As data privacy laws and regulations proliferate around the world, it’s imperative that companies resist the urge to engage in a game of data-privacy whack-a-mole—attacking each one individually, until another one pops up.
According to the United Nations Conference on Trade and Development, 107 countries have in place some form of legislation to secure the protection of data and privacy, and many others have similar legislation in the works. Attempting to comply with each one without taking a holistic approach to all of them is not only a risky undertaking, but also has the potential to drastically increase data privacy compliance costs.
“Where you have some overlap between those various requirements, there are absolutely opportunities for efficiency and to streamline the way that things can be implemented,” says Orson Lucas, a managing director and co-leader for privacy services in the cyber-security practice at KPMG. Take, for example, the handling of requests received from data subjects under both the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act, both of which give consumers greater legal rights to demand that specific data be deleted from an online enterprise’s databases. “With some tuning, you can often leverage the same technologies and a lot of the same processes to help fulfill both of those,” Lucas says.
Recent data reveals that the struggle is real. According to a Thomson Reuters survey on data-privacy compliance, 44 percent of 1,000 data privacy professionals globally said they are presently failing to adhere to data privacy regulations, and 47 percent said they’re struggling to keep up-to-date or are falling further behind.
At a high level, implementing a robust data privacy compliance program is not just about satisfying regulatory obligations, but more broadly thinking strategically about how privacy practices fit into the company or organization’s overall business strategy and making it a core part of the business model. “It’s important at the outset to think about where the business wants to end up on the data privacy maturity scale to ensure alignment between risk tolerance and investment and leverage maturity targets to drive focus on privacy efforts,” Lucas says.
Below is a look at key elements implemented by leading companies as part of a best-in-class data privacy compliance program.
Map your data. Data map exercises—and specifically keeping up with the ever-changing products, service offerings, and systems of a global company—are one of the biggest undertakings in becoming, and staying, compliant with data privacy laws like the GDPR. A data map, like any other map, will prevent you from getting lost, but only if you know how to properly follow it. In the context of data privacy, the elements of a data map include an assessment of what data the company collects that’s subject to data privacy laws; how the data is processed; where it is stored; how the data is used; and how long it is retained.
To better understand just how monumental a task this can be, consider Mastercard’s approach. Because the global payments and technology company authorizes, clears, and schedules card transactions on behalf of banks, those card numbers need to be protected in accordance with global data protection laws. At the same time, however, certain business lines within Mastercard collect and process more data than others—in the context of a marketing initiative or loyalty rewards program, for example.
To tackle this compliance hurdle, each business line was asked to provide a data map, documenting all the personal data it handles for each product or service. “We now have 122 data maps covering all our products and services and systems, which double up as our records of processing, should a [data protection authority] ever ask us about how we handle data,” Loretta Marshall, senior regional counsel of privacy and data protection at Mastercard, explained on a recent Webinar. Mastercard also created an automated data inventory to track in real-time what data it has, on which platform it is stored, and what restrictions exist for each data point, she said.
Get a grip on data privacy obligations. Companies on the lower level of the maturity scale tend to have, at a minimum, a data privacy model that is documented, defensible, and repeatable—processes and procedures they can show regulators, should they come knocking. Some companies, however, stop there once they have met those data privacy obligations.
In contrast, companies further along the maturity curve tend to approach privacy as a business enabler. “Privacy done right can help to not only fulfil and satisfy your compliance and your risk-management objectives, but also better position you with consumers—both as a competitive differentiator and to enrich the relationships you have with your customers,” Lucas says. “Approaching privacy in that way is not different from, but rather intertwined with, the need to develop a robust privacy program,” he says.
Privacy-by-design is one such best practice—and, in fact, an express legal requirement under the GDPR, mandating that data protection and privacy controls be considered from the outset. Going back to the example of Mastercard, the company has developed a checklist to help business lines make decisions about what data they collect and process. As part of that checklist, business lines are encouraged to think about how long they need the data; who has access to it; and in which systems the data is stored. They are also encouraged to think about best practices around data minimization, security measures, de-identifying data where possible, and instances in which card numbers can be replaced with tokenization.
Mastercard’s marketing business line, specifically, is encouraged to think about what is meant by embedding privacy into the design of marketing products and services to anticipate and prevent potential privacy threats, Marshall said. They are encouraged to think about what data they really need, or whether the product or service can function without a particular data field.
