February 6, 2023
For what was once a niche profession, the privacy role is booming. According to research by the International Association of Privacy Professionals (IAPP):
Source: IAPP-EY Annual Privacy Governance Report 2022
All of this investment and growth makes sense—data privacy has never been more top of mind for businesses as new regulations are created and amended on a yearly basis.
So, what are all these new privacy professionals doing with all this extra investment?
They’re setting the foundations for privacy-consciousness at their organizations, identifying and implementing the right organizational and technical measures to protect privacy rights, reducing risk and measuring outcomes—in short, they’re building privacy programs.
There’s a difference between, say, having a consent management system implemented on your website and having a full-blown data privacy program.
A data privacy program serves as the framework through which you can find solutions to data privacy problems. It’s the collection of approaches, processes, and tools that you use to protect the privacy of your customers, employees, partners, and other stakeholders. Ultimately, it improves your organization’s ability to collect, process, and store personal information in a way that complies with the relevant data privacy laws.
Data privacy programs will differ from organization to organization, as every organization works with personal information in different ways. But so long as you focus on building a framework first, there are best practices and standards you can follow that will lead to a data privacy program that works for your organization.
When asked why they need a privacy program, most people's first response is, “So we don’t get fined for breaking the law.”
There’s nothing wrong with this being your motivation for implementing a data privacy program. To date, there have been over 1,200 GDPR fines totaling more than €2.3 billion. And although U.S. privacy regulations are just getting started, authorities like states’ Attorneys General and the California Privacy Protection Agency (CPPA) have shown that they intend to enforce the law. While enforcement is still in its early days, you can review our analysis of the Sephora case, which was the first enforcement action under the CCPA/CPRA.
But even if these regulations didn’t exist, it would still be a good idea to implement a data privacy program at your organization. After all, the point of these regulations isn’t to collect fines; it’s to protect consumers and businesses. Here are some additional reasons why you need a data privacy program:
As we alluded to above, data privacy programs will look different at each organization, but there are some basic steps you can follow to establish a program that fits your organization.
Before you do anything, it’s essential to learn all you can about the drivers behind your need for a data privacy program. Understand the applicable data privacy laws and regulations that apply to your operations, such as the GDPR or CCPA/CPRA. There might be other reasons why your organization needs a privacy program—such as reducing the risk of a data breach, building trust with your customers, and so on. Study these drivers as well and consider how they’ll shape your privacy program.
Once you understand the specific requirements that your privacy drivers have, you can review the guidance in this and other resources on building a data privacy program to establish a formal strategy. Don't stress about having all of the answers at this point; your plan might include a few steps that simply call for further investigation and planning. Even if there are still gaps like these, it’s important to show that you have a direction and a strategy to move ahead—this is especially important for the next step.
You need commitment from the top levels of your organization in order to implement your privacy program. They’re going to want to know what the organization stands to gain, how this will impact operations, how it’ll impact the budget, and so on. Most non-privacy professionals underestimate the amount of effort it takes to become compliant. Laying out the steps will help clarify and secure the resources you need to be successful from the start.
Furthermore, getting organizational buy-in will help you be more effective once your privacy program is live. If the whole organization understands that privacy is something they need to factor into their day-to-day responsibilities—such as team leads understanding the need to collaborate on DSARs or R&D understanding privacy-by-design principles—you’ll be more efficient and better situated to scale.
Most businesses haven’t had a reason to identify and track the personal data they collect until recently; as a result, many organizations have consumer data spread across multiple systems and databases. Discovering all of this data, classifying it, recording where it’s going and where it came from, and more is crucial for all downstream compliance activities. If you don’t know about it, you can’t do anything about it.
The GDPR refers to the classification and recording process as a record of processing activities (RoPA). Even if you aren’t subject to the GDPR, following its RoPA guidelines is a good approach to this process.
Given the privacy drivers at play in your organization and the current state of your data processing activities, where are you currently exposed to significant risk? You might discover that your security measures are not applied evenly across the organization, or that you aren’t able to quickly process requests to opt out of data collection. Flag these risk areas so you can prioritize controls to mitigate them.
With a full sense of the scope of your privacy drivers, data processing activities, and privacy risks, now you can identify the specific steps you need to take. That might involve identifying a DSAR solution, revamping how your website secures consent, formalizing a vendor assessment process, and more. Almost certainly, you’ll have multiple goals—it's important to prioritize based on the relevant regulations and your organization’s biggest gaps.
Once you have your plan, it’s time to put it into practice.
You’ll need to implement technical and organizational measures to protect personal data, including encryption, access controls, consent management, vendor onboarding processes, incident response plans, and more. Make sure you include education and training in this step—privacy is not possible without collaboration and buy-in from across the organization, so you’ll need to ensure your coworkers are equipped with the resources they need to comply with policies and procedures.
After implementing the various technical and organizational measures contained in your data privacy program plan, you’ll want to see whether they work.
Can you respond to a DSAR within the 30 days required by law? Does vendor onboarding take too long? Do your colleagues feel burdened and confused by the new data privacy considerations they have to take into account? Measure and monitor these and other data privacy metrics to identify whether you’ve been successful and how you can improve.
Data privacy laws and regulations are constantly evolving. Organizations need to stay up to date with the latest developments and changes in the legal landscape to ensure their data privacy program is compliant.
Not only will the laws and regulations change, but your internal processes will change too. You’ll collect and process data in new ways that may require data privacy impact assessments (DPIAs) or other evaluations.
And most significantly, your business will hopefully grow! As you grow larger, your data privacy program will need to grow and evolve commensurately.
Following the above steps is a good start, but you might be looking for a greater level of detail. In that case, you may want to study one of the existing privacy program frameworks.
Here are some frameworks you might consider adopting at your organization:
The activities we recommend in this article are significant, but they’re just the tip of the iceberg. Educating and training your colleagues on privacy responsibilities is an entire initiative in and of itself, but it's just one component of a comprehensive data privacy program.
That’s why it’s essential to make use of the data privacy tools that are available to you. Non-privacy professionals might think that it's feasible to build the necessary infrastructure for data privacy compliance in-house, but often, this assumption doesn’t take into account the many complexities that data privacy compliance poses. In-house development also commits you to maintenance and updates every time the law changes—which it does often.
Without external support, you won’t have the time or resources it takes to develop a data privacy program that truly fits your organization. Osano can be the partner that automates the most tedious compliance activities like consent management, vendor assessments, DSAR workflow, and more, leaving you with time to tend to the unique needs of your organization.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.