Data privacy best practices should be woven into the very fabric of an organization.
On Tuesday, September 15th, SEI hosted Establishing a Culture of Data Privacy, the second webinar in our data privacy series. Presented by SEI’s data privacy practice lead Jason Michelli and SEI thought leaders Yazeed AbouSaleh and Alan Forinash, the webinar took stock of the evolving regulatory landscape, spelled out key data privacy challenges, and provided attendees with insights on how to develop a roadmap for establishing a robust data privacy program.
While the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among other privacy laws, have pressured businesses to improve their data privacy practices and to give consumers greater agency and transparency, these regulations are not the only factors disrupting today’s data privacy landscape.
On one hand, a parade of high-profile data breaches in the past few years has prompted consumers to become increasingly wary of sharing their data. On the other hand, the popularization of data monetization, the advent of the data-as-a-service model, and the proliferation of means by which to capture consumer data — including social media, ecommerce platforms, streaming services, and an expanding Internet of Things (IoT) — have created a range of new opportunities for businesses to leverage data to drive value.
How can organizations take advantage of these opportunities while achieving ongoing compliance, earning and maintaining consumer trust, and enacting data privacy practices that garner organization-wide adoption? The short answer: by establishing an organizational culture centered around data privacy best practices.
Breaking Down Internal Silos
Many organizations attempt to design and execute a data privacy program in a series of silos. They address regulatory jurisdictions, data subject types, breach reporting, and master agreements in their legal department, awareness and adoption efforts in compliance, and policy enablement and operations at the leadership level. This approach may have been effective in responding to past compliance efforts, but taking a piecemeal approach to data privacy in a climate defined by growing consumer demands for access and transparency will only expose organizations to unnecessary risk.
To mitigate risk while streamlining operations, organizations should take a holistic approach that centralizes their efforts and unifies employees around a common set of goals. In short, they must create a culture of data privacy. The core tenets of a strong culture of data privacy include:
- Responsible data handling at every level
- Top-down buy-in
- Holistic privacy program design
- Customer-centric decision-making
- A commitment to continuous improvement
- An agile approach to regulatory challenges
- Open lines of communication
- Effective training and awareness
Establishing a culture of data privacy centered around these tenets endows an organization with key advantages, including superior data governance, effective technology rationalization, cost-savings, a proactive stance on adapting to change, and improved data quality that enables better decision-making.
5 Steps to Enacting a Culture of Data Privacy
Achieving the ideal end-state — an organizational culture in which all members feel committed to and responsible for ensuring data privacy best practices are woven into every function of the business — requires a series of well-planned efforts. At a high level, these efforts entail:
1. Assessing existing business and privacy operations.
The assessment phase involves identifying and evaluating the nature of an organization’s business and how its customers’ personal information is currently being used. Additionally, it should consider customers’ expectations regarding the company’s use of personal data, as well as examine existing privacy practices, policies, and organizational structure. Essentially, key decision-makers should seek to capture a picture of current data privacy attitudes, behaviors, and activities across their organization and industry. This picture will inform the development of the data privacy framework.
2. Developing a data privacy framework.
The framework must also address functions that are strictly data-related, including data governance, records retention, data loss prevention, and identity and access management. Further, it should outline the tools that will be leveraged for all data privacy efforts. From simple spreadsheets to solutions designed specifically for streamlining data privacy operations, tools must provide users with maximum visibility into various privacy activities and help mitigate inaccuracies and redundancies, ensure data integrity, and improve efficiency.
Finally, the framework should account for the human impact of changes to the organization’s data privacy program. Key decision-makers should evaluate their organizational structure, roles, and responsibilities to ensure there is clear alignment and ownership of privacy practices across the organization. Leaders should further support cultural alignment around the objectives of their new data privacy program by ensuring that training and communications routines — in addition to detailed subject matter expertise where necessary — are in place to support broad-based awareness of privacy principles.
3. Designing and executing on a roadmap.
Once a framework has been established, leaders can begin to design their implementation roadmap. While execution timelines will vary based on a number of factors, implementation of a new data privacy program should leverage an incremental approach and be expected to span multiple years.
Using this approach, organizations should prioritize and sequence initiatives to first establish foundational processes and roles for the business functions and systems that pose the greatest level of risk. Once this has been done, they can begin to undertake incremental initiatives that enable achievement of the desired end-state. Consideration should be given to initiatives that are function-dependent as well as those that can be undertaken simultaneously.
4. Privacy operations (run the business).
5. Implementing measures for continuous improvement.
The final, cyclical phase of establishing a culture of data privacy is ensuring that the organization is equipped with the knowledge and resources necessary for continuous improvement. By leveraging operational KPIs, leaders can benchmark privacy performance and identify opportunities for improvement on a recurring basis. Assessing the impact of new or pending regulatory changes, as well as any actions outlined by data privacy supervisory authorities, can provide organizations with clear direction for future improvement. Recurring reviews of training and communications programs, internal privacy audits and remediation activities, and record retention schedules can illuminate additional improvement opportunities.
The outcome of the continuous improvement process should be an iterative revisit of the implementation roadmap, updated with re-prioritized privacy initiatives for implementation over the coming period, aligned to applicable strategic initiatives.
Capitalize on the Benefits of a Strengthened Data Privacy Posture
In a climate of intense and growing concern over consumer data handling practices, it’s more important than ever for organizations to take action to modernize their data privacy programs. With a measured approach that addresses people, processes, data, and technologies, it’s possible to cultivate an organizational culture built around data privacy best practices. As a result, organizations will enjoy cost-savings, improved operational agility and efficiency, and more accurate data inventories — all of which empower them to make more informed decisions that benefit both their customers and the bottom line.
If you’re interested in learning more about how to elevate your organization’s approach to data privacy, register for Leveraging Data Inventories: Privacy, Security, and Third-Party Risk Management, the next webinar in our data privacy series, which will take place on Tuesday, October 27, at 11:00 A.M. EST. We hope to see you there!