US Private Sector Privacy PDF 2024

Summary

This document is a chapter from a higher-education textbook focusing on information management and privacy risk management within the US private sector. It discusses key material in the study of privacy, including US legal systems, technological aspects, and principles for businesses.

Full Transcript

MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP CHAPTER 4 Information Management and Privacy Risk Management The first three chapters in this book have introduced key material in the study of privacy. Chapter 1 explored fundamental concepts for modern protection of privacy. Chapter 2 explained essential aspects of the U.S. legal system. Chapter 3 introduced the technological aspects of privacy. This chapter focuses on principles that businesses must address as they handle data - information management and privacy risk management. 1 Almost every business, regardless of industry, faces a plethora of decisions in how to handle personal data. These decisions grow more complicated as consumers and regulators demand more from businesses related to the privacy and security of this personal data. Businesses that handle socalled sensitive data, which often includes medical, financial, or children’s data, are expected to meet an even higher bar as they make decisions about how to collect, use, and possibly disseminate this data. Businesses that operate on a global scale, which is far more common with the internet than it once was, face cross-border data issues that include multiple sets of regulation related to privacy and security. Businesses face significant costs to come into compliance with federal and state privacy requirements as well as legal requirements in other countries. With the enactment of the EU’s General Data Protection Regulation (GDPR) in 2018, a joint survey by IAPP and EY found that companies reported spending more than $1 million per year on GDPR compliance. 2 In the absence of a federal comprehensive privacy law in the United States, the Information Technology & Innovation Foundation (ITIF) estimated in 2022 that the yearly out-of-state cost for compliance in a scenario where all 50 states enact privacy laws would be approximately $100 billion per year. 3 1 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP It is worth pointing out that the cost of mishandling personal data can be significant for a business, both for the short-term impact to the business’ profits and also potentially for its long-term viability as a business. 4 For example, in 2022 IBM found that the global average cost of a data breach is more than 4 million dollars, with costs even higher in healthcare and financial industries. 5 In the longer term, as it relates to the treatment of personal data, numerous studies have indicated that consumer trust (or lack thereof), can have a positive (or negative) impact on a consumer’s decision to engage with a particular business. 6 According to Edelman’s Trust Barometer, trust of a company is linked to purchase decisions, and ethics are more important in creating consumers’ trust of a company than competence. 7 Cisco’s 2022 survey reported that elements of trust are key to consumers’ decisions to be associated with a business. According to the research, consumers expect businesses to be both truthful and transparent about the handling of personal data, and also expect businesses to handle their personal data responsibly. More than 80 percent of participants in the survey reported that the way that a business treats personal data is indicative of the degree to which the business respects its customers. Approximately 75 percent of those surveyed stated they would not buy from a business that they did not trust with their data. 8 When examined through the lens of trust, privacy can be viewed as a core business priority that has the potential to increase consumer loyalty, improve brand perception, drive business outcomes, and lead to higher earnings. 9 This chapter begins by discussing best practices for developing an information management program that addresses privacy and other information management concerns, including security. The chapter then turns to an examination of privacy risk management, focusing on privacy impact assessments, vendor/third party risk assessments, and data breach readiness assessments. The chapter concludes with an overview of key global issues related to data traveling to or from the United States. 2 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP This material should be read in the context of more detailed discussions of legal rules in the other chapters of this book. Numerous chapters in the book look at the legal regulation of privacy, including Chapter 5 (State and Federal Regulators of Privacy), Chapter 8 (Medical Privacy), Chapter 9 (Financial Privacy), Chapter 10 (Education Privacy), Chapter 11 (Telecommunications and Marketing), and Chapter 12 (Workplace Privacy). Two chapters focus on state regulation of privacy – Chapter 6 (State Comprehensive Laws) and Chapter 7 (State Data Breach Notification Laws). Chapter 14 (The GDPR and International Privacy Issues) provides additional insight into the global landscape – with particular emphasis of the EU’s GDPR. This chapter provides a management perspective on how to meet any and all such legal requirements. This chapter draws heavily on the IAPP book, “Privacy Program Management: Tools for Managing Privacy Within Your Organization,” edited by Russell Densmore. 10 We recommend that book (or any update) for those wishing to gain a deeper understanding of these concepts. 