Key takeaways:
- Cross-department communication is easier when you’ve built a culture of privacy — other teams need to understand the importance of protecting personal data. You can foster this culture by creating awareness, communication, and training.
- It can be helpful to find privacy champions throughout the enterprise, but it’s important to find the right model for your organization.
- Always position your team as business enablers to avoid any inaccurate or negative connotations associated with privacy.
An effective data privacy program can’t operate without good enterprise partnerships.
Whether it’s with compliance, information security, marketing, or data strategy, cross-department communication is a key component of ensuring the viability of your initiatives.
The relationships take work to build and sustain, and often tension or miscommunication around responsibilities, policies, and priorities can derail your efforts.
As an enterprise privacy head, how can you break down obstacles to collaboration and strategic thinking?
Bolster a culture of privacy
Effectively working with other lines of business is made easier when you’ve built a “culture of privacy.”
The International Association of Privacy Professionals (IAPP) defines a privacy culture as a shared understanding of how personal data can and should be used to support broader strategic initiatives.
Developing this culture is much more involved than just ensuring legal compliance. Of course, companies need to adhere to applicable laws such as GDPR, but doing so doesn’t demonstrate a privacy-first mindset.
Whitney Merrill, Data Protection Officer and Lead Privacy Counsel at Asana, spoke to this idea in a Microsoft interview, stating, “Just because you’re compliant with GDPR doesn’t mean you’re a privacy-focused company or that you process information in the most privacy-centric way.”
Instead, Whitney prescribed a holistic and proactive approach to bolstering your privacy culture. The entire enterprise needs to fully embrace the notion that data privacy is crucial to the success of the company. If not, someone will inevitably take a shortcut that will expose the company to risk.
But when every employee is focused on their own set of deadlines and goals, how can you encourage them to believe in and support the mission of your program?
Richard Purcell, Corporate Privacy Group Founder and former Microsoft Chief Privacy Officer, outlined a three-step practice for achieving this: awareness, communication, and training (ACT).
Your initial step is to ensure everyone understands the foundational components of your data privacy program. Then, you’re able to communicate strategy based on everyone’s responsibilities and how and when they interact with data within their role throughout its lifecycle.
“You have to be cognizant of the context of the individual’s function in order to communicate the kind of processes and controls you want that person to follow,” Richard told the Data Privacy Board.
Find your privacy champions
Cross-department communication on privacy initiatives can be further enhanced by instituting privacy champions across the enterprise.
As defined by IAPP, a privacy champion is “an executive who serves as the privacy program sponsor and acts as an advocate to further foster privacy as a core organization concept.”
A network of privacy champions can help your program gain better visibility and ensure all lines of business are accountable for the protection of personal data.
This network will vary in size and structure depending on the organization but should include representatives from IT, infosec, HR, marketing, and other key areas.
However, while privacy champions can be very effective, they may not be the best fit for every enterprise.
During a Data Privacy Board panel on scaling your program, Jennifer Garone, Senior Director of Privacy and Information Governance at Carnival, addressed some of the challenges of operating these groups.
She said there’s a lot of overhead required in order for a privacy champs program to work, and those involved need to have clearly articulated roles and expectations. Even so, she mentioned that at a prior company, privacy champs just lacked the subject matter expertise to really provide the needed support.
During the panel, Patrick Chavez, Chief Privacy Officer and Associate General Counsel at Edward Jones, also mentioned moving away from operating a privacy champion network due to a lack of role clarity.
Now that the organization has a centralized program, Patrick said they’ve decided to move these roles back under the privacy umbrella.
“What is the effort to try to train people to be division privacy leaders when in fact, we could centralize the work,” Patrick explained.
Position your team as business enablers
Even if a privacy champion network isn’t the right fit for your company, it’s imperative that privacy leaders are engaged with other lines of business.
Too often, privacy receives the inaccurate connotation of being a compliance burden or business inhibitor. Furthermore, Jennifer mentioned that some employees may feel hesitant when they’re contacted by the privacy team.
“Sometimes, when you reach out to them even for the most innocuous thing, they start to think that they’re getting in trouble,” she said.
It’s important to counter these misconceptions. That’s why Data Privacy Board Chair Robin Sooklal, Senior Director of Enterprise Privacy at Loblaw, agreed that branding is one of the primary responsibilities when standing up your privacy program.
He told the Data Privacy Board that it’s beneficial to brand your team as “data enablers.”
Some enterprise teams may hold the preconceived notion that privacy’s role is to come in and shoot down certain initiatives, but that couldn’t be further from the truth.
“We’re here to say, if not, we’ll work to find a creative solution to get you to your end result,” Robin said. “You’re still there to be enablers.”
Benchmark your organizational structure
Your organization’s structure is often a big factor in the relationships between privacy and key stakeholders in data strategy, governance, and IT.
For example, during a private conversation, Data Privacy Board members who reported into IT mentioned a much stronger relationship and easier access to key stakeholders. For those in legal, members felt they spent a lot of time explaining privacy impacts on enterprise operations to data strategy – even more so than they had expected.
Yet for any structure, members said the operationalizing of governance can be a tricky area to navigate.
With so many stakeholders, privacy leaders often find themselves included in discussions where the majority of content isn’t relevant to their roles, but they can’t afford to be absent for the small percentage where they need to give input.
A general trend among members seems to be integrating privacy more with security, which will hopefully produce stronger collaboration options around governance.
If you could benefit from benchmarking your organizational structure and partnership strategies, you can apply to join the Data Privacy Board.