How to Kickstart a Privacy Program
In 1890, Supreme Court Justice Louis Brandeis said people have “the right to be let alone.” In short, privacy is a human right; however, the journey to enshrine that right in the law has been a long one.
Early examples of privacy laws include HIPAA, which covers patients’ protected healthcare information, and FERPA, which protects student educational records. It was not until the proliferation of technologies that digitally processed and collected voluminous sets of data that lawmakers began to consider making comprehensive privacy laws to protect everyone’s personal data.
The European Union was the first to respond to the need for comprehensive privacy protection, creating the EU Data Directive in 1995. This directive enshrined privacy as a civil right and established a framework for organizations to follow to protect those rights. However, as technology evolved, this directive needed modifications. In 2016, the EU drafted the General Data Protection Regulation (GDPR), which established financial penalties for violators. Over 160 countries have since adopted laws similar to the GDPR.
Following suit, U.S. states began passing comprehensive privacy acts, with California implementing the California Consumer Privacy Act in 2018 and Congress proposing several additional privacy bills. These privacy laws aim to balance the need to process people’s personal data against the protection of their civil rights from misuse, while also informing organizations of the repercussions of failing to do so.
Risks to Organizations Without a Functional Privacy Program
Failing to protect personal data, or processing it in a way that violates privacy rights, may have various consequences, including reputational harm, monetary loss and legal entanglement. Consider the 2023 case in which the EU fined Meta over $1.2 billion for failing to protect personal data according to the requirements under the GDPR. The fine was the largest of its kind, but the damage was more than just monetary. In addition to the fine, Meta spent considerable time and money on complex litigation, and the outcome of the high-profile case damaged its reputation among customers and employees alike.
While these risks may seem daunting, many resources are available to manage risk and protect people’s privacy rights. The National Institute of Standards and Technology, a part of the Department of Commerce, maintains a comprehensive privacy framework for U.S.-based companies. The framework is not legally required, but it serves as a guide to help organizations tailor a privacy program to meet their specific needs. The following steps can guide organizations that want to establish or strengthen their privacy program:
- Establish a Privacy Committee
Establishing a privacy committee will help guide high-level direction for the program, starting with identifying stakeholders. Figure out who within your organization is responsible for ensuring data privacy; usually, it will be individuals from management, HR, IT, legal and data management. Next, determine to whom your organization owes obligations, including direct customers, employees, third-party organizations and individuals whose data your organization collects either intentionally or unintentionally. Organizations should be stewards of the personal data of any natural person, regardless of whether they have a direct business relationship. Finally, determine the obligations third-party organizations have to your organization and whether they have implemented a robust privacy program.
- Determine Your Organization’s Obligations
The privacy committee should first lay out the legal landscape of privacy laws to determine which ones apply to your organization and to which departments within it. For example, because of the Civil Rights Act of 1964, human resources professionals must take care to ensure their employment decisions do not improperly disclose or process sensitive information related to protected characteristics that might contribute to discriminatory practices.
Once it is familiar with the landscape, the organization must determine which obligations apply to it. For instance, large organizations that collect and process voluminous sets of personal data may need to maintain an ongoing data map of the types of data they use and who has access to them. Many of these organizations need to go a step further and conduct a data privacy impact assessment, a comprehensive deep dive into their data practices. Determining these obligations will help set the stage for implementation.
- Implement Policies, PETs and Employee Training
Once an organization is ready to implement a privacy program, it should review existing guidance like the NIST privacy framework. These guidelines will help determine which policies the organization needs to implement.
In addition to administrative safeguards like privacy policies, there are technological safeguards like privacy-enhancing technologies (PETs). Depending on your data privacy needs, PETs can help establish secure data transmission through end-to-end encryption, or support your data minimization protocol by reducing the data required to perform a digital task without losing functionality.
Finally, policies and procedures are only helpful if organizations follow them. Frequent employee training is a great way to ensure that everyone within the organization recognizes their responsibilities for being good stewards of personal data.
Data privacy laws are evolving rapidly, but the amount of data organizations collect and how they process it evolves more quickly. Organizations must continually review and revise their privacy program and ensure their employees are current on the latest training, as not being armed with the latest privacy requirements can have detrimental impacts on an organization. Data privacy laws will only continue to expand, and the best position an organization can take is a comprehensive approach to understanding the full global landscape.