Establishing a culture of privacy
Ten years ago, privacy was a new conversation for many organizations. Today, the leaders of most large organizations are talking about it. Boards’ and executives’ top concerns are:
- Meeting increased regulatory requirements
- Preventing or responding to data breaches
- Navigating the pitfalls and prizes of data analytics
In the age of big data, and growing penalties for data protection fails, any company collecting personal information in any form, from clients, consumers, or employees, needs to be up to speed on privacy compliance. Yet for many organizations, it still isn’t a priority. According to a 2018 federal poll, 50% of Canadian companies don’t have internal privacy policies, and 60% have no data breach protocols.
Privacy compliance can be something of a minefield, where a simple error can have devastating consequences for an organization’s reputation and budget. Unfortunately, the solutions are not simple. Developing a comprehensive privacy program, like any new initiative, means reconciling different perspectives and priorities.
Different Vantage Points on Privacy
In many organizations, three roles are primarily responsible for privacy governance: executives, boards of directors, and privacy officers. The people in these roles tend to approach privacy in distinct ways:
- Executives are most often concerned about organizational reputation, legal compliance, and protecting data assets and intellectual property. They want to know how data protection will help the organization meet their strategic goals, and what return on investment privacy will deliver; for example, privacy as a selling point, and the enhanced opportunities to utilize data analytics. They are less likely to be involved in the technical side of implementation, and will respond best to a focus on risk, compliance, and opportunities.
- Boards of directors share the same concerns as executives. Together with the CEO, boards are legally accountable for data protection, and so are responsible for overseeing privacy governance. This includes: integrating privacy and security into the organization’s mission and strategic goals; leading the development of a governance framework for privacy; overseeing the privacy program; and establishing performance measurement for compliance. Boards also determine the budgets for privacy programs and solutions. Most board members are committed to compliance as a goal, but may need to upgrade their legal and technical knowledge to make well-informed decisions about privacy governance.
Getting Everyone on Board with Privacy
Some key steps towards getting everyone on board with a privacy program:
- Hire an excellent privacy officer, not just a qualified one. Ideally, privacy officers will have a background in both the legal and technical aspects of privacy compliance, as well as being good managers, strong communicators, and adaptable to change.
- Don’t rely exclusively on your privacy officer. Good governance is key to building an effective Privacy Program. Privacy should be governed by a committee that includes board members, the CEO or CFO, and the Chief Revenue Officer, so that both compliance concerns and financial concerns will be represented. The Privacy Governance Committee will work with the Privacy Officer to develop policy and data governance strategy.
- Develop a privacy culture. Make sure everyone in your organization, from the newest hire to the CEO, understands the importance of privacy and their role in protecting it.
Ongoing privacy maturity requires buy-in from top-level executives and the Board of Directors, an engaged Privacy Governance Committee, an efficient and respected Privacy Officer, and responsible staff committed to protecting personal information. Ultimately, everyone in the organization is a stakeholder in effective privacy compliance.
This article is based on my book, Privacy In Design: A Practical Guide to Corporate Compliance