Integrated privacy consulting. Why you cannot buy compliance indulgence.

Nirvana Privacy
4 min read · Sep 24, 2022


The problem

While consulting for companies ranging from large corporations to small startups, I saw many privacy projects performed for the sake of appearance. A company hires a consultant for a short-term project; the consultant completes the work, prepares an implementation plan, and drafts some policies. Once the project is closed, the company’s management is confident that it is privacy compliant.

The company grows and implements new processes and features, but the policies languish and the company accumulates technical and compliance debt. Eventually, the company’s IT, security, compliance, or legal department, a meticulous user, or, in the worst case, the supervisory authority discovers this skeleton in the closet.

The company returns to the beginning and seeks a privacy specialist. Businesses must learn from their mistakes and understand that you cannot buy compliance indulgence.

Integrated consulting

We believe that compliance has to be ongoing.

Learning processes deeply, from the inside

Every company is a unique organism. On the surface, all companies appear to share many common processes, such as onboarding and off-boarding employees, but each does so in its own way. They use different tools, assign distinctive roles and store data in diverse formats and locations.

Rather than introducing template documents and policies that are disconnected from reality and that the business will never implement, integrated consulting is about learning the company’s actual processes and carefully adapting them so that they become compliant.

Learning the company this deeply also sheds light on hidden processes that involve personal data.

It’s cheaper to prevent mistakes than to correct them

Words such as refactor, rebuild, redesign, or rework do not imply progress. No business owner wants to hear them, because they mean devoting resources to correcting previous mistakes.

Almost every business process involves personal data. When a company adopts a privacy culture, it incurs less technical and compliance debt.

The changing landscape

Privacy is a rapidly evolving sphere of regulation. More and more countries are enacting privacy laws. Supervisory authorities in the EU’s 27 member states publish new guidelines and interpretations constantly, and courts keep issuing new decisions and imposing fines.

Companies must adapt to a changing landscape. What is legal today may become illegal tomorrow. For example, in 2022 several EU supervisory authorities ruled that using the widely deployed Google Analytics, as it was then configured, violated the GDPR’s rules on international data transfers.

How it works

Work smarter, not harder

Compliance, particularly privacy compliance, is a process with no endpoint. For a business it is a cost rather than an income, and every business understandably wants to cut costs. However, regulators require that individuals’ data-protection rights be upheld and have the authority to issue fines.

Our goal is to strike a balance between costs and risks. As an example, consider the diagram of the total sum of fines by type of violation.

It shows that half of all fines fall into one category, non-compliance with the general data processing principles, and that these cases usually originate from user complaints. It is therefore rational to prioritize the gaps that are visible to end users and the processes for handling end-user requests.

Planning is important

Regulators also recognize that compliance is a process and that no business ever achieves it fully. They need to see that you understand your gaps, have a roadmap to close them, and follow it at a reasonable pace.

Only a data inventory and an in-depth analysis can provide a good roadmap, and the length of this phase varies from company to company. To put numbers on it, we polled privacy consultants and in-house data protection officers (DPOs) with the following scenario:

Imagine you are a DPO or consultant for a company subject to specific regulations and technical standards, and you are starting a General Data Protection Regulation compliance project from scratch. More than 300,000 customers worldwide, primarily in the EU, use the company’s digital products, which involve processing sensitive and biometric data.

After analyzing the responses, we found that independent consultants estimate less time for this phase than in-house DPOs, and the reason is obvious: some consulting companies drive individual consultants with strict key performance indicators while burying them under 5 to 15 simultaneous projects.

Our approach is more akin to that of an in-house DPO. We spend more time learning about your product and company and don’t make template decisions that won’t work for you.

The post-planning phase

At this stage, the roadmap goes live. Again, compliance is a process with no endpoint. You cannot be completely compliant; the authorities want you to understand your gaps, have a roadmap, and move at a tangible pace.

Most business owners do not understand this simple premise and try to buy a compliance indulgence that is nothing but an illusion.

This self-deception is explained by the business’s intent to control costs: it would rather pay a one-time fee than carry the ongoing expense of a full-time DPO. Small startups, in particular, cannot afford that option.

A robust privacy culture, awareness, and collective knowledge at all levels of the organization help to prevent many mistakes in the early stages. Employees should have enough knowledge to make typical decisions themselves. As Benjamin Franklin stated, “an investment in knowledge pays the best interest.”

The company can then enlist a DPO only for extraordinary requests and periodic health checks.

Recap

Integrated privacy consulting is primarily suited to companies that are too small to have a dedicated DPO but want to deliver real value to their clients by genuinely caring about their privacy, rather than merely holding formal documents to present to the authorities.

Integrated consulting rests on three pillars:

  • The deepest possible analysis
  • Risk-based prioritization
  • Collective knowledge and corporate culture

In cost terms, integrated consulting sits between a one-time consultancy project and an in-house DPO.

If you find that our philosophy aligns with yours, we are probably the perfect match. Please visit our website, and we can discuss your project.
