By: Ramon Peypoch
May 9, 2019
Positioning Privacy Teams for Success
Major events like the adoption of the European Union's General Data Protection Regulation (GDPR) and the social media manipulation of the 2016 US Presidential election have driven data privacy to the top of news cycles, corporate and regulatory agendas, and consumer concerns. Privacy was long ignored, both by the companies collecting online data and by data subjects eager for digital conveniences, and in regulated industries it was relegated to the domain of compliance departments. Now it is talked about everywhere.
Beyond punitive risks, good privacy is good for business. Cisco’s 2019 Data Privacy Benchmark Study found that 87% of respondents report sales delays due to customer data privacy concerns. Alleviating those concerns would reduce or remove such delays and speed up revenue.
With the stakes raised, the pressure is on privacy leaders and Data Protection Officers to ensure their organizations are correctly managing sensitive data. Yet they are generally expected to do it on shoestring budgets with limited resources. Recent research from CPO Magazine reveals that 46% of its 250+ survey respondents allocate less than 5% of their annual governance, risk and compliance budget to data protection and privacy; another 20% allocate just 5 to 10%. While security budgets continue to grow, privacy efforts are usually left with very little funding. In that constrained environment, what should privacy officers focus on?
- Educating and engaging senior leadership. Privacy needs to start from the top down. Senior executives have woken up to the significant consequences data breaches can impose: financial loss, regulatory action, shareholder suits, and in some cases executive job losses (think Equifax, Sony, Yahoo, and more). Data security is now top of mind for executives, but leaders, especially in unregulated sectors, must understand that privacy, while related, is a separate issue: a system can be well secured against outside attackers and still collect, retain or share personal data in ways that violate privacy obligations. Senior leadership's example of a strong privacy ethos and practice is an absolute must for an organization to follow, and the privacy team has a major role to play in guiding and advancing that posture. That leads to…
- Driving a privacy-aware culture. Senior leaders and privacy teams need to help all staff understand, accept and implement effective privacy measures. It is challenging to change organizational behavior, especially when everyone is moving at warp speed. Training programs, awareness-raising campaigns, executive messaging and consistently integrating privacy into normal course-of-business discussions will move the needle. Laws and regulations change all the time, so the privacy team needs to stay on top of what is new and continually guide the organization.
- Data governance. Controlling access to sensitive data goes a long way toward protecting it. Privacy and security teams need to partner to drive a governance framework that accounts for the access, tools, skills and change management needed to make privacy work in their organization. That framework must provide for proper data stewardship, including managing permissions, defining appropriate use, and maintaining data quality. The fewer hands touching any given data set, the lower the risk, which is the same least-privilege principle security teams already apply to systems and accounts.
- Driving execution of data mapping and clean-up. Governing data requires knowing what you have and where it is. With cloud-centric environments and extensive third-party data exchanges, this is especially challenging. Privacy teams own the very heavy lift of directing every department that uses sensitive customer and employee data to map, to the best of its knowledge, what it holds and where that data flows; if the resulting audit reveals problems, a clean-up effort is required. You can imagine the resistance such an involved exercise meets. Senior executive support is crucial to driving this step.
- Guiding privacy-by-design (PbD). Retrofitting existing systems for privacy is difficult. As new systems are planned and developed, it is best to integrate PbD so that privacy-centric attributes are built in from the beginning. While this is normally associated with new IT development, PbD can be baked into any process that involves gathering and/or using sensitive data. Privacy teams set PbD guidelines that are shared with business units for use as they stand up new systems and processes.
Of course, everyone wants privacy "done" without interference with the business, leaving privacy officers struggling to balance organizational safety and productivity. With these broad responsibilities and limited budget, privacy teams need all the help they can get. Technology like VERA can be one such resource.
VERA's always-on file security protects files and secures collaboration, giving privacy teams assurance that sensitive data is not accessed by unauthorized users. If a file accidentally or intentionally gets into the wrong hands, VERA provides an audit trail of access and real-time access control that can revoke anyone's access, wherever the file is stored or sent. These capabilities allow organizations to mitigate compliance risks, and employees to use modern collaboration tools safely with people outside the organization.
Managing sensitive data in this automated way frees privacy teams to stretch limited bandwidth and gain peace of mind that critical data assets are better protected.
Ramon Peypoch, Sr. VP Product Management
"Maximizing the value of your data privacy investments: Data Privacy Benchmark Study," Cisco, January 2019
"Data Protection and Privacy Officer Priorities 2019," CPO Magazine, 2019