Privacy and Security Compliance Governance Defined
Privacy and security compliance governance necessary to meet the EU’s GDPR and California’s CCPA is a multi-step process involving both the IT function and the enterprise’s business operations.
The governance process addresses the two prongs of the GDPR and CCPA compliance mandates, privacy and security, in five steps.
Step 1 – Define where the enterprise is and the issues it faces
Define privacy requirements
- Review existing privacy policies and statements and document how they compare with GDPR and CCPA requirements
- Assess data subject rights to consent, use, access, correct, delete and transfer personal data
- Discover and classify personal data assets and affected systems
- Identify potential access risks
Define security requirements
- Assess the current state of your security policies, identifying gaps, benchmarking maturity and establishing conformance road maps
- Identify potential vulnerabilities, supporting security and privacy by design
- Discover and classify personal data assets and affected systems in preparation for designing security controls
Step 2 – Define what must be done
Document privacy requirements
- Create a work plan that details your GDPR and CCPA remediation and implementation activities
- Design the policies, business processes and supporting technologies you’ll need to implement your plans
- Create a GDPR and CCPA reference architecture
- Evaluate compliance governance processes
Document security requirements
- Develop a security remediation and implementation plan
- Define a security reference architecture
- Define the technical controls that reduce risk, including encryption, pseudonymization, access control and monitoring, and the Key Performance Indicators (KPIs) that will show whether they are working.
Step 3 – Implement changes
Implement privacy requirements
- Implement and execute policies, processes and technologies
- Automate data subject access requests (GDPR Article 12 requires a response within one month, extendable by two further months for complex requests; CCPA allows 45 days, extendable once by a further 45 days)
Implement security requirements
- Implement privacy-enhancing controls, including encryption, tokenization and dynamic masking
- Boost protection by implementing security controls; mitigate access risks and security vulnerabilities
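The controls named in Step 2 (encryption, pseudonymization, access control) and Step 3 (tokenization, dynamic masking) are easy to list and easy to confuse. The following Python block is an added example, not code from the original page or from any product it describes, that shows the three data-level controls side by side: a keyed, deterministic pseudonym (HMAC-SHA256, so records can still be joined but the value cannot be rebuilt without the key), a vault-based token (random, reversible only by a caller holding a detokenize entitlement), and role-based dynamic masking applied at read time. The key, the customer record, the role names and the entitlement string are all constructed for the example. One caveat a practitioner should keep in mind: under GDPR Article 4(5) and Recital 26, pseudonymized data is still personal data, and the key or mapping that permits re-identification must be kept separately from the data it protects.

```python
"""Added example: pseudonymization, vaulted tokenization and dynamic masking
for personal data. Keys, records, roles and entitlements are constructed for
illustration only."""
import hashlib
import hmac
import re
import secrets

# Constructed example key. In practice the key lives in a KMS or HSM and is
# stored separately from the pseudonymized data (GDPR Art. 4(5)).
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: the same input always yields the same
    output (after normalising case and whitespace), so records can still be
    joined, but without the key the pseudonym cannot be reversed or rebuilt
    by hashing guessed values."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class TokenVault:
    """Vaulted tokenization: a random token replaces the value in application
    data; the token->value mapping lives only in this separate store, and
    detokenization is restricted to callers holding a (constructed)
    'pii:detokenize' entitlement."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:          # stable token per value
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)     # no relationship to value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, caller_entitlements: set) -> str:
        if "pii:detokenize" not in caller_entitlements:
            raise PermissionError("caller is not entitled to detokenize")
        return self._token_to_value[token]


def mask_email(email: str) -> str:
    """Keep first character and domain: enough for a support agent to confirm
    identity with the customer, not enough to contact them from the mask."""
    local, _, domain = email.partition("@")
    if not domain:
        return "***"
    return local[0] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits."""
    digits = re.sub(r"\D", "", phone)
    return ("***-***-" + digits[-4:]) if len(digits) >= 4 else "***"


# Constructed role -> per-field masking policy. Masking is applied when the
# record is read, so stored data is unchanged and the same row looks
# different to different roles. Fields absent from a policy pass through.
MASKING_POLICY = {
    "support": {"email": mask_email, "phone": mask_phone,
                "national_id": lambda v: "***"},
    "analyst": {"email": pseudonymize, "phone": lambda v: "***",
                "national_id": lambda v: "***", "name": lambda v: "***"},
    "dpo": {},  # Data Protection Officer sees clear text for DSAR handling
}


def mask_for_role(record: dict, role: str) -> dict:
    """Dynamic masking: return a copy of the record transformed according to
    the requester's role. Unknown roles get every field masked (fail closed)."""
    policy = MASKING_POLICY.get(role)
    if policy is None:
        return {k: "***" for k in record}
    return {k: (policy[k](v) if k in policy else v) for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample record.
    record = {"customer_id": "C-1001", "name": "Ana Example",
              "email": "Ana@Example.org", "phone": "+1 415 555 0134",
              "national_id": "123-45-6789"}
    vault = TokenVault()
    token = vault.tokenize(record["national_id"])
    print("pseudonym :", pseudonymize(record["email"]))
    print("token     :", token)
    for role in ("support", "analyst", "dpo", "contractor"):
        print(role.ljust(10), mask_for_role(record, role))
    print("detokenized by DPO:", vault.detokenize(token, {"pii:detokenize"}))
```

The three techniques answer different governance questions: pseudonymization supports analytics and joins on data that must stay in scope; tokenization removes the real value from the application database entirely and concentrates access control in the vault; dynamic masking changes nothing at rest and enforces least privilege at the point of access. The monitoring called for in Step 2 belongs on the vault's detokenize path and on the masking service, because those are the only places clear-text personal data is released.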
Step 4 – Operate and maintain the new GDPR and CCPA environment
Manage privacy
- Manage GDPR and CCPA data governance practices, including information life-cycle governance
- Manage GDPR and CCPA enterprise conformance programs, including those for data use, consent activities and data subject requests
- Monitor personal data access
- Maintain compliance governance process and manage GDPR and CCPA roles and identities
- Develop GDPR and CCPA KPI metrics and reporting schemas
Manage Security
- Manage and implement security program practices, including those for risk assessment, roles and responsibilities, and program effectiveness
- Manage and monitor security operations and intelligence to help detect, respond to and mitigate threats
- Manage incident response and forensics practices
Step 5 – Govern, audit and report on compliance
Govern privacy compliance requirements
- Record audit trails of personal data access and of the exercise of individuals’ rights to access, modify, delete and transfer their data
- Perform data processor and controller governance, including providing processor guidance, tracking data processing activities, providing audit trails and preparing for data subject access requests
- Document and manage your compliance program, including ongoing monitoring, assessment, evaluation and reporting of GDPR and CCPA activities
- Respond to and manage breaches (GDPR Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, where feasible)
Govern security compliance requirements
- Coordinate technical and organizational measures to ensure security appropriate to processing risk
- Document your security program, including ongoing monitoring, assessment, evaluation and reporting of security controls and activities
- Respond to and manage breaches