4.1 Information Management Information management focuses on establishing, implementing, and monitoring the organization’s privacy program under the direction of a senior person in the organization, such as the Chief Privacy Officer (CPO). Information management requires a combination of skills: legal, marketing, sales, human resources, public and government relations, and information technology. In large organizations, privacy professionals may be part of a team that draws on a mix of these skill sets. Although the details of information management vary by organization, information management generally involves numerous levels of management, where each contributes particular types of expertise and resources. Executive leaders emphasize the needs of the organization as a whole and have the authority to ensure that the organization’s vision is carried out. Frontline 3 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP managers are more familiar with procedural and technical requirements, and typically better understand the problems of the organization’s systems as well as its customers. 11 This section focuses on a variety of topics relevant to information management: the role of the privacy professional; data sharing and data transfers; the privacy program; the privacy policy and the privacy notice; and managing user preferences and user requests. 4.1.1 The Role of the Privacy Professional Privacy professionals need to appreciate both the benefits and the risks of using personal information. PI is essential to most businesses—every organization with employees or even volunteers manages PI. Organizations may collect consumer PI for many purposes, both directly from prospective and existing customers and indirectly through data available from public and private sources. Organizations may disclose information to service providers, affiliates, business partners and government agencies for a wide range of purposes. At the same time, as discussed in this book, many risks can arise from the collection, use and disclosure of PI. Perceptions of acceptable privacy practices vary, creating challenges for privacy professionals. Decades of opinion surveys show that people can be categorized in three groups: the “privacy fundamentalists” (people with a strong desire to protect privacy), the “privacy unconcerned” (people with low worries about privacy), and the “privacy pragmatists” (people whose concern about privacy varies with context and who are willing to give up some privacy in exchange for benefits). 12 Perceptions about privacy risks not only vary within the population, but they also shift over time. Sometimes the shift is toward greater privacy protection. For example, Social Security numbers used to be visible through the envelope window of millions of Social Security and Supplemental Security Income checks mailed by the U.S. Treasury. With rising fears of identity theft, that practice was abolished in 2000. 13 Sometimes the shift is toward less privacy protection. For example, the modern 4 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP world is filled with people who post intimate details of their lives on widely adopted social networks. 14 Sometimes the target of privacy concerns shifts— Edward Snowden’s 2013 revelations about National Security Agency (NSA) surveillance practices raised concerns about privacy from government surveillance. 15 Recent news stories have been filled with concerns about company practices in relation to privacy – from how companies store and protect data to how companies use the consumer data that they hold. With regard to data breaches, the American public typically reacts strongly in the months following such occurrences but has generally been forgiving of these lapses in security over time – particularly when the companies are perceived to have adequately addressed the breach after it was discovered. 16 For example, after the data breach involving approximately 150 million consumers, the credit bureau Equifax was dubbed the “most hated” company in the United States. 17 A year later, Equifax had nearly regained the level of public trust that it had before the breach. This turnaround is believed to be helped by public apologies and online portals to address issues that consumers encountered due to the incident. 18 Members of the public have been less willing to forgive when business models are based on data collection practices that are deemed to be inappropriate and in contrast with consumers’ expectations. The Cambridge Analytica scandal, which involved data from a major platform being utilized by a third party in an attempt to influence both the user and the user’s friends and family, 19 sparked a backlash against numerous major tech companies. 20 Concerns such as these led to worldwide concerns about ‘surveillance capitalism,’ the term coined by Professor Shoshana Zuboff to describe business practices by tech companies to collect data about individuals and to use this knowledge to influence the behaviors of these individuals. 21 At the writing of this book, this widespread angst against the tech community has led officials to pursue numerous antitrust and privacy enforcement measures against these companies in both in the U.S. and beyond, along with consideration of potential legislation. 22 Certain proposals for a federal comprehensive privacy law in the United States 5 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP have included a duty of loyalty, where businesses would be required to act in the best interests of those whose personal data is processed. 23 Although established techniques exist for information security, such as installing firewalls or using industry-standard encryption for communications, 24 there is less consensus about good practice for many privacy issues. Laws vary across jurisdictions and industry sectors, and views about good practice often differ, both within an organization and as defined by external norms. 