Today I find myself in Louisville, KY performing a privacy assessment for a client. When visiting clients to perform an assessment, I meet with team members from all parts of the organization. Usually, I am accompanied by someone from the privacy office or legal team. Frequently, my escorts learn something new about the business and just as often are surprised by what they hear.
Who is accompanying me
When doing an assessment, I encounter two types of individuals from an organization’s privacy and legal teams. There are those who are very confident that their organization is following policies and procedures. They are absolutely 100% legally compliant. These individuals assure me that personal information is being properly handled and protected. They cannot see any reason why, when the Generally Accepted Privacy Principles (GAPP) model is applied, the maturity level would not be Optimized.
The other type, the more frequently encountered of the two, is disappointed by the lack of adoption of policies and procedures within their organization. There may not have been any notable data breaches, but that is just luck. They often feel the business units just don’t take privacy as seriously as they should.
Of course, reality is somewhere in the middle. Maybe the people sponsoring the assessment and accompanying me to meetings are posturing. They are certainly trying to set my expectations. In actuality, .
Pleasant discoveries in meetings
When I walk into a room with my escort to discuss privacy with members of a business or operational area, I often find the other attendees nervous. They picture my team and me breaking out the bright, hot lights and subjecting them to an interrogation about their departmental practices. The story they tell, naturally, must meet my escort’s expectations and how that person set mine.
By taking a conversational approach to these meetings we tend to dispel the nervousness of all of the attendees. We ask the attendees to tell us the story of their jobs, how they use personal information and how they protect it. This approach allows us to learn a lot in a very short period of time.
As the discussion progresses something surprising always comes up. Some process has been defined, some practice has been put in place, or some training activity has taken place that my escort never heard about. I love watching the facial expressions turn from surprise to pride. At the end of the day, even those escorts who thought they were on top of everything admit they learned something new.
The fact is that your organization’s employees do care about privacy. They have undertaken some initiatives that you have not heard about. They may be doing a better job processing and protecting personal information than you can imagine.
Every privacy team should take the time to assess how their business is performing relative to their privacy program’s expectations. Regardless of whether the assessment is done by a third party or you do it yourself, you will learn more about the business and those surprises, those hidden gems, will pop out.