12 Steps to Build and Improve Your Privacy Program

April 27, 2021 | By IANS Faculty

To establish a comprehensive privacy program, teams should identify drivers, establish a strategy, obtain executive buy-in, meet with stakeholders, document the full lifecycle of all personal data used within the organization, establish goals and more.

This piece walks you through the 12 high-level steps required and explains how to use a privacy framework (e.g., the NIST Privacy Framework) to continuously improve the maturity of your program and meet your organization’s privacy goals.

Before setting up meetings with key internal stakeholders to understand each individual department’s full context of data, it is important to take a step back and focus on some basics to help ensure all key information is identified. This will help you establish the most effective privacy program possible for your organization.

The following 12 steps provide an effective roadmap for establishing a privacy program within any type of organization.

1. Identify Privacy Drivers

The purpose of this step is to identify the drivers that have led to the decision to establish a formal privacy program. Common drivers include:

  • To meet data protection compliance requirements.
  • To avoid non-compliance sanctions and penalties.
  • To meet requirements of business partners and/or board members.
  • To establish a competitive differentiator.
  • To gain, or maintain, customer and/or employee trust.
  • To protect customer and employee personal data.

Those responsible for building the privacy program must be able to clearly articulate the privacy drivers to be successful in obtaining executive buy-in and employee compliance with the privacy actions established within the program.

2. Establish a Privacy Strategy

Those responsible for building the privacy program must understand the:

  • Breadth and depth of the proposed privacy program and associated changes.
  • Various stakeholders affected.
  • Nature of the impact on and involvement required from each stakeholder group.
  • Current readiness and ability to adapt to change.

This information helps establish the privacy strategy. It also helps identify the key stakeholders to meet with and the questions to ask them when scoping the program. Key stakeholders for most organizations include the head of each business unit, the managers for the branch offices and the corporate unit heads (human resources, IT, acquisitions, public relations, physical security, etc.).

Determine the following:

  • The goals of your privacy program. Certainly, an important goal is to meet legal and corporate policy compliance requirements, but what else?
  • The risks of not having a privacy program. These could include non-compliance fines and penalties, privacy breaches, bad PR, etc.
  • The benefits of having a privacy program. Common examples include protecting brand value and/or company image, maintaining customer trust, and protecting customer and employee data.

Look at the drivers you established in step one to help you answer these questions.

 


3. Obtain Executive Buy-in and Sponsorship

Use your privacy strategy to clearly articulate to executive management the need for the privacy program, as well as the need for their strong, visible support. If you do not have clear support from executive management, the chances for a successful privacy program may be much lower.

Privacy programs with no strong executive support get little to no cooperation from all levels of the organization when it comes to complying with established privacy policies and following privacy procedures consistently.

4. Meet with Key Stakeholders and Document the Data

This is where you explain the privacy strategy, communicate the strong support from executives and initiate the collection of information from each stakeholder about what personal data they have, its associated sources and how it is used. For each stakeholder, determine:

All types and categories of personal data collected in their area. Ask each to indicate the categories of personal data they collect, store, process or access in any other way. You can then document specific data items within each of the categories in a subsequent meeting.

  1. Sensitive/prejudicial: This includes such information as racial origin, ethnic origin, philosophical beliefs, criminal charges and convictions, military history, marital status, sexual identity, political beliefs and affiliations.
  2. General: Examples include name (first, middle or middle initial, and last), geographic position (longitude, latitude, GPS), mailing address (street, P.O. Box, city, state, country, ZIP code, etc.), phone number, fax number, personal email address, social media account information, electricity usage patterns/trends, other utility usage patterns/trends, meter numbers, etc.
  3. Employment: This includes data such as taxpayer number, employee number, employment history, work email address, wage, W-2, etc.
  4. Financial and tax-related: This includes Social Security numbers (SSNs), account numbers (credit cards, debit cards, checking accounts, memberships, etc.), credit reports and credit scores, license numbers, certificate numbers, vehicle identifiers (VIN and license plate number), stock account information, 401K information, deferred compensation, membership IDs, bar information, bar codes with SSNs, etc.
  5. Health: This includes medical record numbers, health or medical information, health beneficiary numbers, drug testing results, body personally identifiable information (PII), biometric identifiers (e.g., DNA, fingerprints, voice prints, iris prints), body identifiers (e.g., tattoos, scars, etc.), conversations (recorded or overheard), photos, videos, etc.

All third parties, contracted and non-contracted, that may have access to personal data in each area. Be sure to document:

  • How each type of data is collected.
  • The source of each type of data.
  • How each type of data is secured throughout the data lifecycle, including while being collected, transmitted, processed, stored and disposed of.

