- Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.
- With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.
Our Advice
Critical Insight
- Take a quantitative approach to data privacy.
- Use metrics and a risk-based approach to drive a privacy framework that not only supports compliance but also considers the custom needs of your organization.
Impact and Result
- Sell privacy to the business by speaking a language they understand. IT and InfoSec leaders need to see privacy as not just compliance but also a driver of business efficiency.
- Integrate and build by developing a program that:
- Promotes freedom of information and access to this information.
- Establishes privacy and security standards with respect to access of this information.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
9.4/10
Overall Impact
$86,089
Average $ Saved
42
Average Days Saved
Client
Experience
Impact
$ Saved
Days Saved
ProDriven Global Brands
Guided Implementation
5/10
N/A
N/A
Probably not fair to rate this, as we have pivoted internally.
The Boyd Group Inc.
Guided Implementation
10/10
$68,500
120
Witt/Kieffer Inc.
Guided Implementation
10/10
$5,199
5
As usual Alan helped align my direction. His advice is very much appreciated.
Centennial College
Guided Implementation
10/10
$47,500
50
Best is the use of the existing blueprints that I can re-use and support received
Opentech Alliance
Workshop
10/10
$649K
60
Partner with other software solutions to have a repository of where to store the information gathered that is more dynamic than using spreadsheets ... Read More
Environmental Defense Fund, Incorporated
Workshop
10/10
$97,499
60
This was my first experience attending a workshop faciliated by InfoTech. I really enjoyed the workshop. I thought the faciliator (Alan Tang) did a... Read More
Packaging Machinery Manufacturers Institute
Guided Implementation
10/10
$6,499
2
Helmerich & Payne, Inc.
Guided Implementation
10/10
$2,469
5
Sage Therapeutics
Guided Implementation
10/10
$31,499
20
Iris is knowledgeable, friendly and experienced. I am pleased to have had the opportunity to connect with her and consider her an ally on all thing... Read More
Bermuda Monetary Authority
Guided Implementation
10/10
$62,999
50
Feeling assured that Alan and InfoTech have the expertise to review our drafts and provide constructive feedback as and when needed that we can act... Read More
Regional Transportation District
Workshop
10/10
$37,799
120
I'm not sure how you put a monetary value on this. I believe that while you can value staff time, it is hard to put a value on the effects of deve... Read More
Donor Network West
Guided Implementation
10/10
$37,799
14
Alan really knows the Privacy law arena and is invaluable in the guidance that he gives. I leave each session feeling like I have a good handle on ... Read More
Florida State College at Jacksonville
Workshop
10/10
N/A
50
The workshops get the work done much faster and gets everybody on board with what needs to be done.
Bermuda Monetary Authority
Guided Implementation
9/10
$62,999
50
Post workshop having Alan available to call and offer guidance and expertise has been great, he is a guide and a sounding board, offering practical... Read More
Bermuda Monetary Authority
Guided Implementation
9/10
$62,999
20
Alan is great, he provides guidance that I can actually apply. I look forward to engaging further with Alan.
State of South Dakota Bureau of Information and Telecommunications
Guided Implementation
8/10
N/A
N/A
Incredibly valuable guidance on our Privacy Operations roadmap! Still too early to estimate the time and financial impact but we anticipate it will... Read More
KIND
Guided Implementation
9/10
$31,499
10
Marquette University
Guided Implementation
9/10
N/A
N/A
Alan, was very knowledgeable and provided good insight. His follow through was outstanding. At this point, it is difficult to determine how much ... Read More
Government of Bermuda
Workshop
8/10
$1.17M
20
Best - getting so much done in only a few days while still allowing everyone to express concerns, opinions, advice, and even frustrations. Worst... Read More
Wiss, Janney, Elstner Associates, Inc.
Guided Implementation
10/10
$29,609
20
Alan is awesome - he helped to establish our roadmap that gives us a trajectory to succeed. I truly appreciate Alan's help!
