Operationalizing Privacy: Where to Begin?
When you think of operationalizing privacy, do you feel stuck on where to begin? Do you question whether you should work on a Privacy Impact Assessment (PIA) program, a Data Subject Access Request (DSAR) program, or a Privacy by Design (PbD) program?
All of these are important, but each is one element of a broader privacy program. To move forward, you need to build up that program step by step, element by element.
Step 1: Know Which Laws Apply
The foundation of your privacy program is understanding which laws and regulations govern your operations. It might be just one jurisdiction’s law or several at once. Once you know which laws apply:
Identify and note the key requirements.
Establish a framework based on those requirements.
Example: If your company operates in both Canada and the EU, you’ll face differences but also similarities between PIPEDA (and provincial regulations) and GDPR. Map out both, find commonalities (e.g., consent requirements, privacy rights, and data transfers), and build your framework around them.
In this step, you can also consider industry guidelines and standards, such as the NIST Privacy Framework. You may want to collaborate with other business units (e.g., IT/Security, Compliance, Audit) to review their frameworks and the standards they used to develop them. This lets you reuse established frameworks and procedures, modifying them where needed to meet privacy requirements, so that the organization follows one streamlined process for building frameworks rather than several parallel ones.
Step 2: Translate Requirements Into Functions
After defining requirements, break them down into functions and the procedures needed to operationalize each one. This is how you’ll also begin to set privacy metrics (measuring your maturity and posture over time).
As you build your privacy program, consider your organization’s business objectives and operations, and align your privacy framework and program development with them. This will help you obtain buy-in from the executive team and other business units by showing that privacy is there to assist the business, not hinder it.
Consider establishing an internal privacy policy to guide your organizational approach to privacy and program development; the policy can serve as a roadmap for building the program. You don’t just need an external privacy notice; you need an internal policy too. This helps foster a culture of privacy in the organization.
Step 3: Go Beyond the Law
Privacy programs are not just about compliance. Regulations rarely tell you how to implement procedures. That’s where best practices and cross-domain inspiration come in:
PbD: How will you embed it in your operations?
PIAs: While laws don’t prescribe methods, resources from privacy commissioners offer methodologies you can adapt to your organization’s needs.
DSAR: Is the workflow user-friendly, and are all data sources covered in the process?
Think about whether PIAs are a function of your program, or a procedure supporting a larger function like Governance or PbD. You might even consider tools to support consistency and efficiency for each function.
Keep in mind that no single standard fits all privacy programs. How you build the functions in your program will depend heavily on your business operations. The privacy functions in your program and their associated documentation will keep evolving; treat them as living documents and procedures that you will need to revise continually.
Final Thought
Defining your privacy program is the first and most crucial step in operationalizing privacy within your organization. Rely on privacy laws and regulations, industry best practices, and internal frameworks to establish your privacy framework. Once that foundation is clear, every additional element (PIAs, PbD, DSAR, etc.) will fit into place more naturally. Consider each element as a function on its own that will need to be developed and maintained. Starting with an internal privacy policy can help guide you in bringing your framework to life and understanding which functions you need to build or prioritize first.