Privacy and data security are front page news. Companies know they need a privacy compliance strategy but are often daunted by the prospect of how and where to begin. There is a plethora of global and U.S. laws, e.g., the GDPR, 50 different state standards for data breach notification, sector-specific laws, and the first state attempt to put comprehensive privacy protections in place for its residents.

Notwithstanding the number of privacy laws, U.S. and international regulators have begun coalescing around certain norms for what elements make up a successful, comprehensive privacy program. These elements include the following:

  • Designating an employee or employees, such as a Chief Privacy Officer or privacy task force, to coordinate and lead the company privacy program,
  • Inventorying data and conducting regular risk assessments for each business operation,
  • Implementing and regularly testing privacy controls and procedures to address identified risks,
  • Mitigating risk through employee training and building privacy principles into product development and research,
  • Implementing a vendor management and annual assessment program,
  • Putting data security policies and procedures in place.