Sometimes it can be difficult for privacy pros to prioritize risks and which problems to mitigate first. The answers might vary depending on context. While sometimes a risk to the organization might also be a risk to the consumer, sometimes they differ, meaning one must be prioritized over another.
In a session at the IAPP’s Privacy. Security. Risk. 2015 last week, Rebecca Richards, CIPP/G, CIPP/US, chief privacy officer of the National Security Agency, and Megan Duffy, CIPP/US, chief privacy officer at Snapchat, discussed their process for evaluating risks across the organization and deciding what to tackle and with whom inside the organization.
Broadly speaking, Duffy said, it’s about building privacy as a priority into the company culture and making sure everyone knows who it is that does privacy, so when they have a question or need input, they know exactly where to go.
“I’m known for going around and knocking on people’s doors,” Duffy said. “I say, ‘You’ve never met me before, but I hear you’re in design or in products.’ You’ve got to make yourself approachable. It’s about getting it into that culture that the entire company needs to be thinking about everything we’re doing.”
Richards agreed that privacy is a “team sport” because privacy decisions often happen at a granular level within the business, sometimes regarding which pieces of data can and should be collected and which should not. Reaching out to the people sitting at a desk making that decision can mean risk mitigation, Richards said.
Duffy agreed, adding that infusing the organization with a privacy culture creates accountability across the board rather than just within the privacy office.
To ensure that kind of accountability, Duffy recommended privacy pros create an audit process that fits within their organization. That might mean getting business involved, getting communications involved, getting marketing involved.
“Oftentimes you have everyone segregated and don’t understand what everyone is doing,” she said. To get everyone in sync and to understand the broad picture, she recommended privacy pros put a questionnaire in front of each business unit.
“Say, I need you to answer these,” she said.
Richards agreed it’s essential to know what’s happening across the board.
“When I think about some experiences in the NSA in the last two years … because of the way classified programs work, not everyone realized what everyone is doing,” she said. “I bring people who really understand the business into my office so I can really understand how the business works.”
Of course, she can’t be everywhere. So she categorizes with whom she’ll have those conversations based on the kind of data being collected.
“Depending on your organization, you may think certain types of data are more or less sensitive,” she said.
The most important question Duffy asks is, what is the product or service, she said. Second is what kind of information will need to be collected and whether it’s information the company already has.
“It’s critical to figure out what the business need is,” Duffy said. “We forget to wear our business hat,” but it’s important to understand whether collecting the data is going to “really move the needle or is it something that’s nice but not something we need to have.”
Despite the fact that Richards works for the U.S. government and so operates under different protocols and requirements, she said her assessments start in a similar place.
“I start with, ‘Where are the facts?’” she said. “Facts do matter,” because the facts will indicate whether the practice is regulated by an existing law. Maybe there aren’t a lot of ambiguities because the proposed practice is already regulated by the Foreign Intelligence Surveillance Act, for example.
After that, it’s about policy-based questions.
“Do we need to collect everything or are there things we don’t need to collect?” Richards said she asks her people. “In that space, having an internal privacy officer is helpful because you’ve got to know what your company’s business is. Context really does matter.”
But it shouldn’t always be about what’s technically allowed and what isn’t, Duffy said. Decisions should also be made around the relationship to the customer and how any given proposal or product could impact that.
“As a corporate culture, what do you want to stand for? What path do you want to go down?” Duffy said.