Beckman Coulter, Inc.
Guided Implementation
10/10
$31,499
N/A
While still new on approach and hard to estimate, I can see value already.
Metropolitan School District of Lawrence Township
Guided Implementation
10/10
$2,519
5
Understood our challenges and was able to provide actionable data to back future discussions.
Helmerich & Payne, Inc.
Guided Implementation
10/10
$2,393
5
Colorado Housing And Finance Authority
Workshop
9/10
N/A
14
Best: Opportunity to have conversations with our Exec team and key staff on privacy related topics with the expertise of Alan Tang delivering key ... Read More
Packaging Machinery Manufacturers Institute
Guided Implementation
9/10
$12,599
2
Platte River Power Authority
Workshop
10/10
$34,649
100
The best part of the workshop is the roadmap to a data privacy program. In addition, although the resources are available for a self-guided impleme... Read More
OCM Boces / Central New York Regional Information Center
Guided Implementation
8/10
N/A
N/A
Best - learning that such a credentialed expert was part of the Info-Tech team and accessible to us for guidance. Also best - Actual guidance! ... Read More
The Regional Municipality of Peel
Guided Implementation
9/10
$2,000
5
Bermuda Monetary Authority
Workshop
9/10
N/A
N/A
Regarding the estimated savings in cost and time, it is impossible to provide an estimate until we have a full understanding of the work involved. ... Read More
St. Cloud State University
Guided Implementation
10/10
$2,479
2
Great to have a resource with deep expertise and knowledge in the subject matter. The example document included after the meeting was especially he... Read More
Workshop: Build a Data Privacy Program
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Collect privacy requirements
The Purpose
- Understand the key drivers behind privacy in your operating context and begin to assign ownership.
Key Benefits Achieved
- Level-setting between IT and the business with respect to privacy best practices.
- High-level understanding of risk associated with personal data collected by the organization.
Activities
Outputs
Define and document program drivers.
Establish privacy governance structure and define scope.
Build the Privacy RACI.
Build the risk map.
- Business context and drivers behind privacy program
- Privacy RACI chart
Module 2: Conduct a privacy gap analysis
The Purpose
- Connect with each of the business units with respect to current privacy practices and gain insight into how personal data is handled throughout the organization.
Key Benefits Achieved
- Alignment with business unit privacy champions
- Understanding of current state of privacy in the organization
- Uncovered gaps in the organization’s privacy practices
Activities
Outputs
Conduct interviews and complete Data Process Mapping tool.
Compare compliance and regulatory requirements with current privacy practices of the organization.
Identify gap areas.
Review the DPIA process and identify whether threshold assessment or full DPIA is required.
- Data Process Mapping tool draft
- Mapped privacy control gap areas to relevant privacy laws, frameworks, or industry standards
- Optional: Walkthrough of DPIA tool
Module 3: Build the privacy roadmap
The Purpose
- Ensure that the privacy program is functional and caters to the environment assessed over days 1 and 2 by building a custom-fit privacy initiative implementation roadmap.
Key Benefits Achieved
- Quantitative prioritization of each of the privacy gap closing initiatives
- High-level initiative implementation roadmap
Activities
Outputs
Complete business unit gap analysis; consolidate inputs from Day 2 interviews.
Apply variables to privacy initiatives.
Create a visual privacy roadmap.
Define and refine the effort map; validate costing and resourcing.
- Privacy Framework Tool
- Privacy Roadmap and prioritized set of initiatives
Module 4: Implement and operationalize
The Purpose
This portion of the workshop ensures that the privacy program can be put into action and moves beyond static policies to foster the integration of privacy metrics across the organization.
Key Benefits Achieved
A full set of privacy metrics, as well as tactics to implement and monitor on an ongoing basis.
Activities
Outputs
Review Info-Tech’s privacy metrics and select relevant metrics for the privacy program.
Operationalize metrics.
Input all outputs from days 1-3 into the Data Privacy Report.
