Privacy is historically underfunded when it comes to company budgets, even as “data privacy” has become a popular topic. Some stakeholders view regulations, like the GDPR or CCPA, as a one-time, check-the-box project, and therefore fail to fund appropriately. However, those handling privacy management on a day-to-day basis know this is not the case when dealing with numerous complex privacy regulations. Privacy compliance is an ongoing adventure and cannot be approached like a task that will be crossed off the list once compliance has been reached. Developing a mature privacy program is crucial to ongoing risk management and compliance. So how do you do this when there aren’t the proper resources available? Luckily, there’s several ways through which you can get your stakeholders on board the privacy train:
Presenting a Solid Case for Privacy
Be Persuasive. When presenting your case to the stakeholders, be ready to make a convincing argument as to why privacy resources are needed. Be prepared. Be firm. And be early – don’t wait until the last minute to figure your compliance plan when there’s an enforcement date quickly approaching.
Align Visions. Harmonize your privacy vision with the company vision and mission statement. If your company prides itself on its transparency, show that being transparent with your privacy policies and principles syncs with that vision of transparency.
Case Studies. Nothing gets the point across like cold hard facts. Pull together a list of examples that show the importance of investing in privacy, such a recent regulatory fines, data breaches, and any consumer backlash related to data handling. These tangible use cases will demonstrate the severe repercussions when privacy is not taken seriously.
Privacy as a Differentiator. Show your stakeholders how privacy will be an innovator and how privacy will set the company apart from its competitors. At CES 2019, Apple took out a large billboard stating “What happens on your iPhone, stays on your iPhone.” This marketing move focused in on Apple’s commitment to user privacy, and used that commitment as a competitive edge.
Know What’s at Stake. Business leaders need to know how much they have to lose. Regulations, such as the GDPR and the CCPA, come with significant penalties for non-compliance. GDPR fines can total up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher). Furthermore, stakeholders need to evaluate how potential loss of trust could negatively affect brand equity.
Set Goals and Targets
Program Maturity Level. Conduct assessments to understand your company’s maturity level. Explain to the stakeholders the maturity level of the current privacy program and discuss the resources needed and the values of achieving a higher maturity level.
Compliance Metrics. As mentioned before, cold hard facts get the point across. Compile metrics on where the company is at in terms of number of privacy incidents, number of data access requests, number of number of hours dedicated to employee training, for example. Or, conversely, point out that not knowing these key metrics suggests that your organization may be at risk if requested by a regulator, shareholders or prospective M&A partners. Review and analyze past privacy incidents to create qualitative metrics. Set goals for the future and explain what is needed to meet these goals.
Let Technology Help
Automate. Aim for consistency, repeatability and scalability by using technology to automate and operationalize your privacy processes. For risk assessments, use a tool to complete assessments and generate compliance reports, which saves time, increases accuracy, and improves record keeping. Move away from spreadsheets which are very difficult to update and keep current.
Simplification. Technology can simplify the complex world of privacy regulation and privacy management. Managing data privacy and compliance risk is nearly impossible without specialized technology to streamline the process. A data inventory and mapping solution makes it easy to standardize and operationalize the processes and creates a detailed, up to date inventory of data collected along with visual data flow maps of all business processes.
Visit our website to learn more about how TrustArc can simplify privacy management for the GDPR, CCPA and 500+ other global regulations with our comprehensive technology platform.