5. Conduct a Privacy Impact Assessment (PIA)

Now that you have fully documented where all the personal data is, how it’s used, stored, etc., you have a huge head start on performing a PIA. I find performing a PIA scoped to each stakeholder area makes the process more manageable. It also provides the opportunity to more clearly determine where privacy vulnerabilities and problems exist throughout the full enterprise, as opposed to trying to do a more high-level PIA of the full enterprise.

There are many different methods used to perform a PIA, and some organizations use different methods based on the scope of the PIA. For example, the U.S. Department of Justice offers this guidance, and an example of a PIA for an electric utility.

6. Establish Goals

In this step, you should create the privacy program implementation roadmap, establish an improvement target, and then perform a more detailed privacy risk and harms analysis, using the results of the PIAs to identify gaps and potential solutions. You must also:

  • Re-engage with executive management to ensure the privacy strategy continues to be supported.
  • Formally document the goals, such as to protect brand value/company image, maintain customer trust and protect customer/employee data. Use the results of the PIAs to inform your decisions, refer to the strategy you established in Step 2, and use additional privacy guidance as needed.
  • Set the correct target goals based on applicable privacy requirements. Every organization will have different goals based on their unique operating, technical and geographical environments, and associated obligations.

7. Assess the Current State

This step is focused on defining the scope of the privacy program initiative. During this phase, high-level evaluations and metrics can be used to scope and understand where the high-priority areas are located and how to prioritize them. Use the results of the PIAs to support this assessment.

For example:

  • Assess the current state of all privacy enablers (what is necessary to meet privacy goals). Are privacy enablers missing? Do more need to be added?
  • Scope privacy processes based on the privacy goals.
  • Develop privacy risk scenarios to highlight key privacy protection processes and controls. For example, if your organization cannot answer the following types of questions from your customers, what would be the possible impacts to your organization?
    • How can I get a copy of the personal information you have collected from me?
    • How can I correct errors I’ve found in the personal information you have about me?
    • How will you notify me of breaches of my personal information?
    • With what third parties do you share my personal information?
    • How can I restrict who has access to my personal information?

8. Develop an Implementation Plan

Use the results of the PIAs to determine:

  • Necessary privacy controls to implement throughout the enterprise.
  • Needed privacy projects supported by justifiable business use cases.
  • A project schedule for implementation. Actions include:
    • Develop appropriate business use cases.
    • Document an implementation project schedule.
    • Identify potential benefits.
    • Define necessary metrics and monitoring.
    • Monitor and document benefits.

9. Implement the Plan

This step implements the proposed solutions within the documented plan into day-to-day practices. To be successful, executive management must be engaged and demonstrate commitment, and the affected business and IT stakeholders must take ownership of their responsibilities.

Actions include:

  • Communicate the plan to executive management and verify their clear and strong support.
  • Obtain clear and strong support from the impacted business units and IT stakeholders.
  • Embed the proposed solution into daily business activities. For example, implement or update the identity verification procedures your call centers use for callers, using identity verification questions whose answers are not easily found online and that do not violate legal requirements applicable to your organization.

10. Assess Success

In this step, you will see the results of the privacy program development work. This step focuses on the sustainable operation of the new privacy protection enablers and is also where enterprises monitor the expected benefits that are achieved. Actions include:

  • Determine whether the goals are reached.
  • Establish new goals for necessary improvement.
  • Determine how to sustain the successful activities.

11. Develop Sustainability

In this step, you determine how to keep the privacy management program momentum going. Review the overall success of the initiative, identify further privacy requirements for the organization and reinforce the need for continual improvement. Actions include:

  • Obtain commitment from executive management and key stakeholders to support the program improvement plan.
  • Review the effectiveness of the privacy initiative.
  • Determine where additional privacy protections are necessary.
  • Establish a program improvement plan that follows the lifecycle iteratively, while building a sustainable approach to privacy.

12. Use a Privacy Framework to Establish the Privacy Program

Now that you have a plan for building the privacy program, you need to determine the components of the program. Organizations that have already built security programs around the NIST CSF will find the NIST Privacy Framework (PF) a good framework to first consider. The NIST PF is intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.

The PF approach to mitigating privacy risk is to consider privacy events as potential problems individuals could experience arising from system, product, or service operations with data, whether in digital or non-digital form, through a complete lifecycle from data collection through disposal. NIST provides a useful crosswalk between the CSF and the PF to support more efficient integration with the existing use of the CSF. 

Besides the NIST PF, other privacy frameworks to consider include:
