July 15, 2019

Last Updated on June 13, 2024

Chances are your business is concerned about compliance with privacy legislation like CCPA and GDPR. Perhaps you’ve undertaken a data mapping exercise and are starting to wrap your hands around the “now what?” part of the process.
What are the practical first steps when addressing privacy requirements? What types of documents and procedures are likely to change first and fastest? I’ll give you a quick rundown of that in this post.
Viewed at the highest level, the goal of a privacy initiative is to reduce the number of places where personal information (PI) ends up. But before you start changing processes, logically you need to create the documents that will guide those changes.
So, in the near-term, the three first to-dos after you complete your data mapping exercise are to write or rewrite:

  1. Your internal privacy policy. This will govern how your business deals with PI. How will you collect, store, use, sell, destroy and/or “forget” data? This document or handbook (in the HR sense) needs to specify all of that.
  2. Your externally facing privacy policy and cookie policy. These explain to website visitors, customers and other external stakeholders how you acquire, store and use their personal data. They also explain how you view consent (permission to use PI) from “opt-in” and “opt-out” standpoints. The latter is an extension of the former, and need not be a separate document.
  3. Your client, employee and vendor contracts and nondisclosure agreements. These will need to specify new privacy responsibilities in alignment with your new policies. Your data mapping exercise probably illustrated that vendors have access to more data than you thought! In some cases you may create a Data Privacy Addendum (DPA) to existing agreements. (Google “data privacy addendum” to see many examples that other companies have created.)

Of course, once you create documents to guide the effort, you need to begin thoughtfully changing your processes and gradually operationalizing the changes. This is where the rubber meets the road, and it can take a while to gain traction.

Why?

Because humans tend to resist change and readily fall back on old habits or workarounds. It’s also not easy to think through all the implications of a process change, even when it’s a simple change.
Say you your new internal privacy policy specifies that you will have a Privacy Steering Committee, which will meet twice annually. Then a year goes by and nobody meets. Why? Because you didn’t operationalize via changes to your work environment and processes how to make the meetings occur. Once you do that, the process becomes just “the way we do things.” But until you do, it’s not real.
Now consider a much more complex example like implementing the “right to be forgotten.” Perhaps you’re a law firm and your current process for screening prospective new hires involves eight people. Applicants send in resumes via email and those get distributed via email to everyone. So to “forget” an applicant, everyone must manually find and delete emails, texts and other communications by, for and about that applicant—probably an arduous task.
This illustrates how privacy directives lead to major process changes to reduce proliferation of PI; e.g., relying more on central data repositories like Microsoft Teams, and putting controls in place to prevent people from making “personal copies” of data, verify that no copies were made, etc. These are likely to be broad, complex changes.
And what about vendors that touch PI? Your agreements will need to state that they must have the ability to “forget” data on demand.
It’s not hard to envision how a privacy initiative will lead to new education and training requirements, ongoing support from your help desk, and more. You’ll be changing longstanding business processes and data flows. This is why privacy compliance changes take times to become effective—you need to operationalize them and never forget, “it’s a process.”