Every Organization Needs a Data Privacy Program
What’s a Data Privacy Program? It’s a comprehensive set of measures for ensuring formalized policies, procedures, and processes are in place regarding how an organization collects, uses, shares & discloses, stores, protects, retains, and disposes of their data. The phrase “their data” means any type of data resident in an organization’s information systems – employee data, consumer data, client data, corporate IP data, state/federal data, etc.
Proven, Nine-Step Process for Developing Data Privacy Programs

1. Assess data privacy drivers.
2. Determine vision & strategy.
3. Obtain buy-in and support from leadership.
4. Conduct data mapping exercises.
5. Assess privacy considerations.
6. Assess “processing” considerations.
7. Remediate gaps & deficiencies.
8. Integrate privacy into the organization.
9. Continuously monitor data privacy programs.

(1). Assess Data Privacy Drivers
The first – and fundamentally important – step in developing a data privacy program is assessing the major data privacy drivers. For example, what is the current ‘pulse’ of your organization in terms of data privacy policies, procedures, and processes? Where is the organization trying to go in terms of data privacy? What legal, regulatory, and client-driven mandates are being imposed on the organization?

(2). Determine Vision & Strategy
Your organization is unique, all the more reason to develop a long-term data privacy vision and strategy that aligns with your specific needs. Organizations therefore need to determine what their goals are and reach clear agreement with senior leadership on that direction.

(3). Obtain Buy-in and Support from Leadership
Any undertaking relating to the broader topic of data privacy ultimately requires buy-in and support from senior leadership within the organization. Without it, programs are often dead on arrival. Senior leadership is focused on results, so lay out a data privacy plan that will produce real, measurable, long-term ROI metrics.

(4). Conduct Data Mapping Exercises
It is now more important than ever for an organization to fundamentally understand how data resident in its information systems is collected, used, shared & disclosed, stored, protected, retained, and disposed of. This can only happen by performing deep-dive data mapping exercises. Ultimately, this means developing a project roadmap for beginning and completing what is arguably one of the more challenging and time-consuming initiatives in developing a data privacy program.

(5). Assess Privacy Considerations
Another key measure when building a data privacy program is assessing privacy considerations: specifically, what are the risks to, and impact on, an individual’s privacy in terms of how their data is collected, used, shared & disclosed, stored, protected, retained, and disposed of?

(6). Assess “Processing” Considerations
It is essential to assess how your organization actually plans to use personal data in terms of “the nature, scope, context and purposes of the processing”. Note that if your organization is subject to the GDPR, assessing “processing” considerations must be done by performing an actual Data Protection Impact Assessment (DPIA).

(7). Remediate Gaps & Deficiencies
Following the completion of data mapping exercises, privacy assessments, and other related measures, control gaps and documentation deficiencies will often be found. You will need to remediate them as necessary.

(8). Integrate Privacy into the Organization
Changing the corporate culture on anything is a challenge, especially on something as significant as data privacy. Out with the old and in with the new can be a formidable task when initiating cultural change, yet it has to be done.

(9). Continuously Monitor the Data Privacy Program
Building a data privacy program is one thing; continuously monitoring it is a completely different challenge. You will need to build and deploy a customized continuous monitoring program to ensure that all of your data privacy measures are regularly assessed against the organization’s overall needs.