Building customer trust and solving for compliance obligations, with a recent focus on health IT & AI.
Privacy Program Development
New or early-stage programs typically benefit from a gap/risk assessment to inform program development, which includes data mapping, control evaluation, policy review, a recommendations report and a risk register. Established programs may need tighter roles and responsibilities to inform role-based training and access controls, designing program oversight and monitoring, and/or establishing metrics for ongoing risk assessment. Typical questions we hear from clients:
- Established: Do we have the right accountabilities identified? Is our training program forward looking or missing new trends?
- Nascent: We’ve got the basics, but can you tell us what we should do next?
- Getting Started: We’ve got very limited resources and our lawyers told us to do something. What’s the best path forward?
“Privacy by Design”
Proactively identifying the “alphabet soup” of privacy requirements (GDPR, OECD, CCPA, COPPA, FERPA, HIPAA, GAPP, ISO/NIST, DOJ, FTC, PIPEDA, PHIPA, APA, NZPA, PIPA, HIA, HIPA [Sask] as examples) and turning them into meaningful requirements that can be built into a product, service or system before it’s launched. This is particularly helpful for organizations working in high-sensitivity spaces, including mobile apps and the use of any third-party services (e.g. ChatGPT or related API calls). Typical questions we hear from clients:
- Established: How do we extend our existing PbD program to new technologies like Generative AI?
- Nascent: Privacy requirements pop up late in our lifecycle; how do we build them in proactively for product and engineering?
- Getting Started: There are too many requirements and they conflict; how do we know what is P0 and what we can iterate on?
Privacy Impact Assessments (PIA, DPIA, PR)
Privacy Impact Assessments are a type of impact assessment that provides a point-in-time view to help organizations identify and manage privacy risks arising from new or existing projects, initiatives, systems, processes, strategies, policies, and products. They are beneficial to a variety of stakeholders and are often a legal requirement. There are a variety of jurisdiction-specific mandates and standards to consider in identifying the right methodology for your organization. Typical questions we hear from clients:
- Established: We’re selling in a GDPR market; how do we demonstrate to the Regulator that we’ve done our due diligence?
- Nascent: We want to respond to a procurement opportunity; how do we know we’ve done everything we need to for privacy?
- Getting Started: We don’t really have sensitive data; do we even need to do anything for privacy?
Third Party Due Diligence / Mergers & Acquisition Readiness
Buying companies comes with significant risks around the use of customer data, and is of particular interest to regulators (both in North America and Western Europe). We can help with due diligence at the RFP stage by identifying contract requirements. For cloud and other managed services, we can provide policy guidance and help make a build-versus-buy case. Typical questions we hear from clients:
- Established: We want to buy out a competitor because they have great data sets; how can we guarantee we can use it right away?
- Nascent: We’re merging with a competitor so we can expand the use of our data for LLM training. That’s ok, right?
- Getting Started: We want to be a good target for acquisition; how do we demonstrate that we’re not bringing big privacy risks in a buyout?
Just want to talk? We’re available for ad hoc consulting and on-retainer models (which can be useful for incident response scenarios). Reach out to info @ privacyand.com for a free consultation.
If you’re not sure what you need, check out Audiences and see if something resonates.