Building an Effective Privacy Program
Key Insights from the Roundtable Discussion with members of the TrustWorks Privacy Community
Developing a robust privacy program can be a huge mountain to climb. Whether you are building your company's privacy program or improving an existing one, the question is: where do you begin?
Businesses can successfully navigate this complex terrain by following a well-defined strategy and involving key stakeholders. In a recent roundtable discussion organised by TrustWorks' privacy community, and led by Kimberly Lancaster, Director of Privacy and Data Protection at Marqeta, industry experts shared their insights on enhancing privacy programs and achieving long-term goals.
Key takeaways
What is a privacy program?
Before getting into the nitty gritty, let's start with the basics. A privacy program refers to a set of policies, procedures, and practices implemented by an organisation to protect the privacy and confidentiality of personal information collected from individuals. It is designed to ensure compliance with applicable privacy laws and regulations, maintain the trust of customers and users, and mitigate the risks associated with handling sensitive data.
In practice, this means that the privacy program covers all actions taken by the business that involve the collection and management of personal information about customers, employees or any other group. The program includes what the company is legally obliged to do as well as any extra measures it chooses to take beyond the minimum requirement.
1. Define Program Goals and Scope
Every great privacy program starts with the company deciding what role they want privacy to play in the organisation. The privacy team will have to sit down with senior management to discuss where the company is now and where they want it to be in the future.
Realistic goal-setting
All roundtable participants had experience with companies that wanted to achieve too much in too little time. So how do you decide which projects to kick off with? It depends on the level of risk and the effort required. Projects that address high-risk areas but require little time investment will likely produce big wins.
It is important not to fill up the roadmap too much, but rather leave room for recurring tasks and surprises. Tasks like Data Subject Requests (DSR) or Data Protection Impact Assessments (DPIA) can come up sporadically and they will have to be done.
Kimberly Lancaster added, "My roadmap has to be flexible in the sense that I might need to make sideways steps because of a DPA decision that just came out. It causes this constant rotating picture of what I need to do. When you define your scope and goals, you keep in mind that flexibility that you need in privacy teams."
Leave room for quick wins
Nothing can be more frustrating than setting up a long-term plan and running into hiccups. Ivor Frater, therefore, suggested adding some quick wins to the planning to maintain motivation. Or, as he phrased it, "It's nice to have a box of cookies to lift the spirits".
As an example, he explained how much easier it is to update a policy than a process. The former is a set of guidelines established by an organisation to guide decision-making and behaviour. The latter is a series of interconnected activities performed to achieve a particular outcome. When changing a process, you also have to ensure that the stakeholders know what to do, and providing that training is more work than updating a policy that is broad and high-level.
2. Develop the Privacy Roadmap and Operational Strategy
Kimberly Lancaster recommended, "When creating the roadmap, efficiently plan recurring exercises. Consider combining different assessments to save time and ensure alignment. For instance, when I ask my teams to work on a privacy by design review, I may ask them additional questions that will provide enough information to work on the Record of Processing Activities."
"Engaging with groups like the disaster recovery team helps understand processes and align privacy initiatives. Additionally, maintain a balance with day-to-day work by allowing flexibility in handling strategic planning and operational tasks when establishing a privacy program," she continued.
3. Complete a Privacy Review
By conducting risk reviews and privacy analyses, organisations can identify complex problems and prioritise the areas of highest risk. A comprehensive privacy impact analysis and risk assessment lets the organisation refine its privacy program needs and goals, and the review will also surface any security gaps that need to be addressed. The adjusted goals should be documented and communicated to senior management and relevant stakeholders, and any gaps in current privacy procedures should be listed together with the solutions that will close them and meet the established privacy goals.
How to work with privacy ambassadors
Only a few companies have the luxury of a privacy team. More often than not, privacy leaders are still one-man shows. Stakeholders are therefore important if you want to be able to scale your privacy program.
Kimberly Lancaster recruits privacy ambassadors, spread over many different business teams. "I requested a budget to provide them with an International Association of Privacy Professionals (IAPP) membership. I wanted to make sure they got the training they needed and understood why we do the work we do."
"At the same time, I work with the manager of each champion so that privacy is included in their personal and team SKRs, and they get credit for the time they put in. Since I am a one-person team, the ambassador program gets my highest priority. It has been a real benefit because I have a champion in every team, whether HR, Finance or Engineering. That has helped me get the message out and these champions know how to speak to their teams."
A question posed was how others motivated stakeholders to participate in privacy. Kimberly Lancaster said, "Something that helped me is to articulate the benefits and return on investment (ROI) of privacy initiatives to stakeholders and partners. What's in it for them? For sales, the privacy team can provide talking points on operational controls that are in place in the company, which will help convince prospects that their data will be safe with the company. Customer Support Management teams can emphasize to our clients how important privacy is to us as a company."
She continued, "For engineers, the topic of privacy was already important, and something that would easily convince them is that involvement in the company's privacy team looks good on their resume. They understand the growing importance."
The benefit of having motivated stakeholders can be huge. Kimberly Lancaster said that the champions now take care of this in their team meetings, instead of her having to speak to hundreds of people across the organisation to make sure the RoPA questionnaires were filled out correctly. The information is now filled in correctly the first time, and a lot of time has been saved.
4. Put the plan into action
Following the privacy review, the revised goals are turned into an implementation plan for the selected privacy controls and solutions. This includes documenting use cases, scheduling implementation, and defining metrics and monitoring plans. Communication with senior stakeholders matters, as does integrating privacy solutions into daily business operations. Employee training is crucial so that staff understand the program's purpose and benefits and comply with it. Employee efforts can be recognised by identifying privacy champions, providing additional training, and incorporating privacy goals into performance evaluations.
5. Define scale opportunities
A successful privacy program should be evaluated by assessing its compliance with regulations and alignment with company objectives. This involves reviewing how well the program has been integrated into daily work routines and identifying any gaps in privacy safeguards that may need to be addressed.
Regular reviews and enhancements are essential to ensure the privacy program remains effective and responsive to evolving needs. By consistently evaluating and adapting the program, organisations can stay up-to-date with changing requirements and maintain strong privacy protection.
Conclusion
Developing an effective privacy program requires careful planning, collaboration, and continuous adaptation. It is crucial to align privacy objectives with business goals and involve all relevant stakeholders to ensure comprehensive protection of privacy rights.
QueryLayer thank you for the opportunity to talk about my favorite subject! It was a fun discussion.