The Keys to Build a Successful Privacy Program

A privacy program plays a vital role in safeguarding individual and organizational data, ensuring compliance with privacy regulations, and maintaining trust among stakeholders. It serves as a proactive framework that outlines policies, practices, and procedures to protect personal information from unauthorized access, use, or disclosure. It can also come with big challenges. We sat down with Rachael Ormiston, Head of Privacy at Osano, to discuss how organizations can navigate the complexities of building a privacy program.

Rachael Ormiston

What are the key steps to building a privacy program from scratch?

Though no one-size-fits-all data privacy program exists, you can take several steps to guide your program’s development. First, identify your privacy program’s drivers, including business-related risks, and how those drivers will influence your program. Then, with those drivers in mind, develop a compliance strategy. You may not have all the answers yet, but outlining your plan provides direction. While you develop a strategy that prioritizes higher-risk items, you will also want to consider any “quick wins.” Getting “quick wins” in place will help drive momentum, and hopefully obtain organizational buy-in, especially from leadership.

Once you’ve gotten your team on board with an agreed strategy, find all the personal data that may have spread across different parts of your organization in siloed systems or databases. Classify and record that data — either by creating a data inventory or a record of processing activities (RoPA). You may not be able to, or even want to, do all of this at once, so focus on bite-size pieces — perhaps take it by department or function.

Once you’ve completed the inventory or RoPA, begin reviewing the processing activities to understand whether there are any privacy risks, and assess those risks so you can plan to mitigate or remediate any gaps. Use the insight into your privacy drivers, risks and data processing to develop actionable goals and a plan for implementing your program. Compliance is not one-and-done. Building and maintaining a privacy program is an ongoing strategy and an investment in resources. Prioritizing those gaps will be important as you build out your strategy to target higher risks as requiring quicker resolution.

Finally, put your plan into action, measure its effectiveness and find ways to improve. Don’t be afraid to pivot. Try things out and know that you can evolve as needed. This could be trialing new ways of sharing information, such as via a Slack or Teams channel to share privacy developments, or piloting new training programs. Data privacy constantly evolves, so monitor and update your program regularly to comply with new regulations and keep up with organizational

What are some common challenges faced when growing a privacy program, and how can they be overcome?

Many organizations fail to sustain their privacy program once they’ve implemented it. They view it as a set-it-and-forget-it project rather than an ongoing process that must be continually nursed to ensure it remains up-to-date and compliant. Or, they may attempt to build everything at once rather than taking things in bite-size pieces to achieve success gradually instead of overnight. This may result in strategy fatigue and embolden the “one and done” mindset instead of building a compliance culture. To prevent this pitfall, empower those responsible for your privacy program by providing them with the necessary tools — including sufficient staff and resources — to maintain it.

However, obtaining those resources and staff can present another obstacle. Despite the importance of a data privacy program, leaders often view it as an unnecessary expense — not a crucial business requirement. Present a convincing argument by clearly identifying your program’s goals and needs, and include your organization’s privacy risks, gaps and actionable plans to mitigate these problems.

One such plan might include investing in a data privacy platform like Osano to streamline processes and automate tasks like consent management and vendor assessments. An external platform reduces the burdens on your privacy team, moving away from hard-to-maintain spreadsheets and evolving the program to one that can adapt with a tool that simplifies some of the complexities inherent in operationalizing a data privacy program.

How can companies ensure that their privacy program meets the requirements of relevant regulations and standards?

My best recommendation for managing compliance with relevant regulations is to identify a baseline utilizing the most comprehensive law in your region and adhere to those standards. For many, the strictest law on the books has been the EU’s General Data Protection Regulation (GDPR), which came into effect in 2018. Since then, the GDPR has influenced legislation in the U.S., including the California Privacy Rights Act (CPRA) and its predecessor, the California Consumer Privacy Act (CCPA). Montana, Texas, and Tennessee currently have privacy bills on their governors’ desks awaiting signature into law. Each of these regulations reflects different cultural and operational norms that can be brought into a global privacy program.

How important is it to involve stakeholders from different parts of the organization when building a privacy program?

You can’t build a privacy program without organization-wide support, so it’s critical to properly train all stakeholders on their privacy responsibilities. Educating everyone about how to incorporate privacy into their day-to-day activities will position your program for efficiency and overall success. Many stakeholders will have knowledge of systems and processes that you do not, so it is important to enlist their help to make sure you have support from internal champions. This is important knowledge to get at the outset of creating a privacy program, but it is equally important to continue to receive that information as your program grows. This may mean setting regular governance calls to share insights or encouraging team members to collaborate in privacy processes, such as PIAs, by inviting them to use privacy platforms for centralized record keeping.

What are some of the factors that contribute to a successful program?

A successful data privacy program hinges on clear communication, record management to document compliance and decision-making, and project planning. All of these are greatly supported by the effective use of technology. To function properly, your program must have organizational buy-in from the top down. Unless you can communicate the purpose and goals of your program and its impact on the roles within the organization, you won’t get the support you need. Data privacy and compliance require collaboration and cooperation from everyone involved.

Using available data privacy tools can hugely benefit your program. With the intersection between regulation, technology and customer expectations on data use, it is increasingly challenging to operationalize and demonstrate compliance without using dedicated privacy platforms. Data privacy programs are extremely complex, and those complexities will grow exponentially as your organization scales. Partnering with an external platform like Osano can help simplify some of the most tedious compliance tasks, freeing your privacy professionals to address your organization’s unique privacy needs that software can’t solve.
