In the Winter 2017 issue of the Nonprofit Standard, the article entitled “Nonprofits are not Immune to Maintaining Data Privacy” dove into why data privacy considerations are critical for nonprofit organizations.
The article provided a step-by-step guide to bolster your data governance preparedness for a data leakage or breach situation. In this article, we build on that foundation to provide nonprofit organizations with a guide to building privacy into their data governance program. A holistic data governance program considers data access, use, and storage; data classification; data-related policies and procedures; employee training; and ongoing monitoring and controls. Let’s examine why data governance is important. Data governance allows an organization to:
- Improve functionality across the organization;
- Optimize customer or donor data analytics, trends, and anomalies;
- Highlight potential vendor fraud;
- Identify sources of protected data to enhance data security and privacy programs, such as masking or anonymizing sensitive data;
- Identify business and operational issues; and
- Improve insight into the organization, such as improved forecasting, higher degree of personalization, and targeted marketing.
Establishing a general framework that aligns with your business is key to an effective data governance program. Equally important is a data governance committee focused on promoting enterprise information as a core asset to the business. BDO’s Data & Information Governance framework (seen below) focuses on governance, data quality, security, availability, management, and business alignment.
When establishing a privacy program, it is important to consider if the organization views privacy as donor- or customer-centric. This will help to determine where data that requires protection resides; its sources, types, and uses; and the applicable laws that govern it.
Effective data privacy programs are aligned with the business, with a clearly defined business case and key stakeholders. Creating a process for the program to interface with the business will help to drive a culture of data privacy and protection.
Within the privacy program framework, consider policies, procedures, standards and guidelines. Other considerations include:
- Education and awareness – training employees and providing updates on evolving privacy requirements
- Monitoring regulatory change – regulations applicable to your organization
- Internal policies and compliance – enforcement of policies
- Data inventories, data flows, and classifications – locations, use, and protection of sensitive data
- Risk assessments – assessments required to evaluate vendors or internal products, including formal privacy impact assessments (a structured method of evaluating how an information system or data collection handles personal data)
- Incident response – a plan for responding to a security or privacy incident
- Remediation – a plan for recovering from a security or privacy incident and correcting its root cause
- Ongoing program evaluation and validation – performing regular program audits
Regardless of how your organization structures its privacy program, it is critical to stay current on local, national and international privacy laws. If you operate in more than one state or country, consider an automated process for privacy law alerts to help align your program with applicable laws and regulations. This is a critical function of the program, as there are significant penalties for noncompliance. For example, organizations that do not comply with the European Union’s General Data Protection Regulation (GDPR) face fines of up to 20 million Euros or four percent of worldwide annual turnover for the preceding financial year, whichever is higher.
Once your privacy program is implemented, consider mechanisms to demonstrate its success. Metrics that show the program’s return on investment in terms of consistency and operational improvement might include:
- Privacy risk indicators
- Privacy impact assessment metrics
- Reduced time for responses to data subject inquiries
- Fewer incidents to handle – breaches, complaints, inquiries
- Reduced disclosure to third parties
- More effective records retention – data reduction by identifying redundant, outdated, or trivial information
- Number of employees trained
Once the data privacy program has been implemented, the privacy operational life cycle will drive consistency, ongoing maintenance, and continuous improvement. Stay tuned for our Summer issue where we will share insights into the privacy operational life cycle.
For more information, contact Karen Schuler, partner, BDO National Data & Information Governance Practice Leader, at firstname.lastname@example.org or
Mark Antalik, managing director, BDO National Data & Information Governance Practice, at email@example.com.
Warren Averett is an independent member of the BDO Alliance USA. This article was borrowed with permission from BDO USA, LLP.