25 The role of the privacy professional may include: researching laws, guidelines, common practices and tools; educating and communicating to the organization; designing and recommending policies; and monitoring and managing organizational risk. Privacy professionals engage in numerous tasks, such as alerting their organizations to these often-divergent perspectives. Privacy professionals also help their organizations manage a range of risks that can arise from processing personal information and do so in a manner consistent with meeting the organization’s growth, profitability and other goals. Privacy professionals can assist the organization in identifying areas where compliance is difficult in practice, and in designing policies to close gaps between stated policies and actual operations. Setting up the privacy team includes a number of important tasks. One early task for the privacy team is establishing responsibilities and a reporting structure that is appropriate to the size of the organization. It is important to note that the reporting structure can vary considerably from organization to organization. 26 The privacy team should designate a point of contact for privacy issues. Also, the privacy team should determine how to evaluate the work of the team. Another critical task that the privacy team can undertake is to operationalize privacy across the organization. 27 This involves: ensuring that an ethical code of conduct is in place for the organization, with privacy as a core value; developing practical approaches to addressing privacy challenges and to designing to engender trust; and using privacy best practices throughout the privacy program’s lifecycle. 28 6 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP Depending on the size of the organization, numerous individuals with various job titles may be part of the privacy team. The team may include: The Chief Privacy Officer (CPO) is charged with developing and implementing policies related to the data processing and properly handling of personal information. The CPO is typically in a leadership position in the organization. 29 The Data Protection Officer (DPO), a term more widely used in Europe than the United States, is tasked with ensuring that the organization’s processing and properly handling personal information is in compliance with legal privacy requirements. The DPO cannot be directly involved with decision making regarding data processing activities and cannot have other responsibilities within the organization that are in conflict with the DPO role. 30 The Chief Legal Officer is responsible for the legal affairs of the entire organization. Privacy would be one area of concern among many. This function can also be performed by an attorney within the legal department; in a large organization, such an attorney might be dedicated to privacy matters. The Privacy Engineer works to ensure that compliance with legal requirements has occurred through the technical processes of the organization. Although concerned generally with compliance, the focus of a privacy engineer is also to ensure that the strategic direction of the organization better supports customers and those affected by the practices of the organization. 31 For many organizations, this job title can be relatively new, but typically is given a significant amount of responsibility. The Privacy Manager is responsible for development, maintenance and enforcement of privacy policies and procedures within an organization. 32 A privacy manager is typically a mid-level manager within the organization, and may work within a particular business unit. 7 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP The Privacy Analyst manages legal and operational risks related to personal information held by the organization. The Privacy Analyst assesses business unit operations. In addition, the Privacy Analyst develops policies, procedures, and trainings. The position of privacy analyst can be an entry-level position in many organizations. 33 Within an organization, there can also be individuals who play more informal parts related to privacy: privacy champions and ‘first responders.’ Privacy champions can be in an area of the organization. These are individuals within the organization who are passionate about privacy and/or who focus on the details of the legal requirements related to privacy. These individuals do their best to understand and implement privacy requirements. ‘First responders’ are those individuals within an organization who are “on the front lines” so they respond when the organization deals with a specific difficulty. 34 4.1.2 Data Sharing and Transfers This section examines practices and controls for managing PI in the often-complex flows among U.S. business enterprises, both within the United States and across geographic boundaries. For a company seeking to develop a privacy program, it is critical to identify the types, sources, and uses of personal information (PI) within an organization. For a company that already has a privacy program, it is important to remember that this is a process that requires constant updates as business practices evolve and technology changes. In addition, the regulatory landscape is not static. Before examining the practices and controls related to data sharing and transfers, it is likely helpful to remember that data should be managed through its lifecycle, and that approaches which are privacy protecting in one stage may not be as appropriate to accomplish these goals in another stage. The stages of the data lifecycle are: data creation; data storage; data sharing and usage; data archival; and data deletion. 35 It is also worth noting that legal requirements may arise at different stages of the 8 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP lifecycle. For example, numerous states have data destruction laws (discussed in Chapter 7) which mandate requirements in the last stage of the data lifecycle. 