Establish a second line of defense for privacy

How a privacy assurance program can support your organization

Barbed Wire Fence With the increase in privacy regulations worldwide, organizations are looking to formalize privacy as a function. Privacy compliance cannot be sustained as simply a paper exercise; it requires multi-stakeholder support through both informed guidance and business-led execution. Designing a privacy assurance program will allow organizations to create a second line of defense for privacy, with the business operating against controls put into place to sustain compliance.

Most organizations are in reactive mode, rather than proactive mode, when it comes to dealing with privacy issues. To move toward a more proactive model, privacy needs ongoing risk and compliance monitoring. Organizations are looking for ways to sustain privacy operations, reduce risk and validate that processes put into place are effective, while also balancing workloads and competing priorities.

These challenges will only increase as the privacy regulatory environment continues to grow and mature. Building a privacy assurance program is a strategic and achievable approach to sustaining privacy compliance.

Privacy assurance as a second line of defense Privacy assurance is the function within privacy that monitors regulations, evaluates risks and sets policies and guidelines for the company to follow.

Privacy lines of defense

Organizations that wish to implement a privacy assurance function should look to the “Three lines of defense” model. Positioning privacy as the second line of defense supports a business-led and multi-stakeholder accountabilty model, where privacy is responsible for understanding regulatory requirements and setting internal policies and standards for the business. It also supports compliance monitoring efforts through the establishment of a privacy controls framework and associated key risk indicators (KRIs). Controls put into place through the privacy assurance function can then be operationalized by the business and leveraged by the internal audit function to evaluate compliance.

Establishing a privacy assurance program There are three key pillars for a privacy assurance program:

  1. Building a privacy controls framework
  2. Performing compliance monitoring
  3. Establishing KRIs to monitor risk and track privacy trends

This structure provides an organization with insights into the effectiveness of their privacy program and strengthens privacy operations through increased governance and reinforced roles and responsibilities, compliance monitoring, and reduced legal and compliance risk.

Building a privacy controls framework
A privacy controls framework will help build a stronger understanding of your organization’s privacy principles, compliance obligations, and risks, while also clearly defining ownership and accountability. As a result, organizations will be better equipped to manage compliance and address risks in a prioritized and informed way. This includes developing guidelines that will establish a culture of privacy across the organization. Each step of the process outlined below will help build a framework that fits your organization’s business needs, while rationalizing privacy requirements.

Privacy controls framework

When determining your framework approach, adopt a framework that is aligned with your organization’s specific needs and objectives, including any specific regulatory requirements. Consider whether an existing industry framework – such as the NIST privacy framework, ISO standards or ISACA privacy principles – can be leveraged to serve as a foundation. From there, each control can be identified and mapped to applicable data privacy laws and requirements. Ownership of each control should be clearly defined and documented to ensure the objective of the controls is achieved. This will require cross-functional collaboration, and many controls will be owned by business process and IT owners rather than the privacy team.

The controls framework will aid in identifying risk, which can then be documented to inform decision-making and support strategic planning, budgeting, and allocation of resources. It will also feed necessary reporting, escalation, and remediation efforts. Business owners should be able to easily identify privacy red flags and know where to go for guidance and to whom red flags should be reported. Once risk has been identified, the privacy team can support risk mitigation efforts by developing a plan and supporting socialization of the issue to leadership to help remediate, reduce, or accept any risks.

Performing compliance monitoring
Organizations can leverage their controls framework to establish a process for control owners to perform periodic self-assessments of each control. This may include testing whether procedures in place achieve control objectives and providing reporting along with any evidence the privacy team may need. Performing self-assessments will increase visibility and allow the privacy team to engage directly with control owners to provide guidance and address risk. Compliance monitoring efforts may trigger additional privacy activities when necessary, such as data protection impact assessments (DPIAs) if high-risk processing is observed, or even the need for detailed data inventory exercises if new or changing processing activities are identified.

Performing these self-assessments will provide greater visibility into the program, which will allow the privacy team to provide the first-line privacy operations with guidance and recommendations to address any areas for improvement. The privacy team will be better equipped to identify risk, develop a roadmap, and support control owners to modify practices to meet privacy requirements. Additionally, a compliance monitoring function aligns with requirements under numerous data privacy laws to perform these activities, such as performing assessments and appointing specific roles like data protection officers (DPOs).

Establishing key risk indicators (KRIs)
Once a controls framework and compliance monitoring program have been established, organizations that wish to mature their privacy program should look to establish KRIs. Metrics help to identify trends, provide early signs of increasing risk exposure and measure risk across the privacy program. KRIs should be designed to reflect organizational goals and have both quantifiable and actionable metrics.

Leveraging technology can help organizations streamline and support the process of building and operating a privacy assurance program. From data collection to data subject rights, data classification, and data purge, there is a significant return on investment for leveraging technology to support and streamline these activities. A centralized and automated tool is an effective and efficient way to implement operational processes and provide visibility into the organization’s privacy program using clearly established metrics and dashboarding. Technology can also help manage all privacy operations in one central location instead of having each piece stored and managed separately.

Whether manual or automated, KRIs are an excellent tool to track and monitor trends that can be leveraged by leadership in making organization-wide decisions.

Plan your approach Developing a privacy assurance function provides multiple benefits to organizations looking to mature their privacy program and sustain compliance. Privacy assurance encourages cross-functional collaboration and development of clearly defined roles and responsibilities, which in turn strengthen operations and promote risk mitigation activities. Through a defined governance structure, controls framework, and self-assessment program, a privacy assurance function will promote ongoing compliance and reduce the burden on resources when new or changing privacy laws must be implemented.

Organizations that wish to develop a privacy assurance function should start with outlining their regulatory obligations and compliance needs. Once applicable privacy regulations and industry standards have been identified, development of a controls framework will allow organizations to build up and improve existing privacy programs and put processes in place that encourage defined compliance monitoring and risk management. Investing in a privacy assurance function will help organizations bring their privacy program to a managed, mature state that is sustainable across the constantly changing privacy landscape.

Lindsay Hohler
Principal, Privacy and Data Protection
T +1 703 847 7529

Ariana Davis
Senior Manager, Privacy and Data Protection
T +1 646 409 2615

Eric Paulson
Manager, Privacy and Data Protection
T +1 443 841 2570

Jessica Mawrence
Manager, Privacy and Data Protection
T +1 212 624 5442