Let’s start with a foundational question: What is Privacy Governance? At its most basic, Privacy Governance is the implementation, management, and measurement of privacy compliance within an organization. It takes various shapes and sizes, can be managed through the lens of a governance framework (e.g., NIST), and can be as broad or as narrowly tailored as the organization needs. Factors that go into determining the type and level of privacy governance needed are the industry an organization operates within, any regulatory obligations or scrutiny, the risk profile of the organization, and the organization’s geographic footprint.
A successful privacy governance program is testable, scalable, and repeatable. This article will focus on a specific area of privacy governance, the role of privacy controls and audits, and provide a few high-level insights on developing these.
Current privacy regulations, such as GDPR, CCPA, or LGPD, do not expressly require developing controls or undergoing regular audits to ensure compliance with the respective regulation. However, as more and more jurisdictions around the world develop their own version of privacy regulations, a strong controls and audit program will be a critical component of, and likely the only way to ensure and maintain, compliance with the applicable laws and regulations around the world.
Every privacy regulation around the world is slightly different, but there are some standard concepts that permeate throughout all of them. As a result, having an overarching privacy controls and audit program will help scale your privacy program as more and more jurisdictions develop their own standards.
The good news is that organizations do not need to start from scratch when it comes to developing privacy controls and an internal audit function.
In the United States, the current privacy regulation landscape mirrors where the accounting industry was about 20 years ago, when the Sarbanes-Oxley Act (SOX) came into law. Privacy regulations in the United States have come about in an effort to protect consumers’ privacy online, primarily in response to certain online advertising practices related to consumer data. SOX came about in an effort to protect shareholders and the public from fraudulent financial activity. It was a direct response to a period of corporate financial scandals by public companies such as Enron and Worldcom.
“The act had a profound effect on corporate governance in the [United States]. The Sarbanes-Oxley Act requires public companies to strengthen audit committees, perform internal controls tests, make directors and officers personally liable for the accuracy of financial statements, and strengthen disclosure.”
Specifically, SOX requires all financial reports to include an Internal Controls Report. This shows that adequate controls are in place to safeguard financial data. An independent external SOX auditor is required to review controls, policies, and procedures during an audit. An audit will also look at personnel and may interview staff to confirm that their duties match their job description, and that they have the required training to safely access financial information.
While current privacy regulations do not impose these express requirements, organizations can leverage some of the practices required under SOX to formulate their privacy controls and audit procedures. Further, if an organization has an internal financial governance team (e.g., a SOX team in the US), that team can be leveraged to help build out these disciplines within privacy.
When starting to draft privacy controls, one place to start is to look at high-risk areas of the business and any associated policies that may be in place for those areas. An alternative is to start with an area of the business where you know policies are already in place and are being followed. The high-risk approach may be more complex and could take longer to complete, but will likely provide a more meaningful and impactful result for the risk profile of the business. The alternative approach is typically low-hanging fruit and can be a less overwhelming place to begin for a company that is new to governance generally. The risk profile and needs of the business can factor into where the business chooses to begin.
Using the following hypothetical scenario, we will look at the process of developing privacy controls and leveraging an audit function to test those controls.
Hypothetical Scenario: An organization develops new consumer-facing products and is required to perform a privacy impact assessment (PIA) for each product launch. The organization has an internal policy which states a PIA must be completed prior to launch of any consumer-facing product. The policy outlines what must be included in the PIA, or has a PIA template attached, and defines roles and responsibilities for completing and reviewing the PIA. The relevant stakeholders know that the PIA policy is not uniformly followed, but don’t have a mechanism to measure or enforce compliance with the PIA policy. This is causing high risk for the organization because of regulatory scrutiny of the organization’s industry around this requirement, and the organization is not able to show consistent compliance with this legal obligation.
The privacy governance team can work with the internal audit team to develop a set of controls that can be tested on a regular basis to ensure consistent compliance with the PIA policy and the resulting legal obligations.
A sample set of hypothetical controls:
1. The organization has a policy in place related to PIA requirements for consumer-facing product development (the PIA policy).
2. The PIA policy defines when a PIA is required.
3. The PIA policy sets forth the applicable roles and responsibilities for completing the PIA.
4. The PIA policy sets forth the applicable roles and responsibilities for reviewing the PIA once complete.
5. Training is performed on a regular basis for those who are responsible for completing the PIA.
6. Training is performed on a regular basis for those who are responsible for reviewing the PIA once complete.
The purpose of these controls is to provide the company with a mechanism to determine compliance with its PIA policy. When drafting controls, they should be narrowly tailored so that each control is a finite, testable action.
Once these controls are drafted, the audit team should be engaged to review the controls and begin testing them. This will involve review of the applicable policies and processes, interviews with the relevant stakeholders, and in the case of our hypothetical, review of a sample set of consumer-facing product launches to determine whether the PIA policy was followed for each launch.
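As an added illustration that is not part of the article, the following script shows how the audit team's review of a sample of launches could be run against controls 2 through 6 of the hypothetical and turned into rated findings of the kind an audit report carries. The policy values, staff records, launch records and the rating rule are all constructed assumptions.

```python
from datetime import date

PIA_POLICY = {  # constructed stand-in for the hypothetical PIA policy
    "completer_roles": {"product_manager"},        # control 3
    "reviewer_roles": {"privacy_counsel", "dpo"},  # control 4
    "training_valid_days": 365,                    # controls 5 and 6
}
STAFF = {  # (role, most recent PIA training date) per person, constructed
    "pm1": ("product_manager", date(2022, 9, 1)),
    "pm2": ("product_manager", date(2021, 1, 1)),
    "pc1": ("privacy_counsel", date(2023, 1, 15)),
    "eng1": ("engineer", None),
}
LAUNCHES = [  # sample of consumer-facing launches pulled for testing, constructed
    {"product": "App A", "launch": date(2023, 3, 1), "pia": {"completed": date(2023, 2, 10), "by": "pm1", "reviewed_by": "pc1"}},
    {"product": "App B", "launch": date(2023, 5, 15), "pia": {"completed": date(2023, 5, 20), "by": "pm2", "reviewed_by": "pc1"}},
    {"product": "App C", "launch": date(2023, 6, 1), "pia": None},
    {"product": "App D", "launch": date(2023, 7, 1), "pia": {"completed": date(2023, 6, 1), "by": "pm1", "reviewed_by": "eng1"}},
]
AUDIT_DATE = date(2023, 8, 1)  # constructed date of the control test

def trained(person, as_of):
    """Controls 5 and 6: training is on record and within the validity window."""
    last = STAFF[person][1]
    return last is not None and (as_of - last).days <= PIA_POLICY["training_valid_days"]

def check_launch(launch, as_of):
    """Test one sampled launch against controls 2-6; returns (control, finding) pairs."""
    pia = launch["pia"]
    if pia is None:
        return [("C2", "no PIA on record for a consumer-facing launch")]
    findings = []
    if pia["completed"] >= launch["launch"]:
        findings.append(("C2", "PIA completed on or after the launch date"))
    if STAFF[pia["by"]][0] not in PIA_POLICY["completer_roles"]:
        findings.append(("C3", "PIA completed by a role the policy does not assign"))
    if STAFF[pia["reviewed_by"]][0] not in PIA_POLICY["reviewer_roles"]:
        findings.append(("C4", "PIA reviewed by a role the policy does not assign"))
    if not trained(pia["by"], as_of):
        findings.append(("C5", "PIA completer has no current training"))
    if not trained(pia["reviewed_by"], as_of):
        findings.append(("C6", "PIA reviewer has no current training"))
    return findings

def audit_report(launches, as_of):
    """Group findings by control and rate them so the business can prioritise MAPs.
    Constructed rating rule: a missing or late PIA (control 2) is rated High."""
    report = {}
    for launch in launches:
        for control, finding in check_launch(launch, as_of):
            report.setdefault(control, []).append(f"{launch['product']}: {finding}")
    return {c: {"rating": "High" if c == "C2" else "Medium", "findings": f} for c, f in sorted(report.items())}
```

Running `audit_report(LAUNCHES, AUDIT_DATE)` over the constructed sample flags App B and App C under control 2 and App D under controls 4 and 6, which is the shape of observation the MAPs would then be built around.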
Once the internal auditors test these controls, they will identify gaps or areas that need to be tightened up in the policy or in the resulting processes, and provide the privacy governance lead with an audit report of their observations and findings. The audit report will typically provide detailed findings and recommended improvements, along with a rating of the findings to help the business prioritize the areas to address first. The internal auditor may also provide draft management action plans (MAPs), which are finalized with the input of the privacy governance lead and relevant stakeholders within the business. The MAPs act as a form of project planning to identify the tasks and roles and responsibilities required to address the findings and implement the recommendations.
This testing process is then repeated for this area of the business on a specified cadence, which can be quarterly, annually, or somewhere in between, depending on the gaps identified, the time it will take to work through the MAP, and the business’ needs. This established testing cadence helps ensure the policies and processes are appropriately maintained in an ongoing and measurable way.
After the business has worked through one area for implementing controls and performing the audit function, the privacy governance team should identify 3-4 areas of the business to be addressed within a specified timeframe, such as 12-18 months, and work with the audit team to schedule out the controls review and testing. The privacy governance and audit teams can work in parallel on separate tasks to make the process more efficient. For example, while the audit team is testing area “A” of the business, the privacy governance team can work on drafting controls for area “B” of the business, and so on.
One practice note on controls drafting: When first developing controls in high-risk areas of the business, it is recommended that these be developed under attorney/client privilege. Going through the controls drafting process will often require digging into the business in a way that may not have been done before. The purpose of digging into an area that has the potential to be high risk from a privacy perspective is to discover any such risk, bring the area into compliance, and maintain that compliant state moving forward. Generally speaking, from a US perspective, the documentation produced during this process is discoverable if the work is not performed under attorney/client privilege.