Login
SignUp
Contoural - Privacy Program Services

Privacy Program Services

STRATEGIC FOUNDATIONAL EXECUTION MANAGEMENT
Maturity
Assessment &
Strategic
Roadmap 		Records/Data Retention
Policy & Schedule Data Security
Classification Policy 		AI
Governance Privacy
Program 		Discovery
Response &
Legal
Hold 		Governance
Processes
and
Procedures 		Data
Placement &
Automation 		Behavior
Change
Management
& Training 		Legacy
Document &
Data Disposition 		Ongoing
Management &
Monitoring
Information Governance Organizational Development
Foundational Privacy Services
  • Risk tolerance review and targeted program maturity assessment and planning
  • Risk-driven policies and notices development
  • Privacy-enabled incident response development
Operational Privacy Services
  • Privacy subject access and deletion request process development
  • Data retention policy creation and update
  • Privacy training and awareness development and delivery
Organizational, Disposition, and Monitoring Services
  • Organizational privacy roles and responsibilities development
  • Defensible disposition and remediation process development and execution
  • Privacy audit, monitoring, remediation, and recordkeeping processes
Staffing
  • Fractional and Transitional Privacy Manager

Top Three Privacy Program Resources

Executing Privacy Summer School – Part 1: Seven Phases of Getting Started
Read more
Click Here For More Resources
More Resources

Essential Privacy Program Questions

  • What types of personal information do we access, transmit, share, and store across our organization?
  • From what states, provinces, countries, and regions, or jurisdictions, do we collect individuals’ personal information, and which geography-specific laws and regulations govern this information?
  • Does the personal information already reside in a well-governed repository? Can this information be easily accessed, produced, and deleted or de-identified?
  • If the personal information continues to reside in this repository, have the appropriate security controls been applied? If no, should the personal information be moved to a more secure and better governed repository?
  • Is the personal information either expired and of low or no business value? Is it a copy of information that resides elsewhere and perhaps should be deleted?
  • Does the personal information reside in a cloud-based system or other third-party managed repository? Does this repository have the appropriate data security controls and governance capabilities?
  • Has the personal information been sold or shared with a third party, and you are no longer this shared information? Have the information steward requirements?
  • How do we effectively comply with a multitude of different privacy laws?
  • Where is this personal information stored and managed across our structured, unstructured and semi-structured data repositories as well as onsite and offsite paper stores?
  • For personal information stored in a repository, how did it get there? How does personal information flow across our various repositories? How does personal information flow into and out of our systems from and to third parties?
  • What level of maturity privacy should our program be and what level of resources will be required to support this maturity for our company in our industry?
  • Knowing that privacy execution is inherently imperfect, what risks do we face and what level of risk is acceptable for our organization?
  • How do we ensure that we don’t under build or underinvest in our program, and perhaps more important how do create ensure that we are not overbuilding and overspending based on needs and profile?
  • What is the appropriate retention of personal information, and how do document the legitimate business need for retaining this personal information to ensure our practices are defensible?
  • What policies and notices do we need for managing our personal information? Where and how should these be published?
  • How do we respond to personal information subject access requests from individuals?
  • How do we execute “right to be forgotten” and personal information erasure requests from customers, employees and other individuals?
  • What processes should we follow that allow us to both comply with notification procedures and reduce risk in the event of a breach? Have we proactively developed these processes?
  • What gaps do we have in our privacy program, and what is our strategic roadmap over what period of time for addressing these gaps?
  • Who should be involved in developing and executing the privacy program and how do we make this an enterprise-wide effort supported by multiple stakeholders?
  • What internal, external and technology resources will be required to execute our program over what period of time? Can we leverage technology we already own?
  • What groups will be responsible for developing, managing and updating the privacy program?
  • How do we ensure that our privacy program does not conflict with recordkeeping, eDiscovery and other compliance requirements? How do we resolve these conflicts?
  • What the common workstreams across privacy, records management, eDiscovery and other compliance needs that would allow us to avoid duplicating efforts?
  • How do we consistently and defensively delete personal information?
  • How do we train employees on privacy processes?
  • What audit processes are needed to ensure we are compliant?
  • How do we communicate our privacy requirements and strategy effectively and credibility to senior management?

Contoural's Privacy Policy Approach

Contoural’s privacy programs are a combination of policies, processes, technology implementation, training, monitoring and auditing to identify, classify, secure, manage, and delete sensitive information across electronic and paper media.

Ensure Compliance
Ability of the organization to meet a wide variety of legal and regulatory privacy requirements.
Reduce Risks
An organization’s ability to reduce potential privacy-related risks, such as mitigating the potential for data breaches, negative publicity, A7 regulatory actions and fines.
Operability and Scalability
Ability to compliantly manage privacy information in an efficient and effective manner, as well as scale privacy.
Flexibility
Ability to meet new or changing privacy requirements.
Cost Effectiveness
Ability to do all of the above in a cost-effective manner.

