Privacy and access operations are an increasingly important functional area in organizations and businesses that process personal data governed by privacy laws, such as GDPR, HIPAA, PIPEDA, and DPA.
PrivacyOps is a new organizational model that automates and unifies privacy and access operations across functional areas, such as marketing, sales, service, finance, and HR. PrivacyOps utilizes the Privacy by Design framework in order to align an organization’s resources and processes, and to deliver privacy compliance while freeing up resources to focus on their key business objectives and increasing customer trust.
When applied effectively, PrivacyOps can lead to dramatically improved critical business metrics, including conversion rates, referrals, customer retention, and revenues.
Note: this framework is not intended to constitute legal advice or offer comprehensive guidance.
The information presented in this framework is for information purposes only and should not be construed as legal or other advice for any particular issue, topic, or subject, including compliance with relevant regulations or laws. You must consult a professional and licensed advisor with expert knowledge of your particular situation for any such advice.
What is Privacy Ops?
What does PrivacyOps Success Look Like?
PrivacyOps leaders provide key stakeholders (customers, employees, and partners) the means—through an automated, user-centric, and always up-to-date experience—to intuitively, easily and respectfully exercise their privacy and data access rights.
Privacy and access control systems detect, predict, and report non-compliant events; they operate across all departmental and intra-organizational boundaries; and they are always prepared to demonstrate proof of privacy and access compliance.
About PrivacyOps Framework
Feroot interviewed data privacy, governance, access rights, cybersecurity, IT operations, enterprise planning, marketing, sales, and customer success experts across a wide variety of industries.
We used this data to create the definitive Privacy Operations framework — PrivacyOps.
PrivacyOps is a new department that manages the full cycle of data operations across customer, employee, and back-office lifecycles.
Today’s privacy operating model was conceived during the era of fax machines and has been patched with new requirements ever since the transformation into the digital economy began.
The data-driven economy is forcing companies to rapidly innovate the way that they operate and do business. The pressure to adapt to new technologies has never been greater. Customer expectations have never changed as rapidly as they are changing now. Buying and selling processes, customer service, and supply lines have never been as data-driven as they are today.
Customer data comes with responsibility. There are numerous regulations governing privacy in the world, including GDPR, PIPEDA, DPA, HIPAA, PIPA, and CCPA. While compliance with these laws is clearly one of the drivers of Privacy Management Programs, it is only the baseline for our approach to privacy.
Protecting the privacy of the personal information that customers entrust to organizations is mainly treated as a risk-avoidance exercise intended to prevent enforcement, penalties, and lawsuits. However, by making customer-first commitments, you can build trust with your stakeholders and show them that you use data in a way that generates value and promotes respect and protection.
Although most large companies have spent hundreds of thousands, if not millions, of dollars preparing for GDPR and other privacy regulations, many organizations are still struggling with the day-to-day complexities of consent management and privacy compliance operations. For instance, updating your privacy policies is just the first step. There is still a lot to do to manage subject rights obligations and subject access requests. Our study found that most organizations are not yet ready to manage these processes effectively or efficiently and, as such, they leave themselves at risk of non-compliance.
Ongoing management of privacy obligations is complicated. Many stakeholder touchpoints must be routinely coordinated in order to process requests effectively and be documented for compliance and legal purposes.
Spreadsheets and traditional point-to-point privacy software can’t scale and perform ongoing management of the new data relationship model in which data flows from the subjects (people) to data controllers (service providers), and data processors (third-party vendors).
We found that most organizations aren’t prepared, nor do they have any embedded controls for managing data privacy across their third-party vendors, for on-premise applications, and for AI systems.
PrivacyOps’ holistic approach has four key benefits:
HARMONIZATION AND ALIGNMENT
PrivacyOps aligns departments and their stakeholders. This ensures privacy initiatives have a measurable business impact. When an organization is aligned, it generates more revenue at a reduced cost, and brings new data-driven products to the market.
