Other parts of this series:
- The Challenge and the opportunity of the California Consumer Privacy Act
- Designing a comprehensive data privacy and security program
- Meeting California Consumer Privacy Act requirements with existing capabilities
- Capabilities and controls for a robust data privacy program
- Privacy Regulations: What approaches are emerging from financial services?
- Addressing privacy regulation within a broader “consumer rights” program
In the previous blog in this series, we looked at how companies can leverage the programs and policies already in place to address new concerns raised by the California Consumer Privacy Act (CCPA). In this blog, we will look at some of the capabilities and controls needed for a robust, enterprise-wide data privacy program.
The responsibility for establishing a culture of embedded privacy throughout the organization starts at the top, with the chief executive officer (CEO) and board of directors. Execution is in the hands of senior managers, with the overall objective of establishing a control framework that can holistically address the dimensions of privacy risk.
Supporting the CEO and board of directors, the chief data officer (CDO), general counsel (GC), chief compliance officer (CCO) and chief privacy officer (CPO) are key stakeholders in establishing the appetite for privacy risk while engaging key partners within the organization, such as the chief information officer (CIO) and chief information security officer (CISO).
Each function has a role to play, but all functions should be aligned in terms of business strategy and execution. From a three lines of defense perspective, areas of focus can be summarized by three key questions senior stakeholders and their teams are looking to address during the data privacy transformation journey:
- First line of defense – How can business and operational management integrate a revised set of responsibilities for managing data subject requests and potentially broader privacy concerns within a sustainable, profitable business model?
- Second line of defense – How do those directly responsible for risk management coordinate privacy policies and associated controls, while providing a suitably high-touch advisory model for privacy risk with the business going forward?
- Third line of defense – How does the audit function broaden its focus on privacy to effectively address the expanded scope of programs and controls going forward and prioritize items for management attention?
As teams drill deeper, each function within the organization should come to grips with issues affecting its own activities. For example, marketing should determine how new regulations impact its ability to meet business objectives and marketing goals, and how the firm can differentiate its brand while responding to regulations. Similarly, operations should prepare for the additional volumes of inquiries it is likely to handle, and to determine how to manage early customer inquiries in line with regulations.
In the next blog in this series, we will examine some of the key foundational tools that should be in place for privacy programs at different levels of maturity.
To find out more about the CCPA please contact me.