36 The section examines practices and controls for managing personal information in the oftencomplex flows among U.S. business enterprises, both withing the United States and across geographic boundaries: data inventory, data classification, data flow mapping, and data accountability. 4.1.2.1 Data Inventory It is important for an organization to undertake an inventory of the PI it collects, stores, uses or discloses—whether within the organization or to outside entities. This inventory should include both customer and employee data records. It should document data location and flow as well as evaluate how, when and with whom the organization shares such information—and the means for data transfer used. One benefit of the inventory can be that it identifies risks that could affect reputation or legal compliance. If a problem subsequently occurs, current enforcement practices indicate penalties are likely to be less severe if the company has an established system of recording and organizing this inventory. The organization’s inventory should be reviewed and updated on a regular basis. This sort of inventory is legally required for some institutions, such as those covered by the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule discussed in Chapter 9 (Financial Privacy). 4.1.2.2 Data Classification After completing an inventory, the next step is to classify data according to its level of sensitivity. The data classification level defines the clearance of individuals who can access or handle that data, as well as the baseline level of protection appropriate for that data. 9 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP Most organizations handle different types of PI, such as personnel and customer records, as well as other information the organizations treats as sensitive, such as trade secrets and business plans. Data that is more sensitive generally requires greater protection than other information held by the organization. It may be segregated from less sensitive data, for instance, through access controls that enable only authorized individuals to retrieve the data, or even kept in an entirely separate system. If all data is held in the same system, temporary or lower-level employees might gain access to sensitive data. Holding all data in one system can increase the consequences of a single breach. In the United States, classification is often important for compliance purposes because of sectorspecific privacy and security laws. As discussed throughout this book, different rules apply to financial services information, medical information, and numerous other categories. An effective data classification system helps an organization address compliance audits for a particular type of data, respond to legal discovery requests without producing more information than necessary, and use storage resources in a cost-effective manner. 4.1.2.3 Data Flow Mapping Once data has been inventoried and classified, data flows should be examined and documented. Questions to be answered in data mapping include: What data does the organization process? Where does the organization process data? Why does the organization process data? An organization chart can be useful to help map and document the systems, applications and processes for handling data. Documenting data flows helps identify areas for compliance attention. 37 There can be different approaches to data mapping. Two common examples are top-down and bottom-up. When undertaken primarily for regulatory purposes, the top-down approach is typically employed. This top-down approach often starts with the Record of Processing Activities (RoPA) which is required under the EU’s GDPR (discussed generally in Chapter 14). The RoPA 10 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP process involves documenting the purpose for processing the PI; the parties to whom any PI was disclosed; the retention period for PI; and details about the safeguards in place for PI. Because this process can be difficult to validate and keep up to date, many organizations have chosen to automate the RoPA process by utilizing technological solutions. 38 For privacy professionals, the bottom-up approach can be insightful and can also incorporate RoPA in one of the steps. This approach includes the following steps: understanding the data assets; data inventory and classification; delineating data processes; and documenting data lineage. With data assets, there are several important questions to ask: Is the environment for hosting data onpremises or cloud-based? Is the data in a structured or unstructured system? Does the organization utilize mainframes or legacy systems? Next, inventory and classification (discussed earlier in this subsection) help to ensure that the data carries with it both identities and risk values. The third step of delineating data processes can be accomplished using Record of Processing Activities (RoPA). Finally, data lineage adds context to the data; metadata is added to the mapping process. Data lineage can be used to identify: “the original source of the data; the most critical data within the inventory; and how data sets are subsequently built and aggregated.” 39 4.1.2.4 Data Accountability Privacy professionals often have significant responsibility within an organization for ensuring compliance with privacy laws and policies. Here are some helpful questions for privacy professionals when doing due diligence and for an organization to consider as it addresses privacy risks: Where, how and for what length of time is the data stored? Data breach laws have focused increasing attention on where and how an organization stores PI. 40 The organization needs policies to address potential risks of data lost from laptops as well as centralized computer centers. An organization should also have retention policies that 11 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP limit the time PI is stored. A limited retention period reduces the risk from data breach—no breach will occur once the data is removed from the system. Some laws require data to be deleted after a certain period or after the reason for collection has ceased to be relevant. 