The 4 Things to Get Right When Operationalizing a Data Privacy Plan
Business trust and performance depend on data protection and privacy. But, shifting regulations, poor processes, and siloed teams make ensuring these a challenge. LinkSquares and BreachRx can help.
The U.S. House and Senate recently proposed the American Data Privacy and Protection Act – a comprehensive federal data privacy bill. The proposal adds to an already-crowded regulatory landscape.
In addition to ADPPA, companies must already navigate measures like California’s Privacy Rights Act (CPRA), the EU’s General Data Protection Regulation (GDPR), new bank reporting requirements, and ambitious legislation from Brazil to Thailand, and within nearly a dozen states.
The scope of regulation is deep and complex. And given record levels of cyberattacks, supporting privacy and compliance is an ever-increasing burden.
Vigilance is not just a task for IT and Security. Executive teams and company boards often expect legal departments to lead data privacy initiatives.
This guide shares four pillars for operationalizing a data privacy plan. We add insights on how to plan, build, and execute effectively within each. Although a great privacy plan won’t eliminate every threat, by applying these ideas, legal teams can reduce incident impacts.
1. Assess the internal data landscape
Better data privacy operations start with identifying security needs, vulnerabilities, and existing data risks. This includes understanding the type of data you collect, identifying where privileged data exists, and assessing encryption levels for your ‘crown jewels’ and critical information assets. Even your insurance and other strategic policies might be targeted by attackers.
According to Tim Parilla, Chief Legal Officer at LinkSquares, this effort provides an understanding of your actual risk levels and improves response decision making.
“A company that only gathers email addresses and usernames has a much different risk profile than one that collects banking information and social security numbers”
- Tim Parilla, LinkSquares’ Chief Legal Officer
Once companies map their internal data landscape, they are equipped to assess the laws and regulations governing data storage and breach notification that they must comply with.
2. Establish a team of “privacy champions”
Next, legal must establish alliances with security counterparts and stakeholders internally. This is essential to help participants understand privacy program steps, response tactics, and roles.
In a webinar with Andy Lunsford, CEO and Founder of BreachRx, we explored the idea of “privacy champions.”
These cross-functional leaders support the development of playbooks and response workflows. To this point, Forbes reinforces the importance of “mobilizing legal and compliance teams alongside technical and engineering teams” to ensure the execution of response plans. Legal leaders will likely take the reins in forming these relationships.
“It’s crucial to prepare for and stay informed of changes in the privacy and cybersecurity landscape to minimize regulatory and contractual risk.”
- Andy Lunsford, CEO and Founder, BreachRx
In this stage, the team at BreachRx encourages leaders to start “at the seams.” That is, understand necessary interactions between teams in any existing processes.
For example, privacy champions may assess how communications occur between PR and legal to avoid putting privilege at risk.
Small or inexperienced legal teams should not be afraid to meet with experienced outside counsel. They can provide guidance and direction at the outset, enabling you to evaluate your preparedness.
3. Practice incident management
Hall of Fame boxer Mike Tyson once said, “everyone has a plan until they get punched in the mouth.” This is certainly true for cyber-incident response.
While having no plan is unacceptable, when a malicious actor attacks, even a pre-scripted plan will be stressed to its limits. There is nothing like the real thing, but enterprises should regularly practice incident simulations or “tabletop” exercises.
A proper tabletop exercise tests response capabilities by taking participants through a scenario designed to assess processes for dealing with data incidents. The hands-on training helps surface flaws in your breach response. If no workflows exist, now is the time to generate them.
According to a leading incident advisory firm, enterprises should assess their plans against the following questions:
- What happens when you encounter a breach?
- Who does what, when, how, and why?
- What roles will legal, IT, law enforcement, marketing, and company officers play?
- Who is spearheading the effort and what authority do they have?
- What resources are available when you need them?
Then, test a variety of scenarios.