Summarize and build an executive presentation.
Set checkpoints and drive continuous improvement.
- Completed Privacy Roadmap
- Completed Data Process Mapping tool
- Review of any outstanding privacy collateral (Privacy Notice, Data Protection Policy, etc.)
- Privacy Program Report document
Build a Data Privacy Program
Take out data privacy’s grey areas with a quantitative approach to your program.
Executive Brief
Analyst Perspective
Privacy can no longer be subjective. Quantify and measure to drive a more effective privacy program.
With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage for both IT and the business.
This leaves leaders questioning what exactly privacy involves and how to make it scalable for their respective organization. As a facet of the business that is traditionally left to the discretion of a legal team or professional(s), this new realm of privacy and data protection is shrouded in incumbent grey area.
But what if privacy is a little more “black and white” than what previous thought frameworks may have dictated? By taking a quantitative vs. qualitative approach to privacy management, business and IT leaders can remove some of the ambiguity around what privacy controls need to be in place and how to balance privacy integration with current business operations.
As the general public begins to take back control over data privacy so too should organizations, by taking a tactical, measurable approach to privacy and the business.
Cassandra Cooper Senior Research Analyst, Security, Risk & Compliance Info-Tech Research Group |
Executive Summary
Your Challenge
- Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.
- With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.
Common Obstacles
- Privacy, traditionally, has existed in a separate realm, resulting in an unintentional and problematic barrier drawn between the privacy team and the rest of the organization.
- With many regulatory frameworks to consider and a number of boxes to tick off, building an all-encompassing data privacy program becomes increasingly challenging.
Info-Tech's Approach
- Sell privacy to the business by speaking a language they understand. IT and InfoSec leaders need to see privacy as more than just compliance, as a driver of business efficiency.
- Integrate and build by developing a program that promotes:
- Privacy standards that are established with respect to how information is accessed.
- Accessibility to this information through a defined understanding of personal data’s processing standards in the organization.
Info-Tech Insight
Take a quantitative approach to data privacy. Use metrics and a risk-based approach against a privacy framework that supports compliance while considering the custom needs of your organization.
Your challenge
This research is designed to help organizations who need to:
- Understand how to adapt and quantify privacy beyond compliance.
- Change the pre-existing perspective on how to assess privacy competency.
- Shift the organization’s view of privacy as the enemy of efficiency and innovation.
- Build an environment that places privacy ownership in the hands of the business.
- Extend the privacy program beyond the privacy team or organizational function.
- Take the ambiguity out of privacy program management.
Data Privacy Program
- Understand – Collect Privacy Requirements
- Assess – Conduct a Privacy Gap Analysis
- Bridge – Build the Privacy Roadmap
- Implement – Implement and Operationalize
Life after the GDPR
May 2018 saw the introduction of the General Data Protection Regulation across the EU, which has since become somewhat of a global standard when it comes to data protection best practices. However, many organizations still fall short of what is considered “compliant” by GDPR standards.
- 43% of organizations for whom GDPR compliance is of primary concern, consider themselves “moderately compliant.”
- 38% of organizations under GDPR compliancy still reported experiencing a data breach occurring during 2019.
- 94% of organizations that leverage third-party data processors rely on contractual assurances for data safety and protection. (Source: IAPP, 2019)
Info-Tech Insight
An effective privacy program ensures compliance, but simply being compliant does not mean you have an effective privacy program.
Instead of reactively checking the compliance boxes based on a set of governing laws, develop a privacy framework that proactively anticipates while staying in scope of the needs of your organization.
Understanding privacy vs. security
A common assumption is that security and privacy are one and the same. Security’s role is to protect and secure assets, of which confidential data – especially personal data – is a large focus. The consequences of a personal data breach can be severe, including the loss of customer trust and potential regulatory consequences. As a result, we often think of how we use security to protect data.
