Future-Proofing Your Privacy Program: 5 Ways to Operationalize a Privacy and Security Program Beyond Just the GDPR & the CCPA

Jeanne Sheahan
10 min read · Feb 4, 2019

Discussions about possible comprehensive federal privacy regulation are the talk of the privacy town. The fact remains that as of January 1, 2020 — just around the corner from an operational perspective — organizations will need to comply with the California Consumer Privacy Act.

As crucial resources and budget are directed to tackle the latest privacy compliance challenges, it is critical to take a step back now to ensure that your privacy program not only ensures compliance with the letter of the law, but also proactively provides strategic and scalable value to your organization.

1. Root Your Program in Your Company’s Mission and Values

What is the primary objective of your privacy compliance program? If the answer is compliance with laws like the GDPR or the CCPA alone, you stand to miss a huge opportunity to leverage privacy as a key pillar in the success of your business.

Your company’s mission and values are a key component of the navigation system on the corporate ship (ahem, lightning-fast catamaran), and unless you tie your privacy program to the mission and values, it will be lost at sea. At a minimum, if your program is not connected to your mission and values, it will likely lead to avoidable conflicts between the organization’s mission and what your program is trying to accomplish.

For example, many organizations have adopted some iteration of being “customer-centric” as a core value. As a privacy professional, it is crucial to unpack what is “the customer”. Who is he/she/it? What is the customer focused on? Many times, without intention, people superimpose a version of themselves onto the customer without asking how the organization’s actual customer differs in terms of values and priorities.

Nowadays, customers — especially international clientele — are increasingly focused on privacy and security. On the B2C side, individuals are seeing a barrage of news stories about companies saying one thing and doing another with their data. They see companies failing to safeguard their treasured information. You cannot afford to assume that the stickiness that some organizations enjoy with their customers, such as social media platforms, will translate to your business. On the B2B side, we’ve all seen privacy and security becoming increasingly a key or even determinative factor in due diligence and contract negotiations, including in M&A activity.

Saying one thing and doing another with personal data could not only get you in trouble with the FTC, DPAs, or other regulators; many times — and more impactfully — it will also result in adverse press and put you in the crosshairs of current and potential customers who now see your company in a negative light. The result? Loss of hard-earned brand reputation and trust.

If you ground your privacy framework in your organization’s mission and values, you can help ensure that the program is a key strategic component of your business. Encourage employees to think about their own personal data and how they would want it handled, and have them identify how their role fits into that vision for your company. You can empower your employees with tools to ensure that privacy is one prong of achieving the company’s mission.

2. Build a Global Program Where Compliance With Individual Privacy Laws Is an Element, Not the Totality, of the Foundation

Still experiencing GDPR fatigue? Feeling organizational whiplash trying to reorient your compliance strategy to the CCPA or to Brazil’s new law, the LGPD? These are common pain points echoing through privacy chambers around the world.

The problem is that each new law contains slight to significantly different obligations. Aiming for compliance with each new law alone risks an organizational strategy that feels like a ping pong ball ricocheting from one regulation to the next.

The solve? Build a global program incorporating a principles-based approach, with an eye not toward what the law is today but toward where you expect the law to go and where you sense your organization and customers will be 2–5 years out (or beyond!).

While I wish I could pull out a crystal ball and intuit whether federal legislation will be passed, what state laws will spring up in the interim, and when the e-Privacy Regulation will be enacted, an effective privacy program cannot hang in suspense.

As a privacy leader, you need to focus not only on the law, but on where you anticipate your customers’ expectations will be and where the business is headed. You need to work with members of the business to drill down on the threshold issues that are likely to dictate whether a customer will start and continue to do business with you.

If history teaches us anything, customer trust and loyalty will continue to be key factors. But taking your program to the next level centers on whether you can drive your company to be a leader in its space. For example, a B2B SaaS provider may not be required as a matter of law to assist its partners with data governance strategies for complex privacy and security issues. But it may be a huge business opportunity!

The benefit of this principles-based, future-focused approach is that it will help you and your company avoid a whack-a-mole approach to compliance where you’re always one step behind both evolving global regulations and business opportunities.

Equally important, this approach ensures your compliance program keeps pace with the trajectory of advances in your company. Technology — and therefore your business — moves faster than the law. So should your compliance program. Avoid deploying linear approaches to issues stemming from logarithmic growth.

If the current state of the law is one prong of your approach, and a principles-based approach with an eye toward where the privacy landscape is headed is the other, you’re more likely to be ready for what lies ahead.

3. Clone Yourself — No Really, Clone Yourself

You know that feeling like there is an impossible number of “to do’s” and you cannot do it all yourself? Trust me. It’s not just a feeling. You likely face an impossible number of tasks to achieve an effective privacy and security program.

The solution? Okay, you may not be able to clone yourself, but you can create processes and tools that effectuate the same result: (1) create privacy and security champions and (2) build a toolbox of resources for your organization to use.

Privacy and Security Champions

First, if you do not have a privacy champion program built, build one. Invite security into the conversation and partner with information security/IT to ensure your company’s ambassadors are empowered with privacy and security trainings that are not siloed. For the organizations that have some version of a privacy and security champion program, many times there are more ways those individuals can be leveraged. If you’re just training them and sending them out into the organization to be deputies, you’re missing an opportunity for a powerful two-way conversation.

Survey those individuals. Ask about what privacy and security issues they are seeing. Ask them what keeps them up at night. Have them talk to their key colleagues to answer the same questions. That way you have an instant read on your company’s current privacy and security concerns globally.

