In the previous chapter, we had the opportunity to present the stakeholders involved in the implementation and deployment of a privacy compliance program (“Privacy Program”) as well as the governance models that the organization could adopt to carry out its compliance activities. This chapter will focus on the steps used to define the scope and objectives of the program. These are important as they ensure that the necessary efforts and resources are devoted and invested in the implementation and deployment of the program.
This series of bulletins, presented in chapter form, will demystify this concept and suggest concrete measures for initiating compliance.
Chapter 3: How to define the scope and objectives of the Program?
a. Program Vision and Mission Statement
The implementation of a Privacy Program cannot be carried out before having first established its vision and mission. The vision and mission statement of the program must be consistent with the strategic objectives of the organization. Beyond mere compliance, the Privacy Program supports a change in organizational culture with regard to privacy. The vision and mission should therefore be captured in a clear and concise statement that can be reproduced in the organization’s various policies, confidentiality notices, guidelines, procedures, and training and awareness material. In this regard, in order to maximize employee adherence and customer confidence, the vision and mission of the Privacy Program should be endorsed by the organization’s senior management.
For example, some companies may choose to strategically emphasize privacy in their product or service offering as a competitive advantage, while others may choose to make it an organizational value. This type of positioning should be reflected in the organization’s vision and mission statement.
b. Scope of the Program
Defining the scope of the program makes it possible not only to choose the appropriate setting for its privacy compliance, but also to correctly identify areas of risk and to plan its compliance efforts. A typical approach to determine the scope of the program is achieved by performing these two steps :[1]
1) identify personal information processed by the organization (type, source, etc.)
2) identify the regulations that apply to the organization regarding the protection of personal information.
i. Identification of Personal Information Processed by the Organization
In order to ensure effective compliance, the organization must have a sufficiently detailed description of the personal information it collects, uses, discloses, retains and destroys.
Several approaches are possible in order to achieve this. For example, the initial approach could be to conduct interviews with representatives of the various departments and business units of the organization in order to have a better idea of the types of information processed.
Additionally, unlike the GDPR,[2] Bill 25 does not specifically require that a registry of personal information processing activities be kept by the organization. However, several obligations of this bill require that the organization know what personal information is processed and for what purpose.[3] The identification process can therefore be structured through the creation of such a registry.
Moreover, other tools may allow organizations to complete the identification of personal information processed, for example: the mapping of their data flow in their technological environments, their application catalogue, their data catalogue, the list of their business processes, the registry of third parties (suppliers, subcontractors, partners, etc.) with whom the organization does business, etc.
ii. Identification of Applicable Privacy Regulations
Once the organization has identified the personal information it collects, uses, discloses, retains or destroys, it is easier to identify the legislative and regulatory contexts that apply to these activities and to establish a description of the applicable obligations.
A good practice to adopt when analyzing the relevant legislative and regulatory contexts is to ensure compliance with the strictest requirement when establishing the program, in order to avoid the costs of duplicate controls and to ensure consistency in their implementation. Another good practice would be to target upstream the so-called "exceptional" obligations that cannot be matched with requirements from other legislative contexts in order to be able to address them separately.
This exercise will also allow the organization to define its compliance strategy by identifying the requirements to be considered in relation to the compliance with the protection of personal information. It is in the next and final chapter that we will have the opportunity to present to you the elements to be taken into consideration for the design of this type of setting, which is at the heart of the Privacy Program.
[1]Ron DE JESUS, “Introduction to Privacy Program Management”, in Privacy Program Management. Tools for Managing Privacy Within Your Organization. 2nd ed., Portsmouth, International Association of Privacy Professionals, 2019, p. 254, at page 14.
[2]Section 30 of GDPR.
[3]See Section 8 of Bill 25.
