Building a Privacy Function, From the Ground Up

Consumer data. Who’s collecting it? How is it being used? What regulations are being put in place that can impact how my organization collects, stores, processes and transfers that data? These are the types of questions that we hear over and over again from many of our clients, who are realizing that they are now faced with some of the most stringent privacy laws for their industries that have ever existed in the U.S., Canada, the European Union and around the world. They want to know: Where do we start? Are we focusing on the right things? How do we demonstrate a culture of privacy here?

So in a recent webinar, Establishing an Organizational Privacy Function, we gathered the basic steps that should be taken to build a solid foundation into one place, as an easy reference point for anyone looking to get their privacy function started.

We acknowledge there are a number of factors that could be driving an organization to begin the process of establishing a privacy function. Those can range from an enhanced customer experience, to improved operational effectiveness, to mergers and acquisitions. Yet the primary driver is likely to be regulatory requirements. During our webinar, we polled the audience about this, and 82 percent selected regulatory concerns over other options like partnering and outsourcing and improved analytics and decision making. While cost savings and avoidance (avoiding regulatory fines) is also an important driver, new regulations remain top of mind for most organizations.

The Basics

To get started, it’s best to first proactively establish the organization’s primary goals and purposes for privacy. We’ve learned from watching reactive clients that just buying a solution without a sound plan in place may not be the most productive way to go. Privacy can be difficult to implement and, in many cases, requires already stretched resources to perform additional work. We suggest simplifying this exercise by following these guiding principles:

It is important to remember that there is no “one size fits all” approach to privacy. Each organization’s needs and current state are different, and there’s no need to “boil the ocean.” Tackle the things you can, given your organization’s capabilities. Communicate regularly and consistently, preferably from the top of the organization and avoiding jargon, to help ensure buy-in and development of that culture of privacy. Privacy is everyone’s job.

Top Down or Bottom Up? Both, Please

For organizations starting out or re-launching their efforts, we often propose approaching privacy initiatives from two directions: top-down and bottom-up. A top-down approach focuses on overall policy guidance, organizational structures, communications management, and change management, while a bottom-up approach focuses on key foundational elements (e.g., metadata management, data lineage, data ownership, and data quality) for selected data domains (e.g., vendor, customer/client). We believe an approach that “meets in the middle,” blending both, is most effective.

With a plan and approach in place, program design is next. There are a number of factors to consider, but you’ll notice that our top six (shown below) align with the principles we’ve been talking about:

Yes, there are a lot of moving parts. Yes, this process can seem overwhelming. Which is why we recommend that everything funnel to and through a business readiness and organizational change management process. Knowing the organization’s data is also important. How is it collected? Processed? Stored? Are there any cross-border transfers? There’s a lot to consider…but it starts with building an inventory of data assets. Identify the assets you have, and what processing activities are affiliated with those assets. Then, go back to the prioritization process already developed. And voila, things start to get easier.

It’s Not Too Late

If you’re among the shrinking business population who feel “who has time for privacy?” (9.3% of attendees in our recent webinar), do know that it is not too late to start developing a high-quality privacy program. This chart illustrates where to focus efforts NOW:

Don’t let more time pass by. Consumers are growing more aware and informed about their privacy rights and are beginning to favor organizations that make them feel comfortable their personal data is well protected. Ask: what can we do NOW to demonstrate to the public that we are considering privacy? It may be as simple as adding a consent banner to your web site home page or adding appropriate mechanisms for consumers to contact the organization. Ensure the company’s privacy notice is in place and maintained. This may be an unforeseen opportunity to present customers with an assurance that their personal data is a top priority for the organization.

To listen to a replay of our privacy series webinar, click here.

Kevin Strope

Associate Director
Technology Consulting – Security & Privacy

Stephen Nation

Senior Manager
Technology Consulting – Security and Privacy