Privacy pros have been saying it for years: Privacy is not set-it-and-forget-it. We have been seeing regularly how changes in laws and regulations impact organizations’ privacy obligations. Yet compliance is often treated as a series of one-off projects: write a privacy notice, implement a policy, create a data inventory. As organizations evolve, it’s important to remember that legal privacy obligations evolve with them. New products or services, new collection or processing of personal information, a change in vendors, or growth into a new jurisdiction can have a significant impact on privacy obligations.

To maintain compliance and reduce regulatory risk, it’s important that privacy teams continuously monitor operational changes and regularly update privacy programs to align with these changes.

Operational Changes that May Mean New Privacy Obligations

New products, services or features

It’s important to understand whether and how new offerings or features interact with personal information. For example, if your customer support team decides to use an AI-powered feature that summarizes inquiries and then uses that information to improve its support services, it may require you to conduct a privacy impact assessment, update your notice and terms of service, and potentially provide new opt-outs. You may even need to get the consent of existing customers for this new use.

A process for evaluating new products, services, and features is essential to ensure continued privacy compliance.

New data collection, uses, or sources

As organizations mature, so does their use of personal information. Information an organization once collected only for account management may now be wanted for a more sophisticated marketing initiative. A company with a website that previously only used necessary cookies may now want to employ analytics cookies to learn more about how people use its site. You may start purchasing lists and combining that information with information you already hold.

These are all instances that mean updating privacy notices, data inventories, perhaps consent obligations, opt-outs and more. It’s important that privacy teams know about these processing changes to ensure documentation accurately reflects data handling practices.

Growth into new jurisdictions

When an organization begins offering its products or services in a new geographic area, additional privacy laws may apply. For example, if a US company wants to grow its business into Europe, that would trigger the EU General Data Protection Regulation (GDPR), meaning new disclosure obligations, privacy rights, cross-border transfer obligations and more.

Privacy teams need a window into sales and business development teams’ initiatives to prepare in advance for new compliance hurdles.

New vendors or tools

As organizations grow, they tend to rely more on third-party vendors and tools to create efficiencies, gain insights, and lower overhead. Things like cloud storage, data analytics, customer support bots, marketing automation, and AI tools enable businesses, but they also often involve processing personal information.

Privacy and data protection laws require specific contractual provisions to protect personal information being shared between data controllers and data processors (vendors). If personal information is crossing international borders there may be additional obligations like Standard Contractual Clauses or certifying to the EU-US Data Privacy Framework.

Privacy teams need to know when new tools or vendors are coming onboard, prior to procurement, to ensure contractual obligations are being abided by, data minimization practices are in place, and appropriate risk-based monitoring is established.

The Importance of Ongoing Monitoring

Many privacy programs are small and often not embedded in teams like product development, marketing or procurement. Organizations see a need to move quickly to take advantage of new technologies and may see privacy as slowing their progress. Teams that haven’t been effectively trained may not recognize the risks involved with processing personal information, so may not call in the privacy pros when needed.

For these reasons and more, organizations often launch initiatives without proper privacy reviews, bringing unnecessary regulatory risk.


Setting Up a Monitoring Program that Works for You

To maintain compliance and keep privacy programs aligned with data handling practices, organizations need an approach to monitoring that is effective and integrated into existing workflows. Working across business units can help to ensure adoption and reduce disruption.

Establish Cross-Functional Privacy Governance

Privacy does not exist in a vacuum. Privacy compliance requires a holistic approach involving training for all employees and cross-team collaboration. Establishing a privacy governance committee or working group that meets regularly can help to ensure consistent attention is being given to privacy concerns across the business.

Consider including representatives from privacy, legal, product, marketing, engineering, procurement and cybersecurity to get a comprehensive view of the organization’s data ecosystem.

Formalize Privacy Review Process

Create a formal privacy risk assessment (or privacy impact assessment, data privacy assessment) and embed it in development, procurement, engineering, and marketing processes. Work with these teams to help them understand its importance and to find the least disruptive way to implement it in their process. The privacy risk assessment should identify elements such as:

  • What types of personal information will be impacted
  • How the personal information will be used
  • Will it be shared and with what entities
  • Who will have access to the personal information
  • Where will it be stored and for how long

Depending on the complexity of your organization, a privacy risk assessment could take the form of a spreadsheet or purpose-specific technology. It should be conducted any time personal information is being collected, used or shared in a new way, when new tools or vendors are being considered, or when developing new products or services that may impact personal information.

Create an Internal Audit Process

Privacy teams should put in place an internal audit program to track key indicators that may point to changes in data handling practices. Leverage existing tools and systems such as vendor management records, system scans, and security and engineering logs to get insight into the addition of new website tracking technology or vendors, or increases in the volume of data collected.

This monitoring will help privacy teams discover new processing activities that may have fallen through the cracks and not gone through appropriate internal processes.
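One concrete way to get that insight from logs you already have, as an added example and not Red Clover Advisors' own tooling: compare the third-party hosts your site sends data to against the approved-vendor inventory, and flag any host that has not been through a privacy review, plus any approved vendor whose outbound data volume suddenly jumps. The log format, host names, vendor inventory and the 3x spike threshold below are all constructed assumptions for illustration.

```python
"""Flag unreviewed third-party hosts and outbound-volume spikes from web logs.

Added example (not Red Clover Advisors' code). The log format, host names,
the approved-vendor inventory and the spike threshold are constructed for
illustration; adapt them to whatever proxy, CDN or CSP-report logs you keep.
"""
import re
from collections import Counter, defaultdict
from datetime import date
from urllib.parse import urlsplit

# Constructed inventory: hosts already covered by a privacy review / vendor contract.
APPROVED_VENDORS = {
    "cdn.example-analytics.com": "Analytics vendor (DPA signed)",
    "api.example-support-bot.com": "Customer support bot (PIA completed)",
}

# Constructed outbound-request log lines: <date> <time> <method> <url> bytes=<n>
SAMPLE_LOG = """\
2025-03-01 10:00:01 GET https://cdn.example-analytics.com/collect.js bytes=1200
2025-03-01 10:00:02 POST https://cdn.example-analytics.com/collect bytes=800
2025-03-02 10:00:01 GET https://cdn.example-analytics.com/collect.js bytes=1200
2025-03-02 10:00:03 POST https://api.example-support-bot.com/summarize bytes=5400
2025-03-03 10:00:01 POST https://cdn.example-analytics.com/collect bytes=900
2025-03-03 10:00:05 POST https://pixel.new-adtech.example/track bytes=600
2025-03-03 10:00:06 POST https://api.example-support-bot.com/summarize bytes=40000
"""

LINE_RE = re.compile(r"^(\S+) \S+ (\w+) (\S+) bytes=(\d+)$")


def parse_log(text):
    """Yield (day, method, host, bytes) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, method, url, nbytes = m.groups()
        yield date.fromisoformat(day), method, urlsplit(url).hostname, int(nbytes)


def find_unapproved_hosts(records):
    """Hosts seen in the log that are absent from the vendor inventory -> request count."""
    seen = Counter(host for _, _, host, _ in records)
    return {host: n for host, n in seen.items() if host not in APPROVED_VENDORS}


def daily_volume(records):
    """Bytes POSTed per host per day, as {host: Counter({day: bytes})}."""
    vol = defaultdict(Counter)
    for day, method, host, nbytes in records:
        if method == "POST":  # only outbound payloads count as data shared
            vol[host][day] += nbytes
    return vol


def volume_spikes(records, factor=3.0):
    """Hosts whose latest day's outbound bytes exceed factor x the prior daily average."""
    spikes = {}
    for host, per_day in daily_volume(records).items():
        days = sorted(per_day)
        if len(days) < 2:  # no baseline to compare against yet
            continue
        latest = per_day[days[-1]]
        baseline = sum(per_day[d] for d in days[:-1]) / (len(days) - 1)
        if latest > factor * baseline:
            spikes[host] = (baseline, latest)
    return spikes


def audit(text, factor=3.0):
    """Run both checks over a log and return findings for the privacy team."""
    records = list(parse_log(text))
    return {
        "new_hosts": find_unapproved_hosts(records),
        "spikes": volume_spikes(records, factor),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG)
    for host, n in findings["new_hosts"].items():
        print(f"UNREVIEWED VENDOR: {host} ({n} requests) - trigger a privacy risk assessment")
    for host, (baseline, latest) in findings["spikes"].items():
        print(f"VOLUME SPIKE: {host} sent {latest} bytes vs ~{baseline:.0f}/day before - "
              f"check whether the use has changed ({APPROVED_VENDORS[host]})")
```

On the constructed sample the script reports the ad-tech pixel as an unreviewed host and the support bot as a volume spike; in practice both findings are the cue to open a privacy risk assessment rather than a verdict on their own, since a spike can also be ordinary growth.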

Compliance Monitoring that Fits Your Organization

A monitoring program needs to consider the organization’s ability to maintain it and consistently apply it. When creating a program to help you ensure ongoing privacy compliance, ensure you:

  • Start with a clear goal. Organizations have different risk profiles—where one may seek full compliance, another may have a higher level of acceptable risk. Identify your organization’s risk profile and match your ongoing monitoring efforts to organizational goals.
  • Define privacy triggers. Create a list of business activities that always require privacy risk assessment. Things like launching a new product, service or feature; onboarding new technologies and vendors; expanding into new geographic regions.
  • Establish a realistic auditing program. Consider the resource levels and bandwidth of your privacy team and the teams involved in privacy audits to ensure you are balancing the overall business needs with the privacy risks.
  • Train stakeholders. Training helps people outside the privacy team understand the “why” of privacy. Privacy is not just a check-the-box compliance exercise; stakeholders should understand that it’s about trust, ethics, and consumer safety too.

Maintaining Compliance in an Ever-Changing World

Privacy laws are changing all the time, and privacy teams have a significant challenge keeping up with them. Add in internal organizational changes, and the job can feel overwhelming.

Establishing a repeatable privacy risk assessment process embedded into business unit workflows can help to distribute the workload. Leveraging existing system monitoring can efficiently identify changes in data handling practices.

Operational awareness is essential to continued privacy compliance. The job of privacy extends past writing policies and notices; it is ongoing and active, and always evolving with the business and the privacy landscape.

If your business is evolving, Red Clover Advisors can help ensure your privacy program evolves with it. Contact us today to get started.

The post A Changing Business Means Changing Privacy Obligations appeared first on Red Clover Advisors.