By Paul Iagnocco, director, consulting ,TrustArc
Global and domestic privacy regulations like GDPR and the California Consumer Privacy Act (CCPA) are forcing businesses to develop and implement comprehensive data management processes to comply with new privacy requirements.
In this age of compliance, privacy strategies have become ongoing initiatives, rather than one-time implementations. New privacy-by-design principles can help companies integrate compliance in their early-stage engineering processes to build compliant-ready products and services. But to achieve sustained compliance, privacy needs to be ingrained in company culture and run through the heart of each employee—whether they touch data in HR, sales, or IT.
To build a self-sustaining operation that’s compliant with both domestic and international data protection standards, business leaders should implement a privacy frame of mind. This mindset is only possible when organizations can find and train critical team ambassadors, and in some cases perform an entire company culture overhaul.
Achieve High-Level Buy-in to Build Culture
At a previous job, I was tasked with building the privacy culture and team. The only way I was able to properly introduce sustained compliance into the organization was by securing buy-in from individuals, such as the marketing senior vice president, CMO, CIO, and general counsel. That’s a lofty cadre of senior-level opinions to sway, and the people whose sign-off matters will change from organization to organization. The point is that it will be difficult to accomplish much if you aren’t able to keep open a conduit of information to senior-level people.
In particular, people in operations roles will be immensely helpful in getting a privacy culture off the ground. At the same company, I worked with senior leadership to develop a set of privacy ethics to guide a new value creation process. Then, the HR team and I amended the handbook to include these new values to ensure that we established a privacy mindset from onboarding onward. When you secure buy-in from senior leadership to create a privacy culture, it creates the expectation internally that privacy is a crucial focus.
Understand Who Maintains Significant Data
With high-level buy-in, privacy and compliance leaders can begin building their teams. The most important part of building a privacy team is to understand who handles the significant data. Leaders should structure their teams around the following groups of people.
Operations team. This team is comprised of businesspeople—it should include people from HR, customer services, marketing, and sales—who touch the data on a regular basis. They are the data stewards who are on the hook if a breach occurs. They are both your first line of compliance and likely source of non-compliance. This team should further include individuals from IT who support these business operations within the company function.
Shared service team. This team is the data protection and privacy compliance team that helps ensure the rest of the organization’s employees maintain compliance with their data handling processes. Typically, this group will consist of people focused on IT infrastructure, IT security and privacy compliance. They take the content, the knowledge, changing regulations, and help determine the actions an organization should take. Oversight comes from both the CISO and chief privacy officer, who should work in tandem to manage the information needed to maintain compliance and the CIA triad (confidentiality, integrity, and availability).
Senior level. If you recall, achieving buy-in from the senior team is an important part of this process. The easiest way to do this is by empowering them into some level of decision making. A senior team will have to determine what level of risk a company is willing to undertake. They’ll also approve the privacy strategy to mitigate any risk, as well as set budgets and approve processes moving forward. The key players here are the CIO and general counsel.
Privacy Isn’t a Box to Check Off
Legislation like GDPR and CCPA will continue to pressure businesses to achieve privacy and compliance at scale. By creating a privacy mindset—with help from everything discussed above, as well as robust technology to manage compliance with privacy regulations and aid the privacy teams—organizations can ensure privacy is part of their fabric. Establishing buy-in from the highest levels, understanding the team’s structure, and ingraining a culture of privacy from the ground up will all help make ongoing compliance an easier achievement. But above all, privacy leaders must remind their organizations that compliance isn’t a box to check off. Privacy must be built into the product and operations of a company by design and by default. Your goal in building a privacy team is to create a mentality shift whereby every member of the company gives pause to consider the privacy implications of their actions. Only when this mindset settles in across the entire organization can companies achieve ongoing compliance.