You can and should also train the privacy and security champions about the biggest privacy and security risks you and your CISO see so that they are better positioned to identify and address evolving privacy and security threats globally. This approach ensures that your employees are the first line of offense and defense for you. On offense, they can be ambassadors to your customers and partners, among others. On defense, they will be empowered to properly address questions that could pertain to matters pertinent to regulatory scrutiny.

Privacy and Security Toolbox

Second, stop what you’re doing and identify the issues that are repeatedly arising for you. Once you have that list identified, consider what resources you can create that will enable your internal clients to self-serve in as many areas as possible. They will appreciate the expediency (no one likes a bottleneck) and you will appreciate time to focus on the most crucial questions.

For example:

  • Privacy Provision Playbook: Do you keep getting brought into contract negotiations in an ad hoc manner to address pertinent privacy and security clauses? Create a privacy and security contract clause playbook that identifies the provisions most important to the business as well as “must have” and “nice-to-have” provisions. This will have the added benefit of bringing consistency to your company’s approach to contract negotiations and expediting deal closure. It can be leveraged in everything from your data protection addenda negotiations to M&A activity.
  • Do’s and Don’ts with Personal Data: “Can I send this spreadsheet loaded with personal data to someone outside the organization?” Sound familiar? Work with different constituencies in your company to identify common questions and create “Do’s and Don’ts” documents to address their recurring questions.
  • Guidelines for Marketing and Customer Onboarding: “Which countries are opt-in versus opt-out for electronic direct marketing?” “We are rolling out a new version of the app and we are thinking about having a pre-ticked checkbox. Can we do that?” There is no need for every question like this to hit your desk or, even worse, for your clients to go rogue or internally lawyer-shop to find the answer that suits them. Create guidelines for the questions that surface frequently throughout your organization, such as for building and maintaining a pipeline of customers, tracking technologies, customer onboarding, employee data, and sales.
  • Self-Serve Checklists: While principles of privacy and security by design may make it feel like you need to attend every meeting where a product is conceived or iterated, that is not scalable. Create checklists your colleagues can use to channel many of the key questions you would ask and answer. Does the business need all of that personal data? Can the data still be useful if we aggregate it? Do we really need to store the data that long?

For all documentation, do not forget to track versions of the documents and have a central repository of resources so employees always have access to the latest guidance and resources.

Baking out a solid privacy and security by design program as well as building out these tools will enable you to focus on the highest risk, highest reward activities for your enterprise and have the added benefit of arming your employees with the tools they need to mitigate risk on their own.

4. Establish a Data Governance Program

As each new law rolls out, do you find yourself reconstituting the group of people to help solve the issue? The bottom line is that new privacy and security regulations and codes of conduct will be the modus operandi for the foreseeable future. Moreover, without a steering committee, chances are your organization is missing the opportunity to fully leverage its data.

Build a cross-functional group or steering committee with relevant executives from the business that meets on a regular basis. The goal is to break down the artificial silos of privacy, security, internal audit, and other compliance efforts (e.g., SOX compliance) and, even more important, to ensure that those efforts further the strategic goals of the business, including the usability of data. This group can also help guide the privacy team on questions that are critical to the business.

Many enterprises have archaic systems and servers from days of yore or from past acquisitions. They also struggle to identify what data they have. If you went through GDPR compliance efforts, you are probably further along in the data inventory and hygiene journey.

But those that are new to the game and conducting a CCPA gap analysis are for the first time surveying the extent of the morass that is their stockpile of data. While it is key to identify what California personal information is in scope for purposes of the CCPA, it is also a lost opportunity if an organization does not evaluate what personal data in general is a key competitive driver of the business.

Once your governance group is formed, it is key to identify its mandate, obtain executive buy-in and support, identify the issues and goals it will address, and triage. It is important to include in this group not only privacy and security compliance professionals, but also members of the business who have a pulse on how the data will actually be used. A data governance program is essential to ensuring that the overall privacy program is not siloed, is sustainable, and is focused on data infrastructure that serves the strategic goals of the business while enhancing privacy.

5. Build a User Experience That Goes Beyond Compliance

How do you communicate with your customers about privacy? If they searched for “privacy” and your company’s name, would they find your privacy policy and not much else?

Customer satisfaction is the sum total of numerous micro-interactions with your company, from sales to customer service to the overall user experience. If you don’t communicate with your customer in a user-friendly way focused on what they are concerned about, you have dropped the ball on a key customer touchpoint.

Break the bad habit of assuming the privacy policy is sufficient. It may “check the box”, but circling back to the first point, it misses your company’s strategic goal to be customer centric.

The solution is to build external tools that build your company’s privacy narrative, by enhancing customer trust, making things easier for the customer, and empowering them with the resources they need. Meet with members of your product design team. How can the overall “look and feel” of the website in everything from customer support to the privacy center contribute to empowering customers with information they can understand and choices regarding how to exercise their rights? Conduct user testing to see what strategies work best to engage with your customers about privacy. Would you need a JD to understand what information is being collected and shared? Can more just-in-time notices or icons be deployed with concise, transparent explanations of what data is being collected or used, and why?

Future-proofing a privacy program takes a village. But the more you can (1) root your program in your company’s mission and values; (2) deploy a principles-based approach beyond just the law; (3) create processes and tools that extend and enhance your reach; (4) bake out a cross-functional data governance program; and (5) build a privacy UX that empowers and delights the customer, the closer you’ll be to creating a global privacy program that not only complies with the law, but is a strategic asset for your business and delights your customers.

Jeanne Sheahan

Jeanne is a passionate privacy leader with expertise in leading data protection programs at global companies. https://www.linkedin.com/in/jeanne-sheahan-20b0523/