1. Make governance the foundation of your program.
At the governance stage, the goal is to understand the changing regulatory landscape your organization faces, and dig deep into the complexities specific to your organization. You’ll flesh out the links between DPP and business initiatives, such as digital transformation and analytics. By uncovering the gaps between current and desired state, you’ll start to shape your approach to DPP regulation compliance, while checking important themes like current data processing roles, responsibilities, data leakage procedures, data flows, and data usage.
Next comes the bridge from that fact-finding to a ‘privacy by design’ approach, in which you draw up a practical roadmap. This includes clearly stating goals and purposes to foster organizational acceptance. At this stage it’s important to factor in data flow mapping, data breach notification and incident management processes, privacy impact assessments, and a privacy management and accountability program.
2. Assess your use of data from all angles.
You can make great use of the data your organization collects while simultaneously enabling privacy compliance. Having the full picture of the ways your organization currently uses data is the first step to understanding where hidden opportunities lie. Will it be necessary to anonymize data in your future state, or should you pseudonymize data tags? Does your identity and access management program both meet DPP compliance requirements and respond to broader organizational needs? Does cross-border data management require specific policies? Do you have the right data retention and records management structure in place? On the flip side, do you understand the organization’s data flows deeply enough to mitigate leakage effectively and respond to incidents? Asking these critical questions now plays a big part in fleshing out your program approach and ensuring it is ultimately fit for purpose at your organization.
3. Validate, validate, validate.
Every organization is unique, and the same is true of its DPP needs. Organizational set-up, maturity and resourcing will all play a part in determining how your program ultimately comes together and how you’ll support it over the long term. You may decide to outsource repeatable tasks by using services such as a managed privacy impact assessment. Or you may find you need guidance to support monitoring activities through managed data privacy analytics. At the validation stage, testing the design can help you determine where you might need to invest differentially, and plan accordingly.