15 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe
Yesterday, I shared the first lesson I’ve learned “Be a counselor” over the past 15 years while seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. The second lesson I learned first caught me by surprise and then over time convinced me that the methods the business teams I was counseling were seeking to solve their business challenges were in fact the potential answer to a problem I encountered six years into serving as a privacy leader. Before I share my tips on building sustainable solutions, I thought sharing my personal story on how I learned this lesson could provide some helpful context.
I was fortunate to learn how to be a privacy leader from an amazing leader, lawyer, counselor, philosopher and friend. He had the vision and the courage of his convictions to lead us to develop a global privacy and protection policy that would set a baseline standard for governance and protection of data across our business globally. Over two years, he persuaded all areas of the organization on the business value of the approach. Over the next thirteen years, only the proliferation of breach notification laws and a mega-merger would necessitate a few substantive changes to that policy.
The surprise to me was the sustainability of the policy given the frequency with which new privacy laws continued to be enacted. Regardless of how often the laws continued to change, the policy always provided the basis for complying with the substantial majority of any new legal and regulatory requirements. The best evidence of that policy’s sustainability, as evidenced by its ability to address even the latest developments in global privacy standards, is that earlier this year, it ultimately became the basis for the first EU approval of a company’s binding corporate rules (BCRs) that were based on a program previously certified by TRUSTe as compliant with the APEC Cross-Border Privacy Rules (CBPR) system.
While we were able to develop a sustainable policy all of those year ago, we were less fortunate in dealing with the rapidly growing number of initiatives that moved from paper to automation to cloud computing to data analytics. Six years into running a global privacy program primarily off of email, documents and sheets, we made our first attempt at using technology to automating some of our workflows. After piloting a number of approaches over the next five years, we concluded that the only way to really serve the business efficiently and effectively over time was to build an integrated privacy management platform that would allow us and business teams to readily determine the risks of a particular technology or business process at any point in its lifecycle. Put simply – build sustainable solutions. Here are some tips to help you develop your own approach.
2. Build sustainable solutions. Not all organizations are ready to put robust, sustainable solutions in place. Some are only resourced to handle obligations on an initial ad hoc basis. Others are beginning to move up the maturity curve toward repeatable, defined, managed and optimized.
a. Business is not static. Regardless of an organization’s privacy and data governance program maturity, most organizations have data and technology needs that continue to evolve as business needs change and technology improves.
b. Privacy regulation is unlike any other regulatory area. Because data about people can be generated in some many different forms and contexts – from where we go, to what we eat, to how we feel, what we spend and whether we sleep – privacy and data protection requirements can be enforced by many different types of regulators, and in some cases, by private parties as well. In this complex regulatory environment, the privacy leader, as well as others in the business, legal and compliance, need to be able to demonstrate accountability and compliance upon request at any point in time.
c. Good governance and technology solutions. Good governance, clearly documented roles and responsibilities are critical not only to putting a program in place, but also to enabling it to be implemented effectively and to mature over time. Technology solutions support these goals as well. Other business functions that rely on data, such as finance and human resources, have recognized the importance of investments in workflow automation, cloud computing and data analytics. Privacy and data governance programs can be made sustainable through technology solutions that facilitate creating data processing inventory, evaluating of associated risks, documenting mitigating controls, identifying changes, managing potential incidents and demonstrating what is in place and its effectiveness. While this can be a substantial undertaking, investment in modular solutions in ways that are tailored to an individual company’s culture and maturity can enable an organization to manage privacy much more effectively so that the privacy leader can focus on tackling new and emerging issues.
In summary, sustainable solutions such as good governance and technology position the privacy leader well for helping the organization to maximize net data value – a concept we’ll explore further in my final post in this series.