News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to build a 'culture of privacy' Related reading: A view from DC: Will Maryland end the era of notice and choice?

rss_feed

It has become clear that data privacy is an imperative for any organization that collects or uses personal data — and let’s face it, that’s pretty much every organization. But most companies still aren’t putting the necessary resources into their privacy programs, and as a result they fall short of their responsibilities. We get it. It’s a real challenge; organizations need to weigh privacy concerns against lots of other objectives and priorities. So, what’s the solution? We believe it’s creating a culture of privacy within your organization and using this to drive alignment and better privacy (and business) outcomes.

This new series for The Privacy Advisor by the team at Sentinel, a privacy consultancy and the company behind the privacy program management technology Ethos, will examine the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this first article, we’ll provide a general understanding of the concept of a “culture of privacy,” why it’s important and some tips on how to implement one within your organization.

What is a 'culture of privacy?'­­­­­

Though you may not realize it by looking at many privacy programs and technology solutions on the market, privacy is about a lot more than legal compliance. In a privacy program operating within a culture of privacy, legal compliance should be one result of a successful program, not the goal. An equally important focus is how personal data supports other business objectives. To do this, you need to look at privacy and data governance through the lens of contractual obligations, customer expectations, organizational ethics and strategic initiatives, as well as regulatory obligations. 

Why create a culture of privacy?

Much like when you embed privacy in your systems and technologies, when you embed it in your organizational culture, you end up with a structure that protects privacy by default while enabling you to use your data to its fullest potential.

It’s important to remember that privacy laws are written by people who don’t know your business. The result is that compliance-focused privacy programs often struggle to engage with stakeholders across the business who may have strategic goals that appear in conflict with protecting personal data. 

A culture of privacy provides a shared understanding of how personal data can and should be used to support broader strategic objectives. This improves the ability of the privacy program to execute and drives alignment with other teams, increasing their understanding of and desire to support the achievement of privacy goals. All these lead to the biggest benefit of all: getting the highest and best use out of your data — both for your organization and individuals.

Additionally, when you build an understanding of privacy at the cultural level, you create a force multiplier for privacy that reaches into every branch of your organization. Many organizations struggle to get the funding for a privacy team that can manage this emerging risk to appropriate levels. Organizations that adopt a culture of privacy approach can multiply the effect of their core privacy team through a shared vision of data usage.

How do you create a culture of privacy?

Get leadership buy-in: Organizational culture starts at the top, and in order to have a shared vision, getting leadership on board is imperative. Start by building support in a few key individuals who can help you advocate to executive management. Then start small, provide a high-level overview of how the program will work and make sure your fellow advocates are in the room.

Create privacy champions: Privacy champions are individuals who will help promote the privacy program within their own team and while working on various projects. It’s good to have these representatives in key functional areas across your organization, especially those that will be significantly impacted by data use.

Talk about it: Find opportunities to talk about data privacy. Did someone in your organization flout a phishing attack? Use that as an opportunity to applaud the employee and underscore the importance of the data your organization holds. Celebrate Data Privacy Day each year by organizing a data clean-up day, and encourage employees to go through their computers and delete information they no longer need. The more touch points — however small — the better!

Include it in your employee handbook and on-boarding training: Culture isn’t just fluff, it’s the things you actually do on an individual basis every day. Show employees from day one that privacy is an important cultural value by including it in your employee handbook and on-boarding. And remember to talk about the privacy of the information you hold about them; this isn’t just about customers.

“Yes, and … ": The privacy team can get a reputation for being the team of "no." Considering privacy doesn’t always mean no, and it’s important that your heavy data users see that you’re interested in working with them to achieve their objectives in ways that agree with your organization’s new culture of privacy.

Breaking it down

In future articles in this series, we will show you how creating a culture of privacy can further your organization’s successes in the following areas:

Legal: With privacy laws being proposed and passed at rapid fire pace, it’s hard to keep track of what laws you need to comply with and understand where these laws conflict or overlap. A culture of privacy will put you in position to quickly adapt to regulatory changes by having strong fundamentals as opposed to requiring a full-scale program to assess the impact every time a new law is proposed.

Contractual: Many privacy programs seek only to align with regulatory requirements; however, this is not a view that encompasses many real-life business scenarios. Often, a business has obligations tied to specific contractual requirements, particularly if they primarily operate as a data processor for other entities. Ignoring contractual requirements that restrict what you can do with data because you assume that your legal-based program is sufficient could be putting your key business relationships at serious risk.

Ethical: Just because you can, doesn’t mean you should. For many businesses, laws and contracts may not apply to data handling practices. But this shouldn’t be interpreted as a license to do whatever you want with personal data. To be ethical, an organization must respect the privacy of employees and customers alike. Ethics is increasingly talked about in terms of a key brand value — and data ethics is a key part of that.

Customer Centric: Meeting expectations of customers and employees is an integral part of building trust within those groups. Engendering a culture of privacy shows both consumers and employees they are important to your business and breeds loyalty based on trust. It also provides individuals with an appropriate level of control over the data that they share with you. The more that individuals trust you and feel that they have control over what you do with their data, the more data they are likely to share and the more unique value you can provide to differentiate you from the competition.

Strategic: Privacy can be a business differentiator. Using privacy by design principles, you can and should build privacy into your company’s offerings and overall data strategy. Aligning privacy with your organizational goals will allow you to position your company as a trustworthy brand. You may also want to make the decision to go above and beyond legal and contractual requirements and strategically do privacy better as part of your overall market differentiation. Understanding the business impact of a strategy like this is a key component of being able to convince executives that this strategy will have a positive ROI.

Photo by La-Rel Easter on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Aaron Weller, CIPP/US, CIPM, CIPT, FIP IAPP Member Contributor
Headshot Emily Leach, CIPP/E, CIPP/US IAPP Member Contributor
Tags
Privacy Operations Management
2 Comments

If you want to comment on this post, you need to login.

  • comment Vincent Renaud • Feb 27, 2020 
    Thank you for this extremely interesting article. I agree, privacy is definitely a business differentiator when seen through the prism of all it pervades instead of just contractual terms that non-legal staff struggle to comprehend. In my experience, successful implementation comes down to education, education and education.
Looking forward to the next articles!
  • comment Megan Young • Mar 12, 2020 
    Thank you for this article, you have very clearly laid out the ground work for an effective privacy culture. I look forward to the rest of the articles in the series.
Related Stories
FISA Section 702's Reauthorization Era
For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, ...
Read More queue Save This
ANPD unveils efforts to streamline DSAR process
Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, and the Ministry of Management and Innovation in Public Services Management and Innovation Secretariat presented a process for streamlining data subject access requests. The improvements include simplifying complaint f...
Read More queue Save This
Related Stories
Tags
Privacy Operations Management
Recent Comments