Are you ready to meet expanding data privacy requirements and demands?
OCEG


“I believe the way a company treats my personal information is indicative of the way it treats me as a customer.”

Even though the first data privacy law was enacted in the 1970s, this isn’t a statement that we would have heard from many customers even five years ago. This year, 81% of respondents to a Cisco survey on data privacy [1] said this was the case.

Since the establishment of the European GDPR, consumer and employee concern about data privacy has risen every year. With the California Privacy Rights Act (CPRA) taking full effect on January 1, 2023, including extremely steep penalty provisions, we can expect to see customers and employees not only talking the data privacy talk but also walking the walk away from companies that do not meet their data protection expectations.

Some writers advise that designing a data privacy capability begins with the drafting of a strong data privacy policy, but I believe that is not correct. Having a policy that you are not following – either because it is not well communicated throughout the organization or because you do not actually know where data is kept and used and so cannot effectively manage it – can be extremely damaging and lead to lawsuits, enforcement actions and extreme penalties. So-called “paper compliance” with data privacy regulations just won’t suffice.

Nor can data privacy be viewed as purely an IT concern for preventing data breaches. Data privacy management is an organization-wide effort. Business unit heads and senior managers must have data privacy management included in their job descriptions and in their Key Performance Indicators (KPIs). With foundational leadership messages and responsibilities in place, the real first step to improving data privacy management capability is to define the current state of that capability so that weaknesses can be identified and corrected.

Understanding the current state of data management over personal information is challenging. It demands preparation of a data inventory and data flow map to gain a clear view of where data resides and how it is used in both manual and automated processes. You must identify all personal information collection points and methods, determine exactly what personal information is collected and how each is used, and know what personal information is disclosed within and outside the organization or is transferred to another jurisdiction.

It's not enough to gather this information; you must do so in a way that enables sorting all the collected information at a granular level, including by business unit, type, method of collection, method of handling, and use. For example, use of personal information about employees collected by the human resources department will include various activities such as:

  • paying employee salaries,
  • recording leave entitlements and usage – annual leave, sick / hospitalization leave, parental / childcare leave,
  • monitoring internet usage,
  • celebrating birthdays, weddings, births, and other life events,
  • performance reviews, and
  • consideration for promotions, salary increases, bonus payments, etc.

It is equally important to understand the flow of the information throughout the organization and to external parties as these uses are put into effect.

For example: The Human Resources department uses personal information about employees to pay their salaries, which may result in the following internal disclosures:

  • the Human Resources department may disclose the relevant personal information – employee name, bank account number, amount of salary due for the current month – to the Finance department so that it can keep the relevant financial records and/or process the salary payments to the relevant bank accounts,
  • the personal information may be disclosed to the Internal Audit / Compliance department when it audits the Finance department’s records and activities, and
  • the personal information will be held by the IT department, as custodian, if the records are stored on the organization’s servers (versus being provided by the Human Resources department in a spreadsheet).

In addition, the following external disclosures and transfers across jurisdictions may arise:

  • the Human Resources department engages an outsourced payroll services provider to process its payroll, including doing its reporting to the relevant government tax authorities and making statutory pension contributions on behalf of the organization and/or each employee, and discloses employee personal information to that outsourced payroll services provider for those purposes, or
  • the Human Resources department uses a software-as-a-service application to manage its human resources operations that includes a module for salary payment, etc. and discloses personal employee information to the provider of that application for those purposes, and/or
  • the Human Resources department discloses personal information about employees to other service providers, such as insurance brokers and/or insurance companies in relation to the provision of employee health insurance benefits for example, and/or
  • the Human Resources department transfers personal information outside of the jurisdiction for some or all of the purposes mentioned above and/or because it is required to report to a headquarters company in another jurisdiction.

This is only one example of the complex ways that personal information may be used and transferred by an organization. It is unlikely that the data privacy manager knows this level of detail, or that any IT plan put in place to manage the data storage and flow is adequate, unless each business unit provides answers to detailed questions about the data it holds.
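The sortable inventory and data flow map the passage describes can be modelled as a small table of flows, one row per use or disclosure, that can then be queried by business unit, purpose, recipient type and destination jurisdiction. The Python below is an added illustration and is not code from the article or from the OCEG/ServiceNow playbook; its rows reconstruct the HR salary example above, and the jurisdiction names, data element names, `method` values and helper function names are constructed assumptions.

```python
"""Minimal data-inventory / data-flow-map model (added example, not OCEG's)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class DataFlow:
    """One row of the data flow map: a single use or disclosure of personal information."""
    source_unit: str            # business unit that uses or holds the data
    purpose: str                # the activity the data is used for
    elements: tuple[str, ...]   # personal information elements involved
    recipient: str              # department or external party receiving it
    recipient_type: str         # "internal" or "external"
    from_jurisdiction: str
    to_jurisdiction: str
    method: str = "system"      # how it is handled: "system", "spreadsheet" or "api"

    @property
    def cross_border(self) -> bool:
        return self.from_jurisdiction != self.to_jurisdiction


HOME = "JurisdictionA"   # constructed placeholder for the operating jurisdiction
HQ = "JurisdictionB"     # constructed placeholder for the headquarters jurisdiction

# Constructed rows reconstructing the article's HR salary example.
INVENTORY: list[DataFlow] = [
    DataFlow("HR", "salary payment", ("name", "bank account number", "salary amount"),
             "Finance", "internal", HOME, HOME),
    DataFlow("Finance", "audit", ("name", "bank account number", "salary amount"),
             "Internal Audit", "internal", HOME, HOME),
    DataFlow("HR", "salary payment", ("name", "bank account number", "salary amount"),
             "IT (custodian)", "internal", HOME, HOME),
    DataFlow("HR", "payroll outsourcing", ("name", "tax id", "bank account number", "salary amount"),
             "Payroll provider", "external", HOME, HOME),
    DataFlow("HR", "HR operations", ("name", "salary amount", "leave record"),
             "HR SaaS vendor", "external", HOME, HQ, method="api"),
    DataFlow("HR", "health insurance", ("name", "date of birth", "dependants"),
             "Insurance broker", "external", HOME, HOME),
    DataFlow("HR", "headquarters reporting", ("name", "salary amount", "performance rating"),
             "HQ company", "external", HOME, HQ, method="spreadsheet"),
]


def by_unit(flows: Iterable[DataFlow]) -> dict[str, list[DataFlow]]:
    """Sort the inventory by the business unit that uses the data."""
    grouped: dict[str, list[DataFlow]] = defaultdict(list)
    for f in flows:
        grouped[f.source_unit].append(f)
    return dict(grouped)


def external_disclosures(flows: Iterable[DataFlow]) -> list[DataFlow]:
    """Every flow that leaves the organization."""
    return [f for f in flows if f.recipient_type == "external"]


def cross_border_transfers(flows: Iterable[DataFlow]) -> list[DataFlow]:
    """Every flow whose destination jurisdiction differs from its source."""
    return [f for f in flows if f.cross_border]


def elements_by_purpose(flows: Iterable[DataFlow]) -> dict[str, set[str]]:
    """Which personal information elements are used for each purpose."""
    out: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        out[f.purpose].update(f.elements)
    return dict(out)


def recipients_of(flows: Iterable[DataFlow], element: str) -> set[str]:
    """Everyone, inside or outside, who receives a given element (e.g. a bank account number)."""
    return {f.recipient for f in flows if element in f.elements}


def needs_transfer_review(flows: Iterable[DataFlow]) -> list[str]:
    """External recipients receiving data across a border: each needs a documented
    transfer basis checked against the privacy policy."""
    return sorted({f.recipient for f in flows if f.recipient_type == "external" and f.cross_border})


if __name__ == "__main__":
    for unit, rows in by_unit(INVENTORY).items():
        print(f"{unit}: {len(rows)} recorded flows")
    print("external recipients:", sorted(f.recipient for f in external_disclosures(INVENTORY)))
    print("cross-border review needed for:", needs_transfer_review(INVENTORY))
    print("bank account number goes to:", sorted(recipients_of(INVENTORY, "bank account number")))
```

The point of the row-per-flow shape is that the same inventory answers several different questions without re-collecting anything: the privacy manager can ask where a single sensitive element ends up, which external parties and which jurisdictions are involved, and which business unit owns each flow. In practice each row would carry the questionnaire answers the playbook collects (collection point, legal basis, retention), but the queries stay the same.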

To assist in the collection of this information, OCEG has developed a playbook together with ServiceNow, entitled Preparing for Improvement in Data Privacy, which offers suggested questionnaires for use throughout the organization. Ideally, a technology system of control will be used to collect answers and copies of any forms or online fields used to collect personal information, so that the responses can be sorted, compared and managed across the organization as a whole in accordance with the company privacy policy. Please download a free copy of the Playbook and use it freely to drive improvement projects in your data privacy capability. Then, if you want to take an even deeper dive into standard practices for developing and running a data privacy capability, take a look at OCEG's free and open-source Integrated Data Privacy Capability Model and associated certification opportunity. #dataprivacy #idpp #oceg #datagovernance #certification #servicenow

[1] Cisco, “Data Transparency’s Essential Role in Building Consumer Trust”.


More articles by Carole Switzer