Data Privacy Program (DPP)

Data Privacy Program (DPP) - Editable Privacy Program Template

Product Walkthrough Video

This short product walkthrough video is designed to give a brief overview about what the DPP is to help answer common questions we receive.

What Is The Data Protection Program (DPP)?

The Data Privacy Program (DPP) is an editable "privacy program template" that exists to ensure data protection-related controls are adequately identified and implemented across your systems, applications, services, processes and other initiatives, including third-party service providers. The DPP prescribes a comprehensive framework for the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of Personal Data / sensitive Personal Data (PD / sPD). ComplianceForge designed the DPP for cybersecurity and privacy personnel who are tasked with "privacy compliance" for their organization. This involves advising privacy stakeholders on Privacy by Design (PbD) matters, while providing oversight to your organization's executive management that stakeholders are being held accountable for their associated data privacy practices.

At its core, the DPP is an editable Microsoft Word document that establishes your organization's privacy program. It is designed to address the who / what / when / where / why / how concepts that need to exist to operationalize privacy principles. If you take a look through the table of contents in the example listed below, you will see coverage for reasonable privacy program expectations:

• Stakeholder identification and accountability structure
• Applicable privacy-specific laws, regulations and frameworks
• Concept of Operations (CONOPS) - mission, vision, strategy and multi-year roadmap to operationalize the privacy program
• Targeted privacy maturity level
• Organization-specific criteria to meet privacy management principles
• Data classification and handling guidelines
• And more!

The DPP is a one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The DPP is capable of scaling for any sized company. 

• The DPP is an editable Microsoft Word document that providers program-level guidance to directly supports your company's policies and standards for ensuring secure engineering and privacy principles are operationalized.
• This product addresses the “how?” questions for how your company ensures privacy principles are operationalized.

What Problems Does The DPP Solve?

• Lack of In House Security Experience - Writing cybersecurity & privacy documentation is a skill that most cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive data privacy documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The DPP is an efficient method to obtain comprehensive guidance documentation to implement privacy principles within your organization!
• Compliance Requirements - Requirements such as EU GDPR require companies that store, process or transmit the personal data of EU citizens to ensure that both cybersecurity and privacy principles are built into processes by default. Can you prove how privacy principles are implemented at your organization?
• Audit Failures - Cybersecurity and privacy documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The DPP provide mapping to leading privacy frameworks to show you exactly what is required to both stay secure and compliant.   
• Vendor Requirements - It is becoming more common for clients and partners to request evidence of a privacy program and this includes policies, standards and procedures. With EU GDPR, vendors and other partners will be expected to demonstrate evidence of compliance with the EU GDPR.

How Does The DPP Solve These Problems?

• Clear Documentation - The DPP provides a comprehensive approach to operationalizing privacy principles. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
• Time Savings - The DPP can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific privacy needs. 
• Alignment With Leading Practices - The DPP is written to support leading cybersecurity and privacy frameworks!   

The DPP is a "Rosetta Stone" approach to privacy principles. Based on our experience, we understand that most smaller-to-medium-sized businesses lack the knowledge and experience to undertake such privacy program documentation efforts. That means businesses are faced to either outsource the work to expensive privacy consultants, write it themselves or ignore the requirement in hopes of not getting in trouble for being non-compliant. To solve this issue, ComplianceForge chose to leverage the Secure Controls Framework Data Privacy Management Principles (SCF DPMP) as an efficient way to align with an assortment of "privacy principles" that organizations are faced with.

When you look at a comparison of privacy-relevant laws, regulations and frameworks, you will see a wide variety of expectations. The SCF DPMP's solution to the apples-to-oranges comparison was to create a metaframework of privacy principles that covers nineteen (19) privacy frameworks to provide the ability to demonstrate adherence to multiple privacy principles.

The SCF DPMP is a “Rosetta Stone” of data privacy management principles that maps to the following privacy practices:

1. AICPA’s Trust Services Criteria (TSC) (2017)
2. Asia-Pacific Economic Cooperation (APEC)
3. California Privacy Rights Act (CPRA)
4. European Union General Data Protection Regulation (EU GDPR)
5. Fair Information Practice Principles - Department of Homeland Security (DHS FIPPs)
6. Fair Information Practice Principles - Office of Management and Budget (OMB FIPPs)
7. Generally Accepted Privacy Principles (GAPP)
8. HIPAA Privacy Rule
9. ISO/IEC 27701:2019
10. ISO/IEC 29100:2011
11. Nevada SB820
12. NIST SP 800-53 R4
13. NIST SP 800-53 R5
14. NIST Privacy Framework v1.0
15. OASIS Privacy Management Reference Model (PMRM)
16. Organization for Economic Co-operation and Development (OECD)
17. Office of Management and Budget (OMB) - Circular A-130
18. Personal Information Protection and Electronic Documents Act (PIPEDA)
19. Privacy by Design (PbD) – The 7 Foundational Principles

Product Example - Data Privacy Program (DPP)

The DPP addresses program-level guidance on HOW to actually manage privacy principles, so that secure processes are designed and implemented across your organizationt. Policies & standards are absolutely necessary to an organization, but they fail to describe HOW privacy principles are actually planned and managed. The DPP provides this middle ground between high-level policies and the actual procedures of how developers, PMs, system integrators and system admins do their jobs to design, implement and maintain technology solutions while applying applicable data protection controls in their day-to-day operations.

View Product Example

Cost Savings Estimate - Data Protection Program (DPP)

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the DPP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

• For your internal staff to generate comparable documentation, it would take them an estimated 120 internal staff work hours, which equates to a cost of approximately $17,000 in staff-related expenses. This is about 4-8 months of development time where your staff would be diverted from other work.
• If you hire a consultant to generate this documentation, it would take them an estimated 80 consultant work hours, which equates to a cost of approximately $36,000. This is about 2-3 months of development time for a contractor to provide you with the deliverable.
• The DPP is approximately 8% of the cost for a consultant or 18% of the cost of your internal staff to generate equivalent documentation.
• We process most orders the same business day so you can potentially start working with the DPP the same day you place your order.

The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed. 

Cybersecurity & Data Privacy By Design - Program Level Privacy & Security Documentation

Optional Professional Services (Add On)

ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at: www.complianceforge.com/contact-us/.

We offer our professional services in bundles of: five (5), ten (10) & twenty (20) hours.

Purchased professional service hours will expire after 120 days (4 months) from the time of purchase before they expire.