
Overview of DSCI Data Privacy Framework

In the previous article (‘Need for Data Privacy Framework’) we discussed the DSCI (Data Security Council of India) Privacy Framework (DPF©) and a layered approach to implementing your data privacy processes.

As we ring in the new year with jabs of vaccinated hope to lay the foundation for new beginnings, we take a look at the base layer of this framework – ‘Privacy Strategy & Processes’.

What comprises Privacy Strategy and Processes?

Strategic planning is an important, foundational process that decides the way forward for your organization to accomplish its data privacy goals. When deployed correctly, it helps you align with the company’s vision and mission, prioritize functions, highlight problems, find solutions, and monitor progress. It is considered the basis for any new initiative within the organization.

DSCI Privacy Framework is based on an elaborate layer of ‘Privacy Strategy & Processes’. It aids in establishing the strategic and tactical elements for privacy through the following practice areas.

Practice Area: Visibility over personal information (VPI)

How does it help: Gives a comprehensive overview of personal data your organization manages

Practice Area: Privacy Organization & Relationship (POR)

How does it help: Establishes sound relationships with different entities of an organization for coordinating and collaborating on privacy

Practice Area: Privacy Policy & Processes (PPP)

How does it help: Guides and provides directions for privacy implementation - supported by appropriate processes that promise consistently effective privacy measures

Practice Area: Regulatory Compliance Intelligence (RCI) & Privacy Contract Management (PCM)

How does it help: Ensures alignment of privacy initiatives to the changing regulatory landscape, contractual requirements, and proportionality of measures to the liability exposure

You can implement these areas in parallel, although it is recommended to set the high-level privacy policy and direction at the beginning.

Consider the story of the healthcare technology company ‘XYZ’, which currently provides medical billing software and wants to expand its solutions and services further.

XYZ has come up with a solution for engaging patients online, scheduling appointments, and generating electronic medical records (EMRs). They are also working on an analytics solution for patients to monitor their health and get preventive check-up reminders. There is a plan to market these solutions to hospitals and other healthcare providers in India. XYZ is also in discussion with their business partners to launch these solutions in the United Kingdom, the Middle East, and the USA.

As expected, prospective customers in these areas want assurance that XYZ’s practices comply with their respective regional and sectorial data protection requirements. 

XYZ's legal team is familiar with high-level details of upcoming personal data protection bills in India as well as similar regulations in some of the other countries. However, they are not sure about the timeline in which the new bill is going to be enacted and the applicability of other regulations.

XYZ decides to adopt the approach suggested by DSCI’s Privacy Framework to comply with data protection regulations in multiple countries. The idea is to save compliance efforts and come up with a single, sustainable system to meet all data protection compliance requirements.

XYZ’s CEO, the dynamic and no-nonsense Dr. Asha Rodriguez, forms a task force comprising key members from each department (Product & Technologies, Client Service, Facilities Operations & Supplier Management, IT Infrastructure, Human Resources, and Legal).

Dr. Asha takes the lead in articulating her organization’s commitment and intent on how XYZ wants to deal with the privacy of the data it gathers or receives. She further assigns each team the responsibility of developing SOPs (Standard Operating Procedures) to carry out their tasks. In line with the ‘Privacy Policies & Procedures’ practice area, the SOPs are also expected to describe the data privacy and security measures each team is to implement at each step of its process workflow.

The next step is to get visibility of personal information: a comprehensive overview of the business processes, enterprise and operational functions, and client and supplier relationships that deal with personal information. The following points are key in building this overview:

- Business process workflows for each solution

- Data elements in their various forms: unmasked, obfuscated, hidden, randomized

- Data received from various sources, such as websites, chatbots that assist in making appointments for a remote or in-person consultation, and data collected from apps used by patients

- Cloud service providers and providers of other AI/ML-driven services such as email and chatbots

- Internal applications, shared drives, network systems, and messaging systems (storage and transmission)

While XYZ’s ‘Product & Technologies’ team is busy creating a detailed data inventory, the HR team is debating what kind of organizational structure they should have for effective data privacy management that also avoids any conflict of interest.

The following inputs from the practice area ‘Privacy Organization & Relationship’ guide the XYZ task force in creating the final organizational structure:

- All activities contributing to privacy initiatives in the organization

- Efforts, resources, and additional competencies required

- Information flow and reporting concerning data privacy and security

- Existing team structure and the changes required to avoid conflicts of interest and ensure segregation of duties

  • The legal team’s responsibilities and competencies concerning data protection regulations
  • The security audit team, which was reporting to the IT Infrastructure team
  • The possibility of combining functions such as product development and client service

- Need for central governance, and whether privacy should report to security


The XYZ task force decides to hire a Chief Privacy Officer who reports directly to the CEO; the existing information security audit team becomes a separate ‘Risk & Compliance’ team, and ‘Product & Technology’ is combined with ‘Client Service’ under the new name ‘Product Development & Support’. They propose the following organizational structure:

[Figure: DSCI Framework Process – XYZ’s proposed organizational structure]

Once the organizational structure is in place, Dr. Asha, the CEO, initiates the hiring of a Data Privacy Officer.

Task force members from the legal and supplier management teams also begin going over the applicable regulatory and contractual requirements.

Other than the upcoming personal data protection bill in India, the Legal team is also familiar with requirements within India such as the ‘EHR (Electronic Health Record) Standards’ published by India’s Ministry of Health & Family Welfare (MoH&FW). They decide to dive deeper into these.

They also refer to the practices suggested by the ‘Regulatory Compliance Intelligence’ and ‘Privacy Contract Management’ practice areas and consider the following inputs to come up with the applicable regulatory and contractual requirements for clients and suppliers:

- Map legal and compliance requirements to each data element

  • Identify the data elements falling under the definition of ‘Sensitive Personal Information’ and the liabilities imposed by the regulations concerning specific data elements
  • Consider the impact of political changes, such as Brexit, on the regulations of the target territory
  • Look at the legal requirements from the perspective of the data element
  • Check ‘Entity Regulations’, which intend to protect vertical-specific information; ‘Functional Regulations’, which address specific functions; and ‘Geographical Regulations’, which represent geography-specific law
  • Create a list of current and prospective clients as well as suppliers to verify the data exchange and the applicability of regulations

- Adopt contemporary approaches, trends, and practices

  • Use of data protection regulatory notification and analysis services
  • Integration with enterprise security solutions such as DLP and SIEM

After the initial frenzy of activity, a few weeks down the line, XYZ completes the groundwork for building the framework and is ready to move to the next layer of the DPF©, ‘Information Usage & Access’.

The team is now eagerly waiting to onboard their data privacy officer and spearhead their data protection compliance program! It is all about new beginnings, after all!

By Sucheta V. Upendra

Senior Vice President – Information Security & Risk Advisory

Email - Sucheta.Upendra@riskpro.in