With the EU General Data Protection Regulation fast approaching, alongside the continued spread of breach notification regimes around the globe, organizations can hardly afford to paper over their privacy compliance obligations. Indeed, given the potential fines in the GDPR, the cost of noncompliance is now more or less prohibitive. As a result, privacy accountability is increasingly gaining the attention of boards of directors and senior leadership, and all levels of the organization are looking to their privacy leaders to help the organization safely navigate the hazardous terrain of today’s privacy compliance landscape.
You, as privacy leaders, may rightfully feel a bit uncomfortable with this heightened attention from leadership, but the increased attention also presents privacy leaders with a tremendous opportunity.
In short, with attention often comes budget, and privacy leaders now have the opportunity to drive organizational change by taking the transformative step of “automating” the privacy office and, in doing so, increase the ability to use the data. Privacy technologies offer a significant improvement in the visibility and control the organization has over its personal information.
Of course, it should be little surprise that taking steps to automate the privacy office is no small task. It represents a near seismic shift from the traditional view of the privacy function as narrowly occupied with paper-based (or perhaps office-based) compliance activities to one that recognizes and embraces the idea that meaningful compliance (i.e., operational and demonstrable) and risk mitigation depend on the development and adoption of innovative technical privacy solutions to effectively address the privacy compliance challenges facing today’s organizations.
Good news and not-so-good news
The good news is that, in recent years, the market has produced a wave of new technical privacy solutions promising to address many of the organization’s long-standing data discovery and data governance needs. Whether it is inventorying and mapping of personal information, data deletion or portability, consent management, breach notification or other compliance monitoring and reporting needs, there is an ever-growing number of available privacy tools that privacy leaders can leverage to help automate the privacy function.
The not-so-good news is that many of today’s privacy leaders do not possess the technical know-how to evaluate the efficacy of these tools for their respective organizations, nor do they have the experience or relationships within their organizations to successfully make the case to senior leadership to invest in one or more of these technical privacy solutions. Furthermore, the results of the IAPP-EY 2016 Governance Report note that privacy offices have limited budgets that do not account for investments in technology.
Given the above, how can you persuade leadership that the benefits of automating the privacy office outweigh the not inconsiderable expenditures?
- Know the process and know your decision-makers: This may seem too obvious to mention, but the importance can’t be overstated. Privacy leaders may only get one bite at the apple, and taking the time to maximize your odds of getting buy-in and funding from senior leadership is imperative. One of the key considerations here will be around the proposal process itself. Privacy leaders may have experience with making budget requests, but there may be a different set of protocols when presenting a proposal for technology investment. It will also be important to identify who the ultimate decision-makers are (e.g., individual versus committee), what their priorities are (e.g., risk mitigation, monetization of data assets) and what has persuaded them in the past (e.g., heavy on technical detail or focus on ROI) and what has not.
- Have a clear justification for adopting the technology: The proposal itself will need to clearly articulate the reasons leadership should invest in the technology. Reasons for adopting the technology could include risk mitigation, regulatory obligations, ROI considerations, evolving customer expectations and alignment with the broader corporate data strategy. Whether one or more justifications are provided, privacy leaders should make an effort to speak to leadership’s priorities.
- Know what groups have technology budget: Another factor you can leverage is the result of an already occurring transformation of the privacy office. As noted in the 2016 EY-IAPP Governance Study, there is empirical evidence that privacy professionals are moving out of the corporate offices and working directly with the business functions. As a consequence, the users of privacy technology are more and more sitting outside of their traditional home at corporate (e.g., right to be forgotten is typically handled by the business rather than corporate function), and it may very well be the case that the technology budget rests with the business rather than corporate. For privacy leaders, this means that, in many instances, they will have to partner with and lobby the business directly to make the case for automation.
- Make the privacy business case: You should be well positioned to make the privacy business case for automating the privacy office to counterparts in other functions tasked with carrying out a variety of privacy-related responsibilities. For example, automation can benefit the compliance and internal audit functions by making it possible for these functions to meet the new GDPR accountability requirements to not just document, but also to demonstrably verify compliance with a growing number of regulatory requirements. Similarly, other privacy tools that automate the use of personal information processing can drive efficiencies in functions like marketing and customer service by significantly reducing the time needed to conduct a marketing campaign or the time needed to respond to an individual’s access, correction or process restriction request. Working with as many functions as possible to ascertain whether there is a strong privacy business case for the adoption of the tool will certainly increase your chances of getting executive buy-in and budget.
- Leverage your experience and relationships to make the case: Privacy leaders may be relatively new to the world of securing technology buy-in and budget, but you still have many tools in the proverbial toolbox to facilitate the adoption of technology and automate the privacy office. In fact, many privacy leaders should have had prior exposure to initiatives around technology adoption driven by other functions (e.g., IT, InfoSec) either via your regular reporting structure within the organization or via participation in any number of cross-functional steering committees or working groups (e.g., data protection committees or GDPR working groups). Over the course of this exposure, privacy leaders should have a good sense of what many of the key stakeholders driving these initiatives, including key decision-makers, will need from a technology proposal to be convinced of the benefits of supporting and investing in these new privacy technologies.
Automate or perish
You will increase your chances of buy-in and budget if you’re able to work with key stakeholders to identify the benefits of automation beyond a narrow business case. There are, for example, all sorts of key data assets that need to be processed and protected (e.g., business plans, trade secrets) that are not personal information. Technical privacy tools designed for data discovery tasks can also be used to create enhanced levels of data inventory control for non-personal information. In doing so, automation of the privacy office provides a clear mechanism for privacy leaders to begin to steer the organization on a track that aligns with leadership’s vision for protecting and maximizing key data assets.
Considering the looming requirements of the GDPR, failure to take steps toward automation is not an option. It’s automate or perish.