Top 5 privacy initiatives for your team in 2017

Jan 04, 2017 | 6 min read

What should a privacy team do to get ready for 2017? Changes to U.S. privacy laws, the EU-U.S. Privacy Shield and the General Data Protection Regulation (GDPR) are some of the things that may impact your organization. Here are the top five things you should be doing.


A privacy office always seems to be one of those departments that has a full, if not overflowing, plate. Whether staffed by one person or 30, there is always something else that needs to be done. With continuous changes to external requirements, be they from regulators or lawmakers or public opinion, and evolving business projects, privacy teams must anticipate and prepare for the future.

2016 was a year of realignment for privacy. To name just a few of the events, data breaches continued (both large and small scale), U.S. breach notification laws were modified, the EU-U.S. Privacy Shield was established to replace Safe Harbor, and the General Data Protection Regulation (GDPR) was adopted, with enforcement beginning in May 2018. Given the global political climate, I am sure 2017 will be as tumultuous as 2016.

What should a privacy team do to get ready for 2017? Here are the top 5 things you should be doing to lay the foundation for your organization to meet ever-changing privacy requirements.

Gauge the understanding of privacy in your organization

My team and I recently completed a data inventory for a client. During this process, we met with various operational areas of the organization to understand their collection and processing of personal information. A question we asked early on was, “Does your department use the corporate definition of personal information?” Of course, the answer was always “yes.”

As we continued our research, we found that the definition of personal information was not well understood. For example, some departments excluded employee information while others only included electronically stored, structured data. These were departures from the corporate definition, flagging a risk that needed to be addressed.

My team also asked, albeit indirectly, if the operational areas understood their responsibilities in the protection of personal information. As we looked at the varying responses for how permission was granted for individuals to access information, how vendor oversight was performed, how personal information was protected at rest and in transit, and how data was destroyed, the impact of the varying interpretations of the personal information definition became apparent and concerning.

Generally, the privacy team is accountable for the proper use and protection of personal information, but the team must rely on other operational areas of the organization to fulfill their assigned privacy responsibilities for a program to be successful. If individuals in the organization do not understand something as basic as the definition of personal information, the risk that responsibilities will not be met is high.

Review your external requirements

Laws, regulations and public expectations are constantly in flux. When changes occur in external requirements there may be a significant impact on your organization. Take, for example, the change in scope between the EU Data Protection Directive and the GDPR.

Under the directive, an organization is in scope when it is established in an EU member state or, if established outside the EU, when it uses equipment located in the EU to process personal data. Under the GDPR, the scope expands to cover organizations with no EU establishment at all if they offer goods or services (paid or free) to individuals in the EU or monitor the behavior of individuals in the EU, regardless of where the organization is established or where the processing takes place.

For many organizations, this change in scope is yet to be recognized and may have a material impact on their operations.

Portfolio your personal information holdings

Understanding what personal information is collected, how it is used, how it is shared, and how it is protected is a foundational component of a privacy program. An approach often used is to do a detailed data inventory to gain this understanding.

Creating a data inventory is a time- and resource-consuming effort. It would not be unusual for a data inventory to take 9 to 18 months to yield results. A less comprehensive way to gain a similar understanding is to create a data portfolio. A data portfolio focuses on the business view of how personal information is captured and processed, as opposed to the detailed, element-level information an inventory captures.

For each operational area in an organization, the portfolio records what personal information is used in the area, by which IT systems or business processes, how the information flows among those systems and processes, and what protections are provided for that information. Both internal and external systems and processes are included.

It may be necessary to get IT involved in some of the discussions, but, unlike an inventory, the portfolio does not include the technical details of the IT systems such as specific data element names, file/database table names, or the technical details of the protections afforded the data.

A privacy team can review the data portfolio to ensure compliance with corporate policies and external requirements. Areas of concern can then be identified where a deeper dive may be needed.
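The following is an added example, not code from the original post, showing one way a privacy team could hold a data portfolio in a simple structure and run corporate-policy checks over it to surface areas that need a deeper dive. The policy rules (encryption at rest, a retention schedule, periodic access review, a vendor agreement for external transfers, encryption in transit) and the sample holdings are constructed for illustration and are not from any real organization.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Flow:
    """One movement of personal information out of a system or process."""
    destination: str
    external: bool             # leaves the organization (vendor, partner, regulator)
    agreement_recorded: bool   # vendor contract / data processing terms on file
    encrypted_in_transit: bool


@dataclass
class Holding:
    """Personal information handled by one system or business process."""
    area: str                  # operational area (HR, Marketing, ...)
    system: str                # IT system or business process name
    categories: List[str]      # kinds of personal information held
    encrypted_at_rest: bool
    retention_defined: bool    # destruction schedule documented
    access_reviewed: bool      # periodic review of who may access it
    flows: List[Flow] = field(default_factory=list)


def review_portfolio(holdings: List[Holding]) -> Dict[str, List[str]]:
    """Apply policy checks to every holding and return findings keyed by area.

    The checks are hypothetical corporate-policy rules chosen for illustration.
    """
    findings: Dict[str, List[str]] = {}
    for h in holdings:
        issues = []
        if not h.categories:
            issues.append(f"{h.system}: no personal information categories recorded")
        if not h.encrypted_at_rest:
            issues.append(f"{h.system}: personal information not encrypted at rest")
        if not h.retention_defined:
            issues.append(f"{h.system}: no retention/destruction schedule")
        if not h.access_reviewed:
            issues.append(f"{h.system}: access permissions not reviewed")
        for f in h.flows:
            if f.external and not f.agreement_recorded:
                issues.append(f"{h.system} -> {f.destination}: external transfer with no vendor agreement on file")
            if not f.encrypted_in_transit:
                issues.append(f"{h.system} -> {f.destination}: transfer not encrypted in transit")
        if issues:
            findings.setdefault(h.area, []).extend(issues)
    return findings


def areas_needing_deeper_dive(findings: Dict[str, List[str]], threshold: int = 2) -> List[str]:
    """Areas with at least `threshold` findings are candidates for a detailed inventory."""
    return sorted(area for area, issues in findings.items() if len(issues) >= threshold)


# Constructed sample portfolio (not real client data).
SAMPLE_PORTFOLIO = [
    Holding("Human Resources", "HRIS", ["employee contact", "payroll"],
            encrypted_at_rest=True, retention_defined=True, access_reviewed=True,
            flows=[Flow("payroll vendor", external=True, agreement_recorded=True, encrypted_in_transit=True)]),
    Holding("Marketing", "Campaign tool", ["customer contact", "purchase history"],
            encrypted_at_rest=False, retention_defined=False, access_reviewed=True,
            flows=[Flow("email service provider", external=True, agreement_recorded=False, encrypted_in_transit=True)]),
    Holding("Customer Service", "Ticketing", ["customer contact"],
            encrypted_at_rest=True, retention_defined=True, access_reviewed=False,
            flows=[Flow("data warehouse", external=False, agreement_recorded=False, encrypted_in_transit=False)]),
]


if __name__ == "__main__":
    found = review_portfolio(SAMPLE_PORTFOLIO)
    for area, issues in found.items():
        print(area)
        for issue in issues:
            print("  -", issue)
    print("Deeper dive recommended for:", areas_needing_deeper_dive(found))
```

The point of the structure is that it stays at the business level (system names, categories of information, yes/no protection attributes), which is what a portfolio is for; the technical detail behind each "no" is exactly what the follow-up inventory of a flagged area would collect.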

Measure the success of your privacy program

How do you know your privacy program is effective? One way is to have a compliance review program in place. This approach usually requires the investment of time and resources to assess or audit individual operational areas.

A less resource intensive and less invasive alternative is to establish a set of metrics. I am not suggesting just counting the number of privacy incidents, privacy impact assessments, or queries and complaints handled by the privacy team. I am suggesting creating a metrics package that gives meaningful, actionable information to the privacy team and operational areas within an organization to use to make decisions.

For example, while knowing the number of privacy incidents per period is important, knowing the number of incidents by classification and by operational area will allow stakeholders to understand where improvements may be made. Better yet, it can provide evidence that the program is working and nothing needs to change… for now.
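As an added illustration (not from the original post), the script below takes a constructed incident log and shows why a headline count alone misleads: the total rises from one quarter to the next, while the breakdown by operational area and classification shows one area improving and another getting worse. The incident records, area names and classifications are made up for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed incident log: (period, operational area, classification).
INCIDENTS: List[Tuple[str, str, str]] = [
    ("2016-Q3", "Marketing", "misdirected email"),
    ("2016-Q3", "Marketing", "misdirected email"),
    ("2016-Q3", "Marketing", "vendor oversight"),
    ("2016-Q3", "HR", "access without need"),
    ("2016-Q3", "Customer Service", "misdirected email"),
    ("2016-Q4", "Marketing", "misdirected email"),
    ("2016-Q4", "HR", "access without need"),
    ("2016-Q4", "HR", "access without need"),
    ("2016-Q4", "HR", "improper disposal"),
    ("2016-Q4", "Customer Service", "misdirected email"),
    ("2016-Q4", "Customer Service", "misdirected email"),
]


def incidents_per_period(incidents) -> Dict[str, int]:
    """The headline metric: total incidents in each period."""
    return dict(Counter(period for period, _, _ in incidents))


def breakdown(incidents, period: str) -> Dict[str, Dict[str, int]]:
    """Incidents in `period` by operational area, then by classification."""
    table = defaultdict(Counter)
    for p, area, cls in incidents:
        if p == period:
            table[area][cls] += 1
    return {area: dict(counts) for area, counts in table.items()}


def period_change(incidents, prev: str, cur: str) -> Dict[str, int]:
    """Change in incident count per area between two periods (negative = improvement)."""
    before = Counter(area for p, area, _ in incidents if p == prev)
    after = Counter(area for p, area, _ in incidents if p == cur)
    return {area: after[area] - before[area] for area in sorted(set(before) | set(after))}


def hotspots(incidents, period: str, min_count: int = 2) -> List[Tuple[str, str]]:
    """(area, classification) pairs with at least `min_count` incidents in `period`.

    These are where targeted training or a process change is most likely to pay off.
    """
    pairs = Counter((area, cls) for p, area, cls in incidents if p == period)
    return sorted(pair for pair, n in pairs.items() if n >= min_count)


if __name__ == "__main__":
    print("Totals:", incidents_per_period(INCIDENTS))
    print("Q4 by area and classification:", breakdown(INCIDENTS, "2016-Q4"))
    print("Change Q3 -> Q4 by area:", period_change(INCIDENTS, "2016-Q3", "2016-Q4"))
    print("Q4 hotspots:", hotspots(INCIDENTS, "2016-Q4"))
```

Run against the sample log, the total goes from 5 to 6, which on its own says little. The per-area change shows Marketing dropping by two while HR rises by two, and the hotspot list points at repeated "access without need" incidents in HR and misdirected email in Customer Service, which is the kind of actionable detail a metrics package should give operational areas.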

Creating an effective, meaningful and actionable set of metrics involves several considerations. I'll leave those for a future post.

Ramp up your training and awareness programs

What personal information a person wants kept private has both cultural and generational aspects. For example, there is some personal information my niece puts on Facebook that my sister (when she was younger) would have put in her diary and my mother won't even talk about. Within an organization, we are asking our staff to set aside their own privacy perspectives in favor of those defined by policies and procedures. To do this, both training and awareness programs are needed.

Training includes formal sessions either face-to-face, through webinars or through computer-based training, for example, in which staff members are required to participate. Training should occur when someone first joins the staff and annually thereafter. Training should also be extended to include anyone doing business on behalf of the organization.

Awareness is less formal. An awareness program provides reminders to keep privacy top-of-mind between training events. Creativity is the key to success for an awareness program. You can find some cost-effective, yet impactful, ideas for awareness activities in some of my other postings in this blog.

Privacy teams need to get buy-in for their program across the organization. Gauging your organization’s understanding of your privacy requirements, both internally and externally driven, and measuring operational fulfillment of responsibilities will allow you to tailor your training and awareness efforts to increase the maturity and success of your privacy program.


Bob Siegel has extensive professional experience in the development of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity, and the evaluation of compliance. He has extensive experience with PCI DSS and Safe Harbor and has deep subject matter knowledge surrounding key laws and regulations regarding consumer privacy and information security.

Throughout his career Bob has worked with computer applications and business practices that guard personal information. In addition to developing these systems, he trained employees to use them properly and efficiently. As the collection of personal information has increased, he has developed new approaches to help his organizations protect their sensitive data (both electronic and paper-based).

Bob is a Certified Information Privacy Professional, awarded from the International Association of Privacy Professionals, with concentrations in US Law (CIPP/US), European Law (CIPP/E), and Canadian Law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Technologist (CIPT). He is a member of the IAPP faculty and has served on the Certification Advisory Board for its Certified Information Privacy Manager (CIPM) program as well as the Publications Advisory Board. He was also recently awarded as a “Fellow of Information Privacy” by the IAPP.

Most recently, Bob served as senior manager of Worldwide Privacy and Compliance for Staples, Inc., where his responsibilities included development, awareness, and compliance of global privacy-related policies and procedures for more than 60 business units in 26 countries.

A seasoned program management expert, Bob has a long record of accomplishments in business planning, information privacy, sales support, customer support, application development, and product management. He has helped executive teams convert strategic plans into programs with well defined, measurable outcomes. He also has created realistic program schedules and budgets, resolved critical path issues, managed risks and delivered results consistently on time and within budget.

Bob can be reached at

The opinions expressed in this blog are those of Bob Siegel and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.