As the old saying goes, "Practice is the best of all instructors".
With that in mind, we looked to identify common traits in companies running effective privacy management programs, and here are our top 7 practical insights to help improve yours.
Unless you have unlimited time and budget, there is no such thing as perfect privacy compliance.
What you can aim for is adequate, or sufficient levels of privacy compliance, at the intersection of regulatory pressures and the risk appetite of your organisation.
To prioritise compliance initiatives, you need to take a strategic, risk-based approach that considers the specific needs and circumstances of your organisation. This will allow you to determine the most important areas to address first.
After evaluating the current status of your privacy management program and identifying the most pressing issues, establish a timeline to address them one by one and enlist executive buy-in where needed.
Compliance is not solely the responsibility of the compliance team. Every person who handles personal data should know at least the basic privacy management concepts and be ready to play their part.
Identify and designate privacy management champions — key stakeholders from every department of the organisation — who will both supply information to the privacy team and disseminate it to the rest of their own team.
Also make sure that top management understands the amount of support and resources required to ensure the effectiveness and continuity of your organisation’s privacy management program.
Building and maintaining a proper record of processing activities (ROPA) is essential for any privacy management program, as the ROPA forms the foundation for any and all compliance efforts, offering a clear picture of how personal data is being collected, stored, accessed, and used throughout the organisation.
A properly maintained and monitored ROPA allows you to:
If your organisation still uses spreadsheets to keep the ROPA, you might want to look into this article we published a while back: Feeling lost in GDPR spreadsheets? Hopefully, it will help you get out of the spreadsheet labyrinth.
Since managing privacy involves both legal and security considerations, and there is significant overlap in the information needed, it makes sense to save time and increase efficiency by fostering collaboration between departments and creating a common repository of information to avoid redundant work.
This will help your teams save time and work by reusing commonly available information, and will also assist in identifying potential gaps in compliance arising from the different perspectives of privacy management and information security.
As an added benefit, this will help avoid annoying your colleagues by asking for the same information multiple times.
For more in-depth information on this topic, have a look at this article: Privacy Management & Information Security - Two Sides of the Data Protection Coin
People are becoming more aware of their rights, and the number of people testing whether organisations are prepared to respond to data subject access requests (DSARs) is increasing (sometimes out of curiosity, sometimes out of necessity, but also sometimes as a way to express their dissatisfaction).
Failing to answer DSARs in a timely manner (under the GDPR, generally within one month of receipt) is a sure way to get complaints to your local Data Protection Authority (DPA), potentially leading to an investigation and a fine.
Test your procedures and establish checks to ensure that you’re prepared to respond to the most common data-subject request scenarios faced by your organisation on time and in an accurate manner.
A fair number of fines are issued not for external IT breaches, but for inadequate handling of data-supporting assets such as printed documents, storage media, or electronic communication channels.
As most of the data and information found within an organisation is digital, the InfoSec team generally uses various technical tools to find and classify it, but might find it hard to keep track of these kinds of assets.
As the privacy team has a more people-focused approach — frequently talking with colleagues in each department — make it a point to ask questions about these assets and bring them into the analysis flow.
“The only constant is change.” That’s why it’s very important to put a system in place that can help you find out when change occurs.
As a minimum, you should schedule regular reviews of your ROPA and keep an inventory of all privacy-related documents together with their next planned revision dates.
We hope these 7 practical suggestions will help you build a more effective privacy management program. If you have any suggestions or comments we would love to know your thoughts.
Did you find this article helpful? Stay tuned for more by 📌 following our Social Media pages and/or 👉 subscribing to our Newsletter. We'll keep you up to date on topics such as Privacy Management, Information Security, and GDPR compliance.