The Integration of Data Privacy into a Data Governance Program

In the Nonprofit Standard’s Winter 2017 issue, the article, “Nonprofits are not Immune to Maintaining Data Privacy” dove into why data privacy considerations are critical for nonprofit organizations. The article provided a step-by-step guide to bolster your data governance preparedness for a data leakage or breach situation. In this blog post, we add to that foundation to provide nonprofit organizations with a guide to building privacy into their data governance programs. A holistic data governance program considers data access, use, and storage; data classification; data related policies and procedures; employee training; and ongoing monitoring and controls. Let’s examine why data governance is important.

Data governance allows an organization to:

  • Improve functionality across the organization;

  • Optimize customer or donor data analytics, trends, and anomalies;

  • Highlight potential vendor fraud;

  • Identify sources of protected data to enhance data security and privacy programs, such as masking or anonymizing sensitive data;

  • Identify business and operational issues; and

  • Improve insight into the organization, such as improved forecasting, higher degree of personalization, and targeted marketing.

Establishing a general framework that aligns with your business is key to an effective data governance program. Equally important is a data governance committee focused on promoting enterprise information as a core asset to the business. BDO’s Data & Information Governance framework (seen below) focuses on governance, data quality, security, availability, management, and business alignment.

 
[Figure: BDO Data & Information Governance framework, showing the six focus areas named above: governance, data quality, security, availability, management, and business alignment]

Generally, a highly functioning data governance committee should include the following members focused on tasks aligned with their role in the organization and specific responsibilities within the program. In smaller organizations, individuals may serve in multiple roles.

 

TITLE / DATA GOVERNANCE COMMITTEE ROLE / RESPONSIBILITIES

Title: Executive / Executive Director
Committee role: Executive Champion
Responsibilities:
  • Promotes the program and drives support throughout the organization
  • Provides program direction linked with the organization’s overall strategy
  • Secures project resources to support the Program Director/Manager
  • Champions the program at the executive level to secure buy-in and ongoing investment
  • Presents updates and business impact analyses to the Program Sponsors and other executive stakeholders

Title: Executive Leadership Team (ELT)
Committee role: Program Sponsors
Responsibilities:
  • Supports the Executive Champion and the Program Director/Manager
  • Provides department-level and organization-wide feedback
  • Promotes data governance throughout the organization by allocating team members to perform data governance tasks

Title: Director or Senior Manager
Committee role: Program Director/Manager or Program Owner
Responsibilities:
  • Drives program structure and consistency through regular team meetings, clear objectives, and identification of gaps and risks
  • Works with the Program Sponsors to promote the data governance program
  • Tracks budget and schedule
  • Provides status and feedback to the Program Sponsors and the Executive Champion
  • Develops the program charter, project plans, timelines, and budgets

Title: Information Manager/VP
Committee role: Information Management / Records Management
Responsibilities:
  • Understands and drafts records retention schedules, guidelines, and other information management requirements
  • Creates and maintains the data classification structure
  • Understands records compliance requirements; identifies tools and methodologies to manage and enforce those requirements
  • Verifies that the systems and environment support retention and other requirements

Title: Human Resources (HR) Manager
Committee role: HR Constituent
Responsibilities:
  • Provides guidance on HR needs and requirements
  • Establishes effective information management within the HR department

Title: Cybersecurity Director or Executive (CISO, VP)
Committee role: Data Privacy and Protection Manager
Responsibilities:
  • Employs appropriate data protection measures to enable the business to operate efficiently while protecting employee, donor, patient, and other personally identifiable information
  • Supports the Executive Champion and Program Director/Manager

Title: Chief Information Officer (CIO)
Committee role: Technology Representative
Responsibilities:
  • Drives data governance program compliance and consistency among Information Technology teams
  • Promotes data governance throughout the organization
  • Supports the Executive Champion and Program Director/Manager

Title: Legal/Senior Counsel
Committee role: Litigation and Discovery Manager
Responsibilities:
  • Provides guidance on legal holds, discovery requests, preservation and collection requirements, and other litigation- or investigation-related tasks
  • Manages and maintains organization contracts

Title: Compliance Senior Director
Committee role: Regulatory Compliance Manager
Responsibilities:
  • Identifies regulations that drive data governance needs

Title: Marketing & Sales Manager
Committee role: Business Unit Manager or Knowledge Manager
Responsibilities:
  • Provides guidance on marketing, user access, website retention requirements, analytics, and other data sources impacted by business needs
  • Communicates the benefits of effective data governance to the business unit
  • Drives business unit compliance with the data governance program, including training, policies, and standard operating procedures

Title: Site Champions
Committee role: Local/Regional Employees
Responsibilities:
  • Employee data governance program champions identified to advocate for compliance among local office groups

Title: Outside Data and Information Governance Providers
Committee role: Data and Information Governance, Information Management, Records Management, Training, Security, and Information Technology Experts
Responsibilities:
  • Provides guidance to the Executive Champion and Program Director/Manager
  • Conducts educational sessions for the data governance committee
  • Imparts industry knowledge on information and records management, tools to assist with compliance and enforcement, and data privacy/protection requirements
  • Assists with the development of roadmaps, change management, and implementation

 

When establishing a privacy program, it’s important to consider whether the organization views privacy as donor- or customer-centric. This will help determine where the data that requires protection resides; its sources, types, and uses; and the applicable laws that govern it.

Effective data privacy programs are aligned with the business, with a clearly defined business case and key stakeholders. Creating a process for the program to interface with the business will help to drive a culture of data privacy and protection.

Within the privacy program framework, consider policies, procedures, standards, and guidelines. Other considerations include:

  • Education and awareness—training employees and providing updates on evolving privacy requirements

  • Monitoring regulatory change—regulations applicable to your organization

  • Internal policies and compliance—enforcement of policies

  • Data inventories, data flows, and classifications—locations, use, and protection of sensitive data

  • Risk assessments—assessments required to evaluate vendors or internal products, including formal privacy impact assessments (method of evaluating privacy in information systems and collections)

  • Incident response—response plan to a security incident

  • Remediation—recovery plan from a security incident

  • Ongoing program evaluation and validation—performing regular program audits

Regardless of how your organization structures its privacy program, it’s critical to stay current on local, national, and international privacy laws. If you operate in more than one state or country, consider an automated process for privacy law alerts to help align your program with applicable laws and regulations. This is a critical function of the program, as there are significant penalties for noncompliance. For example, organizations that don’t comply with the European Union’s General Data Protection Regulation (GDPR) face fines up to 20 million euros or four percent of annual global revenue, whichever is greater. (See related Nonprofit Standard blog post on GDPR.)

Once your privacy program is implemented, consider mechanisms to demonstrate success of the program. Metrics might include highlighting the program’s return on investment in terms of consistency and operational improvement:

  • Privacy risk indicators

  • Privacy impact assessment metrics

  • Reduced time for responses to data subject inquiries

  • Reduced incident handling—breaches, complaints, inquiries

  • Reduced disclosure to third parties

  • More effective records retention—data reduction by identifying redundant, outdated, or trivial information

  • Number of employees trained

Once the data privacy program has been implemented, the privacy operational life cycle will drive consistency, ongoing maintenance, and continuous improvement.

Be sure to keep up with the latest happenings in the nonprofit industry by subscribing to our blog, and following us on Twitter @BDONonprofit.