Privacy concerns have evolved considerably over the years, from more industry-focused regulations, layered around information security standards, to a more holistic view encompassing consumer rights, precipitated by the General Data Protection Regulation (GDPR). Management of privacy risk has rapidly increased in stature and has driven an opportunity to be a platform for broader transformation with a renewed focus on consumer rights, trust, conduct and ethics. As the data privacy regulatory landscape continues to evolve, organizations are on a journey beyond baseline compliance towards a more sustainable future state framework for data privacy.
An optimized privacy function goes beyond an understanding of regulatory obligations and their impacts. Designing a sustainable operating model that can capture emerging privacy risks and leverage enabling technology is critical. In response to this industry challenge, Accenture developed a Privacy Lifecycle Solution (refer to the illustration below) to help organizations manage their privacy program end-to-end, enabling multiple stakeholder groups to work cohesively toward business goals while managing privacy risks. Firms can realize tangible benefits in data usage transparency, risk mitigation and a control-oriented privacy compliance framework that adapts to an evolving and complex regulatory environment.
Our Privacy Lifecycle Solution comprises three main components that are integrated to facilitate a seamless orchestration of privacy compliance.
Regulatory Change Management
Firms that develop their regulatory change management capabilities are able to track new or changed regulatory requirements in real time with an enabling horizontal tracking tool. The tool also provides an automated workflow that engages key stakeholders (e.g., Legal, Compliance, Privacy Office, Control Owner) in assessing the impact of new or amended regulations on the existing control environment, and in deciding whether an existing privacy control must be changed or a new one created.
Privacy Controls Framework
The Privacy Controls Framework is the core component of the solution. It is important to keep the Framework responsive to new regulatory requirements, hence the need for the Regulatory Change Management capability outlined above. The Framework enables effective privacy compliance oversight. An effective Privacy Controls Framework typically includes the following:
- Library of detailed privacy control activities across key privacy domains
- Mapping against key privacy regulatory requirements and recognized industry standards
- Defined privacy compliance metrics, including expected control evidence, key risk indicators, and key performance indicators
- Control maturity rating definition
Privacy Risk Monitoring
Privacy compliance reporting and monitoring need to be oriented to the key privacy metrics defined as part of the Privacy Controls Framework. A leading practice in Privacy Risk Monitoring leverages a tool that automatically extracts relevant data from various data repositories, including Data Discovery, GRC, CRM and Service Ticketing tools, and then generates the privacy metrics and insights needed for effective privacy program oversight and risk monitoring.
A key component of accurately measuring a firm’s data privacy risk is to transform its regular privacy oversight function into a privacy risk monitoring capability that proactively measures the ever-evolving risks associated with complex and differentiated business and service lines. Firms should also be mindful of the impact that privacy risk management has on customer experience. Privacy functions can minimize customer friction by ensuring their operating models define roles across the lines of defense, placing the onus on the business and front-line functions given their direct interaction with customers.
As firms build the above capability components to sustain their privacy program in response to emerging risks and evolving privacy regulations, it is important to account for the impact on customer experience, with the ultimate intent of gaining customer trust in how their data is handled and safeguarded.