It might be a sad truth, but it’s likely the truth nonetheless: The most important job for any privacy professional, before even caring for data, is continually justifying why you exist. If you don’t exist, the data is significantly less likely to stay safe and be used correctly, after all.
In their preconference session here at the IAPP Privacy Academy and CSA Congress on how to manage an effective privacy program, Chris Zoladz, CIPP/US, CIPP/E, CIPP/G, CIPM, CIPT, and Jay Cline, CIPP/US, discussed producing the metrics to justify your existence, rallying a team to help you exist and getting prepared for the worst should it occur.
How can you convince your CEO that you should be funded sufficiently? Show them the numbers, Cline and Zoladz said. CEOs love numbers and charts attached to data that means something. Showing them an audit report with columns “in the red” isn’t impactful. What does that red mean? How did you measure it?
To take a measurement, you need data. By way of example, Zoladz described his work as vice president of information protection at Marriott Hotels. At the time, the hotel chain was beginning to establish its e-booking system, a process that would be most cost-efficient in the end but would take some time to catch fire. To make the case for privacy resources, Zoladz conducted simple A/B testing, in which one group of consumers saw a message that told them Marriott cares about their privacy before asking them to book online. A second group did not see the message. In the end, the group that saw the message was more likely to book. While the testing results represented a small fraction of the total bookings, when multiplied across the brand, the number became significant—a figure high enough to attract the ears of those Zoladz needed to attract.
Think About the Team, Not Just the Players
But it’s not just the higher-ups that should be thinking about privacy in order to have an effective program, Zoladz and Cline said. It’s essential to assemble a team of privacy champions.
“People love privacy. It’s emotional,” Cline said. “People will raise their hands. Privacy is sexy; it’s cool. You give them a title, and they put it on their resume; it becomes searchable on LinkedIn, and it helps their career.”
And don’t be surprised if that team doesn’t look like the kind you’ll find on a Wheaties box. Sometimes the players that would be considered first-stringers are only going to stick around for a couple of years, so find some second-stringers—people you see potential in—to train and invest in their development, and you’ll have a longer-term privacy champion on your hands.
“High-potential players can be mentored into A players; it just takes time and commitment on the part of both mentor and mentee,” Cline said. “Focus on the power and balance of the team and not just each individual player.”
Be Ready for Disaster
Zoladz said he’s been in both scenarios, with the company that doesn’t have a plan for disaster and the company that does, and the one that does always fares better.
It’s essential to have a playbook for how the company will respond if there’s an incident. That means putting a team together comprising primary and secondary people (IT, HR, security, legal) and giving that team a process to follow: confirming there’s an incident, managing the investigation around it and staying ahead of the media.
That kind of prep work will be essential when the regulator comes around for a check-in or an audit.
“Your level of preparedness sets a first impression,” Cline said. “Your auditors are human, too. Your regulators are human, too.”
Have policies and procedures documented completely and thoroughly, Cline advised.
“If there are gaps, right away, the professional skepticism of your auditor is piqued,” Cline said. “That level of completeness is very important to set that first impression.”