Written by Laura Koulet, originally published in Bloomberg Law on May 19, 2020
Organizations of all shapes and sizes are placing a renewed focus on privacy.
As data protection regulations evolve, legal teams around the world have been hard at work complying with new privacy laws and developing flexible, holistic privacy frameworks that allow them to adjust to new regulations and forthcoming browser-based data restrictions.
In today’s climate, it seems to be more important than ever to assure consumers that consumer data protection is a company priority.
Like many efforts, it takes a dedicated team across many functions to innovate and execute, particularly with quickly evolving compliance requirements. Today’s reality of social distancing and working from home creates management challenges, and executive teams need a strategy to effectively work across all different departments to activate a cohesive privacy program.
When product development teams work in complete isolation from compliance or risk management teams, inefficiencies and gaps in efforts to remain compliant are sure to emerge. Siloed workflows frequently prevent legal teams from identifying key privacy risks until product investments have already been made and development has commenced.
To successfully evolve in a continuously shifting regulatory landscape, it takes a cohesive approach where legal teams and other c-suite executives work together to ensure trust, transparency, and compliance across the entire organization.
Siloed Privacy Efforts Are Risky
Companies may consider a customer data breach or regulatory fine a worst case scenario of lack of oversight by siloed teams, but the potential risks of a siloed privacy approach can pose other unintended consequences.
In the model where product and engineering teams spend months working on products that require significant investment, only for the legal team to be included just prior to launch can result in delays, and feedback that requires re-working key elements of the approach.
The best way businesses can protect themselves is by implementing privacy review early in the product development cycle, and creating an active and engaged stakeholder group through regular discussions, and ensuring processes to function that allow for a seamless, companywide response to changing circumstances.
Prioritization, Education and Coordination: Building an Integrated Privacy Program
There are three key facets to implementing a successful, fully integrated privacy program: prioritization, coordination, and education.
By placing a consistent focus on privacy best practices, executive leadership teams can encourage employees to make data protection a priority throughout day-to-day business. Like any risk management, this means allocating resources and time to adequately review and analyze issues with the lens of privacy considerations, and allowing adequate opportunity for discussion. This may also require investing in specialized expertise for particularly nuanced, or developing issues.
Additionally, incorporating language that reflects this priority in internal and external communications helps to build its profile of priority among clients, vendors, and employees. Whether communicating in an internal email, a sales pitch, or an interview with the press, organizations should take special care to develop messaging around privacy whenever they articulate their ideals and value propositions.
Over time, maintaining a steady stream of ‘privacy as priority’ efforts creates a virtuous cycle, where external stakeholders come to expect that the entire company will deliver on its privacy promise, and internal stakeholders are driven to meet those expectations.
2. Coordinated Execution
Coordinated execution is necessary to turn a stated privacy priority into a robust, companywide operation that detects and effectively addresses privacy challenges.
A key way to ensure coordination is to hold regular and frequent meetings devoted exclusively to new initiatives in the company, reviewing products, and evaluating how new rules and regulations apply to the company’s efforts in data privacy. This ensures that the legal and product teams can meet with stakeholders from across all major departments to ensure alignment.
This practice also provides a forum for teams to regularly raise questions about issues they recognize as needing additional input, and carve out time for evaluation apart from the sole business initiative.
Organizations can firm up these efforts by providing continuing privacy education for all employees. For instance, an all-hands privacy training once or twice a year can be a great way to set an organizational foundation. Some of the material can be repetitive for people whose tenure is longer, but if you want something to stick, you need to repeat and promote these important best practices throughout the entire organization.
The goal is to create a company where every key stakeholder knows the basics of data and privacy management—and how to flag risks for further review.
There’s Never Been a Better Time to Act
With Google Chrome announcing it will phase out third-party cookies within two years, companies are re-thinking about how they collect and use consumer data—not just in the legal department, but across every aspect of the business.
Executive teams can capitalize on these changes by bringing departments together to discuss what it means for their organization, and how their companies can navigate a multi-faceted approach to data protection.
By taking action now to develop a coordinated, flexible, and integrated privacy structure, companies will be better positioned for whatever comes next.