Companies need to have a comprehensive privacy program in order to comply with legal requirements and satisfy the concerns of their customers and business partners. Several distinct, yet highly related, activities must be undertaken in order to effectively implement and manage a privacy program:
- Management must engage in strategic and business planning relating to operational activities that are impacted by requirements imposed by privacy-related laws, regulations and industry standards.
- An assessment must be made of the current level of company compliance with privacy-related requirements, and the risks confronting the company from non-compliance must be identified and quantified.
- Solutions to deficiencies in the current level of company compliance should be created and introduced into the operational activities of the company.
- Appropriate criteria and procedures for monitoring the effectiveness of the privacy program should be developed and implemented.
- The privacy program should be regularly and continuously evaluated by both internal and external auditors.
The relationship between the privacy program and the company’s overall business strategy is particularly interesting. Obviously, each company should have its own unique and overriding vision for the long-term direction of its business and the goals and objectives that it wishes to achieve. One important element of this vision is the type of organizational culture that it wishes to establish and nurture, including the norms and values with respect to the collection, use and protection of personal information. The organizational culture should also include an understanding of how the company interacts with its external environment, including customers, and the approach that management expects its employees to take with respect to the legal, social and ethical issues that are part of the company’s business environment. Realization of management’s vision for the company occurs through the creation and implementation of a strategic plan. While a strategic plan is necessarily comprehensive and covers all areas of the company’s business, it should identify privacy compliance issues and establish strategies and tactics for dealing with those issues. For example, the strategic plan should address the acquisition and allocation of the resources necessary to establish and manage a privacy program, including a budget for security systems, employee training, administration, advertising, auditing and other related services.
Also, since the privacy program is part of the company’s broader compliance efforts, consideration must be given to auditing the efficacy of the program. Regular monitoring of the effectiveness of the privacy program should include formal internal and external audits that provide management with independent and objective assessments of how well the program is operating and how effective it has been in achieving its stated goals and objectives. Audit procedures can focus on specific aspects of the compliance program. For example, auditors can review the manner in which the company has handled requests for personal information, the processes used to collect such information, and the safeguards that are used when such information is disclosed (e.g., what steps are taken to verify that the recipients of the information are entitled to receive it and will take the necessary steps to protect it). Internal auditors can assist management in creating efficient internal processes for privacy compliance, and their effectiveness is enhanced by their greater familiarity with the operational activities of the company. External auditors, on the other hand, can provide independent assurance services that give greater comfort to outside parties such as customers, regulators, business partners and visitors to the company’s website. The goal of the internal and external audit process is to generate reports and data for management that can be used to modify and improve the strategic and business plan underlying the privacy program.
The content in this post has been adapted from material that will appear in Business Transactions Solutions (Fall 2008) and is presented with permission of Thomson/West. Copyright 2008 Thomson/West. For more information or to order call 1-800-762-5272.