Ten steps to privacy maturity

How can CDOs get a good night’s sleep?

Oli Steadman
3 min read · Feb 28, 2021

As the world sees more rigorous controls being applied in the form of globally relevant policies like the CCPA (California Consumer Privacy Act) and the GDPR (General Data Protection Regulation), it is becoming increasingly necessary to leverage technologies (e.g. a data catalogue) to help ensure organisations adhere to them in order to continue to operate lawfully.

Those two regulations, and the increasing number of their spin-offs (e.g. Brazil’s General Personal Data Protection Law), share a common ground requiring at the very least:

  • a glossary of understood terms found in the regulations
  • a data domain representing the regulation & its application
  • all data subject categories specific to the regulation

The steps

Process register & data mapping

These are needed in order to respond to access requests and to meet the general transparency & security measures required by CCPA/GDPR; they enable organisations to leverage investments that have been, and/or have yet to be, made in order to comply with specific regulations.

Data Governance

Roles & responsibilities, accurate definitions, and the ability to identify/trace personal information and where it resides.

Lawful bases

Personal information must be processed on a lawful basis; in the case of CCPA there are six of these (consent, contract, legal obligation, vital interests, public task, and legitimate interests). The basis/bases must be documented in a privacy notice served to the person(s) providing the data, along with the impact on their individual rights, e.g.:

  • Right to Erasure
  • Right to Portability
  • Right to Object

Privacy by design

This is the least “tangible” principle of the ten, and more of a statement/emphasis of the fact that customer privacy must be the first priority.

Assessments

Privacy impact & related assessments are the data governor’s equivalent of a laboratory risk analysis/assessment/evaluation or hazard perception exercise.

Data retention periods & management

In the event of a data breach it is of paramount importance to be able to point to retention periods that have been enforced across the period in question, e.g. where communications channels, servers, databases etc. are regularly expunged of material older than some known number of days/weeks/months/years.

Data subject rights

How can we manage access requests in timely, cost-effective ways?

Data breach response

Make tools available for your team to be able to report breaches, assign issue manager(s), and report to the relevant stakeholder(s).

Third-party privacy profiles

Managing the risks of disclosing personal information to third parties.

Privacy reporting

Tracking the maturity of a privacy program and providing regulatory reports to supervisors.

Closing remarks

In summary, we are looking for:

  • a framework to aid implementation of a privacy & data protection program
  • a view of processes that use sensitive enterprise information
  • a view of the people that have access to sensitive data

These can be achieved by combining four domains of effective management:

  • People
  • Processes
  • Data
  • Technology

These can be applied in an organisational structure of the kind:

  • Domains
  • Sub-communities (which contain domains)
  • Communities (which contain sub-communities as well as domains)

Further information

Introduction to Collibra Privacy & Risk from Collibra University

This introduction demonstrates the R&P product from Collibra (a data catalogue) but also, crucially, gives insight & examples toward a more general fundamental understanding of privacy and policy. You need to register an account in order to access the materials and take the quizzes/challenges/quests. The R&P product itself (an upgrade/add-on to the main Collibra catalogue product) comes bundled with example/template materials, e.g. the processes, data dictionary, and policies of a fictitious enterprise contained within a “Sample Content Community”.

Privacy Law & Data Protection from UPenn on Coursera

I enjoyed Lauren Steinfeld’s taught materials so much that I’ve rattled through this course more than once, often leaving it playing in the background as a sort of audiobook refresher albeit with a more US-centric take on things.