Privacy compliance is a critical priority for any organization, as it plays a crucial role in protecting the personal information of customers, clients, and employees. With the increasing amount of personal data being collected and stored by organizations, it is more important than ever to have robust privacy compliance policies and procedures in place to safeguard against data breaches, cyberattacks, and other forms of unauthorized use and access to personal information.
However, privacy compliance is not a goal that one team or department can accomplish alone. It requires a collaborative approach built on partnerships with the various functional departments within an organization. Privacy is not an ivory tower broadcasting into a vacuum; it is a set of principles that should become part of an organization’s DNA.
I’d like to share some insights from my experience in privacy compliance in forming and maintaining these partnerships.
Privacy and Security
One of the most critical partnerships in the pursuit of privacy compliance is that between the security department and the privacy team. The security department is responsible for protecting the organization’s networks and systems from cyber threats, while the privacy team is responsible for ensuring that the organization adheres to the relevant data protection and privacy regulations and guidelines, many of which contain security obligations of their own.
Together, these two teams must work to:
- identify and mitigate risks to personal information
- implement effective security measures
- conduct regular assessments to ensure that the organization is meeting its privacy compliance obligations
There are many areas of mutual support, for example: vendor management, internal systems access controls, business continuity and disaster recovery, data protection impact assessments, and staff training.
I have found that regular formal and informal meetings with my security colleagues are essential. These meetings are important because:
- the teams need to be aligned on training internal partners and speaking with clients
- privacy can help security stay up to date on regulatory changes and benefit from legal analysis and drafting for policies
- privacy can help security present its message to inquiring external attorneys and auditors
- security can help privacy understand the specific implementation of security measures like encryption, SIEMs, permissions structures, obfuscation, and best practices
- the teams must be aligned and work smoothly together in assessing time-sensitive incidents
- the teams must cooperate on security and privacy audits and certifications
- privacy needs security’s help in implementing many forms of privacy protection
Privacy and Customer Service
Customer support teams interact with clients and customers daily and are often the first line of defense when it comes to safeguarding personal information or promptly providing information regarding incidents related to services.
When customer service and customer success teams are aligned with, and well trained by, the privacy team, the groups can work together to provide privacy-aware services that not only build client trust but also create an added layer of issue spotting, to the mutual benefit of customers and service providers.
I’ve found that disagreements around data protection are resolved much faster when people involved in providing customer service understand the company’s privacy obligations. Customer service functions communicate heavily with clients. As a first line of contact, the attitude and sense of care of the customer service representatives can impact how a client reacts to difficult situations when they arise. Customer service can contribute heavily if they can answer basic client inquiries about the services like “do you process my personal data?”, “if so, which?”, “whose?”, “why?” Being able to answer these questions shows a customer that you not only understand privacy compliance, but that you also deeply understand the data flows of your own services.
Privacy compliance does not occur in a small room in the back of an organization. It happens every day with every action taken and every word spoken.
Privacy and Human Resources
Human resources teams have a critical role to play in privacy compliance, as they are responsible for collecting and managing personal information related to employees. The compliance team can work closely with HR to ensure that appropriate controls are in place to protect employee data. Depending upon where these roles sit in your organization, HR may be critical in ensuring that staff are well-trained in how to respond to privacy-related inquiries so that they are able to provide detailed information on the organization’s privacy policies and procedures.
When HR shows respect for personal information and treats the private details of employees with care, there is a significant positive impact on employee morale.
There are behaviors that we don’t necessarily think of as privacy compliance but that any skilled member of HR understands:
- don’t gossip about people – because this is not a legitimate business use of personal information
- don’t pass sensitive personal information to persons who do not have a strict need to know
- understand that information about employees belongs to the employees and the company holds it in trust
Privacy and Sales
Sales teams are often responsible for collecting and handling personal information as part of the sales process and must ensure that they are adhering to all relevant regulations and guidelines. They also set a customer’s first impressions of a company and may receive a wide range of privacy-related questions.
Privacy and sales need to develop and implement effective privacy controls, such as obtaining consent for data collection and ensuring that data is properly secured, which is not only critical for regulatory compliance, but also demonstrates the kind of respect that builds client trust.
One thing in my career that I’ve found ironic and amusing is the behavior of privacy vendors. Some vendors will find my contact information online and send marketing to me without complying with privacy laws that should permit me to opt out of the marketing. Others have invited me to demos and attempted to record me without my consent, thus destroying my trust in their brand before we have even discussed the product.
I believe that we don’t just buy services that we (a) need (b) can afford, and (c) believe can be properly performed, but that we also (d) trust that the a, b, and c information that we’ve been told is true.
When a person who wants my business violates my trust regarding my phone number, email address, name, or other personal details, everything else they’ve said to me is called into question. Suddenly, I recall that time the contractor charged me twice as much – or was unable to do the job.
This is why it’s important that the sales team knows that the privacy team is on their side. We are here to help sales communicate trust to the client so that the foundation of the deal remains solid. We can do that by showing the sales team how to:
- accurately relay information to the client about how personal data is used in the services
- spot a data privacy issue and know who to call
- explain our role in supporting a client’s own privacy compliance
Conclusion
While there is no one-size-fits-all approach to privacy compliance, I have found that the programs that implement it effectively do so by proactively reaching out to the other functions and then listening carefully to the needs of each one. A different approach to communication may make sense for different functions and groups. While one team may want to master the material and happily self-serve from guidance documents, other groups will make specific requests.
Since the most efficient use of privacy compliance resources is when the organization understands what you are saying, it is important to find the medium and method that communicates best for the recipient. Understanding how your partner organizations communicate and work draws the map for how a cross-functional partnership can thrive in the long term.