Build a Corporate Privacy Program

In this age of rapidly evolving technology, a corporate privacy program is indispensable to a large organization. Regulations that govern personal data collection and storage are becoming more stringent worldwide. An organization needs a dedicated team to keep everyone up to date on the latest rulings and risks. A formal privacy program establishes leadership and sets down guidelines for data management and compliance. These steps will help you set up an effective program for your organization.

Step 1: Internal Privacy Assessment

An internal assessment looks at how your organization collects, manages, and controls personal data. This step requires strong leadership and the willingness to take a hard look at strengths and weaknesses.

Identify Leadership

An effective corporate privacy program needs a management team led by a privacy officer. The team should include any data owners and organizations that collect, maintain, and use personal data. The privacy officer should be a leader and influencer from IT, IT security, legal, or similar fields. The management team and privacy officer form the privacy office, which is responsible for policy analysis, risk management, decision-making, employee training, and similar matters.

Evaluate Security Goals and Compliance Capabilities

The privacy office should review expectations and outcomes, including compliance, for the organization’s privacy program. This stage allows the privacy office to look at what’s working and what needs improvement. Does your organization have the resources or skills necessary for all of its security responsibilities? Now is the time to address any gaps and to decide whether to outsource certain tasks.

Step 2: External Privacy Assessment

Once you’ve established your program leadership and management team, you can turn your attention outward. An external assessment reviews matters such as regulatory compliance and data retention.

Identify Privacy Regulations

The next order of business is to identify regulations that affect your organization. If you do business in multiple geographical areas, you should develop policies that comply with the strictest regulations. For example, the EU’s General Data Protection Regulation (GDPR) has a broad impact on companies that sell products in the EU.

Create Data Inventory and Retention Policy

A time-consuming but crucial component, the data inventory identifies every piece of personal data you hold and records where it is stored. Assess the risk versus benefit of each piece of data to determine whether it is worth keeping. A data retention policy sets out how long you will retain each type of data, which helps reduce both risk and cost.

Step 3: Develop a Breach Response Plan

A breach or incident response plan is indispensable for a corporate privacy program. The plan should include guidelines on matters such as setting up a response team, conducting investigations, and coordinating with law enforcement once a breach has occurred. Training, drills, and updates will ensure the successful response to a data breach.

Step 4: Manage and Regularly Update Privacy Policy

An effective privacy program requires constant evaluation and fine-tuning. It’s best to make small updates as they are needed, rather than undertaking a sweeping, costly overhaul after a data breach has occurred.

As privacy regulations evolve, you will need to update your compliance procedures. Stay informed about new rulings and regulations in each location in which you do business. For example, more and more localities require subject consent before personal data collection. Record any updates you make to your policies and procedures in case you need a record for an audit.

Ongoing: Stay Informed and Up to Date

Today’s ever-changing world of information technology requires constant monitoring. A formal corporate privacy program ensures that guidelines are up to date and employees receive the training they need. The result is secure and cost-effective data storage for your organization and customers.


Shawn Corrigan

Shawn Corrigan is the President and Founder of Interactive Security Holdings Inc. Interactive Security has grown into a global company offering IT compliance auditing services for small to large companies, focused on making compliance obtainable, simple, and affordable. With over 20 years in the BPO and financial industry working at the executive level, Corrigan has experienced the pitfalls, trials, and tribulations of bringing an enterprise organization into IT compliance. Corrigan has designed a methodology geared at guiding clients of any size to successfully achieve compliance and ultimately obtain compliance certification. Corrigan is certified as a FISMA – NIST Implementor, PCI-DSS QSA, HITRUST Certified Practitioner and HITRUST Certified Quality Professional, and ISO 27001 Lead Auditor and Implementor.