Build a Data Privacy Program

Take out data privacy’s grey areas with a quantitative approach to your program.

Executive Brief

Analyst Perspective

Privacy can no longer be subjective. Quantify and measure to drive a more effective privacy program.

With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage for both IT and the business.

This leaves leaders questioning what exactly privacy involves and how to make it scalable for their respective organization. As a facet of the business that is traditionally left to the discretion of a legal team or professional(s), this new realm of privacy and data protection is shrouded in incumbent grey area.

But what if privacy is a little more “black and white” than what previous thought frameworks may have dictated? By taking a quantitative vs. qualitative approach to privacy management, business and IT leaders can remove some of the ambiguity around what privacy controls need to be in place and how to balance privacy integration with current business operations.

As the general public begins to take back control over data privacy so too should organizations, by taking a tactical, measurable approach to privacy and the business.

Cassandra Cooper Senior Research Analyst, Security, Risk & Compliance Info-Tech Research Group

Executive Summary

Your Challenge

• Data privacy is increasingly on the tip of our tongues, regardless of company size or industry.
• With impending regulatory frameworks looming, business and IT leaders find themselves scrambling to ensure that all bases are covered when it comes to data privacy.

Common Obstacles

• Privacy, traditionally, has existed in a separate realm, resulting in an unintentional and problematic barrier drawn between the privacy team and the rest of the organization.
• With many regulatory frameworks to consider and a number of boxes to tick off, building an all-encompassing data privacy program becomes increasingly challenging.

Info-Tech's Approach

• Sell privacy to the business by speaking a language they understand. IT and InfoSec leaders need to see privacy as more than just compliance, as a driver of business efficiency.
• Integrate and build by developing a program that promotes:
  • Privacy standards that are established with respect to how information is accessed.
  • Accessibility to this information through a defined understanding of personal data’s processing standards in the organization.

Info-Tech Insight

Take a quantitative approach to data privacy. Use metrics and a risk-based approach against a privacy framework that supports compliance while considering the custom needs of your organization.

Your challenge

This research is designed to help organizations who need to:

• Understand how to adapt and quantify privacy beyond compliance.
• Change the pre-existing perspective on how to assess privacy competency.
• Shift the organization’s view of privacy as the enemy of efficiency and innovation.
• Build an environment that places privacy ownership in the hands of the business.
• Extend the privacy program beyond the privacy team or organizational function.
• Take the ambiguity out of privacy program management.

Data Privacy Program

1. Understand – Collect Privacy Requirements
2. Assess – Conduct a Privacy Gap Analysis
3. Bridge – Build the Privacy Roadmap
4. Implement – Implement and Operationalize

Life after the GDPR

May 2018 saw the introduction of the General Data Protection Regulation across the EU, which has since become somewhat of a global standard when it comes to data protection best practices. However, many organizations still fall short of what is considered “compliant” by GDPR standards.

• 43% of organizations for whom GDPR compliance is of primary concern, consider themselves “moderately compliant.”
• 38% of organizations under GDPR compliancy still reported experiencing a data breach occurring during 2019.
• 94% of organizations that leverage third-party data processors rely on contractual assurances for data safety and protection.
(Source: IAPP, 2019)

Info-Tech Insight

An effective privacy program ensures compliance, but simply being compliant does not mean you have an effective privacy program.

Instead of reactively checking the compliance boxes based on a set of governing laws, develop a privacy framework that proactively anticipates while staying in scope of the needs of your organization.

Understanding privacy vs. security

A common assumption is that security and privacy are one and the same. Security’s role is to protect and secure assets, of which confidential data – especially personal data – is a large focus. The consequences of a personal data breach can be severe, including the loss of customer trust and potential regulatory consequences. As a result, we often think of how we use security to protect data.

But that is not equivalent to privacy …

Privacy must be thought of as a separate function. While there will always be ties to security in the ways it protects data, privacy starts and ends with the focus on personal data. Beyond protection, privacy extends to understanding why personal data is being collected, what the lawful uses are, how long it can be retained, and who has access to it.

Privacy is all about personal data

When building a privacy program, focus on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. On the converse side, an effective privacy program also enables accessibility to information based on regulatory guidance and appropriate measures.

See examples of personal data in the below charts:

True cost of a data breach

An industry outlook

Even with a robust privacy program in place, organizations are still susceptible to a data breach. The benefit comes from reducing your risk of regulatory compliance and resulting fines and minimizing overall exposure.

86% of data breach costs are associated with REGULATORY FINES

2019 Breach Breakdown

Average data breach costs per compromised record hit an all-time high of $150 in 2019. (Source: IBM Security)

The Data Breach Aftermath

% of abnormal customer turnover per size of data breach

• ›1% Lost $2.8 million
• 1-2% Lost $3.4 million
• 2-3% Lost $4.2 million
• 4% Lost $5.7 million

Data breach resolution times

• Time to Identify 206 days
• Time to Contain 73 days

% of data breach recovery costs over time

• 14% 3 Months
• 41% ‹6 Months
• 67% ‹1 Year
• 11% ›2 Years

Info-Tech’s approach

Scale and quantify privacy in the organization by taking a layered approach to building out a data privacy program in the organization.

• Industry and operating environment of the organization
• Involvement of personal data in business processes
• Acceptable risk
• Data privacy metrics

The Info-Tech Framework

Our approach is modeled on a framework that extends beyond compliance to create a scalable and quantifiable privacy framework.

1. Governing Privacy Laws – Understand which governing privacy laws and frameworks apply to your organization.
2. Data Process Mapping Tool for Business Processes – Create a map of all personal data as it flows throughout the organization’s business processes.
3. Privacy Initiative Prioritization Schema – Prioritize privacy initiatives and build a privacy program timeline.
4. Privacy Metrics – Select your metrics and make them functional for your organization.
5. Privacy Program – Continue to refine your Data Privacy Program.

Info-Tech’s methodology for building a privacy program

Insight summary

Overarching insight

Take a quantitative approach to data privacy. Use metrics and a risk-based approach to drive a privacy framework that supports compliance and considers the custom needs of your organization.

Fit privacy to the business.

Contextualize privacy for your organization by involving the business units from day 1; collect requirements that promote cross-collaboration.

Privacy is dynamic.

Structure drives success: take a process vs. system-based approach to assessing personal data as it flows throughout the organization.

Prioritize and plan together.

Review, revise, reprioritize; come back to the initial risk map created. Draw on areas of alignment between high-value/high-risk processes and their supporting initiatives to properly prioritize.

Make it operational.

Be selective with your metrics: choose to implement only metrics that are relevant to your environment. Base your selection on the highlighted areas of focus from the maturity assessment.

Privacy doesn’t live in isolation.

By assigning ownership and flexibility to your business units in how they weave privacy into their day-to-day, privacy becomes part of operational design and structure.

A good privacy program takes time.

Leverage the iterative process embedded in each phase to prioritize privacy initiatives based on value and risk and support the rollout through customized metrics.

Blueprint deliverables

Key deliverable:

• Privacy Framework / Business Unit Framework Tools Leverage best-practice privacy tactics to assess your current organizational privacy maturity while comparing against current privacy frameworks, including GDPR, CCPA, HIPAA, and NIST. Build your gap-closing initiative roadmap and work through cost/effort analysis.

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

• Privacy Program RACI Chart A high-level list of privacy program initiatives, with assigned ownership to privacy champions from both the business and IT.
• Data Process Mapping Tool Full documentation of all business processes that leverage personal data within the organization.
• Data Protection Impact Assessment When highly sensitive data is involved, leverage this tool to assess whether appropriate mitigating measures are in place.
• Data Privacy Program Report A template that highlights the key privacy metrics identified in Phase 4 for the senior leadership team.
• Privacy Policy Templates Internal and external policies around:
  • Data Protection
  • Privacy Notice
  • Cookies
  • Data Retention

Blueprint benefits

IT Benefits

• Identification of information security-specific privacy controls, mapped against governing privacy frameworks (GDPR, CCPA, HIPAA, PIPEDA, NIST).
• Comprehensive inventory of where personal data exists within IT systems at different points during its lifecycle (at rest, in transit).
• Perspective from a privacy lens on IT controls (system and network access, asset management, etc.).
• Assigned ownership for members of the IT team of privacy-IT integration and individual privacy initiatives.

Business Benefits

• Understanding of the scope of privacy within the context of the organization.
• An active role and participation in the integration of privacy requirements as a part of pre-existing operations, as well as net-new operating procedures.
• Ability to leverage privacy as a competitive advantage in streamlining how customer data flows through the organization.
• Thorough perspective on how each of the business units’ processes impact and reference personal data.

Data Privacy

• IT / InfoSec
• Senior Leadership
• Business Units

Measure the value of this blueprint

As better privacy becomes the expectation from both B2B customers and end-consumers, expect a subsequent shift towards a strong privacy program as a competitive advantage for many organizations.

Privacy metrics take your program from a static framework to an operational model.

Select privacy metrics that are realistic and relevant for your organization, based on each of the 12 areas outlined as part of privacy control best practices.