Assign ownership. A data privacy program without clear ownership of risk will fail. For companies that fall under the umbrella of the GDPR, appointing a Data Protection Officer (DPO) isn’t enough. The DPO acts as a single source of contact for the relevant supervising authority and is tasked with overseeing compliance with the GDPR, specifically, but that individual still needs to be steered in the right direction.
That is where a steering committee comes into play. From a global data privacy perspective, best practice is to have in place a steering committee with representatives from business units most heavily impacted by privacy obligations. In addition to IT, this steering committee should include reps from privacy, risk and compliance, legal, HR, marketing, and other functions.
The role of internal audit. “For privacy, internal audit is a critical third-line function,” Lucas says. “For mature organizations, internal audit actively participates as a part of the cross-functional privacy governance steering committee, actively engaging in consultative input on governance and to get early visibility into risks to shape and streamline the audit plan.”
“While there is no prescriptive ‘right answer’ about internal audit cadence in the privacy space, many organizations are taking an iterative approach, using the initial audit to drive out compliance posture and gaps and the output of that to drive internal audit and ongoing monitoring frequency,” Lucas adds. “Regardless, regular communication between internal audit, those with operational responsibility for privacy program design and management, and business stakeholders is a critical success factor to the development and monitoring of a better practice privacy program.”
Board and senior-leadership support is key. For any data privacy and data protection compliance program to function properly, ongoing support at the board level and steering committee level is crucial. “I can’t emphasize that enough,” Lucas says.
Getting (and keeping) buy-in from senior leadership helps to ensure that data privacy and data protection initiatives are not only prioritized through the lens of other business objectives and risk appetite, but also receive ongoing resources and funding for compliance efforts—such as the necessary training of employees and the implementation of new technologies.
According to the Thomson Reuters survey, 75 percent of respondents at global organizations said upper management and boards struggle to understand the implications of their data privacy obligations. Such a lack of understanding can seriously hinder data protection and compliance professionals in getting senior-level buy-in, because leaders who don’t properly understand the necessity of the investment are unlikely to approve it.
This finding speaks to the importance of speaking the business language of senior leadership, such as the potential for steep fines. The one that should strike the most fear into companies is the GDPR, with fines up to four percent of total annual global revenue or €20 million (U.S. $25 million), whichever is higher. The avoidance of reputational and legal risk, and the framing of privacy as a business enabler, are other ways to speak the business language of senior leadership.
Mind the costs. Senior-leadership buy-in is also important when considering the cost of data privacy compliance. According to the Thomson Reuters survey, data protection issues cost organizations an average of U.S. $1.4 million annually worldwide. Data privacy professionals in the United States reported the highest costs of any country, at U.S. $2.1 million, followed by organizations in Singapore (U.S. $1.6 million) and organizations in Hong Kong (U.S. $1.5 million).
Annual global costs of data protection issues for organizations in France and the United Kingdom each showed costs of U.S. $1.2 million, while organizations in Canada and Germany each showed costs of U.S. $1.1 million.
Data privacy training. “Training represents the final mile of mobilizing your workforce to be part of your data security strategy,” says Mark Dorosz, vice president of compliance learning at Interactive Services, a provider of online compliance training. “You can have the best data privacy control framework, but if your people aren’t skilled to adhere to the process and know when to take action, it’s not going to work.”
The best way to deliver impactful training is by making content role-specific: “Relevance drives engagement,” Dorosz says. “Choose data privacy topics based on employees’ real-life responsibilities.”
To make training completion easier to manage at an enterprise level, “aim for one enterprise training program per week that every employee must complete, regardless of role,” Dorosz says. “You can even brand it ‘Data Privacy Week.’ Beyond that, run awareness campaigns throughout the year that touch the physical environment, with workplace posters and elevator bank commercials through to banner ads on your company’s intranet site, and spotlight videos featuring real-life employees contributing to your data privacy strategy.”
All told, whether needing to satisfy state, national, or international data privacy laws, the best approach is a holistic approach, and that starts with a cultural shift of looking at privacy as a business advantage—not a regulatory obligation. Take it step-by-step: Establish a cross-functional steering committee; get a grip on the data, with input from reps on the steering committee; and then be prepared to show (not just tell) senior leadership the value of the company’s privacy obligations.
From there, train employees who handle sensitive data to understand their responsibilities—and the importance of those responsibilities. Finally, audit and monitor the progress of your data privacy compliance program. Practice may not make perfect, but it definitely makes progress.
Special report: Data privacy
Elements of a best-in-class data privacy program