But that is not equivalent to privacy …
Privacy must be thought of as a separate function. While there will always be ties to security in the ways it protects data, privacy starts and ends with the focus on personal data. Beyond protection, privacy extends to understanding why personal data is being collected, what the lawful uses are, how long it can be retained, and who has access to it.
Privacy is all about personal data
When building a privacy program, focus on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. On the converse side, an effective privacy program also enables accessibility to information based on regulatory guidance and appropriate measures.
See examples of personal data in the below charts:
Traditional PII Personally Identifiable Information |
Personal Data Any information relating to an identified or identifiable person |
Sensitive Personal Data Special categories of personal data (some regulations, like GDPR, expand their scope to include these) |
Full name (if not common) | First, middle (if applicable), last name | Biometrics data: Retina scans, voice signatures, or facial geometry |
Home address | IP address | Health information: Patient identification number or health records |
Date of birth | Email address or other online identifier | Political opinions |
Social security number | Social media post | Trade union membership |
Banking information | Location data | Sexual orientation |
Passport number | Photograph | Religious or philosophical beliefs |
Etc. | Etc. | Ethnic origin |
True cost of a data breach
An industry outlook
Even with a robust privacy program in place, organizations are still susceptible to a data breach. The benefit comes from reducing your risk of regulatory compliance and resulting fines and minimizing overall exposure.
86% of data breach costs are associated with REGULATORY FINES
Healthcare (All fine estimates are based on an annual turnover of US$10 million and 1,000 lost records)
Estimated Cost of Exposure: $841.41 |
Government
Estimated Cost of Exposure: $114.75 |
Financial Services
Estimated Cost of Exposure: $188.05 |
Education
Estimated Cost of Exposure: $207.75 |
2019 Breach Breakdown
Average data breach costs per compromised record hit an all-time high of $150 in 2019. (Source: IBM Security)
The Data Breach Aftermath
% of abnormal customer turnover per size of data breach
- ›1% Lost $2.8 million
- 1-2% Lost $3.4 million
- 2-3% Lost $4.2 million
- 4% Lost $5.7 million
Data breach resolution times
- Time to Identify 206 days
- Time to Contain 73 days
% of data breach recovery costs over time
- 14% 3 Months
- 41% ‹6 Months
- 67% ‹1 Year
- 11% ›2 Years
Info-Tech’s approach
Scale and quantify privacy in the organization by taking a layered approach to building out a data privacy program in the organization.
- Industry and operating environment of the organization
- Involvement of personal data in business processes
- Acceptable risk
- Data privacy metrics
The Info-Tech Framework
Our approach is modeled on a framework that extends beyond compliance to create a scalable and quantifiable privacy framework.
- Governing Privacy Laws – Understand which governing privacy laws and frameworks apply to your organization.
- Data Process Mapping Tool for Business Processes – Create a map of all personal data as it flows throughout the organization’s business processes.
- Privacy Initiative Prioritization Schema – Prioritize privacy initiatives and build a privacy program timeline.
- Privacy Metrics – Select your metrics and make them functional for your organization.
- Privacy Program – Continue to refine your Data Privacy Program.
Info-Tech’s methodology for building a privacy program
1. Collect Privacy Requirements |
2. Conduct a Privacy Gap Analysis |
3. Build the Privacy Roadmap |
4. Implement and Operationalize |
|
Phase Action Items |
|
|
|
|
Phase Outcomes |
|
|
|
|
Insight summary
Overarching insight
Take a quantitative approach to data privacy. Use metrics and a risk-based approach to drive a privacy framework that supports compliance and considers the custom needs of your organization.
Fit privacy to the business.
Contextualize privacy for your organization by involving the business units from day 1; collect requirements that promote cross-collaboration.
Privacy is dynamic.
Structure drives success: take a process vs. system-based approach to assessing personal data as it flows throughout the organization.
Prioritize and plan together.
Review, revise, reprioritize; come back to the initial risk map created. Draw on areas of alignment between high-value/high-risk processes and their supporting initiatives to properly prioritize.
Make it operational.
