In this series for The Privacy Advisor, we ask privacy professionals who've been in the field for at least a few years to describe how they got their starts. The series aims to help new privacy professionals gain insights and ideas on how they might jumpstart their own careers. See past installments 

Words are the foundation

Words create the foundation of a privacy program. The program will not succeed if messages are interpreted differently throughout the organization or, perhaps, are not even read at all. A strong foundation is consistent, clear, and concise.

Privacy is one piece of a compliance program and intertwines with other areas. Collaborate with peers in similar roles to create a unified message and set reasonable expectations. Employees will not remember multiple definitions for a single term. Employees will not save twenty different links to find risk and compliance resources. Employees will not read multiple 100- page policies on every compliance topic. 

Avoid overwhelming your audience by giving yourself the tools and resources to succeed. A single set of shared terms and definitions with your compliance partners will be important. Also, consider using a single gatekeeper for all compliance messages with the purpose of maintaining a consistent and unified message. Key stakeholder reviews help identify content which may be pertinent to a privacy professional, but is unnecessary for your audience. Keep it simple.

I’m reminded of a quote from the author of The Little Prince, Antoine de Saint-Exupery: “Perfection is reached not when there is nothing left to add, but when there is nothing left to take away.”

Small steps lead to big changes

Once the privacy budget and resources are approved, leadership wants the program built yesterday. What’s the hold-up? 

A privacy program is highly dependent on changing peoples’ behaviors; you need employees on your side. Publishing policies and setting up governance structures will not ensure change adoption. People are capable of accepting a certain amount of change in relatively short time periods. Over saturation of change leads to frustration, confusion and sometimes complete shutdown.

Bring people along with you by taking small purposeful steps with an appropriate amount of change for your audience. Complete a change management plan to bring the impacts to stakeholder groups into focus. Reassess and update plans based on what you learn. Request feedback and monitor metrics to determine the right time for your next step. If metrics indicate a lack of adoption for a specific change, revisit your plans to determine if additional work on that particular topic is needed before moving on.

Be the swan, calm on the surface

Privacy “emergencies” will happen despite precautions. Remain calm or incidents become crises. Living in constant crisis mode takes a toll on individuals, team morale and planned work. Author Stephen Covey has a great quote on this topic: “Between stimulus and response, there is a space where we choose our response.” However, it’s not always easy to stay calm in the eye of the storm.

The key to remaining calm is trusting your team and process. Stay flexible, but now is not the time to architect process changes. Maintain a reasonable schedule. Eat lunch. Do not rush. Project a calm demeanor. Smile. Avoid speaking negatively. 

Afterwards, take the opportunity to complete a lessons learned. The process changes or team reassignments will be driven by actual events instead of suppositions and fear. Targeted improvements following an incident will help ensure every incident is handled better than the last. 

Maintenance is undervalued

Abandoned web pages. Notices that haven’t been reviewed in years. Broken links. Oh my! When managing a privacy program, it’s easy to fall into the trap of creating more web pages, job aids, reports and training than can reasonably be maintained. Success is highly dependent on accuracy and availability of these resources.

Guard the quality of your work products by reviewing requests for additional materials with a critical eye and assigning maintenance as a task. Re-use and update existing materials rather than creating new whenever possible. Don’t forget to check-in with your other risk and compliance partners who may have created similar materials already. Assign maintenance activities to team members as core job duties. Reward maintenance activities with the same praise and recognition as new implementations.

Maintenance competes for the same resources used to develop the privacy program. Consider future maintenance during design and planning to minimize the resources and time needed. Also remember, regular maintenance on your privacy program helps avoid privacy “emergencies” which would pull away even more resources and take even more time.

Not everyone likes privacy and that’s okay

You used the right words. You followed the change management plan. You stayed calm. You maintained accurate and complete information resources. Unfortunately, you still received negative feedback.

Be open to this feedback and flexible, but also know when a task is complete. Continuously questioning decisions can cause privacy paralysis. Privacy is an area where over-rotation happens easily. The topic is complex and often there is more than one good solution. Complete the appropriate steps to explore your options so you have conviction in the decisions made.

The privacy naysayers may, and often do, become your biggest advocates. Use their feedback as an opportunity to create a relationship and incorporate their ideas when appropriate. This will improve the quality of your work products and, hopefully, earn you more privacy supporters.