CUSTOMER-FOCUSED PRODUCT AND SERVICE CHANGES
GDPR and other privacy regulations require changes to policies, operations, and products, not just for compliance reasons but also to foster user trust. The PrivacyOps framework enables organizations to operationalize privacy effectively, achieve proper consent management, maintain accurate data inventories, and augment user transparency and privacy controls.
REMOVING OVERHEAD HELPS FOCUS OPERATIONS ON THE KEY OBJECTIVES
PrivacyOps takes on the operational and technical privacy overhead, allowing marketing, sales, customer service, HR, and other departments to focus on their core goals, objectives, and KPIs.
PLANNING AND OPERATIONS
PrivacyOps helps to identify and remove roadblocks. It works with the concept of accountability, careful planning, and the implementation of privacy operational controls across the full data lifecycle flow and across departmental, organizational, franchise and other enterprise boundaries.
These benefits transform privacy from a risk-avoidance function into a business function that increases revenue and market share.
Steps to Embedding Privacy into Daily Operations
STEP 1 – ALIGN YOUR TEAM AROUND DOCUMENTED PRIVACY GOALS
No stakeholder alignment = no results.
Why is alignment so important? In many organizations, business, operations, legal, and IT tend to work in isolation. This is especially true of transformation, privacy, and IT-based projects, where the business quickly defines requirements and then throws them “over the wall” to operations or cross-functional teams. These teams implement the requirements, only to run into unanticipated roadblocks. This is one of the most common examples of a lack of alignment. For successful programs, the path to ROI is secured by a real partnership across all of the stakeholders, from business to legal, privacy, marketing, sales, HR, and IT departments, working together towards a common goal. This goal and vision should be discussed, agreed upon, and clearly documented.
The first step is to engage and include all the relevant stakeholders and have full participation and alignment across all stakeholder groups.
This vision should be articulated in commonly accepted business terms that are already part of your established culture and business practice. The vision should include clear business goals, objectives, and outcomes that the program will achieve. The document should also have a clear set of measurements for the project metrics to ensure expected outcomes are achieved. Project KPIs should have a direct link to executive stakeholder KPIs and to the KPIs of departments involved in the project. Circulate the draft to stakeholders for their feedback and, to ensure ongoing buy-in, update the document to incorporate it.
3 STEPS TO GETTING YOUR STAKEHOLDERS ALIGNED
Alignment is about getting stakeholders to participate, support, and execute the project. They should feel invested and committed. Proper communication is critical to ensure all stakeholders are involved in an engaged and supportive way. Everyone needs to be aware of your project objectives and updated on project progress. Some stakeholders will be more involved than others, but don’t underestimate the value and importance of stakeholders with less participation.
Nurture communication and understanding between stakeholders to avoid surprise roadblocks later. Keep in mind that needs are likely changing as the project progresses. The more you know about stakeholders’ concerns, the better you can address them. Regularly pause, re-assess, and align.
Data Mapping: What Do We Have?
STEP 2 - DATA MAPPING
Data mapping is the first critical element in an organization’s privacy compliance process.
Organizations (data controllers) face questions from data subjects (people) and have obligations to disclose the third-party and third-country locations where personal data is being processed, and how and why it is being used. A successful data mapping exercise will help an organization answer these questions with confidence and will provide customers with the information that they expect concerning their personal data and its usage. Proper, up-to-date data mapping also greatly reduces the risks associated with unauthorized personal information handling.
NOTES ABOUT LEGAL BASIS FOR PROCESSING DATA UNDER THE GDPR
ADDITIONAL DATA MAPPING BENEFITS
Although data mapping often requires significant effort from organizations, it brings additional important benefits. Data mapping helps organizations maintain detailed data processing records for compliance and legal purposes and ensures audit readiness at any time. In addition, data mapping provides evidence that an organization is adhering to data protection guidelines.
Other benefits include:
Data mapping is the essential first step in an organization’s privacy compliance program and assists in supporting customer and employee loyalty. On top of this, there are additional benefits of GDPR compliance, such as operational efficiencies, reduced incident impact, increased customer loyalty and competitive differentiation.
