Legally Defensible Privacy Compliance Solutions

In addition to serious financial penalties associated with today’s data breaches, organizations can be forced to pay enormous legal costs, face regulatory fines and crippling oversight such as long FTC consent orders. That’s why companies need to systematically and consistently identify privacy and data protection risks, apply the right standards and solutions and defend their decisions to regulatory authorities and judges.

Our solutions:

  • Mitigate legal, regulatory, fiscal and reputational risks caused by a breach
  • Protect customers and the company executives from reputational risks associated with weaknesses in data protection
  • Support business development, investment opportunities and mergers and acquisitions
  • Secure and protect company trade secrets, intellectual property and technology infrastructure from internal and external threats

Threshold Analysis and Privacy Impact Assessments (PIAs):

  • Policies and procedures review
  • Data mapping and inventories
  • Data protection risk assessments
  • Controls evaluation to best practices and standards
  • Findings and recommendations reports
  • Opt-in / Opt-out consent forms and controls review
  • Impact of mergers and acquisitions

Privacy Program Development:

  • Establish program roadmap and governance
  • Design roles and responsibilities
  • Develop technology infrastructure and support
  • Develop and deliver training
  • Program monitoring
  • Privacy by design support
  • Support for hiring and team building

Third Party and Vendor Due Diligence:

  • Contract due diligence and data collection requirements
  • Cloud computing services policy guidance
  • Build vs Buy advisory services

Additional Services:

  • Comprehensive controls evaluation
  • Cross border data transfer guidance
  • Audit preparation and remediation

Laws and Regulations We Cover:

  • California Consumer Privacy Act of 2018, Amendments and Rulemaking
  • HIPAA/HITECH Security, Privacy and Breach Notification Rules
  • Children’s Online Privacy Protection Act (COPPA)
  • Generally Accepted Privacy Principles (GAPP)
  • EU’s General Data Protection Regulation (GDPR)
  • ISO/IEC 27001-2:2013
  • CIS Top 20 Critical Security Controls (required by the California Attorney General)
  • SEC OCIE Cybersecurity Initiative
  • NIST Cybersecurity Framework
  • U.S. Sentencing/DOJ/OIG Guidelines for Effective Compliance (program foundation)

What you need to know and do to ensure compliance with California’s new Consumer Privacy Act

New regulations governing the use of customer and personal data needn’t be burdensome. Rather, they help reduce expenses and monetize the information lifecycle, identify opportunities for better governance to avoid fines and litigation exposure, and foster trust to enhance customer experiences. Download a free, detailed CCPA roadmap to see how you can get your company on the path to compliance.

We follow the IAPP Program Model as a best practice as part of our engagements. Learn more below.

Privacy Program Governance

Organization Level

  1. Create a company vision
    1. Acquire knowledge on privacy approaches
    2. Evaluate the intended objective
    3. Gain executive sponsor approval for this vision
  2. Establish Data Governance model
    1. Centralized
    2. Distributed
    3. Hybrid
  3. Establish a privacy program
    1. Define program scope and charter
    2. Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws
    3. Develop a privacy strategy
      1. Business alignment
        1. Finalize the operational business case for privacy
        2. Identify stakeholders
        3. Leverage key functions
        4. Create a process for interfacing within organization
        5. Align organizational culture and privacy/data protection objectives
        6. Obtain funding/budget for privacy and the privacy team
        7. Develop a data governance strategy for personal information (collection, authorized use, access, destruction)
        8. Plan inquiry/complaint handling procedures (customers, regulators, etc.)
  4. Structure the privacy team
    1. Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization
      1. Large organizations
        1. Chief privacy officer
        2. Privacy manager
        3. Privacy analysts
        4. Business line privacy leaders
        5. First responders
      2. Small organizations/sole data protection officer (DPO), including when privacy is not the person’s only job
        1. Designate a point of contact for privacy issues
        2. Establish/endorse the measurement of professional competency

Develop the Privacy Program Framework

  1. Develop organizational privacy policies, standards and/or guidelines
  2. Define privacy program activities
    1. Education and awareness
    2. Monitoring and responding to the regulatory environment
    3. Internal policy compliance
    4. Data inventories, data flows, and classification
    5. Risk assessment (Privacy Impact Assessments [PIAs], e.g., DPIAs)
    6. Incident response and process, including jurisdictional regulations
    7. Remediation
    8. Program assurance, including audits

Implement the Privacy Program Framework

  1. Communicate the framework to internal and external stakeholders
  2. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework
    1. Understand when national laws and regulations apply (e.g., GDPR, CCPA)
    2. Understand when local laws and regulations apply
    3. Understand penalties for noncompliance with laws and regulations
    4. Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioners, Federal Trade Commission, etc.)
    5. Understand privacy implications of doing business with or basing operations in countries with inadequate, or without, privacy laws
    6. Maintain the ability to manage a global privacy function
    7. Maintain the ability to track multiple jurisdictions for changes in privacy law
    8. Understand international data sharing arrangement agreements

Metrics

  1. Identify intended audience for metrics
  2. Define reporting resources
  3. Define privacy metrics for oversight and governance per audience
    1. Compliance metrics (examples, will vary by organization)
      1. Collection (notice)
      2. Responses to data subject inquiries
      3. Use
      4. Retention
      5. Disclosure to third parties
      6. Incidents (breaches, complaints, inquiries)
      7. Employees trained
      8. PIA metrics
      9. Privacy risk indicators
      10. Percent of company functions represented by governance mechanisms
    2. Trending
    3. Privacy program return on investment (ROI)
    4. Business resiliency metrics
    5. Privacy program maturity level
    6. Resource utilization
  4. Identify systems/application collection points

