Over the past 3 to 4 years, there have been significant developments in data protection, and keeping up with those changes can be a challenge for businesses of all sizes. In this article, one of our OneTrust privacy professionals will share their 5 top tips for building out a privacy program that they’ve seen work across multiple growing businesses.
Tip #1 – Gain senior management buy-in
The good news is that if you are a Data Protection Officer (DPO) or have been designated as playing a leading role in your company’s privacy program, there must already be at least some level of senior management buy-in, since someone had to recognize the requirement for the role.
One of the misinterpretations of data protection by senior management is that merely hiring a DPO makes the company more or less compliant with global privacy laws. The fact is that this is just the first step in the maturity of a program. The DPO’s ability to influence company policy and build out an ecosystem of trust and data ethics fundamentally relies on having continued access to the senior management of the business. In many scenarios, data protection requires a rewrite of the company’s DNA.
Also, there are significant training and process changes that need to occur before a business-as-usual privacy program can sit seamlessly alongside existing processes. Getting multiple departments to adhere to the data protection framework is sometimes a challenge when the obligation has not been disseminated from top-level leadership down. Having the sponsorship of every department head will significantly facilitate the program’s adoption by the business.
One of the biggest challenges a DPO can experience when selling compliance to the business is introducing the necessary processes without bloating them and slowing down business innovation. Carefully adding processes and educating the stakeholders can significantly improve the business’s cohesion with the adoption of data protection frameworks.
Tip #2 – Build a map of your data – Understand your business purposes
The need to understand what data you’re storing, and for what purpose, sounds very simple, right? In actual fact, this is possibly the most challenging aspect a DPO faces in building out a program. Before GDPR, many companies had never run a formal exercise to map their data. Exceptions include heavily regulated environments such as the telecom industry, financial services, healthcare, and anyone taking retail payment card information.
However, one thing that incoming DPOs can leverage as an advantage is existing information: snippets of data mapping that already exist, or previous DPO engagements with the business before you took on the role. These data sets can go a long way toward meeting the requirements of Article 30 under the GDPR. Additionally, other complementary existing processes could potentially be leveraged. Information security tasks often include assessing the types of data, the hosting providers, and the security enabled on these IT assets. Many of these are also called for under GDPR Article 32 and can, as an example, be added into the mix.
Many Privacy Enhancing Technologies (PETs) include the ability to import this existing information and then fill in the delta of what is missing, using automated assessments sent to the business process owners, to get a more accurate picture of the attributes required by internal and external auditors.
Get familiar with the departments in your company that process personal data. Start by taking an interest in their development work, joining their meetings, and taking steps to understand the depths and challenges of their role. This is a very organic way of better understanding the purpose of processing and what the real business need is.
Tip #3 – Extending your virtual team
Many privacy programs start with a single individual mapping out the requirements based on global privacy laws. However, as the privacy program becomes a business-as-usual activity for an organization, there is a need to scale the privacy program to the size of your growing organization.
The role of the DPO is somewhat unique because you have to be an expert in global privacy laws and also an expert in the ins and outs of the business operation, from the highest to the lowest level. As one of their key responsibilities, the DPO is required to identify areas of the business that can champion data protection.
An example could be the Human Resources or Customer Services team. These departments store some of the most sensitive information within your organization. Understanding these areas in full detail could be a significant challenge for a DPO working independently. However, a solution could be to deputize a member of the HR or Customer Services team as your eyes and ears in that department. The advantage is that they know the purposes and the data sets intimately, but can be given enough training to understand the issues related to the Data Protection Officer’s goals, giving them an effective privacy champion role in addition to their day job.
Tip #4 – Have a privacy roadmap for your company
As with any employee of an organization, key performance indicators (KPIs) are useful as a measure of success, especially around the implementation progress of the privacy program for a DPO. Typically, the roadmap for a privacy program spans several months and possibly years before the program can be claimed as implemented. Even after a program is considered ‘implemented,’ it must be maintained and regularly revisited to ensure that changes in the business are reflected in the privacy program.
Progress can be more easily traced by having a plan and communicating updates to the plan to senior management with a regular cadence. The need for resources, finances, or employee time in the program’s future phases can then be mapped out and planned for. Reporting any friction points or blockers is often the best mechanism for prompting the leadership team to take more progressive action, utilizing the unique access the DPO has to the top tier of the business.
By tracking KPIs, the performance of the work done is visible. This improves decision making, enabling quicker, informed decisions based on factual data, and also provides a complete overview of progress towards goals.
Tip #5 – Leverage the DP community
One of the exciting aspects of the data protection and privacy profession is the close-knit community that comes with this unique job. Privacy professionals are much more open to sharing the challenges they have faced and the solutions they have found. Another unique attribute in recent years has been the fact that these laws and their interpretation have been developing and changing over time, sometimes monthly. Guidance gets updated, and interpretations vary. While on the face of it this can be very useful for organizations, it also creates a level of variance in how privacy programs are implemented between organizations.
Privacy and data protection events, webinars, whitepapers, and articles are a source of insight from many peers that operate in the same industry. Often the same problems are debated within similar business verticals. A consensus on an appropriate way forward can be found by discussing the issue with like-minded businesses.
This contrasts with other areas such as information security and the CISO persona, where problems about security are often not discussed in an open forum, for obvious reasons. The more active a DPO or privacy program leader is in the community, the easier time they have making decisions on policy.
Much of what has been discussed above is contextual to the unique situation you might find yourself in when picking up a privacy program. There are, however, many repeating aspects in every company that can be leveraged by a DPO or data protection leader within your organization. As data protection laws become more ingrained in society, many of these actions may also become mainstream and standardized. Until then, these tips can help give a leg up to those building from low-level to world-class compliance.