• Privacy

Implementing Privacy Assurance


Establishing a Second Line of Defense to Sustain Compliance

Lindsay Hohler, Principal Privacy and Data Protection at Grant Thornton LLP, and her colleague Eric Paulson a Manager in the Privacy and Data protection group presented the session Privacy Assurance: Establishing a Second Line of Defense to Sustain Compliance at the December 2021 Spokes Technology Privacy Conference.

There has been much discussion about the need for “frameworks” when operationalizing privacy. The session, sponsored Grant Thornton LLP, presents a detailed look at how organizations may effectively and practicably establish such frameworks that support scalable and sustainable privacy compliance and ultimately effectuate privacy by design.

What is the role of privacy assurance?

To sustain compliance and manage risks, practices really can look to a “three lines of defense:” 1) Privacy Operations; 2) Privacy Assurance; 3) Internal/External audit. Here we focus on that second line of defense, privacy assurance.

The role of privacy assurance in this is to monitor regulations, privacy risks, and establish policy guidelines to help the first line – the operations team (the business, Privacy, IT, Marketing, et al.) – follow those guidelines. It also provides the third line of defense – internal or external audit – with a framework necessary to independently assess privacy compliance and risks.

Privacy assurance is the 2nd line of defense after privacy operations and before internal/external audits.

For example, a privacy assurance function would be needed to inform the business that they have to respond to EU data subject requests (DSARs) within the one-month time period prescribed by regulation. The business would then be responsible for designing that process in order to respond in a timely manner. Internal audit would then run an independent audit, making sure that the business was responding appropriately. Another example might be managing the requirement for the consumers opt-out of the sale of personal information mechanism.

As we look to the second line of defense you can readily see that collaboration is extremely important as it helps establish roles and responsibilities through a privacy framework and the accountability for each process.

As an additional benefit the privacy assurance component ostensibly functions as a training and communication platform that really builds and promotes privacy by design throughout privacy operations.

—Eric Paulson

The pillars of privacy assurance

Crucial to the establishment of the control framework are well-defined roles and responsibilities; a compliance monitoring function; and established key risk indicators to monitor and measure those privacy risks and obligations.

The three pillars of privacy assurance are privacy control framework, compliance monitoring, and establishing key risk indicators (KRIs).

While a privacy control framework can leverage industry frameworks such as NIST or ISO, we’ve also seen organizations create their own custom frameworks. There is a lot of flexibility and irrespective of approach, a framework will help an organization, not only understand their compliance requirements but also rationalize those requirements by defining objectives and thinking about control matrixes that align with an organization’s obligations and risk appetite.

Importantly, providing a control framework while allowing the business owners to define the processes that work best for them enables business units to take responsibility and understand how to meet privacy compliance objectives and be accountable to the privacy controls.

—Eric Paulson

The second pillar, compliance monitoring, concerns the steps a company needs to take to comply with privacy and continuously evaluate its effectiveness to ensure that the control objective is being met. This can be done through compliance self-assessments. Continuous evaluation is particularly important given that the regulatory landscape is constantly changing with emerging regulation and changing interpretations.

Key risk indicators (KRIs) are the metrics that provide the privacy team the opportunity to continually monitor compliance, assess risk, and evaluate opportunities for improvement.

Example KRIs we typically see include:

  • number of data subject requests;
  • number of days outstanding;
  • data inventory validation; and
  • the number of systems in the data inventory.

KRIs help the assurance teams verify that privacy activities are being completed timely and understand trends (e.g., DSARs trending up). This supports assessing root causes and implementing improvements before there are significant negative impacts.

Establishing KRIs is an effective way to communicate program requirements to leadership such as approvals for budgets, the need for additional resources, or technology investments.

—Eric Paulson

The steps to establishing a privacy framework

Establishing a framework is the foundation of a privacy assurance program. It provides a baseline to manage and mitigate risks and helps to make sure that individuals throughout the organization understand their roles and responsibilities in doing so. The key question, then is how do you determine the right framework?

Establishing a privacy framework: determine approach, map controls, ID roles/responsibilities, ID risks, & mitigate risks.

Step 1: Determine your approach

As noted above, we’ve seen companies leverage one of the leading frameworks and customize it to fit their business. Whichever framework you choose, it is important to define the domains across the privacy area, as well as subdomains and control activities.

