The Integration of Data Privacy into a Data Governance Program
In the Nonprofit Standard’s Winter 2017 issue, the article, “Nonprofits are not Immune to Maintaining Data Privacy” dove into why data privacy considerations are critical for nonprofit organizations. The article provided a step-by-step guide to bolster your data governance preparedness for a data leakage or breach situation. In this blog post, we add to that foundation to provide nonprofit organizations with a guide to building privacy into their data governance programs. A holistic data governance program considers data access, use, and storage; data classification; data related policies and procedures; employee training; and ongoing monitoring and controls. Let’s examine why data governance is important.
Data governance allows an organization to:
- Improve functionality across the organization;
- Optimize customer or donor data analytics, trends, and anomalies;
- Highlight potential vendor fraud;
- Identify sources of protected data to enhance data security and privacy programs, such as masking or anonymizing sensitive data;
- Identify business and operational issues; and
- Improve insight into the organization, such as improved forecasting, higher degree of personalization, and targeted marketing.
Establishing a general framework that aligns with your business is key to an effective data governance program. Equally important is a data governance committee focused on promoting enterprise information as a core asset to the business. BDO’s Data & Information Governance framework (seen below) focuses on governance, data quality, security, availability, management, and business alignment.
Generally, a highly functioning data governance committee should include the following members focused on tasks aligned with their role in the organization and specific responsibilities within the program. In smaller organizations, individuals may serve in multiple roles.
TITLE | DATA GOVERNANCE COMMITTEE ROLE | RESPONSIBILITIES
---|---|---
Executive / Executive Director | Executive Champion |
Executive Leadership Team (ELT) | Program Sponsors |
Director or Senior Manager | Program Director/Manager or Program Owner |
Information Manager/VP | Information Management / Records Management |
Human Resources (HR) Manager | HR Constituent |
Cybersecurity Director or Executive (CISO, VP) | Data Privacy and Protection Manager |
Chief Information Officer (CIO) | Technology Representative |
Legal/Senior Counsel | Litigation and Discovery Manager |
Compliance Senior Director | Regulatory Compliance Manager |
Marketing & Sales Manager | Business Unit Manager or Knowledge Manager |
Site Champions | Local/Regional Employees |
Outside Data and Information Governance Providers | Data and Information Governance, Information Management, Records Management, Training, Security, and Information Technology Experts |
When establishing a privacy program, it’s important to consider if the organization views privacy as donor or customer-centric. This will help determine where the data that requires protection resides; its sources, types, and uses; and the applicable laws that govern it.
Effective data privacy programs are aligned with the business, with a clearly defined business case and key stakeholders. Creating a process for the program to interface with the business will help to drive a culture of data privacy and protection.
Within the privacy program framework, consider policies, procedures, standards, and guidelines. Other considerations include:
- Education and awareness: training employees and providing updates on evolving privacy requirements
- Monitoring regulatory change: regulations applicable to your organization
- Internal policies and compliance: enforcement of policies
- Data inventories, data flows, and classifications: locations, use, and protection of sensitive data
- Risk assessments: assessments required to evaluate vendors or internal products, including formal privacy impact assessments (a method of evaluating privacy in information systems and collections)
- Incident response: response plan for a security incident
- Remediation: recovery plan from a security incident
- Ongoing program evaluation and validation: performing regular program audits
Regardless of how your organization structures its privacy program, it’s critical to stay current on local, national, and international privacy laws. If you operate in more than one state or country, consider an automated process for privacy law alerts to help align your program with applicable laws and regulations. This is a critical function of the program, as there are significant penalties for noncompliance. For example, organizations that don’t comply with the European Union’s General Data Protection Regulation (GDPR) face fines up to 20 million euros or four percent of annual global revenue, whichever is greater. (See related Nonprofit Standard blog post on GDPR.)
Once your privacy program is implemented, consider mechanisms to demonstrate success of the program. Metrics might include highlighting the program’s return on investment in terms of consistency and operational improvement:
- Privacy risk indicators
- Privacy impact assessment metrics
- Reduced time for responses to data subject inquiries
- Reduced incident handling: breaches, complaints, inquiries
- Reduced disclosure to third parties
- More effective records retention: data reduction by identifying redundant, outdated, or trivial information
- Number of employees trained
Once the data privacy program has been implemented, the privacy operational life cycle will drive consistency, ongoing maintenance, and continuous improvement.
Be sure to keep up with the latest happenings in the nonprofit industry by subscribing to our blog, and following us on Twitter @BDONonprofit.