Developing a Personal Information Inventory

Critical to compliance with privacy rules is tracking both how personal information is collected and flows through an organization, as well as where it is stored. Companies should create a personal information inventory. This inventory should list all relevant processes that involve the collection and use of personal data. The inventory also should address those who have access to the personal data, to whom the data is transferred outside the company (if anyone), and how long the personal data is stored in each location.

This personal information inventory process can identify the patterns that may be unique to your business, which can help you identify privacy data. Some of it can be identified through technology that searches for known patterns such as social security numbers, addresses, driver’s licenses, “regular expressions”, etc. Other types of privacy data such as inference data may require more advanced search techniques.
Once the personal data and its respective data flows have been identified, the personal information inventory should also seek to identify all the places personal data is actually stored. This may include databases, email, and file shares, among other locations. Often, employees will take an extract of a database, for example, and store that as a file on their desktop. The inventory should include all designated locations of this data, such as the original source as well as any inadvertent copies.

Creating a Data Retention Policy

Worldwide, new and existing privacy regulations require that personal information be retained only as long as necessary for legitimate business need. To comply, organizations are developing data retention and disposition policies — which involve much more than privacy — to avoid conflicts while complying with non-privacy regulatory requirements. And more important than just a data retention policy, care and diligence practices need to be implemented and executed.
Many organizations are updating their data/retention policies to address a larger set of requirements. To build a good data/retention policy and schedule attributes should include:
An Inventory of All Information Types
A first step is identifying all the types of information across the organization. This inventory should span all media types including structured data in database systems, unstructured file content, semi-structured emails, social media, etc. as well as paper documents.
Apply Legal and Regulatory Retention Requirements
From the larger inventory, based on the content and independent of media – determine the legal and regulatory requirements. This can include national, state/provincial, local, as well as industry-specific regulations. For organizations that operate across multiple countries these requirements must be identified for each country. In general, where possible create global retention categories and define local exceptions where necessary. Also consider explicitly calling out non-records.
Determine Business Value
Companies can and should define retention based on business value. In other words, a company can declare something a record because it has business value even if there is no underlying regulatory requirement. Business value can include intellectual property, trade secrets, and operational needs.
Address Personal Information
Identify which records and non-records contain personal information, and which privacy requirements may apply.
Include Disposition Requirements
if regulations with “maximum” retention periods exist (e.g., “Destroy after 2 Years”), include these disposition requirements in your retention decision.
Identify Legitimate Business Need
For retention of personal information, include a description of the legitimate business need for the retention as stated.
Consider the Need for Legal Holds
Companies facing or anticipating litigation or regulatory investigations have a duty to preserve that information. This duty to preserve usurps all records expiration or privacy disposition. Data retention polices should acknowledge this responsibility.
Obtain Consensus with the Business
Finally, continue to socialize the policy, business value and retention requirements with business units and other key stakeholders, seeking to achieve reasonable retention periods.

Targeting the Right Privacy Maturity for Your Organization

Different levels of program maturity are required for different companies. Companies vary on the number of consumers whose privacy information they hold, the quantify and breadth of this information, how widely it is shared as well as how this information is stored and managed. A few organizations do indeed need a highly advanced and rather expensive “sports car” level of program maturity; however, more organizations would be better off with a fully capable and more cost effective “sedan” or even “golf cart” level program. It is better to have a well-executed, albeit simpler, approach than a more complex, difficult, and expensive “sports car” target maturity that spends more time in the repair shop than being driven. Savvy privacy professionals know that targeting the right level of maturity is key.

Companies should consciously target a specific maturity level and build their programs to meet that level.  Companies fail in their privacy efforts by overreaching and trying to create too sophisticated program elements as they do by undershooting the needed capability.

Defining Privacy Policies and Procedures

The Act will require many organizations to update or create additional privacy policies as well as implement a series of privacy procedures, to include the privacy rights recognized in the new law. The types of documents that may need to be created or updated include:

  • Updated Privacy Policies
  • Privacy Notices
  • Consent Notices
  • Deletion Procedures
  • Data Security Classification Standards
  • Privacy Impact Assessment
  • Data Breach / Incident Response Plans

Privacy-enabled Incident Response

In addition to disclosing what information is collected about consumers, whether and to whom their information is disclosed, and to access information collected, these laws have strong penalties for organizations in the event of a data breach. While there are existing breach laws with penalties on the books, and with the enforcement of privacy laws and potential penalties, many businesses want to review and strengthen their management and security of personal information. Organizations need to implement data security and privacy controls. The exact protection measures will depend on the type, medium and location of the personal information.
Most organizations have some level of information security capabilities already in place. It is important to make sure these capabilities address and are consistently applied to privacy information.

