You know what’s hard work? Building a successful data privacy program, that's what. As consumers, we are very grateful for privacy laws like GDPR and CCPA, which put power back into the hands of the rightful data owner. But let’s be honest: as data professionals, these laws are often the source of a whole lot of headaches.
Building out a comprehensive data privacy strategy is more than just complex. It can be nearly impossible given the countless siloed resources that may — or may not — hold personal data on your customers. Many privacy program managers have every intention of building a robust and effective program, only to find out it’s a lot harder to do than it seems at first glance.
I’ve been involved with multiple data privacy programs. While each company clearly knows their people and their processes far better than I do, and therefore knows what will work for their particular company, I’ve observed what works and what doesn’t work when trying to create an effective data privacy program.
One of the most important elements is this: to ensure the success of your data privacy program, as the privacy program manager, you're going to need help from some key stakeholders from the very earliest stages of the project. Moreover, these teams (and you!) need to understand their obligations in regard to the project. The more each team is aware of and understands its obligations, the less room there is for errors and oversights down the road.
Who Are the People in Your (Data Privacy) Neighborhood?
What groups need to be involved to make sure your program is a success? Understand that nobody is excited about embarking on new and complicated undertakings, especially ones where there's so much at stake. This is why you not only need to establish why these groups must be involved and how they can contribute, but must also show them what's in it for them (WIIFT) and what they gain from being involved. The reciprocal value should be enough of an incentive to get them on board and engaged with the efforts.
Who Should Be Involved, What Are Their Contributions and WIIFT?
The Security Team
Your security team is tasked with protecting your organization’s data assets. One of the most important data assets is customer data, and this is the heart of the privacy program.
- Contribution to the effort: The security team has the knowledge and the tools to successfully implement advanced technology that can analyze any type of data in every format, including data in motion. They also have the most experience in implementing data-related regulations based on their security tools. To analyze data, you need access to the data. Security holds the keys and has the know-how to provide access to this data on a large scale, while maintaining appropriate security measures.
- WIIFT?: They get unprecedented control over the data and the visibility they’ve always wanted on every piece of it. Best of all, they don’t even need to pay for it since it comes from the privacy regulation budget.
The Privacy Team
Officially, the privacy team is responsible for organizational readiness and complying with privacy regulations.
- Contribution to the effort: They are in charge of creating awareness and establishing training for all employees. They are also the ones who need to find the budget for the program and must guide the security team regarding regulation needs. The privacy team builds the relevant process of maintaining an effective privacy program including interacting with the data subjects.
- WIIFT?: This is their job. Overseeing the privacy program is a part of how they fulfill their responsibilities as data protection officers.
The Data Team
Slicing up data in countless permutations to extract new insights is what data teams thrive on.
- Contribution to the effort: As the team most interested in data for their own purposes, they know where the main sources of data are (root data assets) and the meaning of each element (entity) of personal data or related information. That makes them the most suited to help with data mapping.
- WIIFT?: Your data team gets a “free” customer master catalog that can be used for all IB processes. As part of privacy requirements, it must be 100% accurate, with the highest level of data quality. This is exactly what data teams are dying to get their hands on, but they often face resistance when it comes to trying to get their organization to invest in it. Now there is a clear need for this pristine catalog, and the best part (for the data team, anyway) is that it’s the privacy team’s job to secure the budget to maintain it over time.
Once all the relevant parties are on board, ensuring the success of your data privacy program becomes a wash-rinse-repeat process. A regular, ongoing check-in with each of the involved teams will make sure everyone is keeping up with their duties.