When creating a privacy program, it is important to look ahead and think strategically about who your audience might be. For businesses that might find themselves under the scrutiny of regulators and judges because of a lawsuit, unwanted publicity, or data breach, it is critical to be able to demonstrate substantial compliance for the program they’ve implemented. This can be accomplished by developing privacy programs that follow guidance promulgated by their audience—regulators and courts. This guidance includes the CNIL’s (the French Data Protection Authority’s) Six Steps for GDPR Compliance, along with Federal Trade Commission orders such as the Vizio 2017 order, which provide a roadmap for a comprehensive privacy program that can be distilled down to six main phases:
Phase 1: Appoint at least one leader/task force to lead the privacy program.
Phase 3: Conduct a gap analysis/risk assessment by benchmarking practices identified in Phase 2 with the applicable legal requirements.
Phase 4: Conduct a data impact assessment for high-risk processing (e.g., data flows involving children's, medical, financial, or location data).
Phase 5: Mitigate the risks identified in Phases 3 and 4 by implementing appropriate policies and procedures to govern data practices, including internal governance policies and procedures, external-facing policies (e.g., website and mobile app privacy notices), vendor management policies, and employee training.
Phase 6: Create an auditable record to demonstrate compliance.
By using this roadmap, businesses can streamline compliance efforts, reduce their exposure to litigation and enforcement, and present a defensible position if faced with such a situation.