Operationalizing a Privacy Program

As with any complex task, instead of executing a series of ad-hoc, one-off steps it is always better to create an end-to-end plan. This is particularly true for privacy as these projects can involve a multitude of policies, processes, technology and training often involving multiple groups addressing different types of media. Especially when facing a tight timeframe, defining upfront what you want to do when, and how much makes these tasks easier. Particularly for a privacy program, “look before you leap.”
Organizations should start with an Assessment process that in turn feeds into a program roadmap. Through a high-level interview process the assessment discovers the types of personal data an organization collects, how it is managed, how it is protected and the current processes in place to communicate with customers and regulators on privacy compliance, including the reporting of data breaches. The information learned during the assessment can then be used to identify gaps between current state and the required state for privacy compliance, and a roadmap developed to address those gaps. The roadmap should also contain resources required for each step, any new technology that may be required as well as cost information for each step, and include a timeline that achieves compliance well before the deadline. Equally important, the assessment and roadmap process engages a number of key stakeholders required for a successful program early in the project.

Creating Data Security and Privacy Controls

In addition to disclosing what information is collected about consumers, whether and to whom their information is disclosed, and to access information collected, the Act has strong penalties for organizations in the event of a data breach. While there are existing breach laws with penalties on the books, with the enforcement of privacy and potential penalties many businesses want to review and strengthen their management and security of personal information. The exact protection measures will depend on the type, medium and location of the personal information. Organizations need to implement data security and privacy controls. Some typical controls include:
  • Preventing or controlling movement between repositories
  • Tightening access controls
  • Securing and encrypting data at rest
  • Preventing data from being shared, printed or stored elsewhere
  • Scanning Repositories for Inappropriate data

This step highlights the importance of the previous step: creating a comprehensive personal information inventory that maps out all locations where data is stored is critical as breaches can affect not only repositories of record, but also secondary copies of data in less protected areas.

Structured Data Personal Information Capability

Significant stores of privacy information live in applications which store their information in structured databases. These databases are part of customer applications. Privacy information often flows from one system to another, sometimes creating many copies of the same data. Companies need to develop capabilities for managing this structured privacy data.
Privacy requires the capability of not only identifying and securing privacy information in these structured databases, but also producing this information in response to a consumer access request, as well as deleting or “de-identifying” it through pseudonymization procedures.

Unstructured and Semi-structured Data Capability

While privacy information is typically associated with information in databases, large amounts of privacy information exists in files, emails and other types of unstructured and semi-structured information. Many privacy programs do not address this unstructured and semi-structured information, creating real non-compliance issues and risks. Under European, California and other laws this type of information is in scope, and can be particularly challenging to manage.

Paper Information Capability

Paper documents tend to accumulate in both onsite and offsite storage facilities, some of which contain privacy information. The new and emerging privacy laws do not exclude paper, and as such identifying and producing this paper-based information can be particularly burdensome. Hence programs must have the capability of addressing paper.
Often paper-based privacy information is either scanned into an electronic format, or even better -destroyed as soon as its retention period is reached.

Third Party Data Capability

Companies must have the capability to address the privacy information they collect that is either sold or shared with third parties, or likewise they receive themselves. This includes developing the appropriate service level agreements (SLAs) as well as ensuring that these third parties have the capability of complying to the privacy requirements. Many companies are surprised to find out the extent this information is shared.
Well-designed third-party capabilities set clear expectations over who is responsible for what. This is always easier to address proactively.

Personal Information Governance and Remediation

It is likely that the Personal Information Inventory will reveal personal information resides through the enterprise, including in databases but also in unstructured media including files on desktops and file shares. Companies need to engage in a triage process for this personal information:
  • Does the personal information already reside in a secured and well-governed repository? Can this information be easily accessed, produced and deleted or de-identified? If the personal information will continue to reside in this repository, have the appropriate data security controls been applied?
  • Should the personal information be moved to a more secure and better governed repository?
  • Is the personal information either expired and of low or no business value, or is it a copy of information that resides elsewhere, in which case it should be deleted?
  • Does the personal information reside in a cloud-based system or other third-party managed repository for which your are the custodian? Does this repository have the appropriate data security controls and governance capabilities?
  • Has the personal information been sold or shared with a third party, and you are no longer this shared information?
This step highlights the importance of the previous step: creating a comprehensive personal information inventory that maps out all locations where data is stored is critical as breaches can affect not only repositories of record, but also secondary copies of data in less protected areas.

