various privacy regulations depending on their jurisdiction. They typically have to adhere to the same data protection standards as for-profit entities, ensuring transparency, consent, and security in handling personal information.

    While non-profit organizations typically have to adhere to privacy regulations like GDPR, CCPA, or HIPAA depending on the nature of their activities and the data they handle, there may be certain exemptions or variations in how these regulations apply to non-profits compared to for-profit entities.

    For instance, some regulations may exempt non-profits from certain requirements or provide them with leniency due to their charitable or non-commercial nature. However, the specifics of these exemptions can vary based on the jurisdiction and the particular regulation in question.

    For example, GDPR includes exemptions for processing personal data for purely personal or household activities, which may encompass some activities of non-profit organizations. Similarly, HIPAA contains exemptions for certain types of non-profit organizations that do not engage in standard healthcare functions covered by the law.

    However, it's essential for non-profits to carefully review the regulations applicable to them and seek legal guidance to ensure compliance with relevant privacy laws. While there might be exemptions in some cases, non-profits still need to prioritize the protection of personal data and respect individuals' privacy rights to maintain trust and integrity in their operations.

  • HIPAA (Health Insurance Portability and Accountability Act): HIPAA is a U.S. federal law that regulates the use and disclosure of individuals' protected health information (PHI) by healthcare providers, health plans, and healthcare clearinghouses. It establishes national standards for securing PHI, limits its use and disclosure without patient consent, and provides individuals with rights over their health information.

  • AI privacy regulations encompass various laws and guidelines that address the ethical and privacy implications of AI technologies. These regulations often focus on transparency in AI systems, accountability of AI developers, fairness in AI algorithms, and protection of individuals' rights when AI is involved in decision-making processes that affect them.

Deliverables

Clarity is important. Having a firm grasp on what’s expected when you engage us, including objectives and deadlines, is crucial to your success. We like to make things clear so you know what you’re getting.

Privacy Program RACI Chart

We leverage this worksheet to identify and understand the owners of the data privacy program within the organization, across the different work units. This RACI chart will help clearly define each organizational team's roles and accountabilities.

Data Process Mapping

The Data Process Mapping worksheet aligns closely with the requirements for the Record of Processing set out in Article 30 of the European Union's General Data Protection Regulation (GDPR).

This tool serves as a repository of all processing activities within the organization and captures the minimum information required by Article 6 and Article 30 of GDPR.

Data Protection Impact Assessment

This worksheet is intended to enable organizations to complete a Data Protection Impact Assessment (DPIA). Data Protection Impact Assessments ensure that processing activities are both compliant with data protection regulations, such as the GDPR, and that data processors are cognizant of the risks surrounding the processing of personal data.

Privacy Framework

This worksheet provides us with a framework to start evaluating how to build your privacy program. It includes a gap analysis exercise that maps to laws and frameworks such as GDPR, CCPA, HIPAA, and the NIST Privacy Framework. The additional tabs assist with the prioritization of the resulting projects.

Privacy Policy Templates

We include templates to help expedite communication requirements, such as:

  • Privacy Notice Template (external facing)

  • Data Protection Policy

  • Cookie Policy

  • Data Retention Policy

Data Privacy Program Report

This deck is intended to be an executive summary of the results of the Data Privacy Program. It is used to document our work on select blueprint activities and to organize all the work in one report to share with your executive team.

We typically use this DPIA prior to the processing of personal data (per Article 35 of GDPR) where any of the following applies:

  • Where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

  • Where processing involves a systematic and extensive evaluation of personal aspects relating to natural persons that is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.

  • When processing, on a large scale, special categories of data referred to in Article 9(1), or personal data relating to criminal convictions and offences referred to in Article 10.

  • When processing involves systematic monitoring of a publicly accessible area on a large scale, or where the type of processing appears on a list of processing operations subject to the requirement for a data protection impact assessment, as made public by the relevant supervisory authority.

Privacy Automation

We partnered with the leader, OneTrust, to implement a single privacy platform that supports cross-regulation compliance, giving your organization all the capabilities, guidance, and automation needed to streamline and operationalize its privacy program.

Contact us.

Find out how to access both the business benefits and the information technology benefits of privacy management.

Business benefits:

  • Understanding of the scope of personal data processing.

  • Integration of privacy requirements into pre-existing operations.

  • Net-new operating procedures.

  • Leveraging privacy as a competitive advantage.

  • Knowing how each business unit’s processes impact and reference personal data.

Information technology benefits:

  • Information security-specific privacy controls, mapped against governing privacy frameworks.

  • A comprehensive inventory of where personal data exists within IT systems.

  • A privacy-lens perspective on IT controls.

  • Roles and responsibilities for privacy-IT integration and individual privacy initiatives.