CIPM, author: Mind Map: CIPM

1. Privacy Program Governance

1.1. Organization Level

1.1.1. Create a company vision

1.1.1.1. Acquire knowledge on privacy approaches

1.1.1.2. Evaluate the intended objective

1.1.1.3. Gain executive sponsor approval for this vision

1.1.2. Establish Data Governance model

1.1.2.1. Centralized

1.1.2.2. Distributed

1.1.2.3. Hybrid

1.1.3. Establish a privacy program

1.1.3.1. Define program scope and charter

1.1.3.2. Identify the source, types, and uses of personal information (PI) within

1.1.3.3. Develop a privacy strategy

1.1.3.3.1. Business alignment

1.1.3.3.2. Develop a data governance strategy for personal information (collection, authorized use, access, destruction)

1.1.3.3.3. Plan inquiry/complaint handling procedures (customers, regulators, etc.)

1.1.4. Structure the privacy team

1.1.4.1. Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization

1.1.4.1.1. Large organizations

1.1.4.1.2. Small organizations/sole data protection officer (DPO), including when this is not the person's only job

1.1.4.2. Designate a point of contact for privacy issues

1.1.4.3. Establish/endorse the measurement of professional competency

1.2. Develop the Privacy Program Framework

1.2.1. Develop organizational privacy policies, standards and/or guidelines

1.2.2. Define privacy program activities

1.2.2.1. Education and awareness

1.2.2.2. Monitoring and responding to the regulatory environment

1.2.2.3. Internal policy compliance

1.2.2.4. Data inventories, data flows, and classification

1.2.2.5. Risk assessment (Privacy Impact Assessments [PIAs]) (e.g., DPIAs, etc.)

1.2.2.6. Incident response and process, including jurisdictional regulations

1.2.2.7. Remediation

1.2.2.8. Program assurance, including audits

1.3. Metrics

1.3.1. Implement the Privacy Program Framework

1.3.1.1. Communicate the framework to internal and external stakeholders

1.3.1.2. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework

1.3.1.2.1. Understand when national laws and regulations apply (e.g., GDPR, CCPA)

1.3.1.2.2. Understand when local laws and regulations apply

1.3.1.2.3. Understand penalties for noncompliance with laws and regulations

1.3.1.2.4. Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioners, Federal Trade Commission, etc.)

1.3.1.2.5. Understand privacy implications of doing business with or basing operations in countries with inadequate, or without, privacy laws

1.3.1.2.6. Maintain the ability to manage a global privacy function

1.3.1.2.7. Maintain the ability to track multiple jurisdictions for changes in privacy law

1.3.1.2.8. Understand international data sharing arrangement agreements

1.3.2. Define reporting resources

1.3.2.1. Identify intended audience for metrics

1.3.3. Define privacy metrics for oversight and governance per audience

1.3.3.1. Compliance metrics (examples, will vary by organization)

1.3.3.1.1. Collection (notice)

1.3.3.1.2. Responses to data subject inquiries

1.3.3.1.3. Use

1.3.3.1.4. Retention

1.3.3.1.5. Disclosure to third parties

1.3.3.1.6. Incidents (breaches, complaints, inquiries)

1.3.3.1.7. Employees trained

1.3.3.1.8. PIA metrics

1.3.3.1.9. Privacy risk indicators

1.3.3.1.10. Percent of company functions represented by governance mechanisms

1.3.3.2. Trending

1.3.3.3. Privacy program return on investment (ROI)

1.3.3.4. Business resiliency metrics

1.3.3.5. Privacy program maturity level

1.3.3.6. Resource utilization

1.3.4. Identify systems/application collection points

2. Privacy Operational Life Cycle

2.1. Protect (p. 126)

2.1.1. Assess Your Organization (p. 103)

2.1.1.1. Document current baseline of your privacy program

2.1.1.1.1. Education and awareness

2.1.1.1.2. Monitoring and responding to the regulatory environment

2.1.1.1.3. Internal policy compliance

2.1.1.1.4. Data, systems and process assessment

2.1.1.1.5. Risk assessment (PIAs, etc.)

2.1.1.1.6. Incident response

2.1.1.1.7. Remediation

2.1.1.1.8. Determine desired state and perform gap analysis against an accepted standard or law (including GDPR)

2.1.1.1.9. Program assurance, including audits

2.1.1.2. Processors and third-party vendor assessment

2.1.1.2.1. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks, including rules of international data transfer

