To establish a comprehensive privacy program, teams should identify drivers, establish a strategy, obtain executive buy-in, meet with stakeholders, document the full lifecycle of all personal data used within the organization, establish goals and more.
This piece walks you through the 12 high-level steps required and explains how to use a privacy framework (e.g., the NIST Privacy Framework) to continuously improve the maturity of your program and meet your organization’s privacy goals.
Before setting up meetings with key internal stakeholders to understand each individual department’s full context of data, it is important to take a step back and focus on some basics to help ensure all key information is identified. This will help ensure you establish the most effective privacy program possible for your organization.
The following 12 steps provide an effective roadmap for establishing a privacy program within any type of organization.
The purpose of this step is to identify the drivers that have led to the decision to establish a formal privacy program. Common drivers include:
Those responsible for building the privacy program must be able to clearly articulate the privacy drivers to be successful in obtaining executive buy-in and employee compliance with the privacy actions established within the program.
Those responsible for building the privacy program must understand the:
This information helps establish the privacy strategy. It also helps identify the key stakeholders to meet with and the questions to ask them when scoping the program. Key stakeholders for most organizations include the head of each business unit, the managers for the branch offices and the corporate unit heads (human resources, IT, acquisitions, public relations, physical security, etc.).
Determine the following:
Look at the drivers you established in step one to help you answer these questions.
Use your privacy strategy to clearly articulate to executive management the need for the privacy program, as well as the need for their strong, visible support. If you do not have clear support from executive management, the chances for a successful privacy program may be much lower.
Privacy programs with no strong executive support get little to no cooperation from all levels of the organization when it comes to complying with established privacy policies and following privacy procedures consistently.
This is where you explain the privacy strategy, communicate the strong support from executives and initiate the collection of information from each stakeholder about what personal data they have, its associated sources and how it is used. For each stakeholder,
All types and categories of personal data collected in their area. Ask each to indicate the categories of personal data they collect, store, process or access in any other way. You can then document specific data items within each of the categories in a subsequent meeting.
Health: This includes medical record numbers, health or medical information, health beneficiary numbers, drug testing results, body personally identifiable information (PII), biometric identifiers (e.g., DNA, fingerprints, voice prints, iris prints), body identifiers (e.g., tattoos, scars, etc.), conversations (recorded or overheard), photos, videos, etc.
All third parties, contracted and non-contracted, that may have access to personal data in each area. Be sure to document:
Now that you have fully documented where all the personal data is, how it’s used, stored, etc., you have a huge head start on performing a PIA. I find performing a PIA scoped to each stakeholder area makes the process more manageable. It also provides the opportunity to more clearly determine where privacy vulnerabilities and problems exist throughout the full enterprise, as opposed to trying to do a more high-level PIA of the full enterprise.
There are many different methods used to perform a PIA, and some organizations use different methods based on the scope of the PIA. For example, the U.S. Department of Justice offers this guidance, and an example of a PIA for an electric utility.
In this step, you should create the privacy program implementation roadmap, establish an improvement target, and then perform a more detailed privacy risk and harms analysis, using the results of the PIAs to identify gaps and potential solutions. You
This step is focused on defining the scope of the privacy program initiative. During this phase, high-level evaluations and metrics can be used to scope and understand where the high-priority areas are located and how to prioritize them. Use the results of the PIAs to support this assessment.
Use the results of the PIAs to determine:
This step implements the proposed solutions within the documented plan into day-to-day practices. To be successful, executive management must be engaged and demonstrate commitment, and the affected business and IT stakeholders must take ownership of their
In this step, you will see the results of the privacy program development work. This step focuses on the sustainable operation of the new privacy protection enablers and is also where enterprises monitor the expected benefits that are achieved. Actions
In this step, you determine how to keep the privacy management program momentum going. Review the overall success of the initiative, identify further privacy requirements for the organization and reinforce the need for continual improvement. Actions include:
Now that you have a plan for building the privacy program, you need to determine the components of the program. Organizations that have already built security programs around the NIST CSF will find the NIST Privacy Framework (PF) a good framework to first consider. The NIST PF is intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’
The PF approach to mitigating privacy risk is to consider privacy events as potential problems individuals could experience arising from system, product, or service operations with data, whether in digital or non-digital form, through a complete lifecycle from data collection through disposal. NIST provides a useful crosswalk between the CSF and the PF to support more efficient integration with the existing use of the CSF.
Besides the NIST PF, other privacy frameworks to consider include: