How to Start Building a Secure Data Privacy Program
Article

How to Start Building a Secure Data Privacy Program

by Pippa Akem
June 29, 2021

The recent influx of privacy regulations worldwide has brought data security to the forefront of many companies’ strategies. As organizations create privacy programs that protect customer information, they’re increasingly looking for vendors to display the same values and practices. Here’s how to start building a privacy program that protects your data and reassures your business partners.

You Can Use Microsoft SSPA as a Guide

A recent example of companies’ growing commitment to data security is Microsoft’s Supplier Security and Privacy Assurance (SSPA) program, which is intended as a baseline for data protection efforts for all vendors given access to Microsoft personal or confidential data. As a condition for executing a contract with Microsoft, suppliers or vendors must obtain SSPA “green status” by displaying compliance with data protection requirements (DPRs) relevant to the Microsoft data they will access.

While SSPA is specific to working with Microsoft, it’s based on the European Union’s General Data Protection Regulation (GDPR) legislation. The SSPA framework can be an effective benchmark to use when building any data privacy program.

Evaluate Your Compliance Requirements and Current Practices

The first step to creating a secure control environment is assessing what data protection laws apply to your organization. Whether it’s SSPA, GDPR or the California Consumer Privacy Act (CCPA), your privacy program should comply with the regulations where any of your customers or business partners are located.

Microsoft’s DPR guidelines can function as a blueprint for your organization, as they provide guidance around what questions to ask your workforce when developing internal procedures and what to review with your downstream business partners. If your control program is aligned with Microsoft’s guidelines, you’ll have the right process to evaluate against CCPA and GDPR.

Next, you should assess your current data privacy and security compliance posture and document written policies that define the data practices for your workforce and business partners. Then, gather the internal policies and guidance documents you believe address each DPR control that applies to your business.

Assess Gaps in Your Control Environment

Once you know your current situation, you need to find the gaps in your controls. The most efficient way to compare your data privacy practices against relevant regulations is to have an independent third party conduct a compliance assessment. The assessor will look at your current policies, procedures and controls that secure the personal information flowing through your organization.

A thorough DPR assessment includes these steps

  • Evaluate your privacy and security controls
  • Review your privacy policies and procedures and guidance documents
  • Scrutinize your data classification policy and practices
  • Identify gaps in your policies based on DPR requirements and best practices
  • Issue a letter attesting to your organization’s compliance with DPR controls

Suppose you’re working toward green status to partner with Microsoft. In that case, your assessor should also loop you in on the other areas for improvement , such as how to create accountability mechanisms, track adherence to (or deviations from) policies and put a scorecard into practice, and advise you on the essentials to keep you from compromising your contract.

Note: you may want to combine Microsoft DPR attestation with other privacy or security assessments to lessen the cost and heavy lifting around controls testing.

Leverage Technology

You should create an inventory of your company’s processing activities. The inventory should list all relevant business processes that involve the collection and use of personal data, identify who is given access to the data, and indicate where data is transferred outside of the company and how long the information is stored in each location.

Conducting a data inventory exercise is time consuming and challenging, but technology can make it easier. Once you have your bearings, you can start researching data audit tools, which automate aspects of the inventory process and streamline the management of your program. You’ll want a tool that can scan your various technology solutions and the structured and unstructured data they store.

Especially when dealing with legacy software, your systems may record data from various departments and solutions without an inherent logic. Most organizations have some form of this “unstructured” data, and it can fall through the cracks when you’re tracking your compliance. To prevent this, your data audit tool should scan your systems and flag information that’s stored in an unstructured environment, so you can map that data and make sure it’s compliant with the relevant regulations.

An ideal data audit tool also contains a governance, risk and compliance (GRC) solution, which helps establish accountability by maintaining audit logs, monitoring user access and privileges, and alerting administrators when user activity violates compliance requirements. Most importantly, a GRC tool functions as an archive for your control procedures that your compliance team can use to exhibit adherence to established guidelines, and it provides a way to communicate your policies with the entire workforce.

A practical feature included in many data audit solutions is a dashboard with a user-friendly interface. While not necessary, it can help you quickly access information about your control program’s performance in an easily digestible format.

Finally, robust reporting functionality is key for leadership to manage your data privacy program on an ongoing basis. It should allow you to drill down specific data elements across your various systems, generate reports detailing those attributes, see how they align with your organizational needs and provide insights into your program’s success and areas for improvement.

Note: your data privacy software is there to enhance your control procedures and make your processes more efficient. Before you implement a tool, you should have a clear understanding of how the tool can be used to support your compliance and reporting agenda.

To Avoid Pitfalls, Have a Defined Project Plan

Often, we see companies run into roadblocks that stall or halt their privacy efforts. Common reasons for this include:

  • Not having a strategy
  • Failing to identify the stakeholders and business units to engage from the onset (legal, compliance, customer service, IT, marketing, HR, product management, website development, etc.)
  • Focusing almost immediately on policy development to the exclusion of everything else
  • Leveraging legacy or unworkable processes (where possible) to create efficiency
  • Starting too late (you run the risk of not remediating on time or overwhelming your team)

You can avoid these pitfalls with a defined project plan and milestones . A project plan should define the overall project approach; detail how you plan to gather information about the business and how personal data is collected, used and shared; determine appropriate stakeholders; define in-scope business processes and systems; and pinpoint gaps between the current state and the required state for compliance with applicable laws.

The project plan should also disclose resources required to remediate findings, identify any new technology to help along the way and include a timeline that achieves compliance well ahead of any deadline. For milestones, you should track activities and tasks that reaffirm the project goals. Ask yourself how do you measure success?

Create a Flexible Framework

Privacy legislation is evolving constantly. So, you’ll want to craft a flexible framework that lets you adapt to changing laws or add more controls that provide peace of mind to your customers — displaying your ongoing commitment to the security of their data.

Maintaining an SSPA, GDPR or CCPA compliant privacy program is vital to protecting your internal and customer data from breaches that could negatively affect your operations. Increasingly, it’s also a market differentiator that will help you retain the public’s trust in your brand and elicit new business opportunities for your organization.

To learn more about privacy regulations or building a compliant data privacy program, reach out to our team of experts.

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Author
Resources
Related News and Insights
Power of Vendor Risk Analytics Exchange Webinar
Webinar
Gain insights on risk trends and improve your vetting process through data from over 80,000 supply chain vendors.

July 28, 2021 | 10:00 AM - 11:00 AM PT
Regulatory and Industry News Alerts from Armanino
Article
The European Commission’s latest decision allows personal data to flow freely from the U.K. to the EU.

July 08, 2021
Regulatory and Industry News Alerts from Armanino
Article
 New rules for data transfers from controllers or processors in the EU/EEA to those outside the EU/EEA.

June 22, 2021