Being a CIPM

I can proudly affirm that I have recently earned the CIPM certification from the IAPP. I devoted my (scarce) free time to preparing for the certification exam, consulting the digital version of the Privacy Program Management book and keeping constantly updated with the news in the privacy domain.

But what is a CIPM for? What did I learn? Let’s take a broad look at the CIPM’s daily routine.

 

Privacy Program Management

Being a privacy pro (whatever that means) is not enough to provide a professional service to your clients.

On the one hand, you may know all the secrets of obtaining consent; on the other hand, you need to deal with the secrets of managing a program. Otherwise, you’ll be the savant who knows everything about data protection legislation but is unable to provide a viable solution to a specific problem in a timely manner.

 

Privacy Governance

First things first: «Vision and Mission»? Do we really need to start from that?

Well, it depends. If the Vision and Mission chapter on your home page is just an empty statement, you had better not even mention them.

In that case, you should also review your entire program: is the C-level really committed? If you’re unsure of the answer, I’ll tell you a secret: the answer is no.

In order to have a viable and useful Privacy Governance program, you should have the following points fully covered:

  • Vision and Mission;
  • Scope;
  • Framework(s) you’ll use;
  • Tools and Vendors available;
  • Your Team (if any…);
  • A Governance model (suggestion: centralized models rarely work…);
  • A reporting structure (if you don’t report your work, you don’t even exist).

 

Privacy Laws and Regulations Inventory

A key moment in establishing your program. «Oh, that’s easy. I’m just a small European company. It’s all about the GDPR, right?» Well, «yes», but also «it depends». Are you sure that the brand-new Colorado privacy legislation is not applicable to your entity? What about the CCPA? Are you aware of it? Does it apply to your company? Not sure? Drop us an email and let’s talk.

 

Data Assessment

Inventories, records, impact assessments, vendor management… Complicated, isn’t it? Well, once again, it depends. For example, we rely on a specific tool, which helps us deal with all those Data Assessment tasks, prioritizing efforts and, at the same time, keeping track of all the tasks according to their status.

No more blurry email exchanges, where you don’t know who did what.

 

Policies

Drafting, amending, proposing, approving and reviewing internal and external policies can be demanding and, in most cases, time-consuming. Don’t get stuck in a loop of infinite changes and countless versions. We have the right tool for your entity.

You are not based in the EU, are you? So, you think you can’t use our tool. Well, again, call us and we’ll show you how our tool works: you can access it from anywhere in a secure manner (yes, MFA is included).

 

Data Subject Rights – DSRs

Finally, answering legitimate Data Subject Rights (DSR) requests will no longer be a nightmare. We even asked the Spanish DPA (Agencia Española de Protección de Datos) for the official instructions in order to comply with the legitimate rights without disrupting our operations in a substantive way.

 

Training and Awareness

A successful privacy program must count on a solid Training and Awareness program. Otherwise, your well-written policies will be forgotten or ignored in a matter of weeks (did you say «days»?).

 

Technical Measures

Protect, protect and protect! Technical measures are the essential parts of your defense. It’s mandatory to put in place all the resources available (according to your needs, specific sector, size, maturity, risk appetite, etc.) in order to protect the personal data you’re a controller of. And don’t forget to check that:

  • they are in place;
  • they fulfill the purpose of security;
  • they are deployed in an efficient manner.

Data Breach Incident Plans

Yep, «s**t happens»: it’s useless to ignore this fact. A CIPM always has a Plan B to deal with these incidents. Are you ready for a «worst-case scenario»? And, even more important, have you tested your plan?

Measuring, Monitoring and Auditing

If you don’t measure, you don’t know if it works.

If it works, but you don’t monitor it, you don’t know if it keeps on working.

If you don’t audit it, well, you are missing something extremely important.

 

Call a CIPM and see what he/she has to say in order to enhance your privacy program.