Tip #2/10 – Eat the Elephant – the new EU Data Protection Regulation

Latest I heard is that some form of final version is coming out on 20 December. Does it mean that it is final? No, not yet. However, this does not stop you thinking and planning next steps in privacy compliance, to get ahead of the crowd, based on what we do know! Why should you start now? Well, I’ve written on that already, but to summarize: because the party hasn’t started yet. When it does, you will know, as the legal guys will be having a party at your expense!


Where should a Privacy Program belong in your organization? This is the fundamental question you need to ask yourself: who owns privacy? Is it legal, IT operations, or security operations? If you were to look around at global organizations that have privacy programs, you will find that they are sitting under the legal arm, and hence populated with legal guys and girls. (As a side-note, that’s one of the cool things about privacy: there is balanced gender diversity. I even have to queue for the rest-rooms at privacy conferences, which is not the case in information security ;))

So you have an interesting mental activity to occupy yourself over the Christmas and New Year break. Visualize how it’s going to work in your business, as a ‘thought experiment’. Clearly I have my opinions, which I’m going to share with you now…

To give you an appreciation of what lies ahead of you, and why I think as I do: one of the first projects that you will need to task yourself with is documenting every personal data collection point in your organization. For example, a web-page where your customers share their name and address, or your sales & marketing engines. Depending on the size and nature of your business, this can be daunting. If you get this wrong, and hand the privacy program to your legal team, you risk creating a chasm in your business between a legal team focused on being ‘legally’ compliant, IT/security operations, and the executive team. And why? Because nobody in your business understands legal jargon except the legal guys, who speak from a ‘legal’ standpoint, and no sane individual wants to read and interpret legal text except for a legal guy! The question and challenge is: how do you map this to your business?

Create a ‘Privacy Architect’ role to be the ‘spider’ in your privacy ‘web’, i.e. Privacy Program

What I see as one of the largest initial risks is that your privacy project becomes an enormous elephant that will give you indigestion if you try to execute it in one go. This is where I say do not bring in the legal guys yet. Get some of your senior information security team who are great architects and PMs (Project Managers) involved. You need to train them, but it’s much easier to train these guys in privacy than it is to train legal expertise in your business operations. What’s more, if you pull together the right guys, they will thank you, as privacy is such a cool career move! Your privacy team will be motivated and bring loads of energy, a recipe for success in your privacy program. In fact, I would advise you to create a ‘Privacy Architect’ role, and give them a ‘carrot’ to get certified in privacy and data protection principles (Certified Information Privacy Professional, CIPP). This individual should be tasked to map all data collection points in your business, package them into individual projects, and pass them on to project managers who are trained in privacy, whom you could call your ‘privacy champions’. Your ‘Privacy Architect’ will be the ‘spider’ in your privacy ‘web’. Clearly you need to bring in the legal guys, but do this as and when necessary.

What is smart about doing it this way is that you map your privacy program into neat projects aligned to the privacy principle of ‘purpose’, which has in fact been around since 1973:

  • It is a privacy principle mentioned in the Fair Information Privacy Practices (FIPPs) in the US in 1973;
  • ‘Purpose Specification’ is 1 of the 8 privacy principles defined in 1980 by the OECD Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data. These guidelines have become the framework for privacy practices and regulations worldwide;
  • It is 1 of the 11 Privacy Framework principles (ISO 29100) from 2011, where it is described as ‘Purpose legitimacy & specification’.

So you have an awful lot to be starting with, and maybe even enough to go beyond the ‘thought experiment’ mentioned at the beginning of this article.
