The topic of privacy has become a priority for boards of directors, the executive leadership team, and privacy and security leaders alike. Regulations including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and sector-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) all impose obligations on how personal data, personal information, personally identifiable information and protected health information are collected, used, secured and retained. Security and privacy are intertwined. As the saying goes, you can have security without privacy, but you cannot have privacy without security. Privacy, like security, is a multi-disciplinary domain that requires insight and collaboration across a host of corporate functions including sales and marketing, legal, IT, HR and security, among others. Similar to security, privacy has ascended to a C-level function, and the consequences of poor privacy practices include damaged reputation, regulatory intervention (e.g., a consent order), fines and other financial impacts and, of course, data breaches when sensitive information is not adequately secured throughout its lifecycle.

The order of the essays within each chapter follows the arc of the authors’ differing backgrounds and perspectives. David Goodman’s essays lead off most chapters and provide a high-level view reflecting his background as a consultant and analyst in the areas of identity, cybersecurity, and privacy. For those who want to understand why we’re covering a particular topic and how it might affect your firm, David’s essays provide the perfect grounding. Justine Phillips’ essays usually come next, and her perspective from her privacy practice at DLA Piper provides context that only someone guiding clients through the legal aspects of data breach preparedness and response can bring. Her review of regulations from a lawyer’s perspective and her practical advice based on case law are invaluable. Finally, Matt Stamper’s essays finish most chapters. His experience as a cybersecurity and privacy leader, analyst, and practitioner provides the deep technical context to help privacy professionals dive deeper as needed. Taken together, the three perspectives provide unmatched insights for assessing or building your data privacy program.

Table of Contents

Data Privacy Program Guide

How to Build a Privacy Program that Inspires Trust

Section 1 – In Pursuit of Privacy (Chapters 1 and 2)

In the first section, “The Pursuit of Privacy,” we examine why we value privacy as individuals and the value of a privacy program to your company. Although this book primarily focuses on building and managing privacy programs, we believe it is essential to make the case that a privacy program has value for companies because privacy has value to us as individuals.

Section 2 – Preparing the Program (Chapters 3-8)

In Section Two, “Preparing the Program,” we’re going to unpack six essential considerations for you to keep in mind as you construct or evaluate your privacy program. In Chapter 3, “The Role of the CPO/DPO,” we start with the role of the privacy leader in your organization, often referred to as the Chief Privacy Officer or Data Protection Officer. Then each author outlines what constitutes the critical elements of a privacy program to them in Chapter 4, “Elements of a Privacy Program.” In Chapter 5, “Privacy Technology,” we dive into the role technology plays, both in creating the data we need to protect and then offering that very protection. The last three chapters in this section cover the data privacy lifecycle (Chapter 6), global privacy regulations (Chapter 7), and the key concepts of Privacy by Design (PbD) (Chapter 8).

Section 3 – Risk Assessments (Chapters 9-11)

Chapter 9, “Data Classification and Discovery,” will look at identifying the data elements that privacy leaders are most concerned with and how to manage and reduce the associated risk. In Chapter 10, “Vendor Risk Management,” we continue the assessment and risk reduction theme by first identifying the types of third-party relationships that bring elevated risk and then reviewing processes and tools that can be helpful in reducing risk. Finally, in Chapter 11, “Reasonable Security,” we provide guidance you can use to get the most out of your partnership with the security team.

Section 4 – Making it Happen (Chapters 12 and 13)

Employees are often not trained in every task their job requires until they encounter the need to perform it. Privacy cannot afford that approach: turning a consumer’s request to exercise their privacy rights into a data breach is the privacy equivalent of an own goal. There is more to data breach response and handling data subject access requests than training; as we discuss in Chapters 12 and 13, we must have the business processes in place to activate the appropriate response when it is triggered. Though these are new disciplines, they build on processes with which we have years of experience.
