Privacy and Security Compliance Governance Defined

Privacy and security compliance governance necessary to meet the EU’s GDPR and California’s CCPA is a multi-step process involving both the IT function and the enterprise’s business operations.

Security and privacy compliance governance focuses on the two prongs of the GDPR and CCPA compliance mandates. It is a five-step process.

Step 1 – Define where the enterprise is and the issues it faces

Define privacy requirements

  • Review existing privacy policies and statements and document how they compare with GDPR and CCPA requirements
  • Assess data subject rights to consent, use, access, correct, delete and transfer personal data
  • Discover and classify personal data assets and affected systems
  • Identify potential access risks

Define security requirements

  • Assess the current state of your security policies, identifying gaps, benchmarking maturity and establishing conformance road maps
  • Identify potential vulnerabilities, supporting security and privacy by design
  • Discover and classify personal data assets and affected systems in preparation for designing security controls

Step 2 – Define what must be done

Document privacy requirements

  • Create a work plan that details your GDPR and CCPA remediation and implementation activities
  • Design the policies, business processes and supporting technologies you’ll need to implement your plans
  • Create a GDPR and CCPA reference architecture
  • Evaluate compliance governance processes

Document security requirements

  • Develop a security remediation and implementation plan
  • Define a security reference architecture
  • Define technical and key performance indicators (KPIs) for risk reduction, covering encryption, pseudonymization, access control and monitoring

Step 3 – Implement changes

Implement privacy requirements

  • Implement and execute policies, processes and technologies
  • Automate data subject access requests

Implement security requirements

  • Implement privacy-enhancing controls, including encryption, tokenization and dynamic masking
  • Boost protection by implementing security controls; mitigate access risks and security vulnerabilities

Step 4 – Operate and maintain the new GDPR and CCPA environment

Manage privacy

  • Manage GDPR and CCPA data governance practices, including information life-cycle governance
  • Manage GDPR and CCPA enterprise conformance programs, including those for data use, consent activities and data subject requests
  • Monitor personal data access
  • Maintain compliance governance process and manage GDPR and CCPA roles and identities
  • Develop GDPR and CCPA KPI metrics and reporting schemas

Manage security

  • Manage and implement security program practices, including those for risk assessment, roles and responsibilities, and program effectiveness
  • Manage and monitor security operations and intelligence to help detect, respond to and mitigate threats
  • Manage incident response and forensics practices

Step 5 – Govern, audit and report on compliance

Govern privacy compliance requirements

  • Record personal data access audit trails, including individuals’ rights to access, modify, delete and transfer data
  • Perform data processor and controller governance, including providing processor guidance, tracking data processing activities, providing audit trails and preparing for data subject access requests
  • Document and manage your compliance program, including ongoing monitoring, assessment, evaluation and reporting of GDPR and CCPA activities
  • Respond to and manage breaches

Govern security compliance requirements

  • Coordinate technical and organizational measures to ensure security appropriate to processing risk
  • Document your security program, including ongoing monitoring, assessment, evaluation and reporting of security controls and activities
  • Respond to and manage breaches
