You’ve finally made it. Congratulations! You’re in your new office and all you survey is in your purview. Now it’s time to start working, but where do you start? Let’s cover the basics first. Do you have any: Ability to multitask? Allies? Staff? Policies, procedures, standards and guidelines? Mission and vision statements? Elevator speeches ready? Privacy initiatives? Privacy impact assessments done or due? Deliverables that are already overdue?
First things first: If you aren’t already great at multitasking, get good at it quickly. Odds are you’ll be expected to design and develop the privacy office while addressing issues and incidents that were waiting for you when you first entered the building. Think “changing your clothes while running ... while eating lunch ... while sleeping” and doing all of these things at the same time.
Identify and Build Allies
While you are learning your environment, you must suss out your key stakeholders as future partners in privacy within your organization. Keep in mind these folks are fundamental to your success. Partnering with them to implement privacy is crucial. Build bridges and reinforce them by saying what you do and doing what you say. Be authentic. Try finding a long-term employee that you can lean on a little to help you learn who’s who and what is where. Not knowing what and where the roadblocks are may endanger your new title!
If you inherit staff, bring them together regularly and often, as least initially. Show them you’re more of a leader than a “manager." Assure them you will give them room to grow and the support to do it; then back that up by doing it. In other words, be authentic. If you are hiring, keep to the old adage and hire someone who is smarter than you. Obviously, IAPP certification is a bonus, but, realize some individuals with plenty of experience have not had the opportunity to certify. This is a great opportunity to do some lifting for someone else; it establishes trust and grows your office and the profession—win, win, win! An additional tip: listen to your staff, delegate and, if they fail, have their backs. Your staff’s resulting loyalty will benefit you in spades.
Policies and Procedures
Review what documents you have and consider whether they are current or if they need work. If they need attention, be certain you consider who authored the policy or any adjustments that may “break” something else. Office politics exist in just about every organization, and it can make or break your tenure in the privacy office. This is where those stakeholders come into play, and their contributions and advice will be invaluable. Most important to this process is active listening.
Mission and Vision
If the privacy function already has mission and vision statements, dust them off and make sure they reflect your and the organization’s current culture and compliance environment. If the statements don’t exist, you have a great opportunity to build rapport with your staff, if you have one, by engaging them in the mission and vision-development process.
Do the people in your new environment “get” privacy? Make sure you have it defined in terms of your new position. Does everyone understand the difference between security and privacy? Have a quick go-to definition of the two and a short opinion about how and why they are different. This may be your first and/or only chance to pitch your vision and needs.
Once the office’s mission and vision statements are ready for prime time, introduce your team and your function to the rest of the organization via the HR or corporate newsletter. If such a newsletter doesn’t exist, consider creating and distributing a new privacy office newsletter. Perhaps name it “Privacy Matters.” The objective is to engage your team and get the word out that there is a new player at the table.
And, it’s time to work on building those relationships again. Ask for contributions from general counsel, risk management, human resources, research, IT security, physical security, etc. Or, maybe it’s not a newsletter, it’s a brown bag event. This type of marketing and communications increases the visibility of the office. And don’t forget the WII-FM, or "What’s In It For Me?" Making privacy personal as well as institutional imparts information that employees can use to help protect their personal information outside of work and their identities.
Privacy Impact Assessments (PIAs)
Complete or not yet begun, PIAs will give you a birds-eye view and overall idea of the institution’s privacy posture. Many PIAs need to be customized to fit the environment, and they are far from being one-and-done activities. For examples you may want to check out the IAPP Resource Center or the Department of Homeland Security (DHS) webpage. DHS conducts and publishes PIAs regularly.
Deliverables That Are Already Overdue
Don’t be surprised to learn that on Day One, you are already late on some deliverables. After all, you would not have been hired if the organization didn’t need you and your skills. Remember to breathe and put one foot in front of the other. That said, make sure you are in synch with your supervisor. S/he may know compliance, ethics or the law, but they may not really understand what it takes to stand up a successful privacy function. Get a clear understanding of expectations and priorities, and to be on the safe side, get it in writing.
Remember, you are not alone! Reach out to your peers and colleagues through the LinkedIn privacy pages, via the IAPP networking opportunities and the IAPP membership directory. For me, personally, I know I am happy to help, and I have yet to meet a CIPP who won’t.
If you want to comment on this post, you need to login.