Steps Prior to Developing Your Privacy Management Program

Preliminary Due Diligence

    BY MARIAN SERNA
    June 29, 2021

    This series will provide an overview of different privacy challenges that startups face. To get started, in this article, we list a few tasks that you may want to undertake before embarking on the adventure of building your privacy management program and that could save you valuable time and resources.

    Privacy To-Dos

    1. Understand what ‘personal information’ means:
      • Recognize what legislation, regulations, and guidelines apply to your business.
      • Account for province-to-province variations in privacy law.
      • The impact of federal and international legislation: Consider the extraterritorial reach of legislation such as GDPR (Europe) and CCPA (California).
    2. Discuss with your team which privacy issues affect your business and how. Document your findings.
    3. A more in-depth analysis: If there is no dedicated in-house privacy professional, designate a “privacy committee” from your existing employees to identify gaps, concerns, and doubts about your systems and business processes.
      • The committee should gather and document the information provided by all teams. Including a project manager in the committee would be helpful.
      • Start a communication process with all teams. Focus in particular on teams that handle data and teams that design systems.
      • Get a good understanding of how your systems and business processes work.
      • Determine what policies and procedures are in place.
    4. Identify and map personal information held by your company (not only client information but also your company’s internal information) and determine where it comes from, where it goes, and where it is being stored.
      • Consider inflows and outflows of information received from your employees, clients, through integrations with partners or services, etc.
      • Consider what information is being disclosed to service providers and subcontractors.
    5. Identify relevant internal and external stakeholders:
      • Who will be impacted positively and negatively by the program?
      • Who has the information that will be needed to develop and implement the program?
      • Who can make decisions about the program?
      • Where will the budget come from?
    6. Identify relevant agreements and engage a professional to identify risks if you haven’t done so.

    You Gathered the Information. Now What?

    With the information above, you can already determine what needs to be improved. Likewise, you may also be able to gauge the effort it will take to solve those issues. This information will allow you to decide whether or not you need to engage a professional to create your custom privacy management program.

    Wrong Thought: "It Doesn't Matter Because the Company Will Automate the Process"

    Even if you decide to automate some processes by implementing privacy management software (OneTrust or a similar product), the items mentioned above will still be key to a successful implementation. Doing this groundwork will almost certainly save you time and money if you decide that automation is the right solution for your business.

    • Most of those services rely on your policies and procedures to set up automated workflows.
    • Unless you know what isn’t working well prior to implementation, you will be taking the risk of purchasing services (or modules within the service) that don’t satisfy your business needs.
    ...