Accepting a CPO position at an organization that does not yet have a formal privacy program is an exciting opportunity. Privacy is becoming a crucial area of focus for organizations of all sizes, and privacy topics are in the news constantly. Such a position gives you the freedom to design a program to fit the needs of your company. However, such an opportunity can also present challenges. Specifically, you may not know much about the business, and the company may have some basic privacy components already in place that need to be integrated or refined. Your job is to lay the foundation, merge any existing and new pieces into one program and then lead the way on all things privacy. Where do you start? What are the priorities? How do you introduce privacy concepts to the company? You need a plan.
Privacy program: Business, people and data
First, before building the privacy program, take some time to get to know the business by becoming familiar with the products or services. What do they offer and who are the customers? Then, looking to privacy, what do the senior leaders see as the most important work ahead of you? Are there any privacy issues that you need to handle right away? Additionally, are there any current policies or practices in place? If so, you have something to build on, but if not, you can craft your own design.
Next, get to know the people. Your colleagues will be vital in helping you understand what kind of data the organization collects, processes and stores. Also, find out what privacy issues your coworkers have confronted in their roles. Asking colleagues to take you to internal product meetings or meetings with customers is a quick way to learn how people in the company discuss their products or services (and most importantly to you, their data) with each other and with customers or partners.
Finally, to help build your privacy program, you need to understand what data your company has, where it comes from, and how it flows through the company. Every organization has a variety of categories of data, and they are very often used for different purposes. This is probably the most complicated piece of learning about the company and involves most, if not all, of the company’s divisions. So, don’t expect to figure it all out right away. Getting started with a rough sketch of what kinds of data you have, why you have the data and where the data is stored is a good start to understanding the nuts and bolts of your job.
Seven building blocks for a robust privacy program
Now it’s time to start building the privacy program. Pulling existing privacy concepts together or building the privacy foundation anew not only establishes your program, but also helps your colleagues get a cohesive picture of privacy and its importance to the organization.
Often times, an internal policy can function like a privacy primer for employees. The policy can address a variety of topics specific to the way you want privacy to function in your organization. You may want to lay out what types of data the organization controls, the proper procedures for handling the various types of data, any security protocols relevant to privacy, or other privacy procedures that make sense for your company.
Building block #3: Employee training
Conducting one or more informal training sessions helps you educate your co-workers on the new privacy rules of the road at your organization, along with opening the door for privacy questions. A privacy training will also help your colleagues get to know you and your privacy program. You have the opportunity to talk about privacy basics and introduce the new privacy policies you have put together, or are planning for the future. Additionally, you can raise awareness on privacy topics and get your colleagues engaged in identifying potential privacy issues in their roles in the company. Finally, having support from senior leadership is vital when it comes to training. It only takes one employee who is unaware of privacy procedures to put the company at risk.