Be selective with your metrics: choose to implement only metrics that are relevant to your environment. Base your selection on the highlighted areas of focus from the maturity assessment.
Privacy doesn’t live in isolation.
By assigning ownership and flexibility to your business units in how they weave privacy into their day-to-day, privacy becomes part of operational design and structure.
A good privacy program takes time.
Leverage the iterative process embedded in each phase to prioritize privacy initiatives based on value and risk and support the rollout through customized metrics.
Blueprint deliverables
Key deliverable:
- Privacy Framework / Business Unit Framework Tools Leverage best-practice privacy tactics to assess your current organizational privacy maturity while comparing against current privacy frameworks, including GDPR, CCPA, HIPAA, and NIST. Build your gap-closing initiative roadmap and work through cost/effort analysis.
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
- Privacy Program RACI Chart A high-level list of privacy program initiatives, with assigned ownership to privacy champions from both the business and IT.
- Data Process Mapping Tool Full documentation of all business processes that leverage personal data within the organization.
- Data Protection Impact Assessment When highly sensitive data is involved, leverage this tool to assess whether appropriate mitigating measures are in place.
- Data Privacy Program Report A template that highlights the key privacy metrics identified in Phase 4 for the senior leadership team.
- Privacy Policy Templates
Internal and external policies around:
- Data Protection
- Privacy Notice
- Cookies
- Data Retention
Blueprint benefits
IT Benefits
- Identification of information security-specific privacy controls, mapped against governing privacy frameworks (GDPR, CCPA, HIPAA, PIPEDA, NIST).
- Comprehensive inventory of where personal data exists within IT systems at different points during its lifecycle (at rest, in transit).
- Perspective from a privacy lens on IT controls (system and network access, asset management, etc.).
- Assigned ownership for members of the IT team of privacy-IT integration and individual privacy initiatives.
Business Benefits
- Understanding of the scope of privacy within the context of the organization.
- An active role and participation in the integration of privacy requirements as a part of pre-existing operations, as well as net-new operating procedures.
- Ability to leverage privacy as a competitive advantage in streamlining how customer data flows through the organization.
- Thorough perspective on how each of the business units’ processes impact and reference personal data.
Data Privacy
- IT / InfoSec
- Senior Leadership
- Business Units
Measure the value of this blueprint
As better privacy becomes the expectation from both B2B customers and end-consumers, expect a subsequent shift towards a strong privacy program as a competitive advantage for many organizations.
Privacy metrics take your program from a static framework to an operational model.
Select privacy metrics that are realistic and relevant for your organization, based on each of the 12 areas outlined as part of privacy control best practices.
Info-Tech’s Privacy Control Categories
|
|
Info-Tech Project Value
$72,348 – Average annual salary of a Privacy and Compliance Officer
1,020 hours, $38,250 (initial spend), $7,650 (ongoing spend) – Average total time/cost to completion for the following high-priority privacy-related projects:
- Complete and revise Data Process Mapping Tool (X)
- Develop and document retention policy (X)
- Validate personal data processing procedures (X)
- Develop a privacy framework and roadmap (X)
- Update DSAR request forms
- Review vendor contracts and ensure data transfer agreements are in place ((X) indicates a project or initiative covered by Info-Tech’s Data Privacy Program methodology)
$45,900, 1,020 hours – Estimated cost and time savings from this blueprint
Executive Brief Case Study
DoorDash Data Breach – Fall 2019
INDUSTRY: Food Services
SOURCE: Forbes
Event
- Food delivery service DoorDash announced a data breach impacting 4.9 million users, delivery employees, and merchants in late September 2019.
- PII hacked included name, email, delivery address, phone numbers, passwords, and final four digits of payment cards taken, as well as final four bank account digits for delivery employee and merchants.
Aftermath
- Main backlash highlighted the fact that DoorDash did not detect the breach until more than five months after the date of the breach.