2.1.1.2.2. Understand and leverage the different types of relationships

2.1.1.2.3. Risk assessment

2.1.1.2.4. Contractual requirements

2.1.1.2.5. Ongoing monitoring and auditing

2.1.1.3. Physical assessments

2.1.1.3.1. Identify operational risk

2.1.1.4. Mergers, acquisitions and divestitures

2.1.1.4.1. Due diligence

2.1.1.4.2. Risk assessment

2.1.1.5. Conduct analysis and assessments, as needed or appropriate

2.1.1.5.1. Privacy Threshold Analyses (PTAs) on systems, applications and processes

2.1.1.5.2. Privacy Impact Assessments (PIAs)

2.1.2. Data life cycle and governance (creation to deletion)

2.1.3. Information security practices

2.1.3.1. Access controls for physical and virtual systems

2.1.3.1.1. Access control on need to know

2.1.3.1.2. Account management (e.g., provision process)

2.1.3.1.3. Privilege management

2.1.3.2. Technical security controls

2.1.3.3. Implement appropriate administrative safeguards

2.1.4. Privacy by Design

2.1.4.1. Integrate privacy throughout the system development life cycle (SDLC)

2.1.4.2. Establish privacy gates as part of the system development framework

2.2. Sustain (p. 155)

2.2.1. Measure

2.2.1.1. Quantify the costs of technical controls

2.2.1.2. Manage data retention with respect to the organization’s policies

2.2.1.3. Define the methods for physical and electronic data destruction

2.2.1.4. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use

2.2.2. Align

2.2.2.1. Integrate privacy requirements and representation into functional areas across the organization

2.2.2.1.1. Information security

2.2.2.1.2. IT operations and development

2.2.2.1.3. Business continuity and disaster recovery planning

2.2.2.1.4. Mergers, acquisitions and divestitures

2.2.2.1.5. Human resources

2.2.2.1.6. Compliance and ethics

2.2.2.1.7. Audit

2.2.2.1.8. Marketing/business development

2.2.2.1.9. Public relations

2.2.2.1.10. Procurement/sourcing

2.2.2.1.11. Legal and contracts

2.2.2.1.12. Security/emergency services

2.2.2.1.13. Finance

2.2.2.1.14. Others

2.2.3. Audit

2.2.3.1. Align privacy operations to an internal and external compliance audit program

2.2.3.1.1. Knowledge of audit processes

2.2.3.1.2. Align to industry standards

2.2.3.2. Audit compliance with privacy policies and standards

2.2.3.3. Audit data integrity and quality and communicate audit findings with stakeholders

2.2.3.4. Audit information access, modification and disclosure accounting

2.2.4. Communicate

2.2.4.1. Awareness

2.2.4.1.1. Create awareness of the organization’s privacy program internally and externally

2.2.4.1.2. Ensure policy flexibility in order to incorporate legislative/regulatory/market requirements

2.2.4.1.3. Develop internal and external communication plans to ingrain organizational accountability

2.2.4.1.4. Identify, catalog and maintain documents requiring updates as privacy requirements change

2.2.4.2. Targeted employee, management and contractor training

2.2.4.2.1. Privacy policies

2.2.4.2.2. Operational privacy practices (e.g., standard operating instructions), such as

2.3. Monitor

2.3.1. Environment (e.g., systems, applications) monitoring

2.3.2. Monitor compliance with established privacy policies

2.3.3. Monitor regulatory and legislative changes

2.3.4. Compliance monitoring (e.g., collection, use and retention)

2.3.4.1. Internal audit

2.3.4.2. Self-regulation

2.3.4.3. Retention strategy

2.3.4.4. Exit strategy

2.4. Respond (p. 183)

2.4.1. Information requests

2.4.1.1. Access

2.4.1.2. Redress

2.4.1.3. Correction

2.4.1.4. Managing data integrity

2.4.2. Privacy incidents

2.4.2.1. Legal compliance

2.4.2.1.1. Preventing harm

2.4.2.1.2. Collection limitations

2.4.2.1.3. Accountability

2.4.2.1.4. Monitoring and enforcement

2.4.2.2. Incident response planning

2.4.2.2.1. Understand key roles and responsibilities

2.4.2.2.2. Develop a privacy incident response plan

2.4.2.2.3. Identify elements of the privacy incident response plan

2.4.2.2.4. Integrate privacy incident response into business continuity planning

2.4.2.3. Incident detection

2.4.2.3.1. Define what constitutes a privacy incident

2.4.2.3.2. Identify reporting process

2.4.2.3.3. Coordinate detection capabilities

2.4.2.4. Incident handling

2.4.2.4.1. Understand key roles and responsibilities

2.4.2.4.2. Develop a communications plan to notify executive management

2.4.2.5. Follow incident response process to ensure meeting jurisdictional, global and business requirements

2.4.2.5.1. Engage privacy team

2.4.2.5.2. Review the facts

2.4.2.5.3. Conduct analysis

2.4.2.5.4. Determine actions (contain, communicate, etc.)

2.4.2.5.5. Execute

2.4.2.5.6. Monitor

2.4.2.5.7. Review and apply lessons learned

2.4.2.6. Identify incident reduction techniques

2.4.2.7. Incident metrics—quantify the cost of a privacy incident