A privacy program plays a vital role in safeguarding individual and organizational data, ensuring compliance with privacy regulations, and maintaining trust among stakeholders. It serves as a proactive framework that outlines policies, practices, and procedures to protect personal information from unauthorized access, use, or disclosure. It can also come with big challenges. We sat down with Rachael Ormiston, Head of Privacy at Osano, to discuss how organizations can navigate the complexities of building a privacy program.
What are the key steps to building a privacy program from scratch?
Though no one-size-fits-all data privacy program exists, you can take several steps to guide your program’s development. First, identify your privacy program’s drivers, including business-related risks, and how those drivers will influence your program. Then, with those drivers in mind, develop a compliance strategy. You may not have all the answers yet, but outlining your plan provides direction. While you develop a strategy that
prioritizes higher-risk items, you will also want to consider any “quick wins.”
Getting “quick wins” in place will help drive momentum, and hopefully obtain
organizational buy-in, especially from leadership.
Once you’ve gotten your team on board with an agreed strategy, find all the
personal data that may have spread across different parts of your organization in
siloed systems or databases. Classify and record that data — either by creating a
data inventory or a record of processing activities (RoPA). You may not be able
to, or even want to, do all of this at once, so focus on bitesize pieces — perhaps
take it by department or function.
Once you’ve completed the inventory or RoPA, begin reviewing the processing
activities to understand whether there are any privacy risks, and assess those
risks so you can plan to mitigate or remediate any gaps. Use the insight into
your privacy drivers, risks and data processing to develop actionable goals and a
plan for implementing your program. Compliance is not one-and-done. Building
and maintaining a privacy program is an ongoing strategy and an investment in
resources. Prioritizing those gaps will be important as you build out your strategy
to target higher risks as requiring quicker resolution.
Finally, put your plan into action, measure its effectiveness and find ways to
improve. Don’t be afraid to pivot. Try things out and know that you can evolve as
needed. This could be trialing new ways of sharing information, such as via a
Slack or Teams channel to share privacy developments, or piloting new training
programs. Data privacy constantly evolves, so monitor and update your program
regularly to comply with new regulations and keep up with organizational
changes.
What are some common challenges faced when growing a privacy program, and
how can they be overcome?
Many organizations fail to sustain their privacy program once they’ve implemented it.
They view it as a set-it-and-forget-it project rather than an ongoing process that must be
continually nursed to ensure it remains up-to-date and compliant. Or, they may try and
attempt to build everything at once rather than taking things in bitesize pieces to achieve
success gradually instead of overnight. This may result in strategy fatigue and embolden
the “one and done” mindset instead of building a compliance culture. To prevent this
pitfall, empower those responsible for your privacy program by providing them with the
necessary tools — including sufficient staff and resources — to maintain it.
However, obtaining those resources and staff can present another obstacle. Despite the
importance of a data privacy program, leaders often view it as an unnecessary expense
— not a crucial business requirement. Present a convincing argument by clearly identifying your program’s goals and needs and include your organization’s privacy risks,
gaps and actionable plans to mitigate these problems.
One such plan might include investing in a data privacy platform like Osano to
streamline processes and automate tasks like consent management and vendor
assessments. An external platform reduces the burdens on your privacy team, moving
away from hard-to-maintain spreadsheets and evolving the program to one that can
adapt with a tool that simplifies some of the complexities inherent in operationalizing a
data privacy program.
How can companies ensure that their privacy program meets the requirements of
relevant regulations and standards?
My best recommendation for managing compliance with relevant regulations is to
identify a baseline utilizing the most comprehensive law in your region and adhere to
those standards. For many, the strictest law on the books has been the EU’s General
Data Protection Regulation (GDPR), which came into effect in 2018. Since then, the
GDPR has influenced legislation in the U.S., including California Privacy Rights Act
(CPRA) and its predecessor, the California Consumer Privacy Act (CCPA). Montana,
Texas, and Tennessee currently have privacy bills on their governors’ desks awaiting
signature into law. Each of these regulations reflects different cultural and operational
norms that can be brought into a global privacy program.
How important is it to involve stakeholders from different parts of the organization
when building a privacy program?
You can’t build a privacy program without organization-wide support, so it’s critical to
properly train all stakeholders on their privacy responsibilities. Educating everyone about
how to incorporate privacy into their day-to-day activities will position your program for
efficiency and overall success. Many stakeholders will have knowledge of systems and
processes that you do not, so it is important to enlist their help to make sure you have
support from internal champions. This is important knowledge to get at the outset of
creating a privacy program, but it is equally important to continue to receive that
information as your program grows. This may mean setting regular governance calls to
share insights or encouraging team members to collaborate in privacy processes, such
as PIAs, by inviting them to use privacy platforms for centralized record keeping.
What are some of the factors that contribute to a successful program?
A successful data privacy program hinges on clear communication, record management
to document compliance and decision-making and project planning. All of these are
greatly supported by the effective use of technology. To function properly, your program
must have organizational buy-in from the top down. Unless you can communicate the
purpose and goals of your program and its impact on the roles within the organization,
you won’t get the support you need. Data privacy and compliance require collaboration
and cooperation from everyone involved.
Using available data privacy tools can hugely benefit your program. With the intersection
between regulation, technology and customer expectations on data use, it is increasingly
challenging to operationalize and demonstrate compliance without using dedicated
privacy platforms. Data privacy programs are extremely complex, and those complexities
will grow exponentially as your organization scales. Partnering with an external platform
like Osano can help simplify some of the most tedious compliance tasks freeing your privacy professionals to address your organization’s unique privacy needs that software
can’t solve.
###