The Best Practices For Privacy Management

The law is clear on the responsibilities of organisations that collect and process personal data. You must have policies and procedures in place and ensure that all personnel are aware of and trained on the General Data Protection Regulation. Failure to comply may result in data breach fines adding up to millions of pounds - and this is not counting the associated legal costs and reputational damage.

Despite this, in 2019, 88% of UK businesses suffered a data breach. More recently, research conducted by the Ponemon Institute revealed the average cost of a data breach for UK businesses in 2020 was $3.9m (£2.75m). That's marginally higher than the global average of $3.86m, which was slightly down from $3.92m in 2019. Now in its 15th year, the IBM sponsored study analysed 524 breached organisations across 17 countries to arrive at these conclusive findings. These reports confirm that the reality your organisation needs to accept isn't if it will suffer a major data breach, but when. The only question to ask is, what are the best practices to protect the personal data that you collect and process?

Notwithstanding these statistics, which clearly illustrate the risk of a data breach occurring, only a third of UK organisations have completed a cyber risk assessment in the past 12 months. A risk assessment, along with other policies and procedures should be part of an effective privacy framework laid down in all organisations that process personal data.

What Is A Privacy Programme?

To meet data protection compliance, organisations need to understand the following:

• What personal data is being collected, processed, and held across your organisation (including any subsidiaries) and where is it stored?
• The motivations, goals, requirements, and any other operational considerations that may be relevant to your organisation’s data protection compliance.
• The privacy and data protection laws, regulations, or industry codes of conduct your organisation must comply with.
• What contractual arrangements are in place with external providers acting as (data) processors, or any other agreements that involve the processing of personal data with customers or commercial partners?
• How employee personal data is handled.

You will also need to undertake a data mapping exercise, so you understand:

• What are the entry and exit points (email, phone, instant messaging, website, social media) for personal data coming into and leaving your organisation?
• For what purpose is the personal data collected and processed?
• Where does the personal data come from, for example, customers, suppliers, employees?
• Where is the data stored and what legal jurisdiction applies?
• How is the data accessed and who has access to it?

A robust privacy management programme considers all these factors and provides a solid foundation that allows your organisation to manage data processing operations effectively, with an aim to developing a business-wide culture of privacy and data protection compliance.

How Do You Implement A Privacy Programme?

Developing and implementing a privacy programme takes commitment and investment, in time and money. Once the above questions have been answered, you need to conduct a risk assessment. This involves looking at the personal data you collect, process, and hold and analysing the following:

• What processors are involved in processing the personal data your organisation collects? Do they have a strong privacy framework and compliance culture?
• How sensitive is the personal data you hold? Should it be classified as Special Category Data?
• Who has access to your company’s data? Can it be accessed from external devices such as employees’ or third parties’ mobile phones, iPads, and/or laptops?
• What is the procedure for dealing with a data breach, both within your organisation and your contracted processors? How have breaches been managed in the past? What lessons were learned and were weaknesses in the process addressed?

Once the risk assessment is completed and agreed on, the next step is to choose a privacy framework.

Establishing An Effective Privacy Framework

A privacy framework will provide the basic structure and offer guidance about how to integrate any compliance requirements applicable to your organisation. It will ensure you have the right compliance policies and procedures in place whilst providing flexibility to adapt processes to suit your commercial requirements.

A good privacy framework will assist you with:

• Identifying and prioritising risks to your business.
• Reducing the threat of a data breach occurring.
• Measuring compliance against privacy and data protection laws, regulations, and industry standards.

The right privacy framework depends on your business's unique requirements, structure, and organisational culture. The following are a selection of popular frameworks:

• AICPA privacy framework is a tool for organisations that allows them to build a foundation for their privacy program and is an update to the Generally Acceptable Privacy Principles (GAPP). AICPA looks at an organisation’s activities relating to the collection, creation, storage, and transmitting of personal data. You must be an AICPA member to be able to download the framework.
• NIST privacy framework is a voluntary and free resource tool that assists organisations in integrating privacy practices with the cybersecurity elements. Organisations can take on the aspects that apply to them rather than adopting the entire framework.
• ISO/IEC 27701:2019 specifies how to create, implement, maintain, and improve the organisation's personal information management system (PIMS). The ISO standard option is an extension to the ISO/IEC 27001:2013, which provides requirements for an information security management system (ISMS) and maps into other ISO/IEC 27000 family standards. ISO standards are not free, but if you are compliant/certified under IOS 27701, your PIMS will most likely be GDPR compliant. The ISO standard will also map across to US laws such as the California Consumer Privacy Act (CCPA), Consumer Data Privacy and Security Act (CDPA), and Health Insurance Portability and Accountability Act (HIPAA).
• BS 10012 is another framework for a Personal Information Management System (PIMS). It aligns more towards the GDPR, and there are costs and certification elements to consider similar to the ISO framework.

The ISO/BSI frameworks are typically the most popular choice when it comes to privacy frameworks as they include certification. Acquiring certification shows that your organisation has invested in privacy compliance and training, which provides a strong selling point when approaching investors or applying for tenders, contracts, and/or joint ventures. However, if you feel you only require a foundation to build your privacy compliance on, the AICPA or NIST frameworks are an excellent starting point.

How Can I Support The Privacy Programme Lead?

Establishing, implementing, and running a privacy programme requires specialist skills. You may wish to consider appointing a Data Protection Officer (DPO) to ensure the process runs smoothly and the result is effective. The advantages of appointing a DPO and investing in the required training to ensure they can meet their set objectives include:

• Your organisation will benefit from the expertise of someone who has an up-to-date knowledge of privacy and data protection regulations, project management, and IT security.
• They are required to operate independently and cannot face disciplinary actions for performing their duties. A DPO also has the interpersonal skills required to manage strong personalities and push the privacy programme through to completion.
• You can choose a DPO who knows your industry sector.

Competition for an experienced DPO is fierce, and even if you manage to recruit someone suitable, they will command a premium salary and bonus package. For all but the largest organisations, providing such a package, no matter how well-deserved, often proves impossible. Therefore, it is usually more realistic to appoint someone from within the business as the DPO and then invest in developing their skills and knowledge so that they can head up your privacy programme.

Certified Privacy Management Training

Of all the training programmes available for DPO's, few courses address the specialist knowledge required to implement and manage privacy operations. This is why the IAPP Certified Information Privacy Manager (CIPM) is a unique qualification.

IAPP CIPM addresses how to translate knowledge of data protection law into policies and procedures. It enables holders to develop effective practices, including implementing a privacy programme framework, measuring performance, and understanding the operational lifecycle of privacy programmes. CIPM is the perfect companion to the Certified Information Privacy Professional Europe (CIPP/E) or the BCS Practitioner Certificate in Data Protection, which, when combined, cover all the key areas required to become a DPO or equivalent Head of Privacy in the UK and Europe.

Investing in training an internal resource also means you guarantee your DPO will be familiar with your business, its customers, and the wider industry in which you operate.

This article is part one of a two-part series. In the next article, we will examine the privacy technology landscape and how investing in the right software can help cement a robust privacy and data protection culture within your organisation.

To find out more about data protection and privacy law training, please email us at contact@freevacy.com or call 0370 04 27701.