41 How sensitive is the information? As discussed above, data should be classified according to its level of sensitivity. The data management cycle includes many participants—from the data owner to the privacy professional, the information security professional, the vendor (if applicable), the auditor (if applicable) and the end user. Ultimately, however, the data owner is responsible for assigning the appropriate sensitivity level or classification to the information based on company policy. Common categories include confidential, proprietary (i.e., property of the organization), sensitive, restricted (i.e., available to select few) and public (i.e., generally available). Should the information be encrypted? Under many breach notification laws, no notice is required if the lost PI is sufficiently encrypted or protected by some other effective technical protection. Such laws have encouraged greater use of encryption for stored data, and good security practices have included a wider use of encryption over time. 42 Encryption in transit has become far more widespread, including for emails and communications over the web that use HTTPS (the secure version of the widely used HTTP web protocol). On the other hand, encryption can be difficult to implement correctly and may reduce function in some applications. IT professionals should be consulted about how to take advantage of encryption while achieving other organizational goals. 43 12 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP Will the information be transferred to or from other countries, and if so, how will it be transferred? Because different countries have significantly different privacy laws, an organization should familiarize itself with the privacy requirements of both origination and destination countries for transborder data flows. Who determines the rules that apply to the information? U.S. privacy professionals have increasingly used some terms that are included in the European Union (EU) privacy regime—for example, a controller is an entity who “determines the purposes and means of the processing of personal data” and a processor is an entity that “processes personal data on behalf of the controller.” 44 Similar terms for processor in the U.S. include business associate under the Health Insurance Portability and Accountability Act (HIPAA) or service provider under the Gramm-Leach-Bliley Act (GLBA). Privacy professionals should assess which organization determines the rules that apply to the processing of data. If an organization stores data on behalf of another, the organization should expect to be required to meet the privacy policy guarantees of the other entity (the controller) in the use and storage of such data. Most likely, a storing company (or processor) will be required to sign a contract to this effect. How is the information to be processed, and how will these processes be maintained? The processes through which personal information is processed also must be defined. Steps should be taken to train staff members involved in the processes. Computers on which the information will be processed should be secured appropriately to minimize the risk of data leak or breach. Physical transfer of the data also should be secured. Is the use of such data dependent upon other systems? 13 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP If the use of personal data depends on the working condition of other systems, such as a cloud provider or specialized computer programs, the condition of those systems must also be evaluated and updated if necessary. A system that is outdated may call for developing a new method or program for using the relevant data. 4.1.3 Privacy Program A privacy program is critical for most organizations to establish accountability and legal compliance with how personal data is handled. At a minimum, the goals of a privacy program are to: demonstrate an effective and auditable framework to enable compliance with applicable privacy laws and regulations; promote trust and confidence in the organization’s handling of personal data; respond effectively to requests by consumers; address privacy and security breaches; and continually monitor and improve the maturity of the privacy program. In designing and administering a privacy program, an organization should consider and balance four types of business risks: legal risks, reputational risks, operational risks, and strategic risks. 1. Legal risks. The organization must comply with applicable state, federal and international laws regarding its use of information or potentially face litigation or regulatory sanctions such as consent decrees, which may last for many years. 45 The company must also comply with its contractual commitments, privacy promises and commitments to follow industry standards, such as the Payment Card Institute Data Security Standard (PCI DSS). 46 2. Reputational risks. The organization can face reputational harm if it announces privacy policies but does not carry them out. 47 It may also face enforcement actions—particularly from the Federal Trade Commission (FTC). 48 An organization should seek to protect its reputation as a trusted institution with respected brands. 14 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP 3. Operational risks. The organization must ensure that its privacy program is administratively efficient. If a privacy program is too heavy-handed, it may interfere with relationships and inhibit lawful uses of PI that benefit the organization and its customers, such as for personalization or risk management. 