It has become clear that data privacy is an imperative for any organization that collects or uses personal data — and let’s face it, that’s pretty much every organization. But most companies still aren’t putting the necessary resources into their privacy programs, and as a result they fall short of their responsibilities. We get it. It’s a real challenge; organizations need to weigh privacy concerns against lots of other objectives and priorities. So, what’s the solution? We believe it’s creating a culture of privacy within your organization and using this to drive alignment and better privacy (and business) outcomes.
This new series for The Privacy Advisor by the team at Sentinel, a privacy consultancy and the company behind the privacy program management technology Ethos, will examine the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this first article, we’ll provide a general understanding of the concept of a “culture of privacy,” why it’s important and some tips on how to implement one within your organization.
What is a 'culture of privacy?'
Though you may not realize it by looking at many privacy programs and technology solutions on the market, privacy is about a lot more than legal compliance. In a privacy program operating within a culture of privacy, legal compliance should be one result of a successful program, not the goal. An equally important focus is how personal data supports other business objectives. To do this, you need to look at privacy and data governance through the lens of contractual obligations, customer expectations, organizational ethics and strategic initiatives, as well as regulatory obligations.
Why create a culture of privacy?
Much like when you embed privacy in your systems and technologies, when you embed it in your organizational culture, you end up with a structure that protects privacy by default while enabling you to use your data to its fullest potential.
It’s important to remember that privacy laws are written by people who don’t know your business. The result is that compliance-focused privacy programs often struggle to engage with stakeholders across the business who may have strategic goals that appear in conflict with protecting personal data.
A culture of privacy provides a shared understanding of how personal data can and should be used to support broader strategic objectives. This improves the ability of the privacy program to execute and drives alignment with other teams, increasing their understanding of and desire to support the achievement of privacy goals. All these lead to the biggest benefit of all: getting the highest and best use out of your data — both for your organization and individuals.
Additionally, when you build an understanding of privacy at the cultural level, you create a force multiplier for privacy that reaches into every branch of your organization. Many organizations struggle to get the funding for a privacy team that can manage this emerging risk to appropriate levels. Organizations that adopt a culture of privacy approach can multiply the effect of their core privacy team through a shared vision of data usage.
How do you create a culture of privacy?
Get leadership buy-in: Organizational culture starts at the top, and in order to have a shared vision, getting leadership on board is imperative. Start by building support in a few key individuals who can help you advocate to executive management. Then start small, provide a high-level overview of how the program will work and make sure your fellow advocates are in the room.
Create privacy champions: Privacy champions are individuals who will help promote the privacy program within their own team and while working on various projects. It’s good to have these representatives in key functional areas across your organization, especially those that will be significantly impacted by data use.
Talk about it: Find opportunities to talk about data privacy. Did someone in your organization flout a phishing attack? Use that as an opportunity to applaud the employee and underscore the importance of the data your organization holds. Celebrate Data Privacy Day each year by organizing a data clean-up day, and encourage employees to go through their computers and delete information they no longer need. The more touch points — however small — the better!
Include it in your employee handbook and on-boarding training: Culture isn’t just fluff, it’s the things you actually do on an individual basis every day. Show employees from day one that privacy is an important cultural value by including it in your employee handbook and on-boarding. And remember to talk about the privacy of the information you hold about them; this isn’t just about customers.
“Yes, and … ": The privacy team can get a reputation for being the team of "no." Considering privacy doesn’t always mean no, and it’s important that your heavy data users see that you’re interested in working with them to achieve their objectives in ways that agree with your organization’s new culture of privacy.
Breaking it down
In future articles in this series, we will show you how creating a culture of privacy can further your organization’s successes in the following areas:
Legal: With privacy laws being proposed and passed at rapid fire pace, it’s hard to keep track of what laws you need to comply with and understand where these laws conflict or overlap. A culture of privacy will put you in position to quickly adapt to regulatory changes by having strong fundamentals as opposed to requiring a full-scale program to assess the impact every time a new law is proposed.
Contractual: Many privacy programs seek only to align with regulatory requirements; however, this is not a view that encompasses many real-life business scenarios. Often, a business has obligations tied to specific contractual requirements, particularly if they primarily operate as a data processor for other entities. Ignoring contractual requirements that restrict what you can do with data because you assume that your legal-based program is sufficient could be putting your key business relationships at serious risk.
Ethical: Just because you can, doesn’t mean you should. For many businesses, laws and contracts may not apply to data handling practices. But this shouldn’t be interpreted as a license to do whatever you want with personal data. To be ethical, an organization must respect the privacy of employees and customers alike. Ethics is increasingly talked about in terms of a key brand value — and data ethics is a key part of that.
Customer Centric: Meeting expectations of customers and employees is an integral part of building trust within those groups. Engendering a culture of privacy shows both consumers and employees they are important to your business and breeds loyalty based on trust. It also provides individuals with an appropriate level of control over the data that they share with you. The more that individuals trust you and feel that they have control over what you do with their data, the more data they are likely to share and the more unique value you can provide to differentiate you from the competition.
Strategic: Privacy can be a business differentiator. Using privacy by design principles, you can and should build privacy into your company’s offerings and overall data strategy. Aligning privacy with your organizational goals will allow you to position your company as a trustworthy brand. You may also want to make the decision to go above and beyond legal and contractual requirements and strategically do privacy better as part of your overall market differentiation. Understanding the business impact of a strategy like this is a key component of being able to convince executives that this strategy will have a positive ROI.
Photo by La-Rel Easter on Unsplash