Risk and ComplianceSecurity

Building a Privacy Function, From the Ground Up

Kevin StropeStephen Nation
October 24, 2019
4 min read

Consumer data. Who’s collecting it? How is it being used? What regulations are being put in place that can impact how my organization collects, stores, processes and transfers that data? These are the types of questions that we hear over and over again from many of our clients, who are realizing that they are now faced with some of the most stringent privacy laws for their industries that have ever existed in the U.S., Canada, the European Union and around the world. They want to know: Where do we start? Are we focusing on the right things? How do we demonstrate a culture of privacy here?

So in a recent webinar, Establishing an Organizational Privacy Function, we put the basic steps that should be taken to put together a solid foundation together in one place, that’s an easy reference point for anyone looking to get their privacy function started.

We acknowledge there are a number of factors that could be driving an organization to begin the process of establishing a privacy function. Those can range from an enhanced customer experience, to improved operational effectiveness to mergers and acquisitions. Yet the primary driver is likely to be regulatory requirements. During our webinar, we polled the audience about this, and 82 percent selected regulatory concerns, over other options like partnering and outsourcing and improved analytics and decision making. While cost savings and avoidance (avoiding regulatory fines) is also an important driver, new regulations remain top of mind for most organizations.

The Basics

To get started, it’s best to first proactively establish the organization’s primary goals and purposes for privacy. We’ve learned from watching reactive clients that just buying a solution without a sound plan in place may not be the most productive way to go. Privacy can be difficult to implement and, in many cases, requires already stretched resources to perform additional work. We suggest simplifying this exercise by following these guiding principles:

It is important to remember that there is no “one size fits all” approach to privacy. Each organization’s needs and current state are different and there’s no need to “boil the ocean.” Tackle the things you can, given your organization’s capabilities. Communicate regularly and consistency, preferably from the top of the organization and avoiding jargon, to help ensure buy-in and development of that culture of privacy. Privacy is everyone’s job.

Top Down or Bottom Up? Both, Please

For organizations starting out or re-launching their efforts, we often propose approaching privacy initiatives from two directions: top-down and bottom-up. A top-down approach focuses on overall policy guidance, organizational structures, communications management, and change management, while a bottom-up approach focuses on key foundational elements (e.g., metadata data management, data lineage, data ownership, and data quality) for selected data domains (e.g. vendor, customer/client). We believe an approach that “meets in the middle,” blending both is most effective.

With a plan and approach in place, program design is next. There are a number of factors to consider, but you’ll notice that our top six (shown below) align with the principles we’ve been talking about:

Yes, there are a lot of moving parts. Yes, this process can seem overwhelming. Which is why we recommend that everything funnel to and through a business readiness and organizational change management process.  Knowing the organization’s data is also important. How is it collected? Processed? Stored? Are there any cross-border transfers? There’s a lot to consider…but it starts with building an inventory of data assets. Identify assets you have, and what processing activities are affiliated with those assets. Then, go back to the prioritization process already developed. And voila, things start to get easier.

It’s Not Too Late

If you’re among the shrinking business population who feel “who has time for privacy?” (9.3% of attendees in our recent webinar), do know that it is not too late to start developing a high-quality privacy program. This chart illustrates where to focus efforts NOW:

Don’t let more time pass by. Consumers are growing more aware and informed about their privacy rights and are beginning to favor organizations that make them feel comfortable their personal data is well protected. Ask: what can we do NOW to demonstrate to the public that we are considering privacy? It may be as simple as adding a consent banner to your web site home page or adding appropriate mechanisms for consumers to contact the organization. Ensure the company’s privacy notice is in place and maintained. This may be an unforeseen opportunity to present customers with an assurance that their personal data is a top priority for the organization.

To listen to a replay of our privacy series webinar, click here.

Kevin Strope

Associate Director
Technology Consulting - Security & Privacy

View all posts

Stephen Nation

Senior Manager
Technology Consulting – Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More