Turn data privacy into an opportunity to enhance customer experiences.
Privacy for every customer
Comprehensive privacy and security standards
What should customers do?
1. Get buy-in and build a team
Raise awareness of the importance of privacy with organization leaders.
Obtain executive support for necessary staff resources and financial investments.
Choose someone to lead the effort in establishing and maintaining a global privacy program.
Build a steering committee of key functional leaders, including people within security, marketing, sales and compliance.
Identify privacy champions throughout the organization.
2. Assess the organization
Understand in which countries you operate and what data protection laws in those countries apply to your organization.
Review existing privacy and security efforts to identify strengths and weaknesses.
Identify all the systems where the organization stores personal data and create a data inventory.
Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity.
3. Establish controls and processes
Confirm privacy notices are accessible wherever personal data is collected.
Implement controls to limit the organization’s use of data to the purposes for which data was originally collected.
Establish mechanisms to manage individuals’ preferences, such as consent management.
Implement appropriate administrative, physical, and technical security measures and processes to detect and respond to security breaches.
Establish procedures for responding to individuals’ requests for access, rectification, objection, restriction, portability, deletion (right to be forgotten), and other potentially applicable rights such as to opt out from “sales” or direct marketing.
Enter into contracts with affiliates and vendors that collect, receive, or process personal data.
Establish a privacy impact assessment process.
Train employees and vendors to increase privacy and security awareness.
4. Document compliance
Compile and maintain up-to-date and accurate copies of privacy notices and consent forms, data inventory and register of data processing activities, written policies and procedures, training materials, intracompany data transfer agreements, and vendor contracts.
If required, appoint a data protection officer.
Conduct periodic risk assessments.