Privacy Reviews
Privacy Review Process for an Organization
A Privacy Review is a structured assessment of how an organization collects, stores, processes, and shares personal data to ensure compliance with privacy laws, regulations, and best practices. This process helps identify risks, improve data protection measures, and maintain trust with customers and stakeholders. An effective review typically involves the following steps:
1. Define Scope and Objectives
Before starting, clearly outline the goals of the Privacy Review, such as:
- Ensuring compliance with the privacy laws that apply to the organization based on where it operates (e.g., GDPR, CCPA, PIPEDA, CASL). It is important to understand that the authorities do not care where your office is – they care where the individual whose personal information you are collecting and using lives. For example, if you are collecting and using personal information about people living in Quebec, PPIPS (Law 25) applies, whether you have an office in Quebec or not.
- Identifying and mitigating risks related to personal data. Many organizations collect data “just in case they might want to use it sometime in the future”. Most privacy and data protection laws call for data minimization and data retention strategies, so don’t collect what you are not using now, and when data has served its purpose, delete it.
- Assessing data governance policies and internal controls. It is important to understand your current practices at a fixed point in time. Many organizations have not centralized data management, so no single person ever sees the whole picture. They are often surprised by how data is being used and shared.
- Aligning privacy practices with business needs.
Key Actions:
- Identify the types of data being assessed (e.g., customer data, employee records, third-party data). A log of all data holdings is a must, as is appointing one individual as Data Manager.
- Determine which departments are involved as users (HR, Marketing, IT, etc.).
- Define the legal and regulatory framework applicable to the organization. An organization that already uses ISO frameworks may wish to use the ISO privacy and cybersecurity frameworks it is familiar with. The same applies to NIST standards.
Tools Used:
We recommend Safeguard Privacy. All you do is answer some plain-language questions, and the platform will provide a prioritized Gap Report along with the percentage of compliance you have achieved against a particular law.
It can also be used to ensure your third-party partners have the same privacy standards as your organization.
2. Map Data Flows and Inventory Personal Data
A comprehensive data mapping exercise is crucial for understanding how data moves within and outside the organization and for understanding what consent the organization has and does not have. Many organizations have several data owners, often based on who uses what data.
Key Actions:
- Identify all sources of personal data collection (e.g., websites, customer forms, CCTV, employee databases).
- Document how data is collected, stored, transferred, shared (internally and with third parties) and deleted.
- Analyze data retention and deletion policies to ensure they align with legal requirements.
- Determine who has access to sensitive information.
Tools Used:
- Data inventory spreadsheets
- Automated data discovery tools
- Interviews with key stakeholders
3. Review Legal and Regulatory Compliance
The Privacy Review should evaluate whether the organization’s data handling practices comply with relevant privacy laws.
Key Actions:
- Assess whether the organization obtains valid consent from users. Quebec has set a very high bar for consent (download the CAI’s Guidance for collecting Valid Consent). Simplified, ubiquitous statements are no longer acceptable.
- Evaluate the effectiveness of privacy notices and disclosures. A Privacy Professional should review all Privacy Statements and Terms of Service.
- Verify data subject rights processes (e.g., right to access, deletion requests, data portability). Using the above Data Map, ensure that all data use is compliant with the laws.
- Check for contractual obligations in third-party agreements (e.g., Data Processing Agreements) to ensure compliance.
- Ensure compliance with cross-border data transfer requirements by understanding how and what data moves across borders.
Laws Commonly Considered:
- GDPR (EU) – Focuses on data minimization, transparency, choice and accountability.
- CCPA/CPRA (California) – Emphasizes consumer rights and working opt-out mechanisms.
- PIPEDA (Canada) – Requires organizations to obtain meaningful consent.
- CASL (Canada) – Anti-spam law for electronic communications.
- PPIPS (Quebec) – Very GDPR-like, setting a high bar for Canadians.
- HIPAA (US, healthcare) – Protects patient health information.
- State Laws (USA) – A patchwork of state laws to consider. It is best to operate to the highest bar and adjust for other state-specific considerations.
4. Assess Security and Risk Management Controls
Privacy and security go hand in hand. We often say they are “the opposite sides of the same coin”. A Privacy Review must examine the organization’s security posture as it applies to personal information.
Key Actions:
- Conduct risk assessments for data breaches and unauthorized access. All new data protection and privacy laws include rigorous breach reporting processes that include incident response plans and staff training.
- Evaluate encryption and anonymization techniques. This is one of the least defined aspects of privacy, but it is critical. Many organizations will choose to anonymize data rather than delete it.
- Review access controls (e.g., role-based access, multi-factor authentication). This includes both who has access and how they access.
- Verify the organization’s vendor security practices if data is shared with third parties. Many breaches start with vendors.
Methods Used:
- Penetration testing and security audits
- Privacy Impact Assessments (PIAs)
- Data Protection Impact Assessments (DPIAs)
- Data Transfer Impact Assessments (DTIAs)
5. Review Privacy Policies and Procedures
Organizations must have clear, documented privacy policies that reflect their actual data practices.
Key Actions:
- Ensure the Privacy Policy is compliant, user-friendly, and updated.
- Review internal policies on security, annual privacy reviews, employee access and training.
- Double-check data retention policies to ensure unnecessary data isn’t kept longer than required and review the procedures to ensure they are operationalized.
- Verify how privacy complaints and inquiries are handled.
6. Prioritize Gaps and Recommend Improvements
After collecting and analyzing data, the next step is to identify areas of non-compliance or risk.
Key Actions:
- Create a prioritized gap analysis report outlining the most important privacy or data protection risks.
- Provide specific recommendations for improvement (e.g., policy changes, technology upgrades). For example, most organizations have never had to prove consent and therefore have not implemented simple, automated consent management practices. We recommend implementing CASSIE by Syrenis (UK).
- Prioritize fixes based on risk level and regulatory requirements.
- Assign responsibility to specific teams or individuals.
7. Develop a Privacy Action Plan
Based on findings, the organization should implement changes to strengthen privacy compliance. Annual reviews are often great opportunities to tighten and improve policies and procedures.
Key Actions:
- Assign a Privacy Officer or Data Protection Officer (DPO).
- Update employee training on privacy best practices.
- Improve consent mechanisms and make them more transparent.
- Implement privacy-by-design in future projects.
- Establish a regular review process to continuously monitor privacy compliance.
8. Monitor and Maintain Compliance
Privacy is an ongoing process, not a one-time task. Organizations should establish a framework for continuous monitoring.
Key Actions:
- Conduct annual or biannual privacy reviews.
- Perform regular internal audits and compliance checks, maintaining logs and reports for any incidents.
- Stay updated on new regulations and industry standards.
- Encourage a culture of privacy awareness within the organization.
Conclusion
A well-executed Privacy Review helps an organization proactively manage privacy risks, comply with laws, and build customer trust. By starting with a Privacy Review that maps data flows, assesses security, reviews policies, and implements the necessary changes, businesses can ensure they handle personal information responsibly and ethically, building consumer trust along the way.