
A 10-Step Checklist for Security Teams

10 Steps to Minimize Risk & Strengthen Your Privacy and Data Protection Program

Strong privacy programs are built with security at the foundation. This checklist walks you through key elements to consider when partnering with privacy practitioners to build customer trust and outsmart business risk.

Step one: Know Your Processing Environment

Successful privacy programs start with a solid grasp of their processing environment. Why? Personal data isn’t just a confidential business asset; it’s a specially regulated class of data.

Your whole company is responsible for handling personal data lawfully, transparently, proportionally, and securely throughout its entire lifecycle, while also protecting it from unauthorized access, alteration, or destruction. In some cases, this means not having the data in the first place.

To apply the right safeguards to the right data, you need to know where the data lives and understand what it’s used for. According to Okta’s “Businesses at Work 2023” report, large companies (2,000 or more employees) use an average of 211 different software applications across operations. Can you confidently say you know every application any employee in your organization has ever used?

An effective privacy and data protection program can help cover your blind spots with system and data discovery that relates the information through data mapping. This is a foundational activity that benefits privacy and security practitioners.

Bottom Line: Use this critical information to gain actionable visibility into your processing environment. Zero in on assets and vendor relationships that may be particularly enticing (or vulnerable) to threats. A personal data breach is a nightmare scenario for everyone.

Step two: Identify Your Privacy Collaborators & Cooperative Model

Accountability requires a suitably empowered individual or group to be responsible for an organization’s security and privacy efforts. Start by identifying a privacy lead and a model for ongoing information sharing and cooperation.

Possible data governance models can range from a top-down pyramid led by C-level leaders to a flat team of privacy and security champions embedded throughout the business.

A smaller or mid-level organization could benefit from a joint Security & Privacy Risk Steering Committee, a roundtable of representatives from different departments working together to identify and manage privacy- and security-related business risks. This committee would be responsible for cross-functionally developing and maintaining the privacy and data protection program, and reporting their findings and activities to the CEO and/or the Board. This model allows for a more holistic approach but may lead to increased decision-making complexity.

Bottom Line: Security, privacy, and legal professionals form a Venn diagram of overlapping responsibilities. Cooperation through a formalized risk steering committee, or another collaborative model, is essential to mutual success.

Step three: Understand How Privacy Laws Impact Security Management

Aligning your program with the National Institute of Standards and Technology’s Cybersecurity Framework and Privacy Framework is useful and laudable, and many security and privacy teams do so. However, nuances in privacy and data protection laws like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) can introduce particular concerns for security teams.

Key Privacy Regulations

  • CCPA — California Consumer Privacy Act
  • CPA — Colorado Privacy Act
  • CPRA — California Privacy Rights Act
  • GDPR — General Data Protection Regulation
  • LGPD — Lei Geral de Proteção de Dados Pessoais
  • PIPEDA — Personal Information Protection and Electronic Documents Act
  • PIPL — Personal Information Protection Law
  • VCDPA — Virginia Consumer Data Protection Act
  • UCPA — Utah Consumer Privacy Act
  • CTDPA — Connecticut Data Privacy Act

The original CCPA allowed Californians to sue an organization, via the private right of action, for data breaches resulting from preventable security failures. Proposition 24, the California Privacy Rights Act (CPRA), expanded and amended the CCPA, and also expanded what qualifies as a breach within the state. CCPA 2.0 now includes email addresses paired with a password or with a security question and answer as information that, if “subject to an unauthorized access and exfiltration, theft, or disclosure,” would subject a company to broader litigation risk.


With potential statutory damages in California ranging from $100 to $750 per consumer per incident, and breaches often involving hundreds of thousands — or even millions — of users, these types of claims could be staggering.

Bottom Line: Work closely with your CISO, Legal, and Privacy teams to understand the many nuances informing security baselines, like the need to encrypt stored usernames (ubiquitously, emails), recovery questions, and passwords, and regularly update cipher suites.

Step four: Align Data Retention & Privacy Policies

Today’s data-driven economy incentivizes businesses to collect and hold more data for some future possible value. Yet, these inclinations conflict with the principle of proportionality enshrined in the GDPR, CCPA, and other modern privacy and data protection frameworks.

Practicing data minimization and storage limitation is an essential part of privacy by design. These principles prompt an organization to step back and consider what personal data is essential to collect, store, and disclose, to what degree, and under which circumstances.

Regularly reviewing company data processes against business needs and retention commitments also supports security by default practices. Less data means less data exposure, reduced data storage costs, and quicker disaster recovery timelines.

Bottom Line: Well-calibrated retention practices — from data collection to data destruction — complement organizational security and privacy management goals.

Step five: Advise Reasonable Data Subject Identity Verification

Modern privacy laws like the GDPR, CCPA, and VCDPA codify a rights-based approach to data protection. Today, more individuals than ever can exercise control over their personal data through consumer privacy requests (known as Data Subject Requests or “DSRs” in Europe).

Requesters can ask to access, correct, port, and in some cases, erase their data. They can also knowingly permit, object to, and, in some cases, restrict how a business uses their data — all while being protected by law from unfair treatment and retaliation. Above all else, the interaction should be easy and effective for requesters.

The DSR process must be safe for businesses and individuals. The security adage of “trust but verify” applies.

By law and sound practice, you must validate that the requester is who they say they are, and has rights to the data in question. To thwart the efforts of those who intend to request and obtain valid credentials illegally, it’s best practice to verify the identity of a requester within seven (7) days of the DSR submission date.

However, collection limitation and data minimization principles also apply. Do you really need a copy of someone’s passport? DataGrail’s knowledge-based Smart Verification tool is a viable, proportional alternative.

