In 2014 there seemed to be a new data breach every week. Be it credit card data, student information, social security numbers, or corporate intellectual property, the personal information of any business’s clients, employees, or of the business itself was exposed. Here are 5 priorities that you should consider for your business as we embark on 2015.
Appoint a “C” level owner for privacy
It is a simple task to assign the responsibility for the success of your privacy program to someone. In fact, you may have already done it. Let me ask a couple of questions though.
- Is the privacy program owner senior enough in the organization to make things happen?
- Is the owner visible enough to get momentum going for your program?
- Is the owner able to facilitate change within your organizational culture?
- Is the owner willing to take the risk of changing the way things are done?
- Is the owner passionate about protecting personal information?
If the answer to any of these questions is “no” you may want to consider assisting the privacy program owner with an executive sponsor who is part of your C suite. Someone who is successful enough to be a member of the C suite should be able to answer “yes” to the first four questions. If they can answer “yes” to being passionate about privacy, you have someone who can become the “face of privacy” for your organization. They will provide the necessary support and endorsement for your privacy program to make it successful in 2015 by helping your privacy team get the resources, prioritization, and mind-share that they need.
Train senior leadership
The most successful privacy programs I have seen are the ones where senior leadership understand what privacy is all about. I am not suggesting that these people become trained in how your program works, but that they understand, at a high level, the privacy landscape, the emerging trends in privacy, and what the future might hold.
When I have provided this training in a setting that encourages discussion, the conversation always comes around to the implications for their business, a very healthy and enlightening conversation. Also, midway through these sessions one participant always seems to ask something like “Am I supposed to be as nervous about this as I am now?”
Of everything I have seen, this is one of the most effective awareness tools in your arsenal. The leaders, now understanding the importance of a privacy initiative, will then get their managers to become more privacy aware, which will drive the managers to raise the awareness of their teams.
Do a privacy assessment
How good is your privacy program? How do you decide where to make investments for your privacy initiatives? Unless you do an assessment of your privacy program using an industry standard framework, I suggest you really do not have a good understanding of how good you really are and where you can make improvements.
Using the results of an unbiased assessment, a business can then perform a risk assessment on the areas for improvement. This will enable the business to invest in initiatives that will yield the largest benefit for their operation.
Create a privacy community
A privacy community is a cross-functional team that spans your organization with members who have an interest in protecting personal information. The members, I refer to them as Privacy Champions, become an informal team supporting your privacy program by being the eyes, ears, and hands within individual departments.
Privacy Champions can provide your privacy program with insight into what is happening within their organization; they can help drive the privacy initiative; they can provide creative ideas on how to improve awareness; and they can help implement awareness and other privacy initiatives. Most important, the Privacy Champions help improve compliance by becoming the “privacy conscience” of their department.
Participate in an IAPP event
People who have met me recognize how personally invested I am in the International Association of Privacy Professionals. The IAPP has the publications, resource library, training, and certifications that you would expect of any professional organization (and they do an outstanding job of all these things). However, it is the events that I find most valuable.
In addition to the expected sessions on privacy topics, any IAPP event, such as the annual Summit, Academy, Data Protection Intensive, Practical Privacy Series, Data Protection Congress, or a local KnowledgeNet, encourages and facilitates networking with your peers. During “Speed Networking” sessions I have met chief privacy officers from all sorts of organizations, government officials, and some of the prominent privacy players in the profession. The most valuable thing you take away from an IAPP event is a new set of contacts with whom you can discuss privacy concepts, bounce program ideas against, discover what has worked for (and not worked) for them in their programs, or simply to commiserate with.
If you are interested in discussing any of these items in more depth, please feel free to contact me via email at firstname.lastname@example.org or by phone at (888) 470-1528 x801.