Privacy Risk Management and Compliance
I have been a big fan of the Open Compliance and Ethics Group for many years (since well before they honored me as a Fellow).
OCEG is a not-for-profit organization that focuses on “principled performance”, which they define as “a point of view and approach that helps organizations reliably achieve objectives while addressing uncertainty (both risk and reward) and acting with integrity (honoring both mandatory commitments and voluntary promises)”.
One of the reasons I continually recommend OCEG is that it is a great source of information and guidance, much of it free. In fact, individual membership is also free.
There’s a lot to like in the illustration.
For example, it emphasizes the need to monitor changes in privacy requirements everywhere the organization currently operates – and everywhere it plans to operate. Those changes need to be communicated to operating management, who need to limit the collection and retention of potentially private or confidential information to what is necessary to run the business.
It also tells us that we need to understand privacy risks and ensure we have controls in place commensurate with and appropriate to managing those risks.
It’s impossible to capture in a single-page diagram everything that is critical to managing privacy risk and remaining in compliance. One point I would make is that the organization needs to assign responsibility for monitoring compliance requirements (not only regulatory but societal requirements) and communicating them to operating management. The diagram assumes a “privacy team”, but sometimes it just takes one expert. It is critical that the assigned individual has the time to serve as the expert and is sufficiently integrated with management operations to provide timely input before management violates a regulation or damages the company’s reputation by exceeding what the local community will tolerate.
At one of my former companies, a mid-level attorney was tasked with handling privacy compliance matters. While he understood the laws and regulations, he was busy on other matters and very reluctant to insert himself into situations when my audit team found non-compliance issues. He was neither proactively ensuring management complied with EU regulations, nor assertive when non-compliance was detected.
I learned the lesson that those charged with being the privacy expert (and the same applies to any compliance expert) need to have a level of passion for the topic and the desire to prevent issues as well as defend the company when it fails to comply.
I would also consider the issue of how private and confidential information is held within the organization. It’s not enough to limit employee access; the information needs to be protected from intruders, generally through encryption – both where it is stored and while it moves between systems – with the keys managed separately from the data, so that a copy of the data alone is of no use to an attacker.
What do you think of the illustration? What would you add?