Privacy Impact Assessments
STEP 3 - PRIVACY IMPACT ASSESSMENTS
What is a Privacy Impact Assessment (PIA)?
Simply put, a PIA identifies and helps reduce the privacy risks of any undertaking or process within an organization. A PIA is a key part of the GDPR path to “privacy by design.”
With a PIA you can:
GDPR Article 35 requires data controllers to undertake PIAs. Further, GDPR Article 35 states that PIAs should be undertaken prior to data processing where such processing is likely to result in a high risk to individuals’ rights and freedoms. As there is no current definition of “high risk,” the issue of PIAs is a top priority for the Article 29 Working Party, which provides guidance on a number of key elements of the GDPR. This is a topic that your organization should monitor.
A systematic approach should be applied throughout the organization in all departments.
Ideas to consider:
Data Subject Rights Framework
Step 4 – What do Consent and Information Notices, Disclosures, and Controls mean in the context of GDPR?
For example, GDPR states that consent can be withdrawn at any time, cannot be inferred from inaction, and that forced consent will be “invalid.” Consent must be freely given, specific, informed, and unambiguous. Again, you should always get advice from your legal counsel.
Recommended action: Collect consent and maintain proof of the collected consent unless you rely on another lawful basis for processing the data.
The GDPR Subject Access Request (“SAR”) Key Summary:
What impact do SARs have on data controllers?
GDPR-regulated organizations should consider: 1) implementing SAR policies and embedding SARs into customer- and employee-facing services, systems, and mobile apps (both internal and external facing), so that your organization can fully administer SARs across third-party vendors (processors); 2) developing a response process to streamline SAR fulfillment; 3) training employees on the new GDPR requirements and SAR processes; 4) implementing a self-serve approach to SAR fulfillment.
How can third-party vendors (processors) support data controllers in responding to SARs?
In many cases, the initial contact from the data subject comes directly to the controller or to the data processor. However, the data processor is not responsible for responding to the SAR by default.
Data controllers and data processors need to prepare to handle SARs in a coordinated manner.
At the start of the data collection, data processors should provide clear information notices that will inform the subject of their rights under GDPR.
Product and Service Changes
Step 5 – GDPR Requires Changes to how your Products and Services function
Give customers the choice, and the ability to grant consent and to revoke it as easily as they gave it
Respect your customers’ choices and manage data restrictions downstream to third parties
Tell users the intent of data collection and what data you will collect
Process data in a way that is consistent with user privacy expectations
Use plain-language notices
Step 6 – Third-Party Sub-Processor Vendor Management
Data controllers are required to ensure that their vendors (processors) properly handle all personal data shared with them. As with data mapping, modern systems and processes create data processing chains in which data travels from one application to another and changes hands across SaaS and cloud service providers. Almost every data controller should review how it handles data, its relationships with its providers, how its data processors manage their own vendors and sub-processors, and how GDPR subject rights will be enforced across the entire data processing chain.
Summary: taking control and implementing a programmatic approach to vendor management is key for both data controllers and data processors. A comprehensive approach to managing vendors and the data processing chain can reduce processing and regulatory enforcement risks.
Liabilities under GDPR Regime
Step 7 – Subject Access Rights violations, Data Breaches, and Liabilities
GDPR Article 33 requires that data controllers notify the supervisory authority in case of a personal data breach without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
GDPR Article 34 requires data controllers to notify data subjects of a personal data breach when the breach is likely to result in a high risk to the rights and freedoms of natural persons. The controller shall communicate the personal data breach to the data subject without undue delay, unless the controller has implemented and applied appropriate technical and organizational protection measures to the affected personal data that render it unintelligible, such as encryption.