49 4. Strategic risks. The organization must be able to receive an appropriate return on its investments in information, information technology and information-processing programs in light of evolving privacy regulations, enforcement and expectations. 50 This section focuses on two main topics: the privacy program framework and the privacy operational life cycle. 4.1.3.1 Privacy Program Framework With a privacy program framework, the organization designs a manageable approach to operationalizing the controls needed to handle and protect personal information. The term framework can refer to numerous processes, templates, tools, and standards that may assist with privacy program management. Using an appropriate privacy framework to build an effective privacy program can: 1) help achieve compliance with the various privacy laws and regulations relevant to the organization; 2) support business commitments and objectives relating to stakeholders, customers, and vendors; and 3) serve as a competitive advantage by reflecting the value that the organization places on the protection of personal data, thereby encouraging trust. Steps in the privacy program framework include: developing the privacy program framework; implementing the privacy program framework; and ensuring appropriate metrics for the privacy program framework. Before undertaking the development of a privacy program, the organization should lay the groundwork for the program by developing the privacy mission statement, and/or the privacy vision. The privacy mission statement can be incorporated into the 15 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP organization’s overall mission statement or can be a stand-alone statement; however, the privacy mission statement should align with the organization’s overall purposes or objectives. Typically, the privacy mission statement is a concise statement describing the core function of privacy within the organization. For example, Stanford University’s privacy mission statement is to “enable Stanford to navigate a dynamic future in privacy through transparent, ethical, and innovative uses of personal data.” 51 As is mentioned in the Stanford approach, ethics can be one of the guiding principles when designing the organization’s approach to privacy. When ethical considerations are baked into the privacy vision for the organization, the approach to privacy can be motivated by building trustworthy relationships with individuals and be less focused on the desire to avoid fines imposed by multiple regulatory schemes. 52 Developing the privacy program framework involves: 1) creating organizational privacy policies, procedures, standards, and/or guidelines; and 2) defining privacy program activities. The topic of privacy policies is discussed in detail in Section 4.1.4. Privacy program activities can cover a variety of topics including: data inventories, data flows, and data classifications designed to identify what personal information the organization processes; risk assessment (such as Privacy Impact Assessments); education and awareness; monitoring and responding to the regulatory environment; monitoring internal privacy policy compliance; incident response; remediation oversight; audits; and handling of complaints by customers and regulators. Implementing the privacy program framework involves numerous components. The organization must communicate the framework to internal and external stakeholders. The organization must understand applicable laws and regulations, and seek to align with regulatory changes. Ensuring continuous alignment with applicable laws and regulations can be challenging, and is also a multifaceted requirement. The organization needs to: understand territorial laws and regulations; understand sectoral and industry laws and regulations; understand penalties for non- 16 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP compliance with these laws and regulations; and understand the scope of authority of oversight agencies. The organization must review data sharing agreements, including international data sharing agreements, vendor agreements, and affiliate/subsidiary agreements. Ensuring appropriate metrics for the privacy program framework is also critical. The four main steps for ensuring these metrics are: 1) identifying intended audience for metrics; 2) defining reporting sources; 3) defining privacy metrics for oversight and governance; and 4) identifying systems/application collection points. Notably, although defining privacy metrics can vary by organizations, there are numerous topics to consider. Compliance metrics can include: responses to data subject requests, disclosures to third parties, incidents (such as breaches), employees trained, privacy impact assessment (PIA) metrics, and privacy risk indicators. Additional privacy metrics, beyond those specifically focused on compliance, include privacy program return on investment (ROI), business resilience metrics, privacy program maturity level, trend analysis, and resource utilization. 