Info-Tech’s Privacy Control Categories

Governance Regulatory Compliance Data Processing and Handling Data Subject Requests Privacy by Design Notices and Consent

Incident Response Privacy Risk Assessments Information Security Third-Party Management Awareness and Training Program Measurement

Info-Tech Project Value

$72,348 – Average annual salary of a Privacy and Compliance Officer

1,020 hours, $38,250 (initial spend), $7,650 (ongoing spend) – Average total time/cost to completion for the following high-priority privacy-related projects:

• Complete and revise Data Process Mapping Tool (X)
• Develop and document retention policy (X)
• Validate personal data processing procedures (X)
• Develop a privacy framework and roadmap (X)
• Update DSAR request forms
• Review vendor contracts and ensure data transfer agreements are in place
((X) indicates a project or initiative covered by Info-Tech’s Data Privacy Program methodology)

$45,900, 1,020 hours – Estimated cost and time savings from this blueprint

Executive Brief Case Study

DoorDash Data Breach – Fall 2019

INDUSTRY: Food Services
SOURCE: Forbes

Event

• Food delivery service DoorDash announced a data breach impacting 4.9 million users, delivery employees, and merchants in late September 2019.
• PII hacked included name, email, delivery address, phone numbers, passwords, and final four digits of payment cards taken, as well as final four bank account digits for delivery employee and merchants.

Aftermath

• Main backlash highlighted the fact that DoorDash did not detect the breach until more than five months after the date of the breach.
• DoorDash’s press release stated the company would focus on:
  • System access security protocols
  • Ramping up data security
  • Leveraging external expertise to help mitigate future risk

Issue

• Misplaced accountability: there was no ownership when it came to whom within the company had access to PII.
• A lack of stringent third-party vendor management, resulting in contracts that left room for interpretation in terms of who had access to customer PII.
• Ineffective incident response plan, as it took the organization five months to inform customers that the breach had occurred.

Info-Tech’s Resolution

In 2019, data breaches increased globally by over 33%. Within the first quarter alone, 4.1 million records were exposed.

Preventing a data breach is just one outcome of implementing an effective privacy program, amongst an understanding of:

• Where every bit of personal information resides
• Who has access to which personal information
• All security controls necessary to protect personal information
• The retention times for different types of PII

Build a Data Privacy Program leverages a simple four-step process:

1. Collect Privacy Requirements
2. Conduct a Gap Analysis
3. Build the Privacy Roadmap
4. Implement and Operationalize

Looking through the global data breach lens

33% increase in the number of data breach incidents from the first half of 2019

Info-Tech Solution

Every case is different, however, across the spectrum of breaches during 2019, we can spot common trends.

In many cases, external parties informed the company of the leaked data, exposing the underlying lack of privacy program monitoring in place within the organization itself.

By developing a structured privacy program, you know:

• Where data is in the organization
• Who is accessing it
• How it’s being leveraged and maintained

Should the event of a breach occur, you can take back control of the resolution process, and minimize reputational damage.

Executives are increasingly concerned about data breaches

Hefty fines and reputational damage are two of the primary setbacks incurred following a publicized data breach.

$3.92 million (USD) | Average total cost of data breach

7.9 billion | Number of records exposed in the first 9 months of 2019

279 days | Time between occurrence and containment of data breach

Hacking | Top breach type for number of incidents incurred

Senior management and executives now acknowledge privacy and security as some of the biggest risks to the business. Previously, the entire scope of privacy would fall upon IT professionals to manage and control.

High-profile cyberattacks and data breaches, such as Capitol One in 2019, have brought the issue of privacy to the forefront of executives’ minds. Regulatory obligations to notify the public of breaches and pay significant fines for noncompliance have also pushed executives to be more concerned than ever before.

Info-Tech Insight

Data breaches shouldn’t just concern senior leadership and management; involving and educating your organization at all levels encourages a tightly woven, privacy-centric operating model. (Source: IBM Security)

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Phase 1

• Call #1: Scope requirements, drivers, objectives, and challenges.
• Call #2: Build out privacy ownership using the RACI chart.

Phase 2

• Call #3: Review results of data process mapping business unit interviews.
• Call #4: Delve into the Privacy Framework Tool to identify and evaluate gaps.

Phase 3

• Call #5: Determine cost and effort ratio of gap initiatives.
• Call #6: Build out additional privacy collateral (notice, policy, etc.).

Phase 4

• Call #7: Review standard privacy metrics and customize for your organization.
• Call #8: Establish and document performance monitoring schedule.