Corporate privacy programs are rapidly ascending in importance to the enterprise as are the leaders of these programs. Stiff penalties associated with the EU’s General Data Protection Regulation (GDPR), the impact of data breaches and the public relations value of a fair and transparent privacy program are elevating privacy issues to the agendas of CEOs and corporate boards.
This has led to the ascent of the Chief Privacy Officer, or CPO. Privacy programs are no longer optional and no longer simply a means of staying out of the courtroom; they are critical components of a corporation’s DNA. TechVision Research released a report last summer called Privacy Beyond Compliance that described 29 business cases for evaluating privacy-based expenditures, and has just released a report by Jill Phillips that focuses on best practices for building a world-class privacy program in light of an increasingly complex regulatory environment.
So how does a new CPO build a comprehensive privacy program (or evaluate an existing one), how should this program be structured, and what considerations should be weighed in building it? Jill Phillips, the former Chief Privacy Officer at Chevron, Dell and, most recently, General Motors, shares her pragmatic privacy program experience in our TechVision Report on this topic. We’ll summarize the key points here.
She describes the process for developing a pragmatic privacy program as including the following four major elements:
1. Understand Core Organizational Values and Culture: Includes understanding communication methods/styles, code of conduct (formal and informal), compliance tolerance, embarrassment threshold, safety policies and core company values. This is used to frame the overall program, gauge risk profiles and guide the overall structure of the privacy program.
2. Assess the Impact: This phase involves careful prioritization to maximize use of limited resources, leveraging successful existing initiatives (often an information security program), and gaining feedback by providing training, promoting privacy awareness and providing privacy tools.
3. Create “Workable” Solutions: This focuses on what will work within the context of the organization and the impact assessment described above. It is critical to be flexible, compromise where possible, gain consensus, and provide consistent feedback and updates to all key stakeholders. It is not about winning the privacy battle; it is about winning the long-term privacy war, and compromise is often an imperative, especially early in the process.
4. Execute with Excellence: This may seem obvious, but the seeds that are being planted need to be fed, watered and properly fertilized. There are often naysayers who will question budget allocations and the value of the program. It is important to genuinely incorporate feedback, gain executive sponsorship and communicate regularly with those sponsors, present complete solutions, and wherever possible “embed” privacy principles into the culture.
A reference architecture for building a well-integrated privacy program can be framed by answering specific questions to ensure consistency with corporate values, culture and key enterprise business initiatives. The key is for your privacy program to be an extension of the business and compatible with its culture, not a compliance-based appendage superfluous to the “real” enterprise programs.
To get a sense for the questions to ask and how to assess and build your privacy program, I’m attaching a link to an excerpt from Jill’s most recent TechVision Research report. We also have a team of senior privacy leaders to help organizations walk through this process. Good luck in building your enterprise privacy program. https://techvisionresearch.com/project/enterprise-privacy-guidelines-changing-regulatory/