You also want to strike the right balance. The framework should be manageable but also detailed enough to map to the underlying regulatory requirements and demonstrate accountability.

—Lindsey Hohler

Step 2: Mapping controls

Once the framework and baseline have been determined, the work of mapping the controls begins. It is here where a lot of the customization happens to achieve alignment with regulatory requirements; controls language; testing procedures; the data types and data subjects; and defining risk and the opportunity to mitigate those risks, for example.

Importantly, by using a one-to-many approach you can have a simplified set of activities to manage. The goal is to have a clearly defined set of controls that can address all of the organization’s privacy obligations.

Step 3: Identifying Roles & Responsibilities

Once all the controls have been identified and mapped, the next step is to map ownership. Some of the controls may sit with the privacy team, but many of the activities will actually be performed by the business.

Identifying roles and responsibilities help promote privacy-by-design and ensure that individuals understand their responsibility as they relate to privacy. Here, it is important to highlight the criticality of strong executive – and middle management – sponsorship.

—Lindsey Hohler

This, as many know, is one of those activities that’s much easier said than done and takes quite a bit of work to actually embed these activities within the underlying organizations.

Step 4: Identify risks

The next step is to identify what is in place today and think toward the future: to work towards mitigating risk going forward. The high-risk functions need to be identified and communicated to the business.

Also, risk levels should be assigned with each underlying control to feed reporting, escalations, and determine the remediation efforts that are needed. This also provides insights into privacy operations to help understand issues that may be impacting risks. This should map to regulator expectations as well.

Properly documented controls and roles and responsibilities will allow you to shift priorities very quickly.

Step 5: Supporting risk mitigation

The last step in developing a robust controls framework is to support risk mitigation – a key outcome. This involves monitoring control implementation, performing ongoing assessments and reviews, as well as using KRIs to help monitor and measure privacy operations.

Having defined the controls and identified the control owners, the privacy team is more ready to collaborate with, and support, the business and risk mitigation activities.

Once a risk is identified the control owner can speak to the cause and from there, the privacy team can work to understand that risk, develop a plan, and help leadership understand the issues and needed remediations (or to determine that the business is comfortable accepting the risk).

Ultimately,  a privacy compliance framework will help build a stronger understanding of the organization’s overall privacy obligations and define the accountability needed to operationalize these activities.

—Lindsey Hohler

Privacy control frameworks in practice: a case study

The Challenge: A financial company had many privacy operations owned and managed outside the privacy team by business units across the organization. Adding to the complexity, multiple regulations were industry-specific and geo-specific.

The Goal: Assess compliance across a wide range of data privacy regulations (15+) and identify and remediate gaps in compliance across services, businesses, and operations.

One of the challenges Grant Thornton faced was identifying control owners. Early on it became clear that individuals identified as control owners were not operationally responsible. This required identifying both who were performing these activities and who owned those controls.

With control activities and owners identified it was possible to then implement a recurring process so that the control owners could regularly validate the activities, note any changes to the process, and leverage the framework to support audit committee and board reporting.

Identify the framework to leverage, the domains/subdomains to align with requirements, and map controls to each requirement.

This resulted in improved privacy operations with an enhanced ability to monitor compliance:

  • the ability to guide control owners where risk is identified;
  • greater visibility to the DPO through KRI evaluation;
  • the ability to define short-, mid-, and long-term goals to improve compliance;
  • the ability to identify high-risk data processing and need for data inventory revalidation;
  • the ability to more quickly map new regulations and incorporate those into privacy operations and controls; and
  • the ability to establish guidance at the business unit level.

Privacy assurance outcomes: reinforced roles, compliance monitoring, strong privacy operations, less legal/compliance risks.

Given the complexity of managing privacy for regulatory compliance, let alone attaining privacy-by-design, it is not a matter of dispute that robust operational capabilities are required. This is as true for smaller brands and publishers as it is for the largest.

Effective operations are simply not feasible without establishment of privacy principles, carefully considered frameworks to implement them, and investment in the technologies and processes to support them. Privacy cannot simply be bolted on.

To learn more about operationalizing privacy from some of the world’s leading practitioners, we suggest: