How to establish a privacy program: A primer

  • February 19, 2021
  • Anjana Bhaskaran

Good privacy and data protection practices are considered a competitive advantage in the current data-driven world. It is critical to understand the numerous privacy laws in different jurisdictions and their applicability to one’s business. With GDPR and the extensive penalties prescribed thereunder, businesses are inclined to create and manage a robust privacy program within their organization. There is an inclination to bring privacy work in-house because that is where people best understand the business. The complexity and cost of creating a program are often the impetus for an in-house solution, but the expertise is not always available, since it is a significant project to tackle.

The key element of a strong privacy program is awareness. Every employee is expected to know their rights and obligations around collecting and handling personal information. Instead of the traditional way of managing privacy-related responsibilities through a small team, businesses are now proactively including privacy as part of their strategic mission, vision and values. Some organizations implement the “Privacy by Design” framework, not just within their information and technology systems, but across teams, so that privacy compliance is considered before any decision is made.

Privacy as a strategic goal

A company’s strategy is a set of mission statements through which it seeks to achieve certain goals and attain a competitive advantage in the marketplace. Why do companies want to have a privacy strategy and include their privacy-related goals in their mission statement? Because it has become extremely important for a business to demonstrate the value it places on privacy by showing compliance and commitment. Such privacy mission statements are usually based on the confidentiality and integrity that the company upholds, which contributes to customer trust.

Privacy objectives vary based on the industry, location and size of the organization. However, the core principles of privacy management remain the same. A company building brand visibility cannot market itself effectively if it ignores privacy and security compliance.

A strong link between privacy and strategy is the Board’s fiduciary responsibility to oversee a privacy program that encompasses data protection and cybersecurity. A director’s fiduciary obligation to “act with a view to the best interests of the corporation” has been interpreted to include an obligation to protect the company’s information technology assets that hold personal data and to increase shareholder value through healthy privacy and cybersecurity practices and protocols.

Prelude to setting up a privacy program

Having established the connection between privacy compliance and strategic goals, it is important to know where to start and how to kick off a new privacy program. Again, there is no one-size-fits-all solution, and getting started can be challenging if you have not done this before. Building a privacy strategy involves a complete revamp of organizational mindset and perspective.

Here are a few steps that small businesses can consider taking in order to move forward:

  • Gap analysis: The starting point is to identify the problem. If there is no privacy program, awareness or knowledge within an organization, the first step is to assess the company’s existing practices and policies around the collection and handling of personal information. It is critical to know the nature and type of personal information that the organization collects from its employees, vendors, clients and partners in order to run its day-to-day business, and where that information is kept. This provides a fair idea of the risks involved.
  • Internal interviews: Organizations may already have people involved in privacy and information-handling practices; these often include members of the marketing, legal, IT, HR and risk management teams, as they deal with external data collection and handling on a day-to-day basis. They are a good starting point for understanding how the company has been managing personal data to date. Thoughtful questions about existing practices can help to drive the plan for building a robust program. It is also important to get the buy-in of these teams, which will be instrumental in reinforcing that privacy is everyone’s responsibility.
  • Heat map: The gaps identified in the first step allow for the creation of a heat map that divides privacy risks into “Red – Amber – Green” categories. Any item that is legally non-compliant will likely be “Red”, warranting immediate attention. For example, this could include the absence of a sound consent management practice, or the absence of internal privacy and security policies covering technology usage and the collection and use of employee information. Similarly, the heat map could identify a number of “Amber” items, which can be prioritized based on organizational requirements, budget availability and industry practice.
  • On-board a team: Implementation requires leadership and project management skills. A successful privacy program calls for an internal champion who is sufficiently senior in the organization (to demonstrate the corporate significance of the program) and who can lead, understand and implement privacy practices and policies across the board. Once the right person is identified, the organization can move ahead with managing and growing the privacy team.

Things to remember while building a privacy program:

  • Look at it as a “program” and certainly not as a one-off project. Privacy compliance and management are ongoing and need devoted attention, irrespective of the type and kind of personal data being collected.
  • Leverage key functions and executives from senior management to give the program credibility and visibility; make a privacy pitch to management and present a business case showing the need for a privacy program. This will enable the budgeting and prioritization that privacy initiatives require.
  • Create awareness across the board and market the program as everyone’s responsibility. This is the best way to create a culture of privacy in which employees think about privacy principles as a natural part of their day-to-day activities.
  • Document all steps undertaken with respect to privacy and ensure that all privacy practices, procedures and policies are available at all times to employees and external parties, and retrievable for regulatory compliance purposes as well.
  • Model the privacy program on an established framework. Most Canadian organizations use the ten PIPEDA fair information principles for structuring their privacy programs.
  • Don’t forget to designate a privacy point of contact to answer questions, address enquiries and socialize privacy within the organization. Well-written monthly newsletters to employees on recent privacy issues can go a long way in developing awareness.

Anjana Bhaskaran is General Counsel, Box of Crayons, Inc. Box of Crayons helps organizations transform from advice-driven to curiosity-led.