K Royal, CIPP/US, CIPP/E, Sr. Privacy Consultant
Companies need a privacy partner, not just a privacy consultant. This is a concept that I have learned with our clients while being a part of the consulting team at TRUSTe. Having been a privacy officer (both as an attorney and a non-attorney) in several industries – healthcare, medical devices, emerging technology and with clients ranging from local government to national, from financial to education in the global realm and specifically within the US sectors – I cannot say that I have seen it all, but I have seen a whole lot of it. No one person can possibly be an expert in all areas of privacy/data protection. However, at TRUSTe we have a team, tools and methodology that can, and that is what is critical to our customers.
Companies need a privacy partner. They need a team that can not only assess them for European Union (“EU”) General Data Protection Regulation (“GDPR”) readiness, but can also review their EU/US Privacy Shield compliance needs or review cross-border transfer mechanisms in general, such as Binding Corporate Rules (“BCRs”) or Cross Border Privacy Rules (“CBPRs”) in the Asia Pacific. And then, map that to their GDPR requirements or, even further, to their HIPAA compliance in the US, and even support framework questions, whether HITRUST, the International Organization for Standardization (“ISO”), the National Institute of Standards and Technology (“NIST”), or another framework. Further, a privacy partner can review the legal requirements, assess policy application, understand implementation constraints and flexibility, and adjust the approach based on client expectations, level of maturity, industry standing, and future considerations.
Being able to partner in this way with companies is a professionally satisfying experience. Every client is different and requires a different set of knowledge, skills, and mindset. At times clients may come to us with one need – to assess Privacy Shield readiness (and over 500 companies have approached TRUSTe for this) – but during that engagement realize that they have multiple needs that have been identified but not addressed, or they simply click with the team and the TRUSTe approach and engage us as a partner in several more areas. In that case, are we a serial partner?
I have found that typically we become an ongoing privacy partner. Perhaps we start by building a Privacy Impact Assessment (“PIA”) for EU data use, and then expand that assessment to PIAs for other areas, such as HIPAA in the US, or other geographic-specific needs. It is made possible by keeping the needs of the customer in mind – sure, we’re only building a PIA for HIPAA, but if we add in certain gating questions, then you can use one initial PIA to divert to specific PIAs based on region (or even down to a state) and the personal information involved. We have the technical expertise to build that into the process.
And it’s not all about people. TRUSTe tools make it easier for me to do my job. I also get to help design some of the tools given my industry knowledge. For example, most companies desperately need a data inventory done – we can do it. Also, companies will insist to me that they have no unnecessary cookies on their websites – we can run a test for cookies. But beyond that, companies can use our technology to enhance their own capabilities, such as using our Assessment Manager platform to run their Privacy Impact Assessments (which are required under several privacy regimes).
The really valuable aspect from all of this is that we are not about a single consultant, we are TRUSTe. I have little experience in FERPA, but if the customer I am working with has a FERPA element, I can tap a colleague. As a partner, we engage in frank conversations with the company and truly function as a partner, not as a generic consultant. We have your best interests at heart and look to develop that ongoing relationship that works to your benefit.
Why do companies need a privacy partner? To serve in an ongoing role that tackles the heavy lifting, listens carefully, provides a heads-up on overlapping issues in order to fill several requirements with one action, watches for duplication, foresees possibilities for expansion, and is open and frank in addressing who you are as a company, with your needs, constraints, flexibility, timing, maturity, standing, and drivers. We’re not selling you a product (although we can); we are offering you a cost-effective, widely experienced, highly efficient privacy partner.