In March, the COVID-19 outbreak forced many industries to make an unprecedented shift to working apart and online. In May, an amendment to CCPA, the CRPA, was added to California’s upcoming November ballot, potentially increasing privacy obligations for employers nation-wide. As business leaders begin crafting strategies to return their employees to the office, data privacy is at the forefront of the conversation. From tracking employee health metrics to monitoring physical proximity, new procedures are putting a more personal twist on the importance of data regulations and compliance—with no time to waste.
To find a path in this uncertain time, organizations should strive for one thing: data privacy readiness.
Data privacy readiness is the ongoing state of being prepared and informed about how data is used in and by an organization, as well as being organized and prepared for data subject requests. Data privacy compliance, on the other hand, is fleeting; your company could be compliant one moment and out of compliance the next. This is why it’s important to ignore the “one-and-done” notion of compliance and instead implement broader changes that enable data readiness.
To make these changes, you can follow a 3-step process. How you start or end the process will be unique to your organization and depend on your existing data practices and infrastructure. While many organizations start in the first phase, others may be prepared to start farther along. Some organizations can become “data ready” simply through documentation, while other organizations may require larger updates to policies, software, and/or business practices. See Logic20/20’s example recommendations for businesses starting in each phase
Step 1: Discovery, assessment & readiness
The first phase of any data privacy project focuses purely on data. This involves the processes of discovery and assessment, which together enable you to achieve data privacy readiness.
To start, you should investigate the origins and behavior of all your data, including:
- What type of data it is
- How it comes into the organization
- Where it’s stored
- How it’s being used
- Where it goes
Next, that information can be visualized in a data flow diagram and catalogued in a data inventory. A data flow diagram is a process map depicting the step-by-step movement of data. A data inventory, in contrast, is about storage and access: where the data is stored, what categories of information are collected, and who is using it.
With the diagram and inventory in hand, you will need to assess the overall progress of your organization. What steps are required to transform your current arrangement to one that is data ready? This assessment will likely involve:
- Interviews with stakeholders across diverse lines of your business
- Inspection of existing policies, procedures, and governance
- Review of enterprise data and architecture including data flows, system inventory, architecture diagrams, location of personally identifiable information (PIA), and more
With a thorough understanding of your data and assessment of the next steps required, you can move to the next phase. See Logic20/20’s example recommendations for businesses starting in each phase
Step 2: Alignment & optimization
In the second phase, you will operationalize your data readiness by integrating compliance into your organization. With the data inventory you created in the previous phase, you have clear documentation of existing processes. Your assessment resulted in achievable milestones. Now, you will need to align your people, the processes that comprise their day-to-day work, and the tools they use to do that work. Without active employee participation, the alignment process—and data privacy readiness as a whole—will fail. Employees at all levels must be involved in the change and allowed input to help optimize the organization’s practices.
Step 3: Governance
The final phase of data privacy preparation centers on your organization’s ability to maintain data privacy readiness. As with any major change, this requires establishing a support system to keep the plan on schedule. Your governance should include:
- A data privacy support person. This person will spearhead management of the data privacy remediation plan at scale. Centralizing communication to one person will provide consistency as other parts of the organization change. They should report directly to your CPO, CITO, or equivalent.
- Ongoing optimization. The optimization process is continual and should be adapted as internal and external influences change. Special attention should be paid to the introduction of new data privacy regulations.
- Automation. Data minimization and information sensitivity make data privacy inherently well-suited for automation. Tools like robotic process automation can reduce risk and human error, making data privacy readiness even easier.