Great, You’re Compliant! Now What?
Compliance with data protection regulations doesn’t make a company privacy-focused. If you’ve built a privacy program foundation on compliance, it’s time to take the next step and get the most out of your data protection program.
Data protection and privacy aren’t just things to do to keep regulators off the company’s back. There are real people behind the data and numbers. When organizations take data protection seriously beyond compliance, it demonstrates to consumers that the business values their trust.
Companies are now stewards of people’s personal information. That’s a massive responsibility. If handled with care, it can deepen your relationship with consumers and vendors. But if this information is mistreated, some may never forgive the business.
And you won’t just lose customers. Data protection is critical up and down the entire supply chain. Vendors and other business partners are paying close attention to your data protection practices.
While compliance is very important, TrustArc’s 2022 Global Privacy Benchmarks Survey demonstrates that keeping brand trust is the most important reason to take data privacy seriously.
You must get the entire organization on board to maximize your data protection program. Privacy-focused companies are built when everyone understands how data protection drives business value. It’s embedded into the company’s DNA.
5 Ways to Improve a Data Privacy Program
If your organization is ready to move beyond privacy law compliance and start putting privacy first, implement these five tips to improve your data protection program.
#1 Triple Check Your Data Inventory
If your business has a privacy program, it most likely has a data inventory. It’s nearly impossible to comply with data protection regulations like the GDPR or manage data subject requests under California’s privacy laws without one. But a data inventory isn’t something you can do once and file away.
Your data inventory is a snapshot in time – but your organization’s data processes aren’t. Business functions are continuously changing how they capture and use data. You need to revisit your data inventory, and revisit it often, to keep up with those changes.
An up-to-date data inventory is one of the most important pieces of your privacy program. It records every source of data (internal and external), what type of data is collected and where it’s stored, where it’s used and shared, and how it’s used and shared. A complete data inventory also includes every business partner, affiliate, and third party (vendors) that can access your systems or your data.
In most organizations, there’s more data than anyone knows what to do with, and often duplicate data across different databases. Once a data inventory and map are documented, it becomes easier to simplify processes to improve how data flows in and out of the organization and better manage the risk of privacy incidents.
Maximize your data inventory and map to drive business value.
- Reduce duplication across information systems and databases.
- Identify overlaps between functions and simplify the flow of information.
- Implement automation technology to integrate, migrate, and organize data into a centralized inventory with scheduled updates.
- Develop dashboards to monitor how business functions and third parties process data and the risks associated with that processing.
- Dedicate resources to reducing the highest risk areas to enable cross-border data flows and support innovation inside the business.
#2 Go on a Data Minimization Mission
Data Lakes. Big Data. Business Intelligence. Data Analytics. Data Science. Everyone everywhere is focused on getting more value from data.
But the best way to extract more value from your data is to understand which information is most relevant. Businesses don’t need more data to innovate. They need to understand how to make better use of the information they already collect for business intelligence efforts. A well-run data protection program does just that.
The first step in data analysis is to define the project clearly. A well-defined problem statement or goal of the analysis is necessary to discover critical insights that drive innovation. Often, only a subset of the data businesses collect is used. And data scientists spend most of their time cleaning and trimming datasets before ever beginning predictive analysis.
Privacy teams and business analytics teams can work together to reduce the amount of information that is collected and stored. Only collecting data that is absolutely necessary for business functions can drastically reduce your risk and simplify your data privacy program.
The hype around big data and machine learning leads many to wrongly believe that more data is better. But rather than more data, focus on collecting the highest quality data possible with permission from the data subject. And work across the business to stop collecting unnecessary data.
#3 Invest in Automated Capabilities
Maintaining a current data inventory, responding to data subject requests, and mapping compliance against data privacy regulations take incredible resources. Once you’ve developed a manual foundation for your data protection program, including privacy notices, policies, and documentation of each department’s data processes, implementing automation improves business workflows.
Privacy Impact, Data Transfer, and Data Protection Impact Assessments become easier with automated workflows and without passing spreadsheets back and forth between departments. When combined with TrustArc intelligence, those assessments can transform into risk analysis and monitoring dashboards.
And that pesky data inventory that keeps changing? You can automate those data flow map updates too. Knowing where your data lives and flows is critical for responding to data subject requests.
