Editor’s Note: We asked privacy pros to weigh in with their recommendations for getting board or executive-level support for privacy efforts and building strong privacy programs. In this series, Norine Primeau-Menzies, CIPP/C, Chris Pahl, CIPP/G, CIPP/US, and Michael Spadea, CIPP/US, share insights they’ve gained from their work. More experts in the privacy field will discuss obtaining and sustaining executive buy-in and other key issues during the preconference workshop Getting Results: 13 Proven Tips for Managing an Effective Privacy Program at the IAPP Privacy Academy in San Jose, CA, on October 10.
Tips for gaining buy-in for your privacy program
- Ensure that the appropriate senior leader for the function is in place. This also includes aligning where that function will sit in the company. If the function will support the entire company, then burying it within a department signals to senior executives that the function is not that important. Moving the function to a part of the organization with enough "clout," e.g., ethics and compliance, will help get the attention it deserves.
- Ensure that the senior leader is passionate and understands why the program exists. While the program may exist for "regulatory purposes," it is important for the senior leader to personalize the "why" to senior executives and those below them. It is very beneficial when the "why" examples are drawn from the company's perspective. For example, providing examples from within and outside the industry is helpful, but "a-ha" moments are generated when specific examples from the company are discussed. Many examples may be available by consulting the division that conducts employee investigations.
- Gain buy-in through providing a high-level overview of how the program will work, including leveraging existing resources. With companies continuing to focus on budget costs, buy-in could be gained by leveraging existing qualified staff to lead the program. In many cases, existing lawyers, compliance officers or records managers may have the foundational expertise to implement the program.
- Start small, and periodically report to the board about progress, risks and solutions. Regular updates as short as a few minutes keep the board engaged.
- While key program documents, e.g., charter and policy, are under development, have the senior leader in charge of the privacy function start meeting with key stakeholders to explain the program and how it will support that department's work. Stakeholders generally welcome a partnership rather than more oversight. Again, messaging should be crisp and discuss identified gaps.
- Develop tools and resources, and promote them. Once stakeholder meetings have concluded, take the feedback and help identify tools and resources and promote them. The key to ongoing support is to show value through collaboration.
- Invite the stakeholders to be part of the decision-making process. Generally, this can be done by including privacy as part of an existing committee, e.g., IT, which garners more support and synergy. We are seeing the synergy between cybersecurity and privacy with the proposed amendments to the Cybersecurity Act.
Chris Pahl, CIPP/US, CIPP/G, works at Southern California Edison, but his comments here do not necessarily represent the company.