Privacy Governance: ROPAs are the New Normal
A key component of privacy governance is assessments. While Records of Processing Activity (ROPAs) do not assess risk per se, they do assess the who, what, why, where, and how of information processing. Analyzing the results against internal policy, processes, and regulatory requirements to determine potential areas of risk is critical.
We recently met with Tara’s colleague, Yahoo AGC, Katie Pimentel. Katie spoke compellingly about the benefits of adopting the NIST Privacy Framework as an effective vehicle for implementing data privacy governance and the value of ROPAs as an internal risk assessment tool.
But the framework is only part of the story. Successful implementation requires socialization, training, and teaming across the organization to enable the accurate collection of ROPA data that serve as critical inputs to privacy governance.
Tara Jones, Senior Manager Global Data Privacy Compliance & Governance, Yahoo, joined WireWheel CEO Justin Antonipillai, Director of Privacy, Lisa Barksdale, and her colleague Yahoo AGC, Katie Pimentel at the breakout session “Rise of the Privacy Operations Leader” at the IAPP Privacy. Security. Risk. 2021 Conference.
Ms. Jones was kind enough to speak with us to offer a small preview of their planned presentation and the “new normal” of ROPAs.
I think that we’re pretty lucky because, for the most part, the majority of our product owners really do want to comply with the regulations. It has been a relatively smooth process in terms of the communication with the product owners filling out the ROPAs.
Of course, we had to chase down a few to try to get them to respond, but for the most part, a couple of emails back and forth would suffice.
Some challenges, notes Tara, are logistical. For example, “when product owners leave the company or change departments, tracking down who will have responsibility going forward.” Yahoo’s separation from Verizon created some challenges as well, since some product owners went to Verizon and others came with Yahoo. To solve for this, notes Ms. Jones, “we developed a process for identifying product owners within the WireWheel system.”
All this is to be expected, of course. While everyone gets the importance of completing ROPA questionnaires, it represents just one of a long list of priorities. “For the most part,” says Tara, “the product owners would go into WireWheel and update their ROPAs. They want to be compliant. And they definitely don’t want to be on that report that goes to their second or third level manager that says that they’re not.”
Communication and Continuous Improvement
Having escalation and communication protocols in place was key to Yahoo’s success in driving compliance as they implemented their NIST framework privacy program. When Tara communicates with the business unit owners, they know what is expected including an acceptable turnaround time. If expectations aren’t met, an escalation process kicks off that includes executive reporting on meeting the ROPA process metrics. Codifying the ROPA process and metrics, and clearly communicating expectations, benefits both the program and those responsible for the inputs.
The more than 700 people who engaged in the initial project will continue to engage going forward to recertify the ROPAs and support iterative compliance testing – including improvements to the ROPA questionnaires. “This is ongoing,” explains Tara, “and what we refer to as their ‘new normal,’ as the component owners will now have to certify them every year.”
Importantly, this thoughtful approach, inclusive of the communication routines, creates a closed-loop control process that enables continuous improvement of the data inputs. This in turn improves internal risk assessments, and with them overall privacy governance.
Right now, we’re going back and we’re analyzing all of the ROPAs that we have compiled over the last year. We send a general email to everyone involved. They receive an update request from us via email with a link to an FAQ that communicates what we’re doing; that we have analyzed the ROPAs; and now have follow-up questions that we need you to answer.
This follow-up includes feedback from Privacy indicating possible corrections to questionnaire responses (e.g., opinions on appropriate data retention schedules) and asks for those updates. Notably, however, Privacy also asks for feedback from owners to continually improve and refine the process.
“The responses that we’re getting are really, really good and insightful. Even if they’re unable to complete the ROPA for some reason, they’ll come back to us and say, ‘I tried to complete it but some of the options that you had available don’t fit my product.’ This lets us know that we need to go back and look at the ROPA and offer more options for people who have different types of products.”
Privacy at Scale
Unless your organization is extremely small, using a tool such as WireWheel to manage these assessments is a critical component to the success of your governance program. This is one of those items that may seem like an unnecessary expense as you are starting down the privacy governance path but will prove to be a huge asset as you move into years two and three and move more into the maintenance, testing, and certification phases of the program.
When hearing from experts at large companies, privacy professionals at smaller companies may assume that absent the expansive resources of a Yahoo – audit teams, robust cybersecurity infrastructure, et al. – the programmatic approach advocated is out of reach. Not so.
There are a plethora of available technologies and consulting services that are scale-appropriate for your organization. And keep in mind, the cost to your organization of ad hoc approaches (read burden, dollars, and risk) will likely far exceed the cost of implementing a sound privacy governance framework.