In A Policy is Not Enough, Ontario’s Information and Privacy Commissioner Ann Cavoukian outlines seven steps organizations should consider implementing to effectively translate privacy policies into privacy practices.
• Implement a privacy policy that reflects the privacy needs and risks of the organization and consider conducting an effective Privacy Impact Assessment
• Link each requirement within the policy to a concrete, actionable item (operational processes, controls and/or procedures), translating each policy item into a specific practice that must be executed.
• Demonstrate how each practice item will actually be implemented.
• Develop and conduct privacy education and awareness training programs to ensure all employees understand the policies and practices required, as well as the obligations they impose.
• Designate a central go-to person for privacy-related queries within the organization.
• Verify both the employee and organizational execution of privacy policies and operational processes and procedures.
• Proactively prepare for a potential privacy breach by establishing a data breach protocol to effectively manage a breach.