Privacy Is a Must Have These Days–Guide to Implementing a Holistic Privacy Program
Notwithstanding the EU General Data Protection Regulation (GDPR) that went into effect on May 25, 2018—the most sweeping change to data privacy in 20-plus years, with extraterritorial scope—there are numerous privacy laws that are often overlooked.
Earlier this year, companies like Facebook have come under fire for privacy violations while Congress is looking for ways to protect the privacy of American citizens. These movements are just the beginning of widespread change that we expect for privacy laws over the next several years.
As discussed in the Spring 2018 issue of the Nonprofit Standard
in an article entitled “The Integration of Data Privacy into a Data Governance Program
,” nonprofits can’t afford to ignore regulations like GDPR as many organizations are impacted due to their global reach. But now that May 25, 2018 has passed and GDPR officially is in effect, it’s time to think about your holistic privacy program. This may mean implementing a Privacy Operational Life Cycle that helps your organization keep employees apprised of new privacy requirements and embraces recordkeeping and sound data protection practices while offering enhanced data privacy for your donors, employees, and constituents.
Think about these areas to develop a sound Privacy Operational Life Cycle:
- Develop an organizational privacy vision and mission and document the program’s objectives.
- Identify legal and regulatory compliance challenges that are relevant to your organization.
- Locate and document where personal information resides throughout your organization or across third parties (e.g., hosting vendors, outsourced applications).
- Develop a privacy strategy that identifies stakeholders, leverages key functions throughout the organization, creates a process for interfacing within the organization and outlines a data governance strategy.
- Conduct a privacy awareness workshop to highlight the goals of the program to the entire organization.
- Develop a structure for your privacy team with a governance model that is clear and consistent for the size of your organization.
The above-mentioned items are a starting point, but there is more to do after you develop your initial structure and communicate the purpose of the program. Below is a guide to developing the Privacy Operational Life Cycle.
Develop and Implement a Framework
The framework should provide you with an implementation road map that outlines your privacy procedures and processes. Developing a framework helps you identify high risk areas, reduce data loss and measure against compliance to laws, regulations and standards. Frameworks that provide initial guidance include the AICPA and CICA Privacy Framework, ISO 17779/BD7799, or OECD Privacy Guidelines.
Develop Privacy Policies
Once you have selected an overall framework to govern your privacy program, look at your existing policies, procedures and guidelines. During this phase, you should evaluate the goals and determine the business initiatives at the baseline of the program. As you look to update policies, procedures and guidelines for the organization, ensure that there is a mechanism to enforce these policies and don’t forget to review the current website privacy notice. This has become a critical target of privacy watchdogs to ensure that you can fulfill the commitment of the statements in that notice.
Develop Mechanisms to Measure Performance
Within your privacy life cycle, it will be important to be able to measure performance of the program. To implement metrics, consider your audience—will it be the board, external parties, regulatory agencies or the staff? Determine how you will report on these metrics that you have identified. Decide what measurements you are interested in sharing with your audience and how this could impact funding positively or negatively. Next, establish how you will measure progress toward the organization’s business goals and objectives. Do your best to limit improper metrics that do not support the organization’s mission. And finally, determine the best methods to collect the data you need. Your goal is to demonstrate compliance while establishing the privacy program’s return on investment.
Develop the Privacy Operational Life Cycle
The Privacy Operational Life Cycle should consider measurement, improvements, and the ability to sustain and support the program. To do this effectively, develop an operational life cycle that considers the assessment, protection, governance and response phases. Some tips to consider for each aspect of the life cycle:
- Assess – Embed Privacy by Design (PbD) into the design of technology, business practices and physical design of new programs. In addition to PbD, regularly evaluate third-party compliance, as well as internal program compliance.
- Protect – Ensure that information life cycle management (ILM) is built into your data protection strategy. While it is important to ensure that your data protection strategies mitigate the risk of a data breach, you also need to consider sound ILM practices. Remember, the less you have, the less you have to protect.
- Govern – While it’s important to be able to evaluate and protect information, you also need to monitor, audit and communicate the privacy framework. Develop a strategy and operational procedures that allow your organization to maintain a transparent and visibly sound program. And don’t forget to monitor regulatory changes that impact your organization.
- Respond – Traditionally, privacy and security teams viewed their ability to respond as responding to a security event. Today, that has changed: It’s much broader and also requires the ability to respond to complaints, requests for information, corrections of inaccurate data, clarifications of privacy matters and access requests.
Holistic privacy program development is the wave of the future, especially in a competitive world where data is at the core of every business or organization. Establish a program that fits your nonprofit to ensure that you remain ahead of the curve and out of regulators’ sights.
Be sure to keep up with the latest happenings in the nonprofit industry by subscribing to our blog and following us on Twitter @BDONonprofit.