You might simulate the compromise of your cloud storage provider or pretend your organization is the target of spear phishing email attacks.
Alongside assessing vulnerabilities, developing processes, and documenting workflows, legal should invest in relationships with corporate counsel at key customer or partner organizations.
Practice is the key step for teams to get started.
“Build a relationship so that no one is afraid to pick up the phone when something serious happens.”
- Tim Parilla, LinkSquares’ CLO
This can keep those relationships from becoming adversarial when managing an already stressful situation.
4. Mitigate risk with purpose-built tech
During a data breach, relying on static response playbooks or manually combing through contracts leads to delays and unnecessary legal or financial exposure.
Technology solutions can help augment teams and streamline many of the preparation steps we outlined above. Below, we highlight how enterprises of all sizes can strengthen their security postures with contract lifecycle management and incident readiness software.
Boosting data privacy operations with CLM
Companies with mature data privacy programs integrate contract lifecycle management (CLM) software into their response plans.
Here are a few ways CLM improves legal’s data privacy program efforts:
- Using a modern CLM, legal teams can deploy automated contract analysis to quickly assess governing law and the privacy expectations of customers or partners.
- During the data assessment phase, a CLM can surface contract details like compensation standards and maximums, notification periods, and cyber-insurance and incident reporting obligations.
- As regulations evolve, modern CLMs make it easier (and less costly) to manage privacy clauses and create privacy compliance reports for your executive team or regulators.
Modern contract management solutions offer capabilities to improve cybersecurity posture and accelerate response time regardless of the breach or attack type.
Maintaining readiness with an Incident Management platform
Prepared enterprises also rely on automated privacy incident readiness and response technologies. Automation is essential for scaling response effectiveness – particularly as regulation complexity multiplies.
In particular, incident management platforms help design tailored action plans and custom response playbooks, secure coordinated communication, and monitor metrics about response efficiency.
Modern solutions also integrate an updated library of regulatory requirements customizable to your risk posture, data uses, and locations. When regulations change, for example, your response playbooks automatically update.
By moving out of Excel and email, privacy champions also simplify task assignments – no more “throwing things over the wall.” BreachRx and other modern solutions also incorporate KPI reporting and a dashboard of insights for process improvement.
“Successfully managing an incident begins and ends with how well you are prepared to address it.” - Steve Mancini, Former CISO of Eclypsium
Putting Your Plan to Work
The hardest part of operationalizing a data privacy program is getting started. So focus on the basics: Understand your data landscape, identify champions, and evaluate existing response steps. Add in simulation exercises – then tweak and repeat.
But don’t overwhelm yourself or your team.
“Let go of perfectionism to combat inertia,” guides Parilla. “It’s OK to start small.”
Of course, trust the experts too. Talk to experienced outside counsel and evaluate resource-saving technologies that accelerate IT, legal, and security team response.
No longer is it a question of if you’ll experience a data breach, but when.
Will you be ready?
About LinkSquares
LinkSquares is the company behind the AI-powered contract management platform of choice for legal teams aiming to move their business forward faster. With LinkSquares Finalize you can develop standardized legal agreements with maximum speed and minimal staff oversight. With LinkSquares Analyze, you can parse and extract key data from every legal agreement in your portfolio, then use that data to drive tasks in your other critical applications. Together, they form the best end-to-end contract lifecycle management suite that money can buy.
If you’re ready to write better contracts and improve your security posture, contact LinkSquares today.
About BreachRx
BreachRx is the automated workspace where businesses manage one of their biggest incident and data breach response challenges today: their regulatory and compliance risk surface. The platform’s automated workflows proactively minimize business risk and streamline workflows and collaboration across security, privacy, and legal departments, freeing up the bandwidth of internal teams. BreachRx further augments team readiness with cyber readiness exercises spanning all facets of incidents, unlike alternatives that overlook the legal and privacy requirements key to every incident.
To learn more about the only holistic approach to incident readiness and response, visit BreachRx.