3 Lessons to go From Privacy Leader to Business Enabler
Viewing a privacy leader as a business enabler – not just a leader who focuses on providing compliance, policy, and legal guidance – is critical to your organization’s success. Data privacy doesn’t happen by accident.
To establish a culture of privacy in any organization, all leaders, including the CEO, must set an example.
The Privacy Leader as a Business Enabler
Here are three lessons for all business leaders turned privacy enablers to learn.
Be a Counselor
Regardless of an organization’s maturity in governing data, protecting data, or implementing a privacy program, business teams must focus on delivering business results.
Business units may feel they don’t have time to worry about data privacy regulations and processes that distract them from that focus.
What they need is a counselor – someone who helps them think through their business needs for the data and the business risks associated with not governing and protecting the data effectively and sustainably.
How can you be a counselor?
Have a Conversation
Seek to understand what the business wants to do with personal data: What are their goals? What do they want to achieve? What data do they believe are needed for that purpose? What do they think they might want to do with the data in the future?
Based on your discussions with them about the value of the data to them, help them understand the risks associated with not protecting the data.
Help them envision transparency tools, such as notice, consent, and account management for individual rights like access and correction, to meet broader communications objectives for projects.
For example, a newsletter might be a vehicle to deliver a required privacy notice as well as a mechanism to invite the recipient to consent to other types of interactions with the organization.
Choose the Best Vendors
Business teams often will be guided for expense management reasons to select vendors primarily based on cost.
Often, however, the lowest-cost vendors are ill-equipped to support the risk management and regulatory obligations for which the business is responsible.
Worse yet, some business teams don’t realize that their data responsibilities and liability don’t end when data is in the hands of the vendor.
Guiding the business to select vendors that appropriately balance cost and mitigate risk will help prevent data breaches and other liability problems that can obliterate any immediate cost savings.
Build Sustainable Solutions
Not all organizations are ready to put robust, sustainable data privacy solutions in place. Some are only resourced to handle obligations on an initial ad hoc basis. Others are moving up the maturity curve toward repeatable, defined, managed, and optimized.
Business Isn’t Static
Regardless of an organization’s data privacy and governance program maturity, most organizations have data and technology needs that continue to evolve as business needs change and technology improves.
Privacy Regulations are Unlike any other Regulatory Area
This is because data about people can be generated in so many different forms and contexts – from where we go, to what we eat, to how we feel, what we spend and whether we sleep.
Privacy and data protection requirements can be enforced by many different types of regulators, and in some cases, by private parties as well.
In this complex regulatory environment, the privacy leader, as well as others in the business, legal and compliance, need to be able to demonstrate accountability and compliance upon request at any point in time.
Good Governance and Technology Solutions
Good governance and clearly documented roles and responsibilities are critical not only to putting a program in place, but also to enabling it to be implemented effectively and mature over time. Technology solutions can support these goals as well.
Other business functions that rely on personal data, such as finance and human resources, have recognized the importance of investments in workflow automation, cloud computing and data analytics.
Privacy and data governance programs can be made sustainable through technology solutions that facilitate:
- creating a data processing inventory,
- evaluating associated risks,
- documenting mitigating controls,
- identifying changes,
- managing potential incidents,
- and demonstrating what is in place and its effectiveness.
While this can be a substantial undertaking, investment in modular solutions in ways that are tailored to an individual company’s culture and maturity can enable an organization to manage privacy much more effectively.
Thus, the privacy leader can focus on tackling new and emerging issues.
Sustainable solutions such as good governance and technology position the privacy leader well for helping the organization to maximize net data value.
Maximize Net Data Value
The final lesson is that it’s not enough to focus on regulatory compliance, maturity, accountability or even ethics.
All of these are important components of an effective, holistic, progressive approach to managing a program.
But in order to truly embed privacy and data governance into the functioning of a business, a privacy leader needs to help the business understand the value of data as an asset – as well as the data risks – not just on the individual project level, but across the organization.
In other words, the privacy leader needs to think and speak the language of the business and the way in which the business thinks about successful outcomes.
When you are guiding business teams on how to realize the value of the data to their specific projects, you should help them see the corresponding risks associated with not effectively governing and protecting that data.
While that can and should be done on a project-by-project basis, in order to truly enable the business, the privacy leader should look for opportunities to partner with other data stakeholders in the organization to drive or support a broader data governance strategy.
Partner for Integrated Data Governance
A broader, holistic data governance strategy that enables an organization to concurrently view data needs, data value and data risks needs to take into consideration not only privacy and data protection-related data responsibilities, but also how those responsibilities align with other information lifecycle management and compliance responsibilities within the organization.
Such responsibilities might include:
- financial data, for which the chief financial officer is the primary stakeholder;
- trade secrets and other intellectual property, for which the chief innovation officer, chief technology officer, research or product leader of the organization is responsible;
- customer data, for which the chief marketing officer typically is the key stakeholder;
- e-discovery, for which the general counsel is primarily responsible;
- administrative, technical and physical risks associated with sensitive, confidential and proprietary business information, which the chief information security officer typically oversees;
- and compliance program implementation and effectiveness, which the chief ethics and compliance officer monitors and oversees for the organization.
Consistent data identification and classification strategies across all of an organization’s data types can inform consistent evaluation of data uses and reuses, benefits and risks.
Consistent Data Evaluation Drives Better Business Decisions
Establishing an integrated data governance program can not only help organizations understand the benefits and risks of data in a holistic way, but also drive consistent evaluation of the value and costs associated with acquisition, storage, use and reuse of the data.
This in turn can inform the business of how effective management of the data is key to driving a range of potential business outcomes and also how to make key business decisions based on that knowledge and understanding.
Early work is underway to quantify the value of data as an asset.
This work may lead to better assessment of the value of data generated in connection with an innovative new technology, in a potential divestiture or sale of a line of business, or compromised by a breach, and the investments in resources, controls, and insurance to preserve that value.
Over time, perhaps there will be accounting standards for recognizing most data on an organization’s balance sheet, and for how data contributes to revenue, expense, and net income or loss.
For now, however, viewing one’s privacy responsibilities as part of a broader data governance strategy can help earn the privacy leader a seat at the table in strategic discussions about business drivers, compliance and risk.