To have an effective data protection program, it's essential for privacy and security teams to work in concert, each carrying out their respective functions and coming together on areas of commonality.
Unfortunately, that doesn't always happen. There may be some jockeying for limited resources, a lack of understanding of each other's roles, or teams are just unsure how and where to come together.
Whatever the reason, companies see benefits when privacy and security teams recognize that the whole is much greater than the sum of its parts.
Aligning priorities
While their mandates may differ, privacy and security teams share a common goal of maintaining the confidentiality, integrity and availability of personal information. Because of this, the opportunities to work together to build brand trust, achieve legal compliance and create operational efficiencies are many.
As a privacy leader, consider reaching out to your security counterpart during annual planning and budgeting to discuss where you may be able to combine forces and advocate for tools and resources that will support and enable both teams.
Data inventories
A comprehensive data inventory is the basis for any successful privacy program. It is also invaluable for ensuring company data has appropriate risk-based safeguards in place.
The tricky part is that security teams look at data differently than privacy teams do. Security teams focus on what data the organization holds and in which systems, so they can protect it appropriately.
Privacy teams are less focused on how to protect that data and more on what's happening with that data. How was it collected? How is it being used? Who is it being shared with?
When privacy and security teams collaborate on creating a data inventory, it creates a more holistic view of the data in an efficient manner that can better serve the organization.
Additionally, when procuring tools to automate aspects of this work, privacy and security teams can jointly make the case for them: such tools help meet legal obligations like data subject rights and records of processing, and they help ensure valuable company data is protected in proportion to its risk.
Policy creation
Because of the common goal of protecting information, many organizational policies straddle privacy and security concerns. It's important for the two teams to work together to ensure an organization-wide understanding of what data represents higher levels of risk to the organization and its customers.
For example, privacy teams may think of sensitive data in a specific way as defined by privacy laws, whereas security teams may have a very different view of sensitive data, based on what is important or high-risk to the business.
When we think about a data classification policy, only looking at one team's definition of sensitive data can lead to gaps in protections. Privacy and security teams need to reach a consensus over these terms, so data protection policies can provide employees with clear and consistent direction related to data risks and the organization can have proper protections in place.
Additionally, collaboration on areas like incident response, compliance, vendor onboarding, and certifying to privacy and security frameworks necessitates coordinated creation of policies and procedures for those parts of the business. Ensuring policies and procedures work within the existing systems and workflows of both teams will lessen business disruption and create operational efficiencies.
Third-party management
Sharing data with third parties brings risk, so assessing the privacy and security of third parties is an essential step in the procurement process. Organizations need to ensure third parties meet certain security standards and can comply with privacy obligations like data minimization; use, disclosure and retention limitation; and assisting in privacy rights.
It's likely your organization already has a security questionnaire through which you vet third parties. Working together to create a presales risk assessment that covers both privacy and security concerns will build efficiencies into the procurement process and ensure a comprehensive assessment.
For example, security teams may require a third party to certify to the International Organization for Standardization's ISO 27001 and consider that adequate to share data with them. Privacy teams will also want to understand how the third party will use the personal information shared, and whether they can comply with data protection laws, among other things.
Coordinating the cadence and requirements for regular monitoring of third parties will carry those efficiencies throughout the agreement.
Privacy risk assessments
Conducting privacy risk assessments like data protection impact assessments, as required by the EU General Data Protection Regulation, or data protection assessments, as required in many U.S. states, is another area for privacy and security to work together to benefit the organization.
A main concern in a data protection assessment is how the information will be protected. When organizations conduct high-risk processing, they need to ensure additional safeguards are in place to mitigate that risk.
Working with security, the privacy team can better understand which protections already exist, which are available, and which make sense within the relevant data systems, so that processing important to the business can proceed within an appropriate risk profile.
Training
A coordinated approach to employee training programs is an important tool to shape how data protection is viewed across all areas of the business. Highlighting the importance of privacy and security separately and how they work together underscores a holistic approach to data protection that fosters a culture of responsibility.
Security is integral to data privacy, and security teams can leverage privacy concerns to talk about the importance of security. For example, when training employees on appropriate access to company data, the security aspects easily dovetail with the privacy implications when you center the scenario on inappropriate access to sensitive personal information.
By integrating these concepts, employees understand safeguarding company data means appropriate handling as well as physical and technological protections. Plus, a unified approach streamlines training, making it more efficient and effective in creating a comprehensive defense against data breaches and privacy violations.
Tools and technology
Technology plays an important role in enabling privacy and security teams to safeguard data effectively, and many tools provide features that can serve both teams.
Coordinating on technologies by communicating the goals each team is looking to achieve with a new tool can help when going in front of leadership for approval.
Discovery tools or identity verification tools that are used for internal security operations may be leveraged for privacy needs too.
Privacy and security collaboration is essential
Fostering collaboration between privacy and security teams is not just beneficial, it is essential for any organization aiming to build a robust data protection program.
Though the teams have different focuses, their combined efforts result in a unified and proactive approach that benefits the entire organization by mitigating risks, ensuring legal compliance and maintaining the confidentiality, integrity and availability of information across the board.
By working together on key areas like data inventories, policy creation, third-party assessments, risk evaluations and training programs, organizations can achieve greater operational efficiency, streamline compliance and build a stronger foundation of trust with customers.
Jodi Daniels, CIPP/US, is the founder and CEO of Red Clover Advisors.