With data privacy and protection regulations gaining momentum across geographies, a robust and mature data privacy governance program has become an imperative for organizations. Data privacy governance is not just about compliance: it is what delivers the real benefits of an ongoing data privacy program.
The demands of a burgeoning data economy, against the backdrop of the pandemic, have shifted the focus to an online world, whether it is finance, healthcare or retail. Companies face extinction without an online presence through which to continue delivering services, products and value to end users and customers.
A significant change is the shift in user behavior patterns towards ecommerce, digital payment, online banking, eHealthcare, and many other online avatars. An immediate outcome is the tremendous growth in the volume of personal and sensitive data being stored, processed and transmitted across the data economy. Organizations are also adopting cloud in a significant way, to stay nimble-footed against competition. This has resulted in personal data moving into an environment managed by the cloud provider.
Given this scenario, organizations have to be conscious of the impact on personal data and how strongly it needs to be safeguarded through their existing privacy programs.
Since the implementation of the General Data Protection Regulation (GDPR), organizations have become increasingly aware of the various controls, and they have initiated privacy programs. However, while these programs exist, and as organizations mature in adopting best practices, technologies and processes for robust data privacy and protection measures, they must also implement sound privacy governance.
The privacy programs driven in organizations already include an element of governance. However, this is often diluted by everyday transactions, the movement and change of stakeholders, newer regulations and so on.
Even as organizations implement various aspects of privacy, from cookie consent to data subject rights, it is critical to ensure that data privacy governance is aligned with the data privacy machinery.
Here is a distilled list of ten considerations for data privacy governance in a digital world to help organizations stay on top of privacy programs:
Sharpen data classification: Privacy programs already include data classification and mapping of data flows as the first step towards building privacy controls. This needs to be sharpened further to cover newer personally identifiable information (PII) definitions, expanded geographies, and a growing business application footprint.
Ensure governance policies are well defined and available: The data privacy governance policy framework must be available across knowledge management sites.
Assign data ownership across the stakeholder ecosystem: Identify stakeholders and owners to drive, monitor, and govern the data privacy program, with a defined privacy organization that brings together multi-skilled people across functions such as legal, information security, privacy, business, and IT.
Assess privacy frequently: Conduct periodic privacy assessments to evaluate the as-is status, with risk-based analysis and measures to address any gaps.
Start at the beginning: Include privacy in the overall blueprint of the organization as a part of governance. Also, ensure that it is followed through with checks and balances for new and upcoming business requirements.
Measure your progress: Dashboards and reports that give an overarching view of the various aspects of the privacy program, with measurable progress supported by well-defined KPIs and metrics, are critical.
Meet the stakeholders: Ensure regular steering committee meetings with stakeholders and sponsors to track privacy vitals and sound off any alarm bells.
Know the rules: A continuous process should be initiated to identify the new and upcoming data privacy regulations and compliance requirements.
Create awareness: Privacy awareness programs across the organization can bring everyone up to speed on privacy, its impact, protecting personal data, and so on. Programs can be woven into the academic curriculum for new members.
Listen to the change: Continuously analyze and monitor the impact of changing regulations, a growing business footprint from new services and products, and expansion into newer geographies on the organization's privacy posture.
The endgame is not just about meeting compliance requirements driven by regulations but also ensuring that personal data is protected and privacy requirements are addressed through sound governance.
If you are interested in learning how Wipro is helping our clients achieve their vision of a sound data privacy governance program, connect with us.
About the author
Rupa Parekh is Practice Director with Wipro Limited, and has around 18 years of experience in various consulting, business and delivery roles in the information security domain. She is an accomplished risk and compliance leader with extensive experience in data privacy and protection. She is passionate about creating and delivering effective and efficient solutions to clients in their information security journey in the fast-paced digital world.