GDPR Article 82 provides the right to compensation and liability to any person who has suffered material or non-material damage as a result of an infringement of GDPR provisions by the controller or processor. In addition, it states that any controller involved in processing shall be liable for the damage caused by processing that infringes GDPR, and that the processor shall be liable for the damage caused by processing only where it has not complied with the obligations of this regulation specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller. Additionally, a controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
GDPR Article 83 specifies that infringements of the following provisions, Articles 8, 11, 25 to 39, 41, 42 and 43, shall be subject to administrative fines up to 10 000 000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
GDPR Article 83 further specifies that infringements of Articles 5, 6, 7 and 9, of the data subjects’ rights pursuant to Articles 12 to 22, or of Articles 44 to 49, as well as non-compliance with a suspension of data flows ordered by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1), shall be subject to administrative fines up to 20 000 000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In addition, data subjects may initiate private claims directly against data processors for breach.
Under GDPR, the data controller is ultimately accountable. Even when the data controller does not exercise sufficient control over the data processor, it must still be able to monitor the data processor; otherwise, it could find itself subject to fines.
Data controllers and processors need to collaborate in order to ensure data subject rights and other GDPR obligations are respected and fulfilled. It’s essential to start by ensuring that privacy is at the core of all services, processes, and procedures.
Getting Started with PrivacyOps
PrivacyOps can start in two ways: distributed capabilities throughout your team, or specialized roles in a department. The right way to start depends upon your business model and company size.
PrivacyOps starts out as a shared function with multiple departments and people performing aspects of privacy compliance. For example:
As privacy operations mature, these responsibilities become dedicated roles that can be brought under the PrivacyOps umbrella. Consolidation usually happens when data map management becomes sufficiently complex, typically at around 50 internal and third-party applications.
If your organization has more than 100 applications, you are likely facing siloed privacy management in your operations already. Bringing PrivacyOps roles together consolidates accountability. Reporting is also highly recommended at this time.
Symptoms and Signs you need PrivacyOps
Here are some common signs that you don’t have a properly functioning PrivacyOps system. If the examples below resonate or sound familiar, it likely means that you’ve waited too long to implement PrivacyOps. The benefits of PrivacyOps could very well have a significant positive impact on your organization.
Many non-EU businesses, including US and Canadian companies, incorrectly assume European laws don’t apply to them.
Here we highlight five common GDPR myths:
“GDPR is for European companies”
An organization doesn’t even have to accept payment from an EU-based customer to be subject to GDPR. The GDPR applies to any business that targets its activities at an EU market. Even if your U.S.-based business doesn’t target an EU market, GDPR may apply if your company monitors EU-based individuals or processes their data as a sub-processor.
“We don’t use any personal data, so GDPR doesn’t apply.”
GDPR defines “personal data” to include any identifier that could help identify a natural person. For example, it could include a person’s IP address or cookie identifiers. Storing data in a CRM can also trigger GDPR compliance obligations. GDPR also provides enhanced protections to “special categories of personal data”, such as data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade-union membership, among others.
When you do business with a customer over the Internet, you often collect information that can potentially be useful outside of the transaction. If you use any of that information in a way which can be linked back to the customer and without the customer's knowledge or consent, you are violating their privacy rights. It is up to you to properly destroy a customer’s information or to ensure it’s secure.
“We only collect minimal information on our clients for services and products”
If you collect, use or disclose any personal information about individuals (such as email addresses, postal addresses, or names), you need to understand your privacy obligations.
“We have too many tools!”
PrivacyOps consolidates the procurement, implementation, and management of privacy management processes and tools under one owner. This gives you full visibility across the organization, saves costs, and increases adoption of privacy.
Who owns and leads PrivacyOps?
The Chief Privacy Officer’s (CPO) group, within the Chief Risk Officer’s (CRO) organization, has an emerging operational role. It has traditionally been tasked with governance and policy-setting responsibilities but, in the age of GDPR, it is expanding its mandate to day-to-day privacy operations and the operationalization of privacy-related tasks. CPOs are natural owners of data processing governance across Marketing, Sales, Customer Support, HR, and other departments, and across business units and lines of business.
If your organization doesn’t have a CPO, PrivacyOps can live under a Chief Data Officer, the CIO’s IT Operations group, application owners, Risk Management, the CTO, and in some cases even under the marketing department. The ultimate organizational responsibility is driven by the needs of your business and by the talent and skill sets of your teams.
