Introduction
Study participants indicated they “experienced at least $1 million in benefit from investing in privacy over the past year. Twenty-eight percent experienced over $10 million in benefit.”
Additionally:
- 75% said privacy helps them avoid brand damage
- 58% said privacy helps them build trust with customers
- 42% said privacy helps them win deals
- 39% said privacy helps them attract investors
- 42% said privacy helps them attract talent
In short, the tangible benefits of investing in a privacy program extend far beyond checking compliance boxes.
- CIPL, Cisco
What Is a Privacy Management Program?
A privacy management program (PMP) is a set of organizational measures put in place to govern an organization’s collection and use of personal data. It involves assessing and mitigating potential privacy risks, implementing policies and procedures to ensure compliance with relevant laws and regulations, and regularly training and educating employees to maintain a privacy-sensitive culture. The goal of such a program is to ensure personal data is handled responsibly and securely throughout its entire lifecycle, thus protecting the privacy rights and freedoms of individuals.
There are many ways to design a PMP. Several international groups have developed voluntary guidelines and principles for protecting personal data and managing privacy risks.
- NIST Privacy Framework: A set of voluntary guidelines for managing privacy risks and protecting personal data.
- ISO 27701 Privacy Information Management: An international standard for managing systems processing personal data, with specific requirements and guidance for implementing privacy controls within the ISO’s overarching information security management system.
- CIPL Accountability Framework: A framework that provides a set of principles and controls for organizations to demonstrate accountability for personal data protection.
- Generally Accepted Privacy Principles: A set of principles and guidelines for organizations to manage and protect personal data.
The European Union’s General Data Protection Regulation (GDPR) is a comprehensive privacy program management framework in its own right. The GDPR is grounded in eight core principles and requires organizations to protect personal data and manage an array of risks. It provides specific requirements for technical and organizational measures, data protection officer appointment, privacy impact assessments and balancing tests, and obligations related to individuals’ data rights.
Foundational Privacy Principles
Modern privacy laws share a common set of principles that form the bedrock of any privacy management program. As you consider your organization’s business model, geographic footprint, and maturity, it helps to ground yourself in the OECD’s principles for the protection of privacy and personal data:
- Collection Limitation Principle: Collect only as much as you really need.
- Data Quality Principle: Inaccurate and irrelevant data benefits no one.
- Purpose Specification Principle: Be informative and timely about your actual data uses.
- Use Limitation Principle: Be fair and proportionate with your data use.
- Security Safeguards Principle: Practice good security hygiene every time.
- Openness Principle: Be transparent and clear about your data practices.
- Individual Participation Principle: Honor privacy rights, from requests to complaints.
- Accountability Principle: Hold yourself and your partners to demonstrable compliance with applicable rules and policies.
GDPR Principles
Building on the OECD’s founding principles and guidelines, Europe’s data protection regime codifies:
- Lawfulness, fairness, and transparency: Organizations must process personal data in a lawful, fair, and transparent manner.
- Purpose limitation: Organizations must only collect and process personal data for specific, explicit, and legitimate purposes.
- Data minimization: Organizations must only collect and process the minimum amount of personal data necessary to achieve the specific purpose.
- Accuracy: Organizations must take steps to ensure that personal data is accurate and up-to-date.
- Storage limitation: Organizations must store personal data for no longer than necessary to achieve the specific purpose.
- Integrity and confidentiality: Organizations must take steps to ensure the security of personal data and protect it from unauthorized access, alteration, or destruction.
- Accountability: Organizations are responsible for complying with the GDPR and must be able to demonstrate compliance.
- Data subject rights: Organizations must respect individuals’ rights to access, rectify, or delete their personal data, and to object to or restrict its processing.
- Data protection by design and by default: Organizations must implement appropriate technical and organizational measures to protect personal data and consider data protection at the earliest stage of any project or process that involves personal data.
Compare these to the principles enshrined in the CCPA 2.0 as amended by CPRA and other modern frameworks, and you’ll see a clear reflection of what a privacy program should keep top of mind.