Bottom Line: Unauthorized disclosure, alteration, or destruction of personal data is a business-wide risk. However, sound security shouldn’t mean overidentification or other unnecessary friction for requesters. Security, privacy, and legal teams should align on what data they actually need to confidently identify individuals. Proportionality builds trust.

Step six: Contribute to Privacy/Data Protection Impact Assessments

PIAs and DPIAs are indispensable parts of any privacy and data protection program. They’re flexible tools to systematically analyze, identify, and minimize privacy risks and tradeoffs from products, projects, and other activities involving personal data.

A PIA/DPIA helps organizations be more aware of and intentional about the personal data they collect, store, share, sell, or otherwise transfer. Privacy assessments also help determine the contractual, organizational, or technical safeguards to implement for risk mitigation.

No assessment is complete without input from security specialists. Safeguarding personal data using appropriate technical and organizational security measures is crucial. Should access be need-to-know? Will data in transit be sufficiently encrypted? Will existing incident response protocols suffice?

Bottom Line: Privacy is a team sport. Making privacy risk mitigation technically sound and practicable requires Security’s operational and engineering expertise.

Step seven: Validate Security Promises in Privacy Statements

A privacy policy is the central tent pole of any privacy program. It plays an important role in your organization’s public and regulatory relations by making certain privacy and security promises.

Privacy policies commonly have a section explaining the measures taken to protect personal information from unauthorized access, alteration, or destruction. Using language like “commercially reasonable” or even “industry-leading” is permissible.

Organizations have no obligation to disclose trade secrets or other information that may compromise organizational security, but their statements must be truthful. Regulators like the Federal Trade Commission, the California Privacy Protection Agency, and UK Information Commissioner are empowered to fact-check privacy policy statements.

Bottom Line: Work closely with privacy and legal to ensure security representations are being met accurately. What you promise publicly and in contracts matters.

“When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises. The FTC has brought legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information, or caused substantial consumer injury. In many of these cases, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.”

From the FTC’s Privacy and Security Enforcement webpage

Step eight: Holistically Manage Third-Party Risk

Modern organizations rely on third-party vendors and outsourced services for their infrastructure and software supply chain. While these partnerships achieve operational efficiencies (e.g., better tools, reduced hardware costs), they also raise data protection risk questions:

  • Privacy angle
    • What kinds of personal data will the system or service utilize? How? Why?
    • Are there any possible out-of-context uses?
  • Security angle
    • Does the third party provide a secure and trustworthy environment for personal and other company-confidential information?
  • Legal angle
    • Are data protection and service delivery in line with applicable legal/regulatory requirements and associated contractual commitments?

A sound Third Party Risk Management (TPRM) program blends the three angles to provide a comprehensive view of a vendor. TPRM programs ensure:

  • Thorough pre-partnership vendor risk assessments and regular re-evaluations
  • Considerations for privacy and security risks, and any needed regulatory reporting
  • Appropriate contractual controls and restrictions
  • Accurate third-party performance monitoring

Bottom Line: TPRM is another team sport. System inventories, Records of Processing Activities (RoPAs), and PIA/DPIAs all play supportive, collaborative roles in assessing vendor security and privacy.

Step nine: Train The Company

Convincing everyone in the business to care deeply about data privacy and security can be challenging, and let’s face it, you and your security team are extremely busy.

Again, make it a team effort:

  • Train during onboarding and recertify at least annually
  • Bring in marketing and enablement pros to help gamify training and increase employee engagement
  • Set the tone at the top — seek buy-in and socialization help from senior leadership
  • Reinforce how employees can be part of the solution, rather than inadvertently introducing risks due to a lack of awareness

Tip: Summarize key acceptable use and protection policies in employee handbooks — early and often shouldn’t mean novel-length.

Bottom Line: Train new and refresh existing employees. Keep your entire organization up to date on security threats, related data-privacy issues, and your company’s acceptable (and best!) practices.

Step ten: Improve, Iterate, Evolve

Remember that the current regulatory environment isn’t static, and neither are the threats to the personal data under your care. It’s critically important to ensure your privacy and data protection program is flexible and future-proof.

That flexibility will enable you to painlessly bring your company into compliance with new regulations and always keep sensitive data secure.

You should review and adjust your privacy and data protection program when internal or external events like the following occur:

  • New or updated privacy regulations applicable to your company
  • Entering a new market
  • Merging with or acquiring another company
  • Materially changing your data practices

Bottom Line: Achieve privacy agility and mindfulness. An effective, holistic privacy and data protection program should constantly improve, iterate, evolve, and adapt to meet the increasingly complex needs of your business.

Conclusion

How can DataGrail help?

DataGrail is the data privacy company for this era. We help brands minimize risk, stay a step ahead of consumer and employee expectations, and safeguard their reputation. Our complete, enterprise-grade data privacy platform is powered by patented Risk Intelligence technology that detects shadow IT and makes vulnerable data visible so brands can proactively manage risk. Leveraging responsible automation at scale and the largest integration network in data privacy, DataGrail automates privacy workflows across systems to perform risk assessments, accelerate data subject request (DSR) fulfillment, and optimize resources.


DataGrail is headquartered in San Francisco. The world’s most trusted brands partner with DataGrail on their data privacy journey, including Salesforce, Dexcom, Databricks, and Instacart, amongst others. It has 4.8/5 stars on G2 and is backed by leading VCs and strategic investors, including Third Point Ventures, Felicis Ventures, Next47, Cloud Apps Capital Partners, Operator Collective, HubSpot, Okta Ventures, and American Express Ventures.


To learn more about DataGrail, please visit www.datagrail.io or follow DataGrail on Twitter and LinkedIn.