14 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe
Part 1. Be a Counselor.
Last Thursday I had the honor of delivering a firestarter session at the IAPP Practical Privacy Series in Washington, D.C. I had been asked to speak about re-envisioning the role of a privacy leader as a business enabler – rather than a leader who solely focuses on providing compliance, policy and/or legal guidance – and it inspired me to share three invaluable lessons I’ve learned over the past 15 years while seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. Based on the kind feedback I received from participants, I am sharing highlights from the session in a three-part blog series.
- Be a counselor. Regardless of an organization’s maturity in governing data, protecting data, or implementing a privacy program, business teams need to focus on delivering business results. They may feel that they don’t have time to worry about privacy regulations and processes that distract them from that focus. What they need is a counselor – someone who helps them think through their business needs for the data and the business risks associated with not governing and protecting the data effectively and sustainably. How can you be a counselor? Follow these tips to get started.
- Have a conversation. Seek to understand what the business wants to do with the data: What are their goals? What do they want to achieve? What data do they believe are needed for that purpose? What do they think they might want to do with the data in the future? Based on your discussions with them about the value of the data to them, help them understand the risks associated with not protecting the data.
- Transparent communications. Help them envision transparency tools, such as notice, choice and account management for individual rights like access and correction, to meet broader communications objectives for projects. For example, a newsletter might be a vehicle to deliver a required privacy notice as well as a mechanism to invite the recipient to consent to additional types of interactions with the organization.
- Choose the best vendors. For expense management reasons, business teams will often be guided to select vendors primarily based on cost. Often, however, the lowest-cost vendors are ill-equipped to support the risk management and regulatory obligations for which the business is responsible. Worse yet, some business teams don’t realize that their data responsibilities and liability don’t end when the data are in the hands of the vendor. Guiding the business to select vendors that appropriately balance cost and mitigate risk will help prevent data breaches and other liability problems that can obliterate any immediate cost savings.
If you found this guidance helpful, I hope you’ll return for the other two parts in this series.