Document current baseline of your privacy program
Education and awareness
Monitoring and responding to the regulatory environment
Internal policy compliance
Data, systems and process assessment
Risk assessment (PIAs, etc.)
Incident response
Remediation
Determine desired state and perform gap analysis against an accepted standard or law (including GDPR)
Program assurance, including audits
Processors and third-party vendor assessment
Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks, including rules of international data transfer
Understand and leverage the different types of relationships
Risk assessment
Contractual requirements
Ongoing monitoring and auditing
Physical assessments
Mergers, acquisitions and divestitures
Due diligence
Risk assessment
Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs)
Privacy Threshold Analyses (PTAs) on systems, applications and processes
Privacy Impact Assessments (PIAs)
Privacy Operational Life Cycle: Protect
Information security practices
Access controls for physical and virtual systems
Technical security controls
Implement appropriate administrative safeguards
Privacy by Design
Integrate privacy requirements and representation into functional areas across the organization
Information security
IT operations and development
Business continuity and disaster recovery planning
Mergers, acquisitions and divestitures
Human resources
Compliance and ethics
Audit
Marketing/business development
Public relations
Procurement/sourcing
Legal and contracts
Security/emergency services
Finance
Others
Other organizational measures
Quantify the costs of technical controls
Manage data retention with respect to the organization’s policies
Define the methods for physical and electronic data destruction
Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use