Did you know?
CPO, CDO and DPO roles are growing areas: according to LinkedIn job data, there are roughly 1,400 CPOs, 3,828 Chief Data Officers, and 6,000+ DPOs, compared with 9,500+ CROs (risk officers) and over 34,000 CIOs.
Ownership of the Tech Stack
Today, there are more than 25,000 SaaS tools available on the market. When we investigated typical global organizations, we found that they use between 100 and 2,500 third-party, SaaS-based software tools in their tech stacks.
The multi-party tech stack has become impossible to manage. Multiple tools exchange data, and complex integrations can increase the risk of data leakage and breaches. The wild west of self-service tools scatters customer data across jurisdictions and providers, leaving data controllers potentially liable to hundreds of millions of euros in penalties.
The challenge is complex because, in modern organizations, no single group fully owns the privacy of the tech stack. IT used to own the tech stack when all hardware, software, and data were on premises, but today it is common for sales, marketing, HR, finance, and customer service to manage their own technology budgets and procure tools from third-party SaaS vendors. Sales, marketing, and customer service, in many cases, even have their own technology teams, leading to multiple owners for a single CRM, customer marketing, customer service, or communication system and, thus, creating multiple silos of data.
In the PrivacyOps framework, a single team oversees privacy management of the tech stack across the organization. This helps ensure that all departments and lines of business can comply with GDPR and other regulatory obligations. Accountability and ownership go hand in hand. PrivacyOps facilitates close relationships among stakeholders, the privacy department, digital and innovation teams, and IT, all in order to ensure that the organization meets its privacy and data management requirements. Moreover, changes can be made quickly to respond to data and information governance demands and requirements.
PrivacyOps, Growth & Business
"75% [potential customers] will not buy a product from a company — no matter how great the products are — if they don’t trust the company to protect their data "
2018 IBM Cybersecurity and Privacy Research
VC Funding and Investors
Steve Herrod of VC firm General Catalyst told The Privacy Advisor that evaluating a company’s privacy practices is now part of his firm’s due diligence, especially when companies are storing customer data in cloud services.
PrivacyOps creates benefits for marketing, sales, customer service, HR, finance, and other business areas because it aligns a company around its customers’ data and their needs. PrivacyOps also generates more sales by influencing key metrics, including customer trust, competitive differentiation, shorter sales cycles, and increased repeat business.
Finally, PrivacyOps has a compounding effect on every part of your business, from more efficient management of sensitive data to lower risks of breaches, penalties, and litigation, and increased customer loyalty.
PrivacyOps is a new organizational model that increases competitive advantage and regulatory compliance through measurable improvements in operational effectiveness and efficiency across information and data lifecycles. Most importantly, it enables doing new things that make you different, make you stand out, and change the value chain.
PrivacyOps unifies privacy and access management across information silos such as customer information, medical records, employee data, back-office operations, and other organizational silos.
PrivacyOps streamlines privacy operations across all functional areas, freeing them up to focus on their immediate key business objectives.
PrivacyOps consolidates privacy and access operations into a smoothly operating machine.
PrivacyOps provides the harmonization, simplification, alignment, and focus that deliver privacy compliance and, ultimately, a competitive advantage by increasing customer trust, and it helps increase core metrics like conversion rates, referrals, customer retention, and revenues.
Feroot is an award-winning PrivacyOps platform that helps you operationalize privacy management across all departments and data silos.
We help organizations instantly and effortlessly transform their static data processing maps into a dynamic, actionable, always up-to-date data registry.
Feroot’s Privacy Platform allows you to quickly and efficiently manage on-premise and third-party vendors across applications, both dynamically and automatically. No more chasing down vendors for their latest privacy agreements. No more updating stale spreadsheets. Enter information once, connect to third-party vendors, and everything from consent management to data processing activities to documentation flows appropriately and continually to the key stakeholders. Your organization will save time, resources, and money, and avoid the tedious task of updating documents every time a new vendor is added to your tech stack.
Feroot’s Privacy platform helps you implement a PrivacyOps framework that will: