Mike Tyson once said “Everybody's got plans ... until they get hit.” Eventually a privacy incident, a data breach, will occur within your organization.While a complete privacy program has an incident response plan in place, it seems that there is always some twist during an event that was not anticipated.
A successful privacy program is a complex undertaking. The privacy team needs to stay abreast of regulatory and statutory changes, watch for potential threats from both external and internal sources, assure compliance in existing or emerging business practices, respond to stakeholder inquiries, and provide privacy leadership to their organization, to name just a few of their myriad responsibilities. With this many balls to keep in the air, how can you quickly explain the key attributes of a successful program?
This new series for The Privacy Advisor suggests there are three As that answer this question: Alignment, Accountability and Adaptability.
Discussions surrounding alignment tend to focus on how a privacy program supports and enhances business goals and strategies. Clearly, this is a key, if not the central component to meeting organizational privacy needs. This, however, is only a single dimension of the alignment focus of a privacy program.
An organization depends on the privacy team to maintain alignment with regulatory requirements. As privacy professionals, we all invest time understanding the laws and regulations related to the collection, processing, and protection of personal information. We attempt to anticipate where these requirements are going in the future, including for emerging technologies. Without regulatory alignment in place we leave our organizations susceptible to fines, oversight, and legal action.
Similarly, the privacy program needs to maintain alignment with the needs of an organization’s stakeholders. Customers, employees, investors, and suppliers all have privacy perspectives that need to be considered. The privacy team needs to provide insight into these perspectives for the organization. The team then must balance these varying and potentially conflicting needs to assure that they do not become an impediment to organizational success.
Regulatory and stakeholder alignment provides vital information to the establishment of organizational goals and strategies. By understanding the external requirements that must be addressed to achieve these alignments, a privacy program adds value to the organization by assuring objections, negative publicity, investigations, and other distracting activities do not impede the efficient achievement of organizational goals. In fact, with proper insight to these two domains, the privacy team could provide a strategic advantage to an organization.
While organizational alignment focuses on the support of goals to be achieved, operational alignment focuses on providing support for how these goals are being achieved. Ultimately, this is the core activity of a privacy program.
Regulators, attorneys general, data protection authorities, customers, employees, and investors all hold organizations accountable for protecting personal information. Organizations appoint a privacy officer to oversee and respond to this accountability. However, accountability for the execution of the privacy program cannot end there. A successful privacy program recognizes that there are privacy responsibilities throughout an organization.
An organization’s leadership, especially their executives, need to accept and acknowledge their privacy responsibilities through both words and actions. They, in turn, should support the privacy team in working with each department to meet the privacy responsibilities delegated to them, Ultimately, line management must provide that same support to the privacy team to work with individual staff members.
Each level of the organization must be held accountable for meeting their responsibilities. This may only be done through appropriate communication of those responsibilities through a coordinated program of training and awareness followed by compliance testing.
Over time the privacy environment changes. Sometimes it takes years, often the time is minutes. A privacy program needs to be adaptable, some may say nimble, to meet these transformations.
Recent events in the EU are a perfect example of the need for adaptability with respect to the regulatory environment. For many organizations it seemed that in a blink of an eye Safe Harbor was found invalid. While the EU-U.S. Privacy Shield has been announced, the requirements for compliance have yet to be exposed. There is even some uncertainty as to if Privacy Shield will be adopted. There has also been discussion of the long term viability for model contracts, data transfer agreements, and binding corporate rules. Privacy professionals need to be ready for however the chips may fall.
Of course, while regulations and laws are changing organizations morph. New products and services are introduced while some may be dropped; new geographies are entered while some may be exited; acquisitions are made and divestures executed. All of these require privacy programs to be reviewed and for them to be adapted to the new business configuration.
Meanwhile, new technologies are routinely being introduced and organizations are finding ways to integrate them. This integration is either by design or due to employees embracing the technology for personal use. In either case, privacy programs must assess the technology and determine if there are potential privacy compliance issues.
Sometimes the privacy team must provide that assessment in a previously unexplored area. Take, for example, the introduction of drones. From a privacy perspective, a myriad of questions have been raised; from a business perspective, opportunities for efficiency and safety improvements became apparent. Some early adopters began testing before regulatory or legislative action was even being discussed. This required privacy teams in these organizations to provide guidance, adapting their programs to address potential uses for the new technology.
Mike Tyson once said “Everybody's got plans ... until they get hit.” Eventually a privacy incident, a data breach, will occur within your organization.While a complete privacy program has an incident response plan in place, it seems that there is always some twist during an event that was not anticipated. In this situation your privacy team needs to rapidly adapt the incident response plan to address the twist.
Once the situation is remediated, the privacy program may need to be modified to address the root cause of the incident. Once an after event analysis is complete, privacy impact assessments, policy and process improvements, training and awareness additions, or increased compliance oversight are all examples of adaptations to be considered.
The inter-relationship between alignment, adaptability, and accountability
Establishing alignment, implementing accountability, and being adaptable are not one-time events. In fact, the three As all depend upon each other to evolve.
For example, once alignment is established, the accountability activities may uncover areas where the program may need to adapt to new or previously undiscovered business requirements. This, in turn, may require an adjustment to the alignment between business practices and the privacy program.
This interdependency provides a foundation for a privacy program lifecycle consisting of an ongoing review, assessment, and adjustment of an organization’s privacy policies and procedures.
If you want to comment on this post, you need to login.