Conducting Privacy Communications and Training

Once a company has its roadmap, policies and processes, tools, and technology in place, a critical task remains: employee behavior change management. Change management is a formal discipline that combines messaging, communication, training and auditing to get employees to follow a new process. Often, as part of a revamped privacy program, organizations will implement change management to ensure appropriate handling of privacy information. When organizations effectively apply change management, even stodgy, disinterested and uncooperative business groups will get on board.
A business’ privacy program should train staff with specific responsibilities for handling personal information, as well as employees who are going to be responding to consumer information access requests. Actually, it is a good idea that all employees receive some general privacy training that addresses, for example, why privacy is important and the company’s overall responsibilities for handling personal information.

Privacy Program Integration with Other Compliance Programs and Processes

One of the problems that has emerged from current privacy requirements is the need for these programs to coordinate with other compliance regimes, including records management and eDiscovery and legal holds. The California Act, for example, suspends deletion requests for personal information under legal hold. But these two groups of processes need to be coordinated.

Monitoring and Enforcement

Holding on to privacy information that is obsolete, expired and not needed for legal, regulatory or business use increases the risk of PRIVACY non-compliance, and increased exposure should a data breach occur. Likewise, implementing personal data deletion requests in environments with large amounts of legacy data is both difficult and expensive. To that end, privacy and other Information Governance programs should implement ongoing disposition of old, unneeded documents and data. This legacy deletion should encompass older structured data in databases, unstructured data including files on file shares, desktops and within SharePoint and other content management systems, legacy semi-structured data such as email, as well as inactive data held in backup tapes and onsite and offsite paper records.

Developing a Privacy Organization

A privacy project is not a check-the-box operation – it is a living program with ongoing responsibilities throughout the organization. Even when organizing the implementation project, there are questions of ownership, including:

  • Identifying the right coordinators
  • Identifying the right stakeholders
  • Organizing a steering committee
  • Identifying who should be part of the steering committee, including executive-level personnel

The creation or update of a matrix structure of the steering committee will help to drive ongoing privacy activities and maintain organizational compliance, in addition to other information governance responsibilities. The committee should bring together diverse professional viewpoints from various key business functions from across the organization. It should also ensure that there is good communication of requisite concepts, promote best practices for the management and control of the organization’s sensitive information, establish cross-functional ownership of the privacy program, articulate goals and business benefits, and define ongoing roles and responsibilities for privacy managers, compliance leads, and champions.

Thinking Beyond a Single Privacy Law - Creating Privacy Agility

A risk of privacy programs is designing a program to meet a single state or country’s privacy requirements, only to have to update and redesign the program as new privacy laws emerge one-by-one. Instead companies should consider building a baseline privacy capability that can then be more easily adapted as new requirements emerge. We call this baseline capability Privacy Information Agility.

Common Roadblocks to Successful Program Execution and Compliance

As part of good program planning, it is useful to identify potential roadblocks that could either halt or delay program completion. When it comes to implementing a privacy program, some common roadblocks could include:
“Policy-itis”
A common roadblock to privacy programs – focusing on the development of a privacy policy to the exclusion of policy execution. This risk is particularly acute for PRIVACY as it is expected to be updated by the Attorney General prior to its enforcement. Compliance is achieved not just through having a policy, but also by faithfully implementing it as well.
Siloed Approaches
Effective privacy takes a team, including privacy, legal, compliance, IT and business units. Any single group that takes on this task by itself is likely to falter.
Manual or Unworkable Processes
Manually compiling personal information access and deletion requests is likely to become overwhelming quickly. Organizations need to consider making this an automated, streamlined approach.
Starting too Late

The grace period for most privacy laws has already passed, and regulators are actively enforcing the rules. Organizations that start creating their programs too late run the risk of not completing on time.

Contoural Fractional and Transitional Privacy Manager Service

Contoural’s privacy programs are a combination of policies, processes, technology implementation, training, monitoring and auditing to identify, classify, secure, manage, and delete sensitive information across electronic and paper media:
  • Day-to-day support of privacy programs
  • Manage subject access requests and deletion
  • Participate in privacy and governance Steering Committee meetings
  • Participate in development of privacy technology strategy
  • Coordinate privacy activities with other functions, including records management, eDiscovery data governance and information security
  • Execute privacy training
  • Manage and drive privacy implementation roadmap
  • Evaluation of and development of departmental and division privacy coordinators
  • Support implementation of privacy technology
This position is flexible and can be staffed full-time, part-time with a specific number of days per week, or for a specific transitional period.
Contoural

Contoural is the largest independent provider of strategic Information Governance, Privacy, and AI Governance consulting services, including records and information management, litigation readiness and control of privacy and sensitive information.

Quick Links
Help and Support
Legal
Social

Copyright 2024. All Rights Reserved