[Image: a group of people holding hands, illustrating that ownership of privacy is shared between legal, customer, and security teams in an organization]

Who Owns Privacy?

How the privacy problem is breaking down organizational silos and driving new cross-functional collaborations.

With GDPR, CCPA, and a US federal bill being actively considered by Congress, we’ve reached a regulatory ‘point of no return’ with privacy compliance. GDPR alone has generated over 30 large fines worth more than 400 million euros in less than 24 months, and we have yet to observe the initial cost of non-compliance with CCPA.

Regulation aside, we’re seeing a dramatic increase in awareness among customers, employees, and ‘data subjects’ about how their information is used in the data economy. This rising awareness has spurred demands for more transparency and control over data access, deletion, and rectification — with our recent DataGrail study finding that 65% of participants desire to know what information is collected on them.

As of today, most of the means for organizations to deliver on privacy expectations are unsustainable. Another DataGrail survey from 2019 found that the average company involved 26 different stakeholders across almost as many functional groups to deliver an access request [link]. The pervasiveness of personal data across a modern business — from marketing, to customer support, to finance, to business intelligence — has forced a sprawl in responsibility.

For one European media business, a weekly email was sent to more than 50 employees, listing email addresses to look up and delete any associated data. The majority of these employees weren’t even hired or trained for privacy matters. This lack of efficiency cost hundreds of aggregate hours to dig through files, only to deliver results a day before the deadline.

Given the experience thus far, organizations collecting personal information are quickly recognizing that they must dramatically change their operations. The two open questions are:

  1. How will that change manifest?
  2. Who will own both the change management as well as ongoing processes to deliver on privacy requirements?

It’s a legal thing

Historically, lawyers have been the starting point for organizations trying to identify who takes ownership of privacy. In many ways, the buck stops with counsel, as they’re responsible for setting the terms for which products/services are delivered and the organization’s policies.

The legal-first approach only functions well when the primary concern is regulatory compliance. Legal teams have extensive expertise in reviewing, interpreting, and applying legislation to the business’s operating domain, and in understanding the requirements of both legislators and enforcement authorities.

The problem is that privacy is much more complicated than merely achieving compliance. With customers and employees demanding a more active role in how their data is managed, legal teams need the support and collaboration of customer-facing teams to communicate and deliver on the market’s privacy expectations.

It’s also a customer thing

While legal teams were locked away reviewing their terms of service, privacy policies, and processes to ensure compliance with new privacy regulations, customer-facing teams have borne the brunt of the operational challenge of actually fulfilling privacy requests. This falls first on support teams, since customers who exercise their rights intuitively contact customer support. It also reaches other customer-oriented functions, like sales and marketing.

Even though legal teams often list a dedicated email address for privacy inquiries in the corporate privacy policy, customer support and customer care teams across Europe are all too familiar with the pain of delivering on heightened customer privacy expectations.

In one case, I met a VP Customer Support Operations at a German publisher whose team — despite having a Legal counterpart dedicated to privacy — had been designated as the operational owner responsible for the fulfillment of customer requests for data access and deletion. The team was fulfilling requests one day before the deadline (on average), working overtime and without holiday for over a year.

In large part, this particular customer team’s new duties were made much more burdensome by a brittle and archaic tech strategy. The VP had failed to win the support of his counterparts in IT, and as a result didn’t have the budget or authority to implement change, which points again to the deeply cross-functional challenge that the privacy issue raises.

It’s a security thing, too

At its core, the privacy issue is a data issue, and data is joined at the hip with security. Under GDPR and other privacy regulations, data and information security has come under renewed scrutiny, with fresh rules for minimizing the risk of security breaches impacting personal data and for notifying data owners in the event that a breach occurs.

Beyond their immediate responsibility to prevent and respond to security breaches, security teams have the power to drive efficiency across functional groups, enabling the customer and compliance teams responsible for operational execution to work faster and more efficiently. Increasingly, CISOs are becoming an integral part of the privacy discussion and are looked to for the leadership to drive change.

For organizations whose primary activity is processing data, this means leading deep infrastructure and product-level changes. For those that act primarily as data controllers, it means continuously monitoring the organization’s ‘data estate’ and making it easy for internal users to be responsible custodians of personal data.

Security teams have the authority, the resources, and thus the responsibility to lead the management of change when it comes to privacy. If security leaders succeed, they enable their counterparts (compliance, customer support, marketing, finance, etc.) to deliver privacy that exceeds customer and regulatory expectations while lightening the operational load of fulfilling privacy requests.

Assembling the Privacy Dream Team

Given the far-reaching implications of the privacy issue, the most prepared organizations will develop cross-functional teams to lead change and ongoing operations.

In many such organizations, security teams will possess the authority, resources, and requisite expertise to serve as the catalyst for such transformation. Security leaders must enlist their counterparts from across different functional groups to help identify requirements and evaluate solutions for the challenges that privacy presents their organization.

Once the transformation is under way and the focus shifts to managing ongoing privacy operations, legal and customer team leaders must share the responsibility for continuous compliance and fulfillment. For legal teams specifically, this means ensuring that operations are compliant with the law. For customer teams, it means that those operations at the very least meet (and ideally exceed) customers’ heightened expectations of transparency about how personal information is used, as well as of control over personal data access, deletion, rectification, and more.

The operational silos separating the three functional groups (legal, customer, and security) must dissolve to create the Privacy Dream Team, which must function in the following ways:

  1. Legal will need to consider the technology and human processes that underpin privacy request fulfillment when updating corporate privacy policies.
  2. Customer teams need to be trained in compliance and possibly technology as new tooling is put in place to support new processes.
  3. Security will need to solicit the participation of all to drive the change required to deliver sustainable privacy operations.

The opportunity, as with any organizational change, is to foster new cross-functional collaboration between these teams to better service customers — and ultimately the organization itself.


Co-founder and CEO at DataGrail