How to build a data protection compliance program from scratch | Fieldfisher

How to build a data protection compliance program from scratch

14/12/2015
It’s a daunting task. You’re the newly appointed data privacy person in your organisation - either because you applied for the role or because someone “volunteered” you for it - and now you have to build out a data protection compliance program. Worldwide. From scratch. What do you do?

Well, first off, take comfort in knowing that you’re not alone.  Thanks to a flurry of recent data privacy activity in the EU (Right to be Forgotten, Safe Harbor, GDPR) and beyond (the emergence of Asia-Pac privacy regimes, the Canadian Anti-Spam law, high profile US data breaches), the need for data protection compliance has hit the C-suite agenda like never before.  Execs everywhere are turning to folk like you to solve the problem. And some more good news: there’s very little you can do wrong.  If you’re being tasked with building out a global data protection compliance program, odds are your organisation doesn’t have much of a program currently.  So every step you take, no matter how small, is a step in the right direction.  Though with a little bit of forethought, not only will you NOT go wrong, you will deliver SIGNIFICANT benefits in terms of compliance, risk reduction, and brand enhancement.

Here’s how you go about it:

1.  Decide what kind of organisation you want to be.

It sounds so simple, but this step is key.  What is your data protection strategy?  Is it legally-driven (goal = legal compliance), risk-driven (goal = risk reduction) or ethics-driven (goal = do the right thing)? This crucial decision will be dependent on many factors, including the nature of your organisation (a mature, regulated business may have very different goals from your Silicon Valley start-up), your values as an organisation (what does your Code of Conduct say?), how much top-level support you have, what your competitors do, available budget, privacy ‘crises’ the business has experienced in recent history, and your personal beliefs as the organisation's data privacy evangelist - to name just a few. These aren’t exclusive strategies, either - often the “right” approach will be some combination of the three, but perhaps with a particular leaning towards one goal in particular.  In any event, the decision taken at this point will inform every subsequent action you take, so consider wisely. In addition to this, you need to identify your baseline privacy standards - i.e. the privacy framework against which you will benchmark your compliance.  Will you use the EU Data Privacy Directive, the US Fair Information Privacy Practices, or perhaps something with more of an international flavour - like BCR, CBPR or the OECD Principles? Remember, this is about deciding your baseline - depending on where you operate geographically, you may need to raise yourself above this baseline in some countries, but you at least need a baseline in the first place to bring some kind of global consistency to the way your organisation protects data.

2.  Find out what kind of organisation you are today.

Before you can embark on putting in place compliance controls, you need to do a little fact-finding.  Among the things you need to find out are:

  • what data you process today, how, why and where;
  • who are your internal data privacy ‘champions’ (you’ll need them) and your data privacy ‘trolls’ (you’ll need to win them over);
  • what policies, procedures, guidance and training, if any, you already have - and what kind of state they’re in; and
  • the level of awareness that exists within the organisation to date about the importance of data protection compliance.

Depending on the size of your organisation, this can be a challenging task, so identify others who can support you in this process - the data privacy ‘champions’ mentioned above, whether business unit leaders, country managers, or just internal privacy enthusiasts.  Only once you are armed with this information will you be ready to determine what you need to do next. Which leads nicely onto the next point...

3.  Work out how to become the kind of organisation you want to be.

The next stage is a gap analysis.  You know what you are today, you know what you want to become, so work out the gaps.  Once you’ve identified the gaps, then you’ll be ready to start putting in place the measures necessary to fill them. When performing this gap analysis, be careful to prioritise though.  Not all gaps carry equal importance - some will pose significant risks, either to individuals directly or in terms of organisational risk, and these should be addressed first (for example, you may discover that sensitive personal information is being shared internally, or even worse, externally, in an uncontrolled fashion). Those that are less significant (say, not having sorted out your website privacy policy in a while) should be pushed lower down the priority list. When you’ve identified your gaps, then the real fun begins - you need to figure out how to plug those gaps!  That will entail a combination of many activities, typically including things like creating a compliance team, adopting new policies, instituting training, building out Privacy by Design processes, creating supplier due diligence standards, designing new contract templates, and more.  If need be, look to peers in similar organisations or call upon external experts for guidance.

4.  Become the organisation you want to be.

You know what I’m going to say next: you've figured out how to plug the gaps, so plug them already! Transform your organisation from where you are today to where you want to be.

5.  Rinse, wash and repeat.

A privacy professional’s work is never done.  It’s important to remember a compliance program is just that: a program, not a project.  That means it must undergo review to ensure that it remains valid, up-to-date, and works well in practice - and, if not, it needs changing.  You must institute regular audits to ensure this is the case. Metrics can help here.  You can assess the success of the compliance program you have instituted through a number of potential metrics - for example, privacy awareness among staff, number of privacy complaints reported, data breaches suffered, and so on. These metrics will not only help you assess the ongoing success of your program, but also help you demonstrate ROI to your sponsors and executives.  And, once you’ve done that, you get to begin all over again!