With privacy becoming an integral part of every organization today, a much more robust approach is needed to handle it. This has led to the creation of the ‘Privacy management program’ (PMP), a more holistic and unified approach to handling privacy that can be adopted by all organizations, companies, and agencies.
Since the introduction of the GDPR in 2018, and with other privacy laws such as COPPA and PIPEDA (Canada), privacy management programs have become a necessity for organizations of many kinds, for a variety of reasons. The following list shows why this is needed:
A PMP has three important components. They are:
Organizational commitment is the foremost requirement for implementing privacy in an enterprise. Organizational commitment involves:
I. Senior management support
Senior management should endorse a privacy management program fully and wholeheartedly. They should support and endorse the privacy officer and give them complete resources to operate the program effectively and successfully within the organization.
II. Appointing and empowering a ‘Data protection officer’ (DPO) or a privacy officer
A ‘privacy officer’ or ‘Data protection officer’ must be appointed for the organization. Once appointed, their role must be communicated to everyone within the organization. It is the duty of the privacy officer to establish program controls, design employee training, and conduct regular privacy assessments.
III. Reporting mechanisms must be established
Any good privacy management program needs good reporting mechanisms. Reporting mechanisms ensure that the privacy program is functioning as expected, and the reports can be viewed by the management and the employees of the organization.
An internal review or audit process is one type of reporting mechanism.
Program controls enable the organization to comply with privacy management practices.
Here are a few program controls that can be adopted:
Policies, procedures and guidelines have to be laid out for collecting information. These policies help employees understand how to collect personal information from users, how to notify users when information is collected, how to obtain consent when collecting it, and more.
Every program needs constant monitoring and revision, and the PMP is no exception. This continuous monitoring and assessment ensures accountability and compliance.
Continuous assessment and revision involves two steps:
Develop an oversight plan:
This plan lays out the schedule for when the policies and guidelines will be reviewed. In addition, if a privacy breach occurs at any point in time, the policies and guidelines have to be reviewed and revised immediately.
Assess and review the controls:
All controls should be regularly monitored, audited and revised accordingly. The monitoring should answer questions such as:
The answers to the above questions should be documented, and any issues they reveal addressed accordingly.
These are the highlights of a privacy management program. Each PMP can be modified according to the needs of the organization. For more of InfoSec Train’s courses and webinars, visit us at this link.