How can you decide which automation solutions are worth your resources?
First, record how your time is spent over 1-2 weeks.
- Which tasks are you devoting most of your time to?
- Which tasks are the most important?
- What are things you would like to get to but can’t find the time for?
Look for automation solutions that can reduce the items you spend most of your time on so that you can spend your resources on more important tasks that have been on the back burner.
Also, consider the risk associated with each activity. Where should you spend your time to best mitigate risk for the data subjects and the company, and what can be done to reduce that risk through automation?
The GDPR, the CCPA as amended by the CPRA, the LGPD, and other privacy regulations mandate that organizations be able to provide the personal information collected on consumers when requested. Complying with these individual rights requests can get complicated: depending on the regulation, the response process and the required response timeline vary.
As the business grows, the number of these requests could become extensive. Taking in these requests, making sure they reach the correct parties, finding accurate information, and replying to all within the designated time frame doesn’t have to be a logistical nightmare.
Automating data subject request fulfillment speeds up your response times, simplifies your processes, and reduces effort and costs, all while building consumer confidence. Centralize data subject requests across your teams and vendors to fulfill these tasks in one portal with TrustArc’s Individual Rights Manager.
#4 Give Consumers Control of their Data
These days, brands are trying to reach customers in any way possible. Furthermore, companies share consumer information with their partners and vendors, who also send marketing messages. Although data use and sharing are often needed for legitimate business purposes, it’s also sometimes abused.
In some cases, people are growing tired of the constant parade of marketing messages and advertisements everywhere they turn. And this isn’t surprising, considering Americans receive an average of 10,000 marketing messages daily.
This marketing fatigue causes people to tune out your message, even though it might be highly relevant to them. As a result, they may even decide to block your email or communication attempts. Letting consumers control their communication preferences builds trust and can reduce the number of people who would otherwise block or ignore your brand completely.
Additionally, putting control in your customers’ hands can help you better manage data subject requests and reporting to comply with the GDPR and CCPA. The best example of putting customers in control is a consumer-facing portal where they can see what information the business holds about them and change their communication preferences and consent.
Rather than clicking unsubscribe, preference centers allow customers to select which messages they want. Some brands divide their message categories into topics or industries. Some divide them by message type, such as product updates, marketing, etc. People value transparency, but trust is built when organizations follow through on their promises. If a customer updates their consent, their decision must be respected.
Maximize your data protection program with a customized, customer-facing preference center built on TrustArc’s Consent and Preference Manager: streamline preference collection across all brand touchpoints while distributing that information to your entire marketing tech stack.
#5 Develop an Annual Privacy Training Plan
As a baseline, many companies send out an annual privacy or security training that usually covers the basics, like not sharing login information and how to recognize phishing. But privacy training should go beyond a once-a-year compliance exercise.
And it’s not enough to try to cover privacy during employee onboarding. New hires are already being exposed to tons of new information. Privacy training needs to happen when it can be retained. Although your company might think you’ve covered privacy training enough already, think again.
Most companies report there is still much to be done when it comes to sufficient privacy training. Only 20% of full-time employees outside the privacy office believe they’re sufficiently trained in privacy matters. And 78% of privacy team members also believe they still need more training in privacy matters.
To fix this in your organization, incorporate a regular cadence of fun privacy training sessions for all employees into your data protection program.
- Work with function leads to identify specific departments and topics that need tailored data protection training.
- Create a Slack channel dedicated to privacy where people can share news articles and insights about trends in data protection, enforcement, and emerging innovations, keeping privacy top of mind and showing its real-world context.
- Encourage and sponsor memberships to organizations such as the International Association of Privacy Professionals and external development opportunities that will increase data protection knowledge.
- Share the social media profiles of active thought leaders in the privacy space so other employees can follow them and learn from their content.
- Plan an internal communication strategy using short, frequent reminders of how data protection leads to business value.
To help employees unfamiliar with privacy understand how it applies to individuals and to the data the organization collects, explain privacy in personal terms. Use the employees themselves as the example data subject and ask how they would feel if their information were used without their consent.
Most can easily understand privacy once they put themselves in customers’ shoes. And that’s what privacy is really all about, after all. The people.