- DoorDash’s press release stated the company would focus on:
- System access security protocols
- Ramping up data security
- Leveraging external expertise to help mitigate future risk
Issue
- Misplaced accountability: there was no ownership when it came to whom within the company had access to PII.
- A lack of stringent third-party vendor management, resulting in contracts that left room for interpretation in terms of who had access to customer PII.
- Ineffective incident response plan, as it took the organization five months to inform customers that the breach had occurred.
Info-Tech’s Resolution
In 2019, data breaches increased globally by over 33%. Within the first quarter alone, 4.1 million records were exposed.
Preventing a data breach is just one outcome of implementing an effective privacy program, amongst an understanding of:
- Where every bit of personal information resides
- Who has access to which personal information
- All security controls necessary to protect personal information
- The retention times for different types of PII
Build a Data Privacy Program leverages a simple four-step process:
- Collect Privacy Requirements
- Conduct a Gap Analysis
- Build the Privacy Roadmap
- Implement and Operationalize
Looking through the global data breach lens
33% increase in the number of data breach incidents from the first half of 2019
Info-Tech Solution
Every case is different, however, across the spectrum of breaches during 2019, we can spot common trends.
In many cases, external parties informed the company of the leaked data, exposing the underlying lack of privacy program monitoring in place within the organization itself.
By developing a structured privacy program, you know:
- Where data is in the organization
- Who is accessing it
- How it’s being leveraged and maintained
Should the event of a breach occur, you can take back control of the resolution process, and minimize reputational damage.
Company Name | Industry | # of Records Exposed | Incident Details | Date of Occurrence |
Marriott-Starwood | Hospitality | 383 million | Hack | Late December/Early January 2019 |
500px | Social Media | 14.8 million | Hack – data leak through website | February 15 |
Social Media | 540 million | Unprotected server | April 3 | |
Chtrbox (Instagram) | Social Media | 49 million | Leaked database | May 20 |
Canva | Design Platform | 139 million | Hack | May 24 |
First American | Financial Services | 885 million | Data leak through website | June |
CapitalOne | Financial Services | 100 million | Hack | July 29 |
Bulgarian National Revenue Agency | Government/Taxation | 5 million | Hack | July 17 |
Suprema | Biometrics | 1 million | Unencrypted database | September |
LifeLabs | Healthcare | 15 million | Ransomware | October (reported November 1) |
Executives are increasingly concerned about data breaches
Hefty fines and reputational damage are two of the primary setbacks incurred following a publicized data breach.
$3.92 million (USD) | Average total cost of data breach
7.9 billion | Number of records exposed in the first 9 months of 2019
279 days | Time between occurrence and containment of data breach
Hacking | Top breach type for number of incidents incurred
Senior management and executives now acknowledge privacy and security as some of the biggest risks to the business. Previously, the entire scope of privacy would fall upon IT professionals to manage and control.
High-profile cyberattacks and data breaches, such as Capitol One in 2019, have brought the issue of privacy to the forefront of executives’ minds. Regulatory obligations to notify the public of breaches and pay significant fines for noncompliance have also pushed executives to be more concerned than ever before.
Info-Tech Insight
Data breaches shouldn’t just concern senior leadership and management; involving and educating your organization at all levels encourages a tightly woven, privacy-centric operating model. (Source: IBM Security)
Info-Tech offers various levels of support to best suit your needs
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks used throughout all four options
Guided Implementation
What does a typical GI on this topic look like?
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 4 to 6 months.
- Call #1: Scope requirements, drivers, objectives, and challenges.
- Call #2: Build out privacy ownership using the RACI chart.
- Call #3: Review results of data process mapping business unit interviews.
- Call #4: Delve into the Privacy Framework Tool to identify and evaluate gaps.
- Call #5: Determine cost and effort ratio of gap initiatives.
- Call #6: Build out additional privacy collateral (notice, policy, etc.).
- Call #7: Review standard privacy metrics and customize for your organization.
- Call #8: Establish and document performance monitoring schedule.