This content is part of the Essential Guide: Protect information like a pro: A guide for enterprise CIOs

Privacy and data protection governance in five steps

From data privacy scope to mapping laws to business requirements, Forrester Research outlines five steps to privacy and data protection governance.

Data is the lifeblood of your business, but as data volumes explode, it is becoming a herculean task to protect sensitive data and prevent privacy infringements.

Companies must understand the laws, regulations and standards for privacy and data protection, as well as ensure compliance with those rules. But where do you go to understand this vast landscape, especially when laws vary drastically from country to country, and even state by state? Where do you start? And is it even your job?

This legal and regulatory landscape is not going away, as much as doomsayers would like it to. In Forrester's Data Security and Privacy Playbook, we developed a five-step privacy governance framework that enables you to deal with privacy head-on, instead of waiting helplessly for harmonization and remaining paralyzed by fear.

Step 1: Define data privacy scope

Understanding the extent of your geography is the first step in knowing your compliance requirements. For example, if your firm does business in all US states, Canada and Mexico, you must consider the laws of every individual state, US federal law, and the national laws of Canada and Mexico. That is at least 50 data privacy laws in total.

In addition, definitions of personal data vary greatly. In California, for example, authorities now treat a ZIP code as personal data in and of itself, while other states consider it personal data only when it is combined with other data elements. Without knowing which of the data types you handle qualify as personally identifiable information, and how they are classified, it is impossible to protect them appropriately.

Step 2: Determine organizational roles and responsibilities

Misinformed companies often dump privacy and data protection on the shoulders of security professionals. Because these professionals manage and secure the organization's data, it is assumed that they should also be responsible for keeping track of the privacy landscape and its legal implications. In fact, according to Forrester Forrsight's 2012 Security survey of 2,383 IT executives and technology decision-makers, 49 percent of security organizations today believe that they are fully responsible for managing privacy and regulations, and 77 percent believe that they are at least half responsible.

Lacking a legal background, security professionals must distribute the accountability and involve multiple departments across the organization to ensure compliance, but be careful not to make security your next silo. One senior partner at a major consultancy illustrated the dilemma this way: "People hear the words personal data, and they assume it is IT. IT says it is security. In fact, a major part of this issue does not involve data protection, IT or security."

To remedy this situation, consider hiring a dedicated privacy professional or chief privacy officer to ensure that compliance activities are carried out across the organization.

Step 3: Map laws and regulations into business requirements

One of the most common challenges we hear from clients is translating this rainbow of standards into real-life requirements, controls and business practices. Because the lack of harmonization is such a complex issue for most organizations, Forrester recommends creating internal control-mapping tools.

A chief privacy officer at one of the world's largest organizations told us that the organization recently implemented an online privacy tool and process map. By bringing together lawyers from around the world, they examined the relevant legal requirements and embedded the tool directly into business processes. While reliance on humans may still be necessary at times, the tool allows projects to self-determine their requirements and to seek expensive legal help and organizational engagement only in special circumstances.

Step 4: Embed privacy compliance in organizational culture

As with any compliance program, privacy must be deeply woven into the culture of the organization. This includes identifying corporate-wide compliance gaps, creating a plan to close those gaps, and implementing policies and procedures to do so. Persistence will be key. As one security manager told us, "You have to keep your eyes out and remain persistent in your conversations with people until you understand what's happening and communicate to them what they need to do."

Step 5: Continuously monitor requirements

Just when you have steered through the murky waters of privacy compliance and finally settled on a framework, you may run into sudden or unexpected changes in laws and regulations. Do not allow this to slow your momentum. Remember that privacy and data protection laws are continuously evolving, that your compliance program must evolve with them, and that security is just one piece of the privacy puzzle.

Jinan Budge is global council manager for Forrester Research's Security & Risk Council, and Heidi Shey is a Forrester analyst serving security and risk professionals.
