
A 10-Step Checklist for In-House Legal Teams

10 Steps To Bring You Closer to Compliance & Minimize Risk

Privacy is a growing part of the day-to-day operations of corporate legal teams. This checklist walks you through the key elements for you and your team to consider when building your privacy program.

Step one: Assess Your Current State

Every successful privacy program starts from a stable foundation. Outline all of the ways privacy is managed today. At a baseline you should have a privacy policy; work your way out from there. Can you identify where personal and sensitive data live? If you received a Data Subject Request (DSR) today, would you know which systems hold that subject's data, and could you respond within the required timeline? Finally, if your program is already up and running, how easy is it for data subjects to submit a DSR? Use these answers to determine where your organization needs to improve.

Step two: Identify Your Partners & Contributors

Create an internal privacy team with representation from IT, legal, engineering and any other business function that has access to systems holding customer PII, for instance marketing or customer success. Depending on the size of your business, consider adding external advisors with experience building privacy programs. Once the team is assembled, align on your goals and assign an owner and a due date to each one.

Step three: Determine What Data Needs to be Protected - And Where it Lives

According to Okta, the typical organization uses more than 190 different software applications daily across its operations. Can you say with confidence that you know every application in use by every employee in your organization? If not, your next step is to identify every system in which PII lives, including employee data: an IAPP Research report found that 15% of DSRs were made by current or former employees, 70% by customers and 15% fell into the “Other” category. IT is usually your best partner for this; if you have a Privacy Program Manager, this is the type of initiative they could run, interfacing with every team in the organization to learn which systems exist and what PII each one holds. This inventory is vitally important for complying with Article 30 of the GDPR, which requires controllers and processors to keep records of their processing activities, and in practice that means knowing every system that holds personal data. Similar provisions are found in the CPRA and other privacy laws.

Step four: Determine Your Baseline

While the GDPR and the CCPA are the two best-known regulations, they differ materially, and regional regulations already in effect have their own areas of emphasis. Best practice is to build to the most stringent regulation you must comply with, which covers most of what the others require; then check the remaining regulations for obligations that have no equivalent in it, such as the CCPA's “Do Not Sell” opt-out, rather than assuming they are satisfied. Commonly considered the “gold standard,” the GDPR is very often the first stepping stone to a complete privacy program.

Key Privacy Regulations

  • CCPA — California Consumer Privacy Act
  • CPA — Colorado Privacy Act
  • CPRA — California Privacy Rights Act
  • GDPR — General Data Protection Regulation
  • LGPD — Lei Geral de Proteção de Dados Pessoais
  • PIPEDA — Personal Information Protection and Electronic Documents Act
  • PIPL — Personal Information Protection Law
  • VCDPA — Virginia Consumer Data Protection Act

Step five: Update or Create Your Privacy Policy

Your privacy policy should accurately describe how you gather, use, disclose and manage customer, client and employee data. Now that you have mapped your systems, you can create or update the policy with confidence. Keep it user friendly; have someone without a legal background review it to confirm that the average reader can understand it. Also make the policy easy to find, for instance from your cookie banner or a link at the bottom of every page of your website. The bottom line is to make it accessible to your users.

Step six: Outline a Process to Verify Your Data Subjects’ Identity and the Legitimacy of Their Requests

Verification of your “data subjects” (a more encompassing term than consumers) must be airtight. The underlying risk is releasing, correcting or deleting one person's data on an impostor's request, which can bring steep fines and significant brand damage from negative press. Match the rigor of verification to the request: an access or deletion request should require more proof than an opt-out of sale. So, what are a few safeguards for your organization? A recommended practice is to require the requester to complete verification within seven (7) days of submitting the privacy request. If the requester cannot verify within that window, industry analyses indicate a higher likelihood that the request is illegitimate, and it should not be fulfilled.


Important: Avoid collecting additional personal information in the process of verifying a requester. Privacy regulations encourage the principle of data minimization, so it’s best to leverage existing data already on file to verify a requester.

Other ways to verify:

  • Ask verification questions such as: what was the subject's last interaction with a representative of your business, or what was the last item the subject purchased?
  • Use a technology tool, such as DataGrail Smart Verification, that leverages various levels of verification and geolocation-specific legal frameworks to ensure data subjects are verified at all times and according to applicable privacy regulations
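The following is an added example of a verification workflow that applies the points above; it is not DataGrail's product or code, and nothing in it comes from the original page. The seven-day window is taken from the text. The request kinds, the two assurance levels (a confirmed contact channel for an opt-out; channel plus knowledge of data already on file for access and deletion), the three-attempt lock, the `verify` and `matches` function names and the sample records are all assumptions made for the example.

```python
"""DSR identity verification workflow (added example; assumptions noted inline)."""
from __future__ import annotations

import hmac
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

VERIFICATION_WINDOW = timedelta(days=7)  # the seven-day window from the text
MAX_ATTEMPTS = 3                         # assumption: lock after three failed attempts


class Assurance(Enum):
    LOW = 1   # proof of control over the contact channel on file
    HIGH = 2  # LOW plus knowledge of data already on file


# Assumption: access and deletion can expose or destroy someone else's data if an
# impostor succeeds, so they require HIGH; an opt-out of sale only needs LOW.
REQUIRED_LEVEL = {"opt_out": Assurance.LOW, "access": Assurance.HIGH, "deletion": Assurance.HIGH}

# Constructed sample of data already on file. Verification asks about these fields
# rather than collecting new personal information (data minimization).
RECORDS_ON_FILE = {
    "alice@example.com": {"postal_code": "94105", "last_order": "SKU-4471"},
    "bob@example.com": {"postal_code": "10001", "last_order": "SKU-0930"},
}

T0 = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed submission time


def normalize(value: str) -> bytes:
    """Fold case, whitespace and Unicode form so honest typing variants still match."""
    return unicodedata.normalize("NFKC", value).strip().casefold().encode()


def matches(on_file: str, supplied: str) -> bool:
    """Constant-time comparison so response timing does not leak the stored value."""
    return hmac.compare_digest(normalize(on_file), normalize(supplied))


@dataclass
class DSR:
    request_id: str
    kind: str            # "opt_out", "access" or "deletion"
    email: str           # contact channel the requester claims
    submitted_at: datetime
    status: str = "pending"
    attempts: int = 0
    log: list[str] = field(default_factory=list)  # outcomes only; answers are never stored


def verify(req: DSR, answers: dict[str, str], channel_confirmed: bool, now: datetime) -> str:
    """One verification attempt; returns the request's new status.

    channel_confirmed: the requester followed a one-time link sent to the address
    on file (assumed mechanism for the LOW level).
    """
    if req.status != "pending":
        return req.status
    if now - req.submitted_at > VERIFICATION_WINDOW:
        req.status = "expired"  # not verified in time: do not fulfil
        req.log.append("expired")
        return req.status
    req.attempts += 1
    record = RECORDS_ON_FILE.get(req.email)
    # Unknown addresses fail exactly like wrong answers, so the outcome does not
    # reveal whether an address is on file.
    ok = record is not None and channel_confirmed
    if ok and REQUIRED_LEVEL[req.kind] is Assurance.HIGH:
        ok = all(matches(record[k], answers.get(k, "")) for k in record)
    if ok:
        req.status = "verified"
    elif req.attempts >= MAX_ATTEMPTS:
        req.status = "locked"  # repeated failure is treated as an illegitimate request
    req.log.append(f"attempt {req.attempts}: {'ok' if ok else 'fail'}")
    return req.status


def demo() -> dict[str, str]:
    """Constructed scenarios; returns the final status of each."""
    day = timedelta(days=1)
    out: dict[str, str] = {}
    r = DSR("r1", "opt_out", "alice@example.com", T0)
    out["opt_out_channel_only"] = verify(r, {}, True, T0 + day)
    r = DSR("r2", "deletion", "alice@example.com", T0)
    out["deletion_correct"] = verify(r, {"postal_code": " 94105 ", "last_order": "sku-4471"}, True, T0 + 2 * day)
    r = DSR("r3", "access", "bob@example.com", T0)
    for _ in range(MAX_ATTEMPTS):
        out["access_wrong_locked"] = verify(r, {"postal_code": "00000", "last_order": "SKU-0930"}, True, T0 + 3 * day)
    r = DSR("r4", "access", "bob@example.com", T0)
    out["correct_but_late"] = verify(r, {"postal_code": "10001", "last_order": "SKU-0930"}, True, T0 + 8 * day)
    r = DSR("r5", "access", "mallory@example.com", T0)
    out["unknown_address"] = verify(r, {"postal_code": "94105", "last_order": "SKU-4471"}, True, T0 + day)
    return out


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Two design points matter more than the rest: the comparison is constant-time and the answers themselves are never persisted, only the outcome, so the verification step does not create a new store of personal data; and a request that is correct but arrives after the window is expired rather than fulfilled, which is what the seven-day rule above asks for.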

Step seven: Notify Consumers of Your Privacy Policy & Make it Easy for them to Exercise Their Privacy Rights

Once you’ve defined and updated your privacy policy and processes, you will need to communicate it to your external stakeholders, including customers and partners. This is often called the “notification” step.

Ways to do this include:

  • Adding a link to your privacy policy page on your organization’s home page
  • Clearly indicating how a consumer can submit a privacy request to your organization
  • Displaying a link on your company’s homepage for consumers who choose to opt out of the sale of their data
  • Avoiding using a generic support channel for privacy requests. If you choose to provide an email address, make sure it’s an account dedicated to the intake of privacy requests (e.g., [email protected])
  • Giving data subjects different methods to submit their privacy requests

Important: Write a clear, comprehensive, and easy to understand privacy policy that covers best practices as well as your individual requirements. Prominently post your privacy policy for consumers and customers.

Step eight: Regularly Audit Your Data & Set Data Retention Policies

To ensure sustainable compliance you must regularly audit your data and set data retention policies. This step protects your company against unchecked accumulation of data and gives you a set process for how long to hold on to each type of data. It entails:

  • Creating data categories that separate consumer, business and third-party data
  • Outlining the categories of personal data that are sold, or, if your organization does not sell data, a legal statement spelling that out
  • If you do sell data, creating and linking to a “Do Not Sell” information page and giving consumers the ability to opt out
  • Auditing data to find any consumer information belonging to the groups covered by specific regulations (e.g., individuals in the EU, California residents)
  • Mapping consumer personal data per repository so it is easily discovered in the event of a deletion request
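An added example of what the retention audit and the per-repository mapping look like in code; it is not the page's or DataGrail's code, and it also serves step three's question of which systems hold a given subject's PII. The categories, retention periods, legal-hold rule, field names and the sample inventory are assumptions constructed for the example; real retention periods come from your legal requirements and business needs.

```python
"""Retention and data-sale audit over a personal-data inventory (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention policy: days to keep a record after its last activity, per category.
# The periods are placeholders, not legal advice.
RETENTION_DAYS = {"consumer": 365 * 2, "business": 365 * 7, "third_party": 180}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str      # the data subject the record belongs to
    category: str        # consumer, business, third_party (or not yet classified)
    system: str          # system holding the record, from the data inventory
    last_activity: date
    legal_hold: bool = False        # litigation hold overrides deletion
    sold_to_partners: bool = False  # record is in a category disclosed or "sold"
    subject_opted_out: bool = False # subject exercised "Do Not Sell"


def retention_decision(rec: Record, today: date) -> str:
    """retain / delete / hold / unclassified for a single record."""
    if rec.category not in RETENTION_DAYS:
        return "unclassified"  # no rule can apply until the record is categorized
    if rec.legal_hold:
        return "hold"
    expiry = rec.last_activity + timedelta(days=RETENTION_DAYS[rec.category])
    return "delete" if today > expiry else "retain"


def audit(records: list[Record], today: date) -> dict[str, list[str]]:
    """Group record ids by retention decision and flag opt-out violations."""
    findings: dict[str, list[str]] = {
        "retain": [], "delete": [], "hold": [], "unclassified": [], "sale_opt_out_violation": []
    }
    for rec in records:
        findings[retention_decision(rec, today)].append(rec.record_id)
        # Data still flowing to partners after a "Do Not Sell" opt-out is a finding
        # regardless of whether the record is otherwise within its retention period.
        if rec.sold_to_partners and rec.subject_opted_out:
            findings["sale_opt_out_violation"].append(rec.record_id)
    return findings


def systems_holding(records: list[Record], subject_id: str) -> list[str]:
    """Every system with data for one subject: the lookup a deletion request needs."""
    return sorted({r.system for r in records if r.subject_id == subject_id})


TODAY = date(2024, 6, 1)  # constructed reference date

# Constructed inventory sample.
SAMPLE_RECORDS = [
    Record("c1", "s-100", "consumer", "crm", date(2024, 5, 1)),
    Record("c2", "s-101", "consumer", "marketing", date(2021, 1, 15)),
    Record("c3", "s-100", "consumer", "billing", date(2020, 3, 3), legal_hold=True),
    Record("b1", "s-200", "business", "erp", date(2019, 1, 1)),
    Record("t1", "s-100", "third_party", "analytics", date(2023, 9, 1),
           sold_to_partners=True, subject_opted_out=True),
    Record("x1", "s-101", "support_notes", "helpdesk", date(2024, 1, 1)),
]


if __name__ == "__main__":
    for decision, ids in audit(SAMPLE_RECORDS, TODAY).items():
        print(f"{decision}: {ids}")
    print("systems holding s-100:", systems_holding(SAMPLE_RECORDS, "s-100"))
```

The "unclassified" bucket is deliberate: a record with no category cannot be retained or deleted correctly, so the audit surfaces it as work for step three rather than silently applying a default.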

Step nine: Train The Company

Getting everyone in the business to care deeply about privacy can be challenging, and you and your legal team are extremely busy. Make it a team effort: bring marketing in to make the training more engaging, and share the load with IT and leadership to emphasize the importance of the new processes and of tracking PII across the organization.

Educating your employees on the policies early and often means they can be part of the solution, rather than inadvertently introducing risks due to a lack of awareness.


Tip: Work with HR to include training in your company onboarding.

Step ten: Improve, Iterate, Evolve

As you can see, the regulatory environment is not static. New regulations surface often, and the pace of change is only expected to increase. It is therefore critically important that your privacy program is flexible and future-proof, so that you can bring your company into compliance with new regulations without starting over. Review and adjust your privacy program when internal or external events such as the following occur:

  • New privacy regulations applicable to your company or your data subjects
  • A merger or acquisition affecting your company
  • A significant change in your database structure or in where PII is stored
  • Onboarding of new vendors for PII collection or ‘sale’ of PII

Conclusion

How can DataGrail help?

DataGrail is the data privacy company for this era. We help brands minimize risk, stay a step ahead of consumer and employee expectations, and safeguard their reputation. Our complete, enterprise-grade data privacy platform is powered by patented Risk Intelligence technology that detects shadow IT and makes vulnerable data visible so brands can proactively manage risk. Leveraging responsible automation at scale and the largest integration network in data privacy, DataGrail automates privacy workflows across systems to perform risk assessments, accelerate data subject request (DSR) fulfillment, and optimize resources.


DataGrail is headquartered in San Francisco. The world’s most trusted brands partner with DataGrail on their data privacy journey, including Salesforce, Dexcom, Databricks and Instacart, among others. It has 4.8/5 stars on G2 and is backed by leading VCs and strategic investors, including Third Point Ventures, Felicis Ventures, Next47, Cloud Apps Capital Partners, Operator Collective, HubSpot, Okta Ventures, and American Express Ventures.


To learn more about DataGrail, please visit www.datagrail.io or follow DataGrail on Twitter and LinkedIn.