Privacy Program Management
Tools for Managing Privacy Within Your Organization
Second Edition
Executive Editor and Contributor
Russell Densmore, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Contributors
Susan Bandi, CIPP/US, CIPM, CIPT, FIP
João Torres Barreiro, CIPP/E, CIPP/US
Ron De Jesus, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Jonathan Fox, CIPP/US, CIPM
Tracy Kosa
Jon Neiditz, CIPP/E, CIPP/US, CIPM
Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Tajma Rahimic
Liisa Thomas
Amanda Witt, CIPP/E, CIPP/US
Edward Yakabovicz, CIPP/G, CIPM, CIPT
An IAPP Publication
© 2019 by the International Association of Privacy Professionals (IAPP)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher, International Association of Privacy Professionals, Pease International Tradeport, 75 Rochester Ave., Portsmouth, NH 03801, United States of America.
CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM and CIPT are registered trademarks of the International Association of Privacy Professionals, Inc. registered in the U.S. CIPP, CIPP/E, CIPM and CIPT are also registered in the EU as Community Trademarks (CTM).
Copy editor and proofreader: Julia Homer
Indexer: Hyde Park Publishing Services
ISBN: 978-1-948771-24-5
About the IAPP
The International Association of Privacy Professionals (IAPP) is the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data.
The IAPP is a not-for-profit association founded in 2000 with a mission to define, support and improve the privacy profession globally. We are committed to providing a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals and provide education and guidance on opportunities in the field of information privacy.
The IAPP is responsible for developing and launching the only globally recognized credentialing programs in information privacy: the Certified Information Privacy Professional (CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy Technologist (CIPT). The CIPP, CIPM and CIPT are the leading privacy certifications for thousands of professionals around the world who serve the data protection, information auditing, information security, legal compliance and/or risk management needs of their organizations.
In addition, the IAPP offers a full suite of educational and professional development services and holds annual conferences that are recognized internationally as the leading forums for the discussion and debate of issues related to privacy policy and practice.
Preface
I am privileged to have worked with so many great privacy professionals on both the first edition of this textbook in 2013 and now on this second edition in 2019. The privacy landscape has changed remarkably in this five-year period. We have seen the first major, comprehensive privacy regulation implemented in the EU, with the General Data Protection Regulation (GDPR) impacting organizations and individuals around the globe. We have come to understand that individuals expect organizations to get it right when it comes to the protection of personal information. Demands for improved legislation to protect individuals and their rights have grown exponentially, giving regulators the power they need to ensure organizations comply. Organizations fear damage to their brand, loss of consumer confidence, and regulatory fines due to data breaches. There has never been a better time for organizations to demand well-trained, well-informed privacy professionals.
The privacy program manager is a critical component of every privacy program at any organization. We have seen this field develop over the last few years from a budding program management framework to an integrated and fully functioning multidisciplinary effort. Privacy program management is definitely a team sport. Subject matter expertise is needed in multiple areas ranging from regulatory compliance, policy implementation, training and awareness, data mapping and records of processing to third-party vendor management and contracting. It requires a holistic approach, with multiple skill sets to accomplish all the required aspects of privacy program management in every organization.
Over the last few years, I have come to believe that while a privacy program manager is responsible for bringing all the needed components of the privacy program to maturity, rarely does one person have expertise in all the different disciplines required. An individual skilled in the training and awareness domain may not excel at writing policies, and vice versa. A person who excels at managing data breaches may not do well at vendor management or contracting. I hope you see the point I am trying to make. Privacy is a complex topic with diverse skill sets, which are needed by the privacy organization to be successful. The privacy program manager should be able to understand all these areas but will most likely not be an expert in all of them. Who, then, should be the privacy program manager?
In the past, a legal expert (attorney) has often served as the chief privacy officer and the privacy program manager. Currently, I am seeing a division of duties among the chief privacy officer, the privacy program manager, and privacy engineers. The chief privacy officer may handle the legal and regulatory obligations for the organization, while the privacy program manager oversees program compliance requirements, organizational functions, and execution of implementation, and the privacy engineer manages the technical functions. There may be overlap, and certainly each of the different domains may serve multiple functions, but we are seeing these areas of expertise evolve.
The privacy program manager is responsible for proving to the organization that it has the proper controls in place and for helping demonstrate to regulators that the organization is handling personal data responsibly. There must be a data map showing what data the organization has and how that data is protected and processed. By definition, this is the privacy engineer's duty. The number of privacy engineers in the privacy profession is rising; in fact, the IAPP launched the Privacy Engineering Section in 2018. The value of such individuals is becoming clear. Perhaps this is the future, where the chief privacy officer, the privacy engineer, and the privacy program manager work together to cover all three roles. Certainly, the organization will need experts in each of these fields to be successful.
There appears to be no one-size-fits-all approach, especially in large multinational and complex organizations. I believe one individual may still be able to cover all of these functions for a small organization; however, I believe privacy program management has matured into a team sport and requires several teammates to be successful.
I would like to thank everyone who assisted with this textbook, especially the individual authors who contributed in their areas of expertise. They were all dedicated and supportive, proving we could work together as a holistic team to achieve success. Finally, I would also like to thank Mr. Edward Yakabovicz once again for assisting me with the final review of this text. His friendship and professional assistance are appreciated deeply.