After a company identifies the data privacy framework that works for them, the next step is to consider the right privacy strategy. In simple terms, a privacy strategy covers the company’s approach in communicating and obtaining support for the privacy program within the organisation.
Remember, to drive the privacy program is a team sport, and that requires a strategy. Any winning football team, for example, will have a specific winning system. In a similar vein, building a privacy strategy may mean a plethora of things. For example, it may mean changing the collective mindset and perspective of an entire organisation.
To protect personal information in any organisation, everyone—bottom-to-top or vice versa—has a function.
The most important part is the management support. Management must approve funding to equip the privacy team, privacy-enhancing technologies, support privacy initiatives like training and awareness, and create methodologies to hold staff within the organisation accountable for following company policies and procedures.
Imagine a company that claims that they have a clear desk policy and yet, staffs leave pieces of paper with personal information on their desk. That’s a strategic failure on many levels: leadership, monitoring and auditing. So, in essence, a privacy strategy will communicate company’s approach and punitive measures in cases like this.
There are no shortcuts. Every staff within an organisation contributes to the success and failure of any privacy program. A weak link in the organisation can break any vital privacy program. Research shows that human error accounts for fifty-two per cent of the root causes of data privacy breaches.
So, before any organisation begin their data privacy journey, the management team must understand that the criticality of their involvement in the project. The practical contribution of management drives every privacy program.
There are specific challenges in building a privacy program. The most important one is gaining consensus from the members of the organisation. In fieldwork, normal business-as-usual (BAU) activities limit the total contribution of specific stakeholders, and as such, slows the implementation of the privacy strategy. It is crucial, therefore, to have dedicated individuals that can drive the privacy program.
The one-on-one informal conversations with executives within the organisation who have accountability for information management and security, risk, compliance, or legal decisions are foundational steps in privacy strategy. Here, one can find the present state of the company’s data privacy strategy.
These conversations usually reveal a sense of which executive will or should be the program sponsor. For example, a particular company decided to use their Head of Information Technology Officer as the data privacy program sponsor because she understands the complexities of embedding technical steps in data privacy compliance. Influential program sponsors have experience with the organisation, respect their colleagues, and can access the budget or final budgetary decision-makers.
I mentioned above about teamwork. As such, companies must build the right privacy team to formalise the organisation’s approach to privacy. There are many factors companies must consider to create the right team. An important question to find out is the positioning of the privacy team and what authority it will receive. Also, where should privacy team be placed: Legal or IT umbrella?
Companies must integrate essential steps when creating the privacy team. First senior leadership involvement is critical. Second, identify various stakeholders within the organisation whose roles feed into the privacy structure. Third, company stakeholders must develop internal partnerships with different staff members to ensure that privacy controls are adequate. Lastly, collaboration is vital in making any privacy program work.
Defining the right privacy strategy and creating the right privacy team plays their role in ensuring that companies treat privacy as a business function. People make up companies, and their contribution will ensure that any organisation’s approach to privacy adequately meet regulatory requirements and broader business objectives.