Six-Step Process of Implementing an Effective Security and Privacy Program
There is no single set of best practices when it comes to managing data protection programs. I have summarized and consolidated the management guidance in this section from a number of privacy and security management frameworks, including the Generally Accepted Privacy Principles, materials from the International Association of Privacy Professionals, and the Cybersecurity Framework of the National Institute of Standards and Technology. I suggest reviewing these frameworks over time to supplement what appears in the six steps described in this section.
Aligning Data Protection Strategy with Overall Strategy
Step 1: A data protection program begins with aligning the business’s overall strategy with its data protection strategy. With the business’s culture in mind, this step involves planning the strategic direction and commitment of the business to data protection. The business will need to understand the critical business requirements and imperatives that affect the program. Also, are there opportunities that dovetail with the business’s strategy, such as positioning in the marketplace as a leader in data protection as part of an overall marketing strategy? Finally, the business will need to allocate sufficient resources for the program. The business should craft this strategy with the features, capabilities, and vulnerabilities associated with advanced technologies in mind.
Develop a Series of Controls
Step 2: The business will need to understand its current data protection posture. Most fundamentally, it will need to know what kind of personal data it is collecting and the flow of personal data throughout its systems during the entire data lifecycle, from collection or generation to disposal or long-term archiving. It will need an understanding of all the information assets (its own, its customers’, and its vendors’ networks, sets of servers, workstations, mobile devices, and storage systems) within the scope of the program. The business will need to understand the applicable laws creating data protection compliance requirements, contractual requirements, and industry requirements such as the Payment Card Industry Data Security Standard. Moreover, the business should conduct and update a risk assessment of the universe of potential data protection threats associated with advanced technologies, the likelihood and frequency of these threats coming to pass, the impact of the harm from these threats, and the controls available to mitigate these threats or their impact. The business’s risk management process should prioritize a set of controls to mitigate the threats analyzed. Inevitably, the business will identify gaps between its current data protection posture and its target (ideal) profile. The business will need to prioritize the identified gaps and develop an action plan to address them.
Program Implementation
Step 3: This step consists of implementing the program of controls developed in the previous step. For instance, the business should carry out its action plan to begin closing gaps in its data protection program as it relates to advanced technologies. The business may assign people to implement specific programs to improve its data protection posture. In addition, this implementation phase involves ongoing data protection support of day-to-day business line operations. For example, data protection attorneys may be involved in regular negotiations of customer and vendor contracts or in mergers and acquisitions activities, including the due diligence involved in these transactions. They may also work with cross-functional teams to support new infrastructure, products, and services relating to advanced technologies. They may be involved in advising clients on data protection issues that come up in operations, such as questions about implementing data protection instructions or advising marketing professionals about data protection in connection with advertising campaigns. Data protection attorneys may provide advice about specific customer or employee situations that arise. Litigation data protection counsel may be involved in defensive or offensive claims relating to breaches, defects in products or services, or defaults in product or service agreements.
Monitoring and Oversight
Step 4: Businesses should take steps to sustain and manage their data protection programs. They will need to monitor and provide day-to-day oversight of the implementation of the program to detect issues and violations, and to report and respond to them. A key part of the oversight function is training personnel to make sure they understand their data protection functions. Moreover, data protection attorneys should facilitate the process of holding personnel accountable for compliance with the program. For instance, they may promote the use of data protection goals and objectives during employment reviews and advise internal clients concerning disciplinary actions taken following violations.
Auditing Your Program
Step 5: Businesses should have formal programs of assessment and auditing of their data protection practices covering advanced technologies. Data protection attorneys may work together with internal and external auditors to assess and audit privacy and security compliance. Periodic audits may occur in connection with internal audits and external audits for privacy and security attestations or certifications, such as SOC reports on security or privacy or ISO 27001 security certifications.
Feedback and Adjustments
Step 6: Businesses should periodically evaluate their data protection practices and make adjustments to their data protection programs. They may need to make changes because of information gleaned from data protection assessments, for instance, to upgrade certain aspects of the program, undertake new privacy programs, or acquire new security tools. Businesses may need to integrate changes to applicable law or industry practice into their compliance programs and data protection controls. Changes in business models, advanced technology capabilities or vulnerabilities, or security threats may call for other changes.
Don’t Go It Alone
Data protection attorneys play a vital role in overseeing these six steps. They can provide advice and counsel to data protection professionals and lines of business. Finally, they can report on the data protection program to upper management and boards.
Stephen S. Wu is a shareholder with Silicon Valley Law Group in San Jose, California. He advises clients on a wide range of issues, including transactions, compliance, liability, security, and privacy matters regarding the latest technologies in areas such as robotics, artificial intelligence, automated transportation, the Internet of Things, and Big Data. He has authored or co-authored several books, book chapters, and articles and is a frequent speaker on advanced technology and data protection legal topics.