
Privacy Management Program

With privacy now an integral part of every organization, a more robust approach is needed to handle it. This has led to the creation of the ‘Privacy management program’ (PMP), a holistic and unified approach to handling privacy that can be adopted by organizations, companies, and agencies of any kind.

Why is a Privacy Management Program needed?

With the introduction of GDPR in 2018 and other privacy laws such as COPPA and PIPEDA (Canada), privacy management programs have become a necessity for organizations for a variety of reasons. The following list shows why such a program is needed:

  1. Copious amounts of data flow around organizations today, and this data has to be well guarded
  2. ‘Privacy’ is now considered a serious concern for the organization
  3. It instils a privacy culture within the organization, for both management and employees
  4. It embeds privacy compliance within the organization
  5. It increases efficiency and accuracy by automating privacy management activities
  6. A ‘Privacy management program’ reduces the likelihood of privacy breaches and related risks

Components of a Privacy Management Program:

There are three important components of a PMP. They are:

  1. Organizational commitment
  2. Program controls
  3. Continuing assessment and revision

1. Organizational commitment:

As with all things, organizational commitment is the foremost thing that is needed to implement privacy in an enterprise. Organizational commitment involves:

I. Senior management support 

Senior management should endorse a privacy management program fully and wholeheartedly. They should support and endorse the privacy officer and give them complete resources to operate the program effectively and successfully within the organization.

II. Appointing and empowering a ‘Data protection officer’ (DPO) or a privacy officer

A ‘privacy officer’ or ‘Data protection officer’ must be appointed for the organization. Once a ‘privacy officer’ or DPO is appointed, their role must be communicated to all within the organization. It is the duty of the privacy officer to establish program controls, design employee training, and conduct regular privacy assessments.

III. Reporting mechanisms must be established

Any good privacy management program needs good reporting mechanisms. Reporting mechanisms ensure that the privacy program is functioning as expected, and the reports can be viewed by the management and the employees of the organization.

An internal review or audit process is one type of reporting mechanism.

2. Program controls

Program controls enable the organization to comply with privacy management practices.

Here are a few program controls that can be adopted:

  1. The first step in implementing program controls is to keep a record of all personal information. The organization must maintain an inventory of the personal and personally identifying information it collects. The inventory should contain information such as the type of personal information, the sensitivity of the information, the location where it is stored, the reason for collecting it, and the data retention schedule.
  2. Policies are the backbone of the security landscape, and they are an integral part of establishing controls in the privacy management program as well.

Policies, procedures and guidelines have to be laid out regarding the collection of information. These policies help employees understand how personal information is collected from users, how users are notified when information is collected, how consent is obtained, and more.

  3. Training employees on the policies and procedures related to the PMP, breach management and response, and conducting risk assessments are other program controls that can be implemented in a privacy management program.

3. Continuing assessment and revision

Every program needs constant monitoring and revision, and the PMP is no exception. This continuous monitoring and assessment ensures accountability and compliance.

Continuous assessment and revision involves two steps:

  1. Develop an oversight plan
  2. Assess and revise the program controls

Develop an oversight plan:

This plan lays out the schedule for when the policies and guidelines will be reviewed. In addition, if there is a privacy breach at any point in time, the policies and guidelines have to be reviewed and revised immediately.

Assess and revise the controls:

All controls should be regularly monitored, audited and revised accordingly. The monitoring should answer questions such as:

  1. What are the latest privacy threats?
  2. Are the controls managing the latest privacy threats?
  3. Is training being given to the employees?

The answers to these questions should be documented and acted on accordingly.

These are the highlights of a privacy management program. Each PMP can be modified according to the needs of the organization. For more of InfoSec Train’s courses and webinars, do visit us at this link.

AUTHOR
Jayanthi Manikandan
Cyber Security Analyst
Jayanthi Manikandan has a Master’s degree in Information Systems with a specialization in Information Assurance from Walsh College, Detroit, MI. She is passionate about information security and has been writing about it for the past 6 years. She is currently a Security Researcher at InfoSec Train.