Establishing a culture of privacy
Ten years ago, privacy was a new conversation for many organizations. Today, the leaders of most large organizations are talking about it. Boards’ and executives’ top concerns are:
Meeting increased regulatory requirements
Preventing or responding to data breaches
Navigating the pitfalls and prizes of data analytics
In the age of big data, and growing penalties for data protection failures, any company collecting personal information in any form, from clients, consumers, or employees, needs to be up to speed on privacy compliance. Yet for many organizations, it still isn’t a priority. According to a 2018 federal poll, 50% of Canadian companies don’t have internal privacy policies, and 60% have no data breach protocols.
Privacy compliance can be something of a minefield, where a simple error can have devastating consequences for an organization’s reputation and budget. Unfortunately, the solutions are not simple. Developing a comprehensive privacy program, like any new initiative, means reconciling different perspectives and priorities.
Different Vantage Points on Privacy
In many organizations, three roles are primarily responsible for privacy governance: executives, boards of directors, and privacy officers. The people in these roles tend to approach privacy in distinct ways:
Executives are most often concerned about organizational reputation, legal compliance, and protecting data assets and intellectual property. They want to know how data protection will help the organization meet its strategic goals, and what return on investment privacy will deliver; for example, privacy as a selling point, and the enhanced opportunities to utilize data analytics. They are less likely to be involved in the technical side of implementation, and will respond best to a focus on risk, compliance, and opportunities.
Boards of directors share the same concerns as executives. Together with the CEO, boards are legally accountable for data protection, and so are responsible for overseeing privacy governance. This includes: integrating privacy and security into the organization’s mission and strategic goals; leading the development of a governance framework for privacy; overseeing the privacy program; and establishing performance measurement for compliance. Boards also determine the budgets for privacy programs and solutions. Most board members are committed to compliance as a goal, but may need to upgrade their legal and technical knowledge to make well-informed decisions about privacy governance.
Privacy officers are most directly responsible for the implementation of privacy policy, and this will almost always be their first priority. However, privacy officers come from a wide variety of educational and professional backgrounds, and have very different skill sets and approaches. Some have strong technical skills and tend to focus on implementation through IT and security practices; they may struggle with communications and change management. Some have a strong legal background and tend to focus on policy and contracts; they may struggle with the technical and management aspects of the role. Some are managers who may be adept at communication and change management, but lack a depth of legal and technical knowledge.
Privacy officers need a broad base of experience and expertise, as they are often in the position of developing a privacy strategy for their organization and “selling” it to boards, CEOs and everyone else.
Getting Everyone on Board with Privacy
Some key steps towards getting everyone on board with a privacy program:
Ongoing privacy maturity requires buy-in from top-level executives and the Board of Directors, an engaged Privacy Governance Committee, an efficient and respected Privacy Officer, and responsible staff committed to protecting personal information. Ultimately, everyone in the organization is a stakeholder in effective privacy compliance.
This article is based on my book, Privacy In Design: A Practical Guide to Corporate Compliance