By: Naheed Bleecker, Director of Cybersecurity and Governance
Did you know you can operationalize your privacy policies without extra training, staff, or headaches?
The onslaught of privacy regulation has been relentless, both internationally and in the United States. Due to the absence of a national privacy law, individual states have been passing laws that will go into effect in 2023: the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act. Currently, four more states have active privacy legislation (Michigan, New Jersey, Ohio, and Pennsylvania). Almost all the remaining states have either proposed legislation or are reviewing these laws in committees. Many US entities had a “dress rehearsal” regarding privacy when the EU passed the GDPR in 2018 and began some preparations. However, any documentation zealously produced in 2018 has generally gone stale and gaps continue to grow. Of course, many organizations deferred GDPR compliance and are now facing the daunting task of meeting the requirements of the States’ privacy laws, with a potential federal law looming in 2023.
Budgets remain tight across many departments, including Legal, Information Security, and IT. Securing an FTE (or two, or three…) to be responsible for the many tasks required to create and maintain a privacy program is one option; a viable alternative is outsourcing those tasks by leveraging Privacy as a Service. Accountability should remain with an employee, such as a Chief Privacy Officer or Data Protection Officer, whose role is to make decisions about the organization’s risk tolerance, which impacts key components of the privacy program, Privacy Impact Assessments (PIAs), and Data Protection Impact Assessments (DPIAs). A privacy consultant can help plan and execute all the operational activities needed for the privacy program and assist with compliance documentation, such as data inventories and Data Subject Access Request process flows.
The best way to operationalize privacy policies is to work with a partner that provides the flexibility needed to mature your privacy programs. Innovative Driven recognizes this need. Through our expert consulting, we start at the beginning to establish a new program and assist during those busy times when documentation needs to be reviewed and updated. For example, data inventories need to be updated whenever there is an update to a product or service and on an annual basis. An organization may have had the required momentum in 2018 to complete documentation for compliance with the GDPR, but have those data inventories been maintained? Have some business processes moved into the mandatory risk assessment territory because the business or scope has changed? Even if the organization has an assigned privacy team, updating hundreds of data inventories can be daunting and this is a great use case for bringing in privacy experts to help with the effort. Another scenario is when an organization may be searching for a privacy leader or team member but still needs immediate help.
Innovative Driven privacy consultants can step in and complete required activities while a permanent employee is hired. We offer many options to build or improve your privacy program, including training, guidance on best practices, documentation, and other options.