4.1.3.2 Privacy Operational Life Cycle The privacy operational life cycle should consider measurements, improvements, and the ability to support the program. This approach focuses on refining and improving the privacy processes, with the goal of continuously monitoring and upgrading the privacy program. The privacy operational life cycle has four stages: assess, protect, sustain, and respond. Assessing or measuring an organization’s privacy regime includes: document the baseline of the privacy program; evaluate processors and third parties; identify operational risks; and document the assessment. Protecting information assets, through the implementation of industry-leading privacy and security control and technology, includes: reviewing access controls and technical controls; 17 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP reviewing incident response plan; and integrating privacy requirements into functional areas of the organization (such as Human Resources). Sustaining or evaluating the privacy program through communication, training, and management actions involves a number of steps. These include: monitoring compliance with privacy policies; monitoring regulatory changes; auditing compliance with privacy policies and standards; and holding employee, management, and contractor trainings. Responding has numerous possible topics ranging from supporting consumer rights to addressing privacy incidents. Organizations are expected to respond to consumer requests for information as well as to ensure privacy rights are respected. Request from consumers can relate to numerous topics, including access, redress, and correction. Consumers may also make requests concerning rights, such as the right to erasure or the right to be informed. Organizations must also address consumer complaints as well as any appeal processes. With regard to privacy incidents, organizations are expected to have measures in place related to: legal compliance, incident response planning, incident detection, incident handling, incident reduction techniques, and incident metrics. 4.1.4 Privacy Policy and Privacy Notice This section focuses on two interrelated topics: the privacy policy and the privacy notice. In this chapter, the term privacy policy is used to refer to the internal document in an organization that is used to implement privacy goals and strategic vision. The privacy policy informs relevant employees and contractors about how PI must be handled. A privacy notice is an external statement that provides transparency concerning the organization’s privacy practices and is directed at customers (and potential customers), users, and employees, in certain instances. Both the privacy policy and the privacy notice describe how personal information will be collected, used, shared, and stored. If an 18 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP organization violates a promise made in a privacy policy that is also communicated in the privacy notice, then the FTC or state attorney general may bring an enforcement action for a deceptive practice. 53 4.1.4.1 Privacy Policy The privacy policy is a high-level document that helps an organization meet policy goals contained within an organization’s privacy vision or mission statement. One of the main focuses of the privacy policy is to explain how personal information is handled by the organization. This means privacy policies are central to privacy programs. As discussed in the numerous chapters in this book, privacy policies also are important as legal documents. It should be noted that privacy policies are distinct from the standards, guidelines, and handbooks that focus on methodologies for meeting policy goals. 54 4.1.4.1.1 Components of the Privacy Policy Typically, the privacy policy will have the following components: purpose, scope, applicability, roles and responsibilities, compliance, and sanctions for non-compliance. Purpose – The purpose explains why the policy exists and explains the goals of the organization’s privacy program. Scope – The scope defines the resources (such as information) that the privacy policy protects. Applicability – Applicability explains whether the privacy policy applies to customers, employees, contractors, third parties, etc. Roles and responsibilities – The privacy policy assigns responsibilities for privacy to roles throughout the organization. The privacy policy delineates responsibilities of leaders, managers, and employees as well as contractors and vendors. 19 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 4 – as of 01/22/2024 © IAPP Compliance – Compliance is typically one of the main topics in the privacy policy, and generally entails monitoring activities and enforcement through disciplinary actions. Organizations should keep records of actions taken for non-compliance with the privacy policy. Penalties and sanctions for non-compliance –Non-compliance with laws and regulations can subject the organization to significant penalties and sanctions. Privacy practitioners should keep abreast of the changing legal and regulatory requirements to which the organization is subject. 4.1.4.1.2 Decision: One or Multiple Privacy Policies? An organization must determine whether to have one privacy policy that applies globally to all its activities, or multiple policies. One policy will work if an organization has a consistent set of values and practices for all its operations. Multiple policies may make sense for a company that has welldefined divisions or lines of business, especially if each division uses customer data in very different ways, does not typically share PI with other divisions, and is perceived in the marketplace as a different business. Sometimes separate corporations decide to use a common privacy policy. For financial holding companies, the same corporate name may be used by multiple subsidiaries and affiliates, and a single privacy policy can avoid complications in handling PI. For example, mutual funds and their advisors are separate corporations, but may decide to adopt a joint privacy policy and a joint form of notice. 55 All the mutual funds in a corporate “family” may use joint notices. Conversely, using multiple policies can create complications. One division’s privacy policy may be more stringent in a particular way than another division’s, preventing sharing of customer 20 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.