Controls are your cybersecurity & data privacy program ---- A control is the power to influence or direct behaviors and the course of events.

SCF Premium Content - Data Privacy Program (DPP)

ComplianceForge is an authorized SCF partner and offers its Data Privacy Program (DPP) as a solution to accelerate the adoption and implementing of a privacy program at your organization!

The reality for most non-Fortune 1,000 organizations is that data protection duties are often assigned to cybersecurity staff. The concept of establishing a privacy program can be a daunting endeavor and is why the DPP leverages the SCF's Privacy Management Principles. This provides flexibility, due to its mapping to these commonly cited privacy laws, regulations and frameworks:

  • AICPA’s Trust Services Criteria (TSC) (2017)
  • Asia-Pacific Economic Cooperation (APEC)
  • California Privacy Rights Act (CPRA)
  • European Union General Data Protection Regulation (EU GDPR)
  • Fair Information Practice Principles (FIPPs) - Department of Homeland Security (DHS)
  • Fair Information Practice Principles (FIPPs) - Office of Management and Budget (OMB)
  • Generally Accepted Privacy Principles (GAPP)
  • HIPAA Privacy Rule
  • ISO/IEC 27701:2019
  • ISO/IEC 29100:2011
  • Nevada SB820
  • NIST SP 800-53 R4
  • NIST SP 800-53 R5
  • NIST Privacy Framework v1.0
  • OASIS Privacy Management Reference Model (PMRM)
  • Organization for Economic Co-operation and Development (OECD)
  • Office of Management and Budget (OMB) - Circular A-130
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Privacy by Design (PbD) – The 7 Foundational Principles

The DPP is a one-time purchases with no software to install - you are buying content in the form of Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use the DPP! 

What Exactly Is A Data Protection Program? 

The Data Privacy Program (DPP) is an editable "privacy program template" that exists to ensure data protection-related controls are adequately identified and implemented across your systems, applications, services, processes and other initiatives, including third-party service providers. The DPP prescribes a comprehensive framework for the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of Personal Data / sensitive Personal Data (PD / sPD). 

ComplianceForge designed the DPP for cybersecurity and privacy personnel who are tasked to with "privacy compliance" for their organization. This involves advising data privacy stakeholders on Privacy by Design (PbD) matters, while providing oversight to your organization's executive management that stakeholders are being held accountable for their associated data privacy practices.

At its core, the DPP is an editable Microsoft Word document that establishes your organization's privacy program. It is designed to address the who / what / when / where / why / how concepts that need to exist to operationalize privacy principles. If you take a look through the table of contents in the example listed below, you will see coverage for reasonable privacy program expectations:

  • Stakeholder identification and accountability structure
  • Applicable privacy-specific laws, regulations and frameworks
  • Concept of Operations (CONOPS) - mission, vision, strategy and mulit-year roadmap to operationalize the privacy program
  • Targeted privacy maturity level
  • Organization-specific criteria to meet privacy management principles
  • Data classification and handling guidelines
  • And more!

The DPP is a one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The DPP is capable of scaling for any sized company.

  • The DPP is an editable Microsoft Word document that providers program-level guidance to directly supports your company's policies and standards for ensuring secure engineering and privacy principles are operationalized.
  • This product addresses the “how?” questions for how your company ensures privacy principles are operationalized.

Rosetta Stone Approach To Privacy Principles

Based on our experience, we understand that most smaller-to-medium-sized businesses lack the knowledge and experience to undertake such privacy program documentation efforts. That means businesses are faced to either outsource the work to expensive privacy consultants, write it themselves or ignore the requirement in hopes of not get in trouble for being non-compliant. To solve this issue, ComplianceForge chose to leverage the the Secure Controls Framework Privacy Management Principles (SCF PMP) as an efficient way to align with an assortment of "privacy principles" that organizations are faced with.

When you look at a comparison of privacy-relevant laws, regulations and frameworks, you will see a wide variety of expectations. The SCF PMP's solution to the apples-to-oranges comarison was to create a metaframework of privacy principles that covers ninteen (19) privacy frameworks to provide the ability to demonstrate adherence to multiple privacy principles. 

Privacy Management Principles

Cost Savings Estimate For The Digital Security Program (DSP) - A Fraction Of The Time & Expense 

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the DSP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

  • For your internal staff to generate comparable documentation, it would take them an estimated 120 internal staff work hours, which equates to a cost of approximately $17,000 in staff-related expenses. This is about 4-8 months of development time where your staff would be diverted from other work.
  • If you hire a consultant to generate this documentation, it would take them an estimated 80 consultant work hours, which equates to a cost of approximately $36,000. This is about 2-3 months of development time for a contractor to provide you with the deliverable.
  • The DSP is approximately 8% of the cost for a consultant or 18% of the cost of your internal staff to generate equivalent documentation.
  • We process most orders the same business day so you can potentially start working with the DSP the same day you place your order.

The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.