Privacy Operational Life Cycle

Assess Your Organization

  1. Document current baseline of your privacy program
    1. Education and awareness
    2. Monitoring and responding to the regulatory environment
    3. Internal policy compliance
    4. Data, systems and process assessment
      1. Map data inventories, flows and classification
      2. Create “record of authority” of systems processing personal information within the organization
      3. Map and document data flow in systems and applications
      4. Analyze and classify types and uses of data
    5. Risk assessment (PIAs, etc.)
    6. Incident response
    7. Remediation
    8. Determine desired state and perform gap analysis against an accepted standard or law (including GDPR)
    9. Program assurance, including audit
  2. Processors and third-party vendor assessment
    1. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks, including rules of international data transfer
      1. Privacy and information security policies
      2. Access controls
      3. Where personal information is being held
      4. Who has access to personal information
    2. Understand and leverage the different types of relationships
      1. Internal audit
      2. Information security
      3. Physical security
      4. Data protection authority
    3. Risk assessment
      1. Type of data being outsourced
      2. Location of data
      3. Implications of cloud computing strategies
      4. Legal compliance
      5. Records retention
      6. Contractual requirements (incident response, etc.)
      7. Establish minimum standards for safeguarding information
    4. Contractual requirements
      1. Ongoing monitoring and auditing
  3. Physical assessments
    1. Identify operational risk
      1. Data centers and offices
      2. Physical access controls
      3. Document destruction
      4. Media sanitization and disposal (e.g., hard drives, USB/thumb drives, etc.)
      5. Device forensics
      6. Device security (e.g., mobile devices, Internet of Things (IoT), geo-tracking, imaging/copier hard drive security controls)
  4. Mergers, acquisitions and divestitures
    1. Due diligence
    2. Risk assessment
  5. Conduct analysis and assessments, as needed or appropriate
    1. Privacy Threshold Analyses (PTAs) on systems, applications and processes
    2. Privacy Impact Assessments (PIAs)
      1. Define a process for conducting Privacy Impact Assessments
        1. Understand the life cycle of a PIA
        2. Incorporate PIA into system, process, product life cycles

Protect

  1. Data life cycle and governance (creation to deletion)
  2. Information security practices
    1. Access controls for physical and virtual systems
      1. Access control on need to know
      2. Account management (e.g., provision process)
      3. Privilege management
    2. Technical security controls
    3. Implement appropriate administrative safeguards
  3. Privacy by Design
    1. Integrate privacy throughout the system development life cycle (SDLC)
    2. Establish privacy gates as part of the system development framework

Sustain

  1. Measure
    1. Quantify the costs of technical controls
    2. Manage data retention with respect to the organization’s policies
    3. Define the methods for physical and electronic data destruction
    4. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use
  2. Align
    1. Integrate privacy requirements and representation into functional areas across the organization
      1. Information security
      2. IT operations and development
      3. Business continuity and disaster recovery planning
      4. Mergers, acquisitions and divestitures
      5. Human resources
      6. Compliance and ethics
      7. Audit
      8. Marketing/business development
      9. Public relations
      10. Procurement/sourcing
      11. Legal and contracts
      12. Security/emergency services
      13. Finance
      14. Others
    2. Audit
      1. Align privacy operations to an internal and external compliance audit program
        1. Knowledge of audit processes
        2. Align to industry standards
      2. Audit compliance with privacy policies and standards
      3. Audit data integrity and quality and communicate audit findings with stakeholders
      4. Audit information access, modification and disclosure accounting
    3. Communicate
      1. Awareness
        1. Create awareness of the organization’s privacy program internally and externally
        2. Ensure policy flexibility in order to incorporate legislative/regulatory/market requirements
        3. Develop internal and external communication plans to ingrain organizational accountability
        4. Identify, catalog and maintain documents requiring updates as privacy requirements change
      2. Targeted employee, management and contractor training
        1. Privacy policies
        2. Operational privacy practices (e.g., standard operating instructions), such as
          1. Data creation/usage/retention/disposal
          2. Access control
          3. Reporting incidents
          4. Key contacts
    4. Monitor
      1. Environment (e.g., systems, applications) monitoring
        1. Monitor compliance with established privacy policies
        2. Monitor regulatory and legislative changes
      2. Compliance monitoring (e.g. collection, use and retention)
        1. Internal audit
        2. Self-regulation
        3. Retention strategy
        4. Exit strategy

Respond

  1. Information requests
    1. Access
    2. Redress
    3. Correction
    4. Managing data integrity
  2. Privacy incidents
    1. Legal compliance
      1. Preventing harm
      2. Collection limitations
      3. Accountability
      4. Monitoring and enforcement
    2. Incident response planning
      1. Understand key roles and responsibilities
        1. Identify key business stakeholders
          1. Information security
          2. Legal
          3. Audit
          4. Human resources
          5. Marketing
          6. Business development
          7. Communications and public relations
          8. Other
        2. Establish incident oversight teams
      2. Develop a privacy incident response plan
      3. Identify elements of the privacy incident response plan
      4. Integrate privacy incident response into business continuity planning
    3. Incident detection
      1. Define what constitutes a privacy incident
      2. Identify reporting process
      3. Coordinate detection capabilities
        1. Organization IT
        2. Physical security
        3. Human resources
        4. Investigation teams
        5. Vendors
    4. Incident handling
      1. Understand key roles and responsibilities
      2. Develop a communications plan to notify executive management
    5. Follow incident response process to ensure meeting jurisdictional, global and business requirements
      1. Engage privacy team
      2. Review the facts
      3. Conduct analysis
      4. Determine actions (contain, communicate, etc.)
      5. Execute
      6. Monitor
      7. Review and apply lessons learned
    6. Identify incident reduction techniques
    7. Incident metrics: quantify the cost of a privacy incident