Articles

16 Elements of a Data Privacy Program

Written by Matt Davis, CIPM (IAPP) | July 7, 2023

Once you know what a data privacy program is on a basic level, the next question is clear: “What actual activities do I need to carry out in a data privacy program?” 

We’ve identified 16 key elements of a privacy program—if your program doesn’t address these elements in some way, then you’ll know what to target next as your program grows more mature. 

Odds are, you’ll have more robust practices around certain elements relative to others; that’s totally okay. Data privacy is different for every organization, and even an organization with mature data privacy practices will need to prioritize these different activities and deliverables. Regardless, if you feel like your data privacy program is in need of some direction, then this article is for you. 

1. Notices  

It’s both compliant with data privacy regulation and a nice thing to do: Providing notice to your consumers about what data you collect, why you collect it, and what you do with it is essential. To meet this need, privacy programs manage privacy policies, cookie policies, and other types of notice and disclosures. These notices need to be accurate, maintained over time, and kept in compliance with new and changing data privacy laws, making their management a key function of a data privacy program.  

2. Data Inventories and/or Records of Processing Activities   

In order to achieve good data governance and compliance with data protection and privacy regulations, it is essential to understand the following: 

  • What personal data your organization collects.  
  • Why it’s being collected. 
  • Where it’s stored.  
  • Where and how it’s transferred.  
  • With whom data is shared. 
  • And similar information.  

Under the GDPR, this practice is a formalized requirement known as a record of processing activity, or RoPA. While many data privacy laws do not require a RoPA or do not refer to this document in the same way, establishing a catalog of data processing activities across your organization is crucial for a well-functioning data privacy program.  

3. Privacy Impact Assessments   

Data privacy impact assessments (DPIAs) and other privacy risk assessments enable you to identify sources of privacy risk. With a healthy assessment process, you can determine when these risks can be mitigated, when they are unacceptably high, and when they are tolerable.  

4. Privacy Incident and Breach Response

Data breaches are growing more common and more expensive, and they aren’t limited to just the big players. Consider the fact that: 

Privacy professionals must develop a plan to prepare for, respond to, and mitigate the impact of privacy incidents and breaches. Doing so effectively requires a clear understanding of whose data you have, where that data lives in your organization, where it is processed, who it has been shared with, and the controls behind which that data is protected. 

5. Resourcing

Without adequate resources, there is little a privacy program or privacy professional can accomplish. It can be challenging to build a data privacy business case for adequate budget, tooling, and staffing; privacy is so often seen as a cost center, and stakeholders who are unfamiliar with the demands of privacy may be inclined to reduce cost as much as possible. Despite the challenges, building a business case is essential for a well-functioning data privacy program. 

6. Privacy Awareness and Training

Because personal data is processed across an organization, an effective privacy program encourages collaboration with various other departments.  

There may be data store owners with intricate knowledge of their associated processes and systems, but little understanding of the need to protect the personal data they process. 

Privacy professionals need to spread awareness and conduct training in order to educate stakeholders about:  

  • The importance of privacy. 
  • How to handle personal data in accordance with legal and regulatory requirements. 
  • What specific actions to take to streamline privacy risk management. 

7. Privacy Culture

Because data privacy activities are often interdisciplinary and interdepartmental in nature, other stakeholders’ understanding of and attitudes toward privacy will have a major impact on privacy professionals’ ability to do their jobs.  

While there is an overlap between privacy awareness and training and a culture of privacy, they are not exactly identical concepts. For one, a robust training and education process contributes to a culture of privacy but does not guarantee it. 

8. Consent Management

Consent management—that is, obtaining, managing, and documenting the consent of individuals for the collection, use, and sharing of their personal information—is a key component of both privacy ethics and regulatory compliance.  

Organizations need to consider the nature of consent management requirements as per their governing law, such as whether consent must be opt-in, opt-out, include specific language or consent controls, and so on. You’ll also need to consider how to operationalize data subject consent preferences, how to prove and record consent preferences without violating privacy, and additional factors. 

