Business teams and their requirements
Global and local laws, regulations and standards driving compliance
Risk tolerance levels, cultural expectations and perspectives - values regarding privacy
Types of personal information collected, stored and processed
Regulatory changes that need to be observed (for example in USA, this would be state law changes)
Now you have a Privacy Program Scope, next create a Privacy Strategy
A privacy strategy lays out your organization’s privacy program. The privacy strategy explains WHY privacy is important to your organization.
Generally this strategy crosses multiple functions in your company, therefore it is important to consider:
Business alignment of goals
Data governance of personal information
Often missed but CRITICAL - procedures for handling inquiries or complaints. ** We recommend you review our DSR App to help automate, track and simplify this process for you **
Now you have a Privacy Strategy, next create a Privacy Framework
A Privacy Framework is the structure that the privacy program will take. The framework provides a series of implementation road-maps that guide the privacy teams through privacy management. This framework also prompts and reminds them of all the details required for each privacy-relevant decision.
The 3 elements of a privacy framework are:
Laws, legal policies, regulations and programs. Laws you need to be aware of are:
PIPEDA - Canadian Personal Information Protection and Electronic Documents Act.
APPs - Australian Privacy Principles
EU-GDPR - European General Data Protection Regulation
EU-U.S. Privacy Shield (a data transfer mechanism that replaced the Safe Harbor framework).
HIPAA - Health Insurance Portability and Accountability Act.
An example of a local legal framework is CNIL, France’s data protection authority (Commission Nationale de l'Informatique et des Libertés).
Principles, standards and guidelines. Examples of principles and standards you need to know about are:
Fair Information Practice Principles [FIPPs] - these provide basic privacy principles that run through several modern frameworks such as the EU-GDPR, e.g. rights of individuals, controls on information, and information lifecycle and management.
The Organisation for Economic Co-operation and Development [OECD] Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The American Institute of Certified Public Accountants [AICPA] has a privacy task force and created the GAPP - Generally Accepted Privacy Principles.
The Canadian Standards Association [CSA].
The APEC Privacy Framework enables Asia-Pacific data transfers.
Finally, a topic we have focused on previously in our blog - BINDING CORPORATE RULES.
Privacy Program activities - program plans (and sub-plans and tasks). Examples of solutions you need to be aware of are:
Privacy By Design - ensures privacy protection at every stage of product development
The National Institute of Standards and Technology [NIST] - provides the concept of privacy in engineering and risk management in federal systems.
AICPA and CICA created WebTrust; once an accountant is certified they can conduct privacy evaluations.
Natuvion has a set of processes and templates that span the 99 articles of the EU-GDPR to help with rapid program management and implementation of compliance, both in your core SAP systems and through a transformation program to S/4HANA.
Organization communication plan to ensure continuous alignment to laws and regulations
The benefits of a privacy framework are:
Risk Reduction - Avoid or plan for the risk of data loss, plan for an audit.
Helps to sustain the market value and reputation of your company.
Provides measurements/metrics for compliance with laws, regulations and standards.