Now that laws such as GDPR and CCPA are permanent fixtures on the global business landscape (and amendments to CCPA coming soon)—and customers are highly aware of how their data is being used—most businesses have made data privacy an integral part of their standard procedures. Organizations have devoted extensive resources to developing and executing their readiness plans and operationalizing these changes. And yet, even among those that have a data privacy governance framework in place, one challenge still remains: how to verify that privacy policies and procedures are being followed on a month-to-month basis.
Obviously, the data privacy officer (DPO) and the governance committee cannot continuously look over the shoulders of every employee handling personal information, nor can compliance be verified solely by scrutinizing internal databases. So, what is the solution?
When we work with clients on data privacy governance oversight, we help them implement a simple yet effective system that uses periodic surveys and results in a continuously updated, easy-to-understand data privacy dashboard. This tool helps the DPO and the governance committee monitor privacy practices among lines of business (LOBs) that handle personal data and promptly follow up on developments that could jeopardize the business’ compliance status.
In this article, we’ll review our four-step process for building a monitoring system that allows organizations to keep a close eye on privacy practices without placing undue burdens on their lines of business.
1. Know your baselines
While it can be tempting to jump in and start creating surveys, it’s important to first understand what those surveys will assess. In other words, find out exactly how your LOBs are gathering and using data (making sure those practices are in line with applicable privacy laws), and use this information as a baseline to monitor for changes that could become data privacy compliance violations.
When we develop data privacy dashboard systems for clients, we begin by conducting interviews with each line of business that handles personal data—a process similar to what we do when we begin building an initial readiness plan or creating a Record of Processing Activities (ROPA).
During these interviews, we review their regular business processes to gain a thorough understanding of
• What—and whose—personal data they collect, and how they collect it
• How and why they use the personal data they collect
• Who within the line of business has access to it
• Whether they share it with other lines of business, and if so, with whom and for what purpose
• Whether they share it with or sell it to third parties, and if so, to whom and for what purpose, and whether those partners have been vetted for data privacy readiness
• What they do with personal data when they no longer need it
With these insights documented, we establish a baseline understanding for how each line of business handles personal information. We now have a foundation for developing and implementing a survey plan to monitor for departures from documented procedures that could turn into compliance issues.
2. Create a survey plan
Once we understand each LOB’s standard procedures that involve personal data, we can design surveys that will either affirm the status quo or highlight changes that merit investigation. We design a custom survey for each line of business, tailored to the standard procedures we documented during the interview process. Here’s an example of part of a survey, based on one we recently developed for a client:
This process can flag "secondary uses" of personal data: cases where an LOB uses personal data for a purpose other than the one disclosed in the privacy notice at the time of collection, which can compromise compliance status. We also consider the cadence for sending out surveys (weekly, monthly, or quarterly). Ideally, each LOB's cadence should correspond to its risk profile. Lines of business that are considered "high risk" include those that
• Collect/handle a high volume of personal data
• Handle highly sensitive personal data, such as Social Security numbers or health-related information
• Share a high volume of data with external partners
High-risk LOBs merit a more frequent survey cadence, while those with a lower risk profile may require less frequent monitoring.
3. Create a dashboard to track KPIs
The data privacy dashboard tracks the survey results to calculate KPIs and flag responses that merit investigation. Each organization’s dashboard will look slightly different, depending on what is being monitored. Here’s an example of an overview screen:
If a line of business reported in its most recent survey a change that could affect the organization's compliance status, the LOB's risk profile changes automatically; the new profile is reflected on the Overview chart, and the details of the change appear as a risk factor under the Line of Business Risk tab.
As you can see, the viewer has the option to drill down and view reports covering other areas, such as third-party risk levels:
4. Incorporate dashboard reviews and follow-ups into day-to-day governance
Even the very best dashboard will do little good if no one uses it, so it is important to bring the DPO and governance committee members on board with their new monitoring tool. We walk governance stakeholders through the dashboard so that they can navigate it on their own and find answers to their questions.
One question that frequently comes up in these sessions is how to prioritize "flags": survey responses that reflect changes in an LOB's processes and therefore require follow-up. We advise giving the highest priority to flags from lines of business with a higher risk profile, meaning those tagged "high risk" because of the nature of their personal data practices and those that have gone the longest without responding to a survey, and then working down through the lower risk levels.
In following up on a flagged response, the governance committee will obtain more details from the LOB about the change and discuss whether it constitutes a compliance risk. For example, if one LOB reported that it is now planning to sell personal data to a third party, the governance committee will establish whether the sale is allowed under applicable data privacy laws and the business’ overall data ethics and risk tolerance profile, as well as details such as how consent will be obtained from data subjects when needed and how the third party’s data privacy practices will be vetted.
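The four steps above amount to a small monitoring loop: a documented baseline per LOB, periodic answers in the same shape, a diff that produces flags, a risk tier that sets cadence, and a priority order for follow-up. The Python below is an added example of that loop, not code from the article or from any client dashboard; the field names, the numeric thresholds for "high volume", the cadences in days, and the three sample lines of business (HR, Marketing, Facilities) are my assumptions, chosen only to exercise the article's criteria.

```python
"""Added example (not from the original article): a minimal model of the
baseline -> survey -> dashboard loop described in steps 1 through 4.
Thresholds, cadences, field names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date

# Assumed cut-offs: the article names the criteria but gives no numbers.
SENSITIVE_CATEGORIES = frozenset({"ssn", "health"})
HIGH_VOLUME = 100_000                       # records handled per year
CADENCE_DAYS = {"high": 7, "medium": 30, "low": 90}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Practices:
    """What one LOB does with personal data: the interview baseline (step 1)
    and each survey answer (step 2) share this shape so they can be diffed."""
    lob: str
    categories: frozenset      # kinds of personal data collected
    purposes: frozenset        # uses disclosed in the notice at collection
    third_parties: frozenset   # external recipients or buyers
    vetted_parties: frozenset  # third parties already reviewed for privacy readiness
    retention_days: int
    record_volume: int


@dataclass(frozen=True)
class Flag:
    lob: str
    kind: str
    detail: str


def risk_tier(p: Practices) -> str:
    """High: sensitive data, high volume, or sizeable sharing with outsiders."""
    if p.categories & SENSITIVE_CATEGORIES or p.record_volume >= HIGH_VOLUME:
        return "high"
    if p.third_parties and p.record_volume >= HIGH_VOLUME // 10:
        return "high"
    if p.third_parties:
        return "medium"
    return "low"


def compare(baseline: Practices, reported: Practices) -> list:
    """Departures from the documented baseline that merit follow-up."""
    flags, lob = [], baseline.lob
    for c in sorted(reported.categories - baseline.categories):
        flags.append(Flag(lob, "new data category", c))
    for u in sorted(reported.purposes - baseline.purposes):
        flags.append(Flag(lob, "secondary use", u))      # use not in the original notice
    for t in sorted(reported.third_parties - baseline.third_parties):
        status = "vetted" if t in reported.vetted_parties else "NOT vetted"
        flags.append(Flag(lob, "new third party", f"{t} ({status})"))
    if reported.retention_days > baseline.retention_days:
        flags.append(Flag(lob, "retention extended",
                          f"{baseline.retention_days} -> {reported.retention_days} days"))
    return flags


def overdue(baselines: dict, last_response: dict, today: date) -> list:
    """LOBs whose last survey answer is older than their risk-based cadence."""
    flags = []
    for lob, base in baselines.items():
        age = (today - last_response[lob]).days
        if age > CADENCE_DAYS[risk_tier(base)]:
            flags.append(Flag(lob, "no response", f"{age} days since last survey"))
    return flags


def prioritize(flags: list, baselines: dict, last_response: dict, today: date) -> list:
    """Step 4 rule: higher-risk LOBs first, then the LOB silent the longest."""
    def key(f):
        return (TIER_RANK[risk_tier(baselines[f.lob])],
                -(today - last_response[f.lob]).days)
    return sorted(flags, key=key)


def run_dashboard(baselines: dict, responses: dict, last_response: dict, today: date) -> list:
    """One dashboard refresh: diff each answer, add overdue LOBs, rank the flags."""
    flags = []
    for lob, reported in responses.items():
        flags.extend(compare(baselines[lob], reported))
    flags.extend(overdue(baselines, last_response, today))
    return prioritize(flags, baselines, last_response, today)


# Constructed sample data (hypothetical LOBs, vendors and dates).
TODAY = date(2024, 6, 1)
BASELINES = {
    "HR": Practices("HR", frozenset({"name", "ssn", "health"}), frozenset({"payroll", "benefits"}),
                    frozenset({"PayrollCo"}), frozenset({"PayrollCo"}), 2555, 4_000),
    "Marketing": Practices("Marketing", frozenset({"name", "email"}), frozenset({"newsletter"}),
                           frozenset({"MailVendor"}), frozenset({"MailVendor"}), 365, 5_000),
    "Facilities": Practices("Facilities", frozenset({"name", "badge_id"}), frozenset({"building access"}),
                            frozenset(), frozenset(), 90, 300),
}
RESPONSES = {
    "HR": BASELINES["HR"],                                # nothing changed
    "Marketing": Practices("Marketing", frozenset({"name", "email"}),
                           frozenset({"newsletter", "lead resale"}),          # new purpose
                           frozenset({"MailVendor", "DataBrokerX"}),           # new, unvetted buyer
                           frozenset({"MailVendor"}), 365, 5_000),
}
LAST_RESPONSE = {"HR": TODAY, "Marketing": TODAY, "Facilities": date(2024, 2, 1)}  # Facilities silent

if __name__ == "__main__":
    for f in run_dashboard(BASELINES, RESPONSES, LAST_RESPONSE, TODAY):
        print(f"[{risk_tier(BASELINES[f.lob])}] {f.lob}: {f.kind} - {f.detail}")
```

Two design points carry over to a real dashboard: the survey answer and the baseline are the same record type, so a change is any field-level difference and needs no per-question logic; and "no response" is itself a flag, ranked against the other flags, so a silent high-risk LOB cannot quietly drop off the committee's agenda.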
The missing piece of the governance puzzle
By implementing a surveying program that feeds into a simple dashboard, DPOs and governance committees can quickly and easily access the information they need to ensure data privacy regulations are followed correctly and consistently. With the “missing piece” of regular oversight in place, the committee can focus more of its efforts in other areas, while lines of business can receive timely guidance and correction on data-related practices before they become compliance issues.
General Manager of Data Privacy Jill Reber is a nationally recognized expert on data privacy—particularly GDPR, CCPA, CPRA, and other data protection laws. She has spoken on the topic at events sponsored by American Banker, International In-House Counsel Journal, the American Bar Association, TDWI, and other national and international organizations. Jill also serves on the advisory board of the Association for Data and Cyber Governance.