Accepting a CPO position at an organization that does not yet have a formal privacy program is an exciting opportunity. Privacy is becoming a crucial area of focus for organizations of all sizes, and privacy topics are in the news constantly. Such a position gives you the freedom to design a program that fits the needs of your company. However, the opportunity also presents challenges. You may not know much about the business yet, and the company may already have some basic privacy components in place that need to be integrated or refined. Your job is to lay the foundation, merge existing and new pieces into one program, and then lead the way on all things privacy. Where do you start? What are the priorities? How do you introduce privacy concepts to the company? You need a plan.
Privacy program: Business, people and data
First, before building the privacy program, take some time to get to know the business by becoming familiar with the products or services. What do they offer and who are the customers? Then, looking to privacy, what do the senior leaders see as the most important work ahead of you? Are there any privacy issues that you need to handle right away? Additionally, are there any current policies or practices in place? If so, you have something to build on, but if not, you can craft your own design.
Next, get to know the people. Your colleagues will be vital in helping you understand what kind of data the organization collects, processes and stores. Also, find out what privacy issues your coworkers have confronted in their roles. Asking colleagues to take you to internal product meetings or meetings with customers is a quick way to learn how people in the company discuss their products or services (and most importantly to you, their data) with each other and with customers or partners.
Finally, to help build your privacy program, you need to understand what data your company has, where it comes from, and how it flows through the company. Every organization has a variety of categories of data, and they are very often used for different purposes. This is probably the most complicated piece of learning about the company and involves most, if not all, of the company’s divisions. So, don’t expect to figure it all out right away. Getting started with a rough sketch of what kinds of data you have, why you have the data and where the data is stored is a good start to understanding the nuts and bolts of your job.
Seven building blocks for a robust privacy program
Now it’s time to start building the privacy program. Pulling existing privacy concepts together or building the privacy foundation anew not only establishes your program, but also helps your colleagues get a cohesive picture of privacy and its importance to the organization.
An internal privacy policy often functions as a privacy primer for employees. The policy can address a variety of topics specific to the way you want privacy to function in your organization: what types of data the organization controls, the proper procedures for handling each type, any security controls relevant to privacy (access restrictions, encryption, logging), and other privacy procedures that make sense for your company.
Building block #3: Employee training
Conducting one or more informal training sessions helps you educate your co-workers on the new privacy rules of the road at your organization and opens the door for privacy questions. Privacy training also helps your colleagues get to know you and your program. You have the opportunity to cover privacy basics and introduce the policies you have put together or are planning. You can also raise awareness of privacy topics and get colleagues engaged in spotting potential privacy issues in their own roles. Finally, visible support from senior leadership is vital when it comes to training: it only takes one employee who is unaware of privacy procedures to put the company at risk.
Building block #4: Privacy by design
Privacy by design means that your organization takes a proactive approach to privacy, building privacy considerations into new products, systems, business processes and the like from the start. Whatever the project, if you have the opportunity to raise potential privacy concerns at the outset (for example, during a design review or threat modeling session, before data collection is finalized), you are using a privacy by design approach. This saves your organization both time and money, because handling privacy proactively is far cheaper than changing designs, options or technical specifications after a project is completed. Additionally, as more people become concerned with how businesses handle their data, privacy by design shows that your organization takes privacy seriously.
Building block #5: A breach response plan
Privacy experts like to say that it isn't a matter of if, but only when, an organization will suffer a breach of personal data. Depending on your organization, the tech department or the security team may already have a breach (or data incident) response plan in place. If so, review it, as it may need an update; in particular, make sure it defines when a security incident becomes a personal data breach that triggers notification obligations, and that the privacy function is part of the response team rather than being brought in afterwards. If your company does not yet have a breach response plan, putting one together is a priority. A breach response plan should address the establishment of a data breach response team, how a data breach investigation will be conducted, and who will handle legal compliance with breach notification laws (some of which set short deadlines, such as the GDPR's 72-hour window for notifying the supervisory authority) as well as coordination with law enforcement and the media, if necessary. Fortunately, there are many excellent resources on preparing for and handling data breaches.
Building block #6: A protocol for data retention
If your organization doesn't have a policy on data retention, it's time to design one that addresses the types of data you control and how long your organization will retain each type. Not only can this reduce the risk and impact of a data breach (data you no longer hold cannot be stolen), but it will also cut data storage costs. This project can take some time, but talking to the development team and other stakeholders about how much data you have, how far back it dates and where it is kept is a good place to start. Remember that deletion only counts if it reaches every copy, including backups, logs and data held by third-party processors. Digging into the details of how long you need the various types of data will likely require decisions from senior leaders, and some retention periods will be dictated by legal or regulatory minimums rather than by choice. This project can encompass various organization-specific decisions, but designing a data deletion policy is a worthwhile effort.
Building block #7: GDPR assessment
Last but certainly not least, you will want to conduct a GDPR assessment for your organization. The EU's General Data Protection Regulation takes effect in May 2018 and has a more wide-ranging impact than previous EU data protection law, so there are many new considerations for businesses. If your organization offers goods or services to individuals in the EU, or monitors their behaviour, this law will likely apply to your organization even if it has no establishment in the EU. Fortunately, there are a lot of publicly available resources on the GDPR to help you understand exactly what the law requires. Concepts of notice, consent and the legal bases for processing data are critically important, along with documentation demonstrating how your organization complies with the law's requirements. As changes to business processes or technical modifications may be required, it is best not to put this project off until next spring.
Keep building on your privacy program
Once you have made progress on these seven building blocks, you are well on your way to a robust privacy program. As you continue to build and improve it, there will be challenges, but there are numerous privacy resources to keep you current and help you tackle privacy issues. Being part of the community of privacy professionals is a valuable resource and can help you navigate your way to the program you hope to build at your organization. Enjoy your progress, and don't forget to stay aligned with senior leadership on your need to keep an ongoing role in all parts of the organization. That will be the secret to your continued success. Best of luck!