Six-Step Process of Implementing an Effective Security and Privacy Program

There is no single set of best practices when it comes to managing data protection programs.


Stephen Wu

3 years ago | 4 min read

There is no single set of best practices when it comes to managing data protection programs. I have summarized and consolidated the management guidance in this section from a number of privacy and security management frameworks, including the Generally Accepted Privacy Principles, materials from the International Association of Privacy Professionals, and the Cybersecurity Framework of the National Institute of Standards and Technology.

I suggest reviewing these frameworks over time to supplement what appears in the six steps described in this section.

Aligning Data Protection Strategy with Overall Strategy

Step 1: A data protection program begins with aligning the business’s overall strategy with its data protection strategy. With the business’s culture in mind, this step involves planning the strategic direction and commitment of the business to data protection. The business will need to understand critical business requirements and imperatives that affect the program.

Also, are there opportunities that dovetail with the business’s strategy, such as positioning in the marketplace as a leader in data protection as part of an overall marketing strategy? Finally, the business will need to allocate sufficient resources for the program. The business should craft this strategy with the features, capabilities, and vulnerabilities associated with advanced technologies in mind.

Develop a Series of Controls

Step 2: The business will need to understand its current data protection posture. Most fundamentally, it will need to know what kind of personal data it is collecting and the flow of personal data throughout its systems during the entire data lifecycle from collection or generation to disposal or long-term archiving.

It will need an understanding of all the information assets (its own, its customers’, and its vendors’ networks, sets of servers, workstations, mobile devices, and storage systems) within the scope of the program. The business will need to understand the applicable laws creating data protection compliance requirements, contractual requirements, and industry requirements such as the Payment Card Industry Data Security Standard.

Moreover, the business should conduct and update a risk assessment of the universe of potential data protection threats associated with advanced technologies, the likelihood and frequency of these threats coming to pass, the impact of the harm from these threats, and the controls available to mitigate these threats or their impact.

The business’s risk management process should prioritize a set of controls to mitigate the threats analyzed. Inevitably, the business will identify gaps between its current data protection posture and the target (ideal) profile for the organization. The business will need to prioritize the identified gaps and develop an action plan to address them.

Program Implementation

Step 3: This step consists of the implementation of the program of controls developed in the previous step. For instance, the business should implement its action plan to begin closing gaps in its data protection program as it relates to advanced technologies.

The business may assign people to implement specific programs to improve its data protection posture. In addition, this implementation phase involves ongoing data protection support of day-to-day business line operations.

For example, data protection attorneys may be involved in regular negotiations of customer and vendor contracts or mergers and acquisition activities, including the due diligence involved in these transactions.

They may also work with cross-functional teams to support new infrastructure, products, and services relating to advanced technologies. They may be involved in advising clients on data protection issues that come up in operations, such as questions about implementing data protection instructions or advising marketing professionals about data protection in connection with advertising campaigns.

Data protection attorneys may provide advice about specific customer or employee situations that arise. Litigation data protection counsel may be involved in defensive or offensive claims relating to breaches, defects in products or services, or defaults in product or service agreements.

Monitoring and Oversight

Step 4: Businesses should take steps to sustain and manage their data protection programs. They will need to monitor and provide day-to-day oversight over the implementation of the program to detect issues and violations, and report and respond to them. A key part of the oversight function is providing training of personnel to make sure they understand their data protection functions.

Moreover, data protection attorneys should facilitate the process of holding personnel accountable for compliance with the program. For instance, they may promote the use of data protection goals and objectives during employment reviews and advise internal clients concerning disciplinary actions taken following violations.

Auditing Your Program

Step 5: Businesses should have formal programs of assessment and auditing of their data protection practices covering advanced technologies. Data protection attorneys may work together with internal and external auditors to assess and audit privacy and security compliance.

Periodic audits may occur in connection with internal audits and external audits for privacy and security attestations or certifications, such as SOC reports on security or privacy or ISO 27001 security certifications.

Feedback and Adjustments

Step 6: Businesses should periodically evaluate their data protection practices and make adjustments to their data protection programs. They may need to make changes because of information gleaned from data protection assessments, for instance, to upgrade certain aspects of the program, undertake new privacy programs, or acquire new security tools.

Businesses may need to integrate changes to applicable law or industry practice into their compliance programs and data protection controls. Changes in business models, advanced technology capabilities or vulnerabilities, or security threats may call for other changes.

Don’t Go it Alone

Data protection attorneys play a vital role in overseeing these six steps. They can provide advice and counsel to data protection professionals and lines of business. Finally, they can report on the data protection program to upper management and boards.

This article was originally published by Stephen Wu on Medium.


Created by

Stephen Wu

Stephen Wu is an attorney and shareholder with Silicon Valley Law Group in San Jose, California. Steve advises clients concerning privacy, security, transactions, compliance, liability, and governance of emerging and mature information technologies, such as artificial intelligence, autonomous and connected vehicles, robotics, Big Data, the Internet of Things, and cloud computing. He negotiates technology agreements, resolves disputes for clients, and serves as an outside general counsel for emerging companies. Steve also advises clients on governing and assessing corporate programs to promote compliance and ethics. An author of seven data security legal books and numerous other publications, Steve is the current Chair of the American Bar Association Artificial Intelligence and Robotics National Institute. Also, Steve served as the 2010-11 Chair of the American Bar Association Science & Technology Law Section.