9. Subject Rights Request Management

Subject rights request management refers to receiving, processing, and responding to requests from data subjects to exercise their data privacy rights, such as the right to access, rectify, delete, or restrict the processing of their personal data. Data subject rights requests can be one of the most visible aspects of your organization’s data privacy operations. Consumers won’t always be aware of what work you do on a day-to-day basis, but they will notice if your privacy program is unable to meet their request within required timeframes or if your response contains errors.  

10. Data Minimization and Purpose Limitation

Many consumers are comfortable with businesses that want to use their personal data for one specific, disclosed, and limited purpose. The trouble comes when organizations hold onto their data indefinitely and use it for a multitude of purposes that aren’t disclosed. At the same time, premature deletion of data can hinder operations.  

That’s why the concept of purpose limitation is important—your organization should know and declare what consumer data will be used for prior to collection. Once you’ve completed that purpose, you must delete or anonymize the data. 

Going further, data minimization requires you to collect only the data you need to meet that purpose and no more. As you might imagine, operationalizing these two principles is easier said than done. 

11. Contract Management

Modern businesses rely on a small galaxy of vendors, partners, outsourcers, and others to operate. Since they often share personal information with these third parties, it’s important to have a legally sound mechanism that guarantees these third parties treat your customers’ information appropriately. Data privacy regulations typically require data processing addendums for that very reason.  

Contract management refers to the process of ensuring that privacy obligations are incorporated into contracts with third-party service providers and vendors. Privacy professionals need to work closely with legal and procurement teams to identify when contracts need language addressing data privacy, which existing contracts must be updated, and how to negotiate new contracts with privacy-related language. 

12. Vendor Risk Management

Once your customers’ data passes to a third party, there’s little you can do to continue to protect it unless you engage in robust vendor risk management processes. There is a significant overlap between vendor risk management and contract management. However, aspects of vendor risk management are not related to contracts; similarly, not all contract-related privacy issues involve vendors.  

13. Security

Considering all the trouble privacy professionals go through to ensure individuals’ personal data is treated respectfully, it should come as no surprise that taking adequate and reasonable security measures is an essential element of a privacy program. Most privacy regulations do not specify what exactly constitutes “reasonable security,” so it is important that organizations take steps to review their technical, administrative, and organizational security controls. 

14. Privacy by Design

When developing new products, services, or anything that may process personal information, it is tempting to consider factors like privacy at the very end of the process. But this increases the odds that personal information receives little protection or none at all. 

Privacy by design ensures privacy factors are considered early in the development process. While the onus of implementing privacy-by-design principles lies with the developers, strategists, and project managers who work on the various initiatives that may involve personal information, privacy professionals can take certain steps to encourage privacy by design. 

15. Governance and Accountability   

Governance and accountability refer to the policies, procedures, and processes that an organization puts in place to ensure that its data privacy program is effective and compliant with relevant laws and regulations. It also includes the mechanisms for ensuring that individuals and teams within the organization are held accountable for meeting the organization's privacy obligations. Without such a system in place, proving compliance, ensuring follow-through, and identifying compliance gaps are significantly more challenging. 

16. Program Management   

Data privacy program management involves the overall strategy, planning, implementation, and continuous improvement of an organization's data privacy program. Taken together, the individual elements described in this article serve as a good approximation of a data privacy program, but the whole of a privacy program is more than just the sum of its parts.  

This element represents the holistic, end-to-end management of a data privacy program. That includes everything we’ve discussed here as well as any other privacy program elements unique to your organization. 

Putting It All Together 

So, that’s a lot of information overall. How do you put it together? Coordinating 16 different elements of a privacy program seems like an overwhelming task, especially since most privacy functions only have a few experts on payroll. 

One way is to take a step back and simplify your perspective. It’s good to be familiar with these different elements, but it could be more useful to think about your privacy program in terms of overall maturity. That's why Osano developed a privacy program maturity model. It describes five different levels of privacy program maturity.

Combined with these 16 privacy program elements, this maturity model will help you identify where your organization is today, and what it needs to do to get to the next level.