Steps for building a privacy program, plus checklist

Why are privacy programs important?

A good privacy program informs employees how a company plans to keep information secure, who is responsible for managing the plan and what actions will be taken during a security breach. Privacy programs range broadly and can be as short or detailed as needed. Thorough outlines, for example, may include the specific software, protocols, tools and other relevant data protection measures in place.

In the past, corporate privacy was an ad hoc activity with few formal rules for ensuring the privacy of information. Today, information security and privacy are largely inseparable activities due to rising occurrences of cybersecurity threats and internal theft of confidential data, as well as the potential for damage to personally identifiable information (PII).

A privacy program is an integral component of any security program. Unlike security, which aims to protect the confidentiality, integrity and availability of information, privacy focuses on protecting access to personal information and other important company documents. Such protection is often driven by corporate, industry or government compliance standards and regulations, such as GDPR and HIPAA.

Privacy programs are important because they can help enterprises maintain privacy, prevent data breaches, maintain data governance and comply with regulations.

20 steps for preparing an information privacy program

When launching an information privacy program, follow these 20 steps:

1. Prepare a business plan justifying the preparation, management and costs of a privacy program.
2. Secure management approval and funding to develop the plan, based on the business plan.
3. Create an internal privacy team with representation from IT, legal, risk management, business unit leaders and other appropriate members.
4. Consider adding a team of external advisors with expertise in creating privacy programs.
5. Establish a project plan with objectives, target dates and actions to be taken with identified roles and responsibilities.
6. Examine how privacy is currently handled. Consider performing a gap analysis, or review previous audit reports, which address privacy issues.
7. Determine what PII, business identifiable information and other data needs to be protected. Organizations should ask the following questions:
   1. Where is the data located?
   2. Who uses it?
   3. Who has custody?
   4. How is data kept secure while being transmitted and used?
   5. How do authorized users access the data?
8. Review relevant information privacy standards and regulations. Select one or more as guidance in the development stage. This step is important as auditors will want to examine benchmarks when evaluating the program.
9. Prepare and have management approve a privacy policy that establishes the ground rules for information privacy management.
10. Develop a privacy risk management process to regularly ensure privacy risks, threats and vulnerabilities are managed effectively.
11. Decide who will implement the plan and who will manage it after deployment.
12. Define the controls used to manage information privacy -- for example, privacy breach impact assessments, how to deal with contractors and third parties, records management and regulatory compliance -- along with technology controls, such as access controls and user authentication.
13. Define management controls for daily privacy activities, such as differentiating between business and personal information and collecting, handling and transmitting business identifiable information and PII.
14. Establish a process for dealing with breaches, such as incident response and risk management processes. Include information about how to prepare an after-action report for senior management.
15. Establish and deploy an employee awareness and training program on information privacy that includes new hire training, refresher training for existing employees and ongoing reminders to all employees and third parties about the importance of information privacy.
16. Establish a reporting process to provide privacy activity reports to regulatory and other government agencies, if required.
17. Establish a privacy plan review and testing process to evaluate the program's effectiveness, and identify areas for corrective action.
18. Establish a rollout schedule, and update senior management regularly on the program's rollout progress.
19. Schedule a post-rollout evaluation, interviewing employees and others for their views on the plan in the months following the rollout.
20. Establish an annual schedule of privacy activities, aligned with information security activities, to evaluate the program's progress and gather evidence for audit reviews.