Who Is Responsible For Data Privacy?
Famed basketball coach Phil Jackson once said, “The strength of the team is each individual member. The strength of each member is the team.”
Jackson has more NBA titles than any other NBA coach, the highest winning percentage of any Hall of Fame Coach, and is the only coach in any professional American sport to win more than ten titles.
The dynasties he built in Chicago and LA were founded on the principle that each person on the team, whether Michael Jordan or Trent Tucker, had a key job. Even if a player only got two minutes of playing time, they had better be ready to do that job when the team needed it done.
If you want a world-class data privacy program, you should build it on the same foundation.
Privacy is a team sport
“Good teams become great ones when the members trust each other enough to surrender the Me for the We.” —Phil Jackson
Historically, companies have left it to their IT departments to protect company data and users’ sensitive personal information from hacks. After all, data is stored on servers, accessed through networks, and analyzed on computers—and that’s technical IT stuff.
But with 156 million sensitive records in the US exposed by hackers in 2020 alone, governments worldwide are protecting citizens by passing increasingly robust data privacy laws.
The General Data Protection Regulation (GDPR), passed by the European Union (EU) in 2016, and the California Consumer Privacy Act (CCPA), passed in 2018, dramatically changed how businesses collect and process personal data by giving consumers more control over their information. Other governments quickly followed, with laws being proposed and passed every year in countries across the world.
These new laws are complex regulations that touch every aspect of business, from marketing to operations to customer service. To protect against data breaches and maintain compliance with data protection law, all your employees need to understand and execute their job in the privacy game.
Wondering who should be on your team?
A cybersecurity team may have different key players than the Chicago Bulls, but in both cases, it’s important to have the right person in the right position.
Your cybersecurity team should touch every aspect of your business—from your leadership team to marketing to customer service.
Build your team
According to Security Magazine, “cybersecurity is a shared responsibility across every function and level of an organization.” Data privacy and cybersecurity aren’t quite the same thing, but the same idea applies to both specialties.
A great privacy team will have input from people in multiple roles. This might include:
- Executive Leadership
- Information Technology
- Human Resources
- Customer Service
Sometimes these teams have a job specific to their skillset, and sometimes the responsibilities overlap between functions.
“As a leader, your job is to do everything in your power to create the perfect conditions for success.” —Phil Jackson
If your management team doesn’t take privacy seriously, you can’t expect anyone else in your organization to either. As an executive leader, it’s up to you to build a culture of privacy across your company.
This means, at a minimum, you:
- Understand the basics of whatever data privacy law(s) apply to your business
- Organize your executives and/or their representatives in a cross-functional team responsible for completing a thorough risk assessment and developing a plan to achieve compliance
- Oversee your data privacy team as they execute their plan, fully funding and supporting them as they take steps to protect data
- Provide adequate training so all employees understand expectations and responsibilities related to data privacy
- Make sure privacy best practices are built into as many business processes as possible
“Our offense empowered the players, offering each one a vital role to play as well as a high level of creativity within a clear, well-defined structure.” —Phil Jackson
There’s no question that IT/IS teams do the heavy lifting when it comes to the technical solutions and processes used to secure data. But if those solutions and processes don’t have support from outside IT, they will fail as soon as they are turned over to employees.
An IBM study found that human error was a major contributing factor in 95% of data breaches. Your IT department can implement a state-of-the-art cybersecurity program, but it only takes one employee clicking a bad link in a suspicious email to expose your entire system to a hack.
To be successful, IT’s data security efforts must be backed up by risk management, employee education, and audience engagement initiatives from HR, legal, marketing, and operations that emphasize both the personal and collective responsibility employees have to protect consumer and company data.
“The more I tried to exert power directly, the less powerful I became. [Changing] this approach strengthened my effectiveness because it freed me to focus on my job as keeper of the team’s vision.” —Phil Jackson
Most of the laws being passed are inspired by and focused on how companies collect, process, use, and share consumer data. Because your marketing team bridges the gap between what can be collected (legal), how it’s collected (IT), and how employees use the data (HR and operations), they act as the lynchpin holding your data privacy program together.
Marketers’ involvement is critical throughout every aspect of developing a privacy program. But since every unnecessary piece of data is a serious liability, they also have a specific responsibility to identify the minimal amount of data needed to uphold a vigorous marketing operation.
Once marketing teams collaborate with IT on how and what types of data to collect, they can work with legal, HR, and operations to build compliant workflows.
“Selflessness is the soul of teamwork…teams that are less talented but more selfless and group-oriented can have more success.” —Phil Jackson
Legal departments have a clear mandate for building a privacy program—to make sure all data processing notifications, policies, and practices comply with regulatory requirements. For large corporations, this could mean collaborating with teams in other countries to maintain compliance with laws in multiple jurisdictions.
It’s easy for legal to be seen as a program killer, since statutes rarely leave much room for creative interpretation. But a good legal team will work with their counterparts, particularly marketing, to make sure everyone understands the law and then join forces to come up with solutions that work for everyone.
“A coach’s main job is to reawaken a spirit in which the players can blend together effortlessly.” —Phil Jackson
We know we sound like a broken record, but we keep saying this because it’s important: your privacy program is only as good as your employees’ understanding of and commitment to it.
You need HR to give input on protecting employee privacy, but they are also the key to making privacy an intrinsic part of your company culture. Through regular training, email reminders, policy spotlights in staff meetings, and compliance tracking measures, HR is as important to the implementation of your data privacy program as IT is to building it.
“I think people forgot that there are still ways you can get the ball inside rather than just standing there and throwing the ball in. You have to have a system that makes all things work.” —Phil Jackson
Customer service is always important, but now that consumers can file data subject access requests (DSARs) to find out what personal data you’ve collected and how you’re using it, you won’t be able to maintain compliance without implementing new training programs and workflows for your CRM team.
Hackers most often gain access to well-protected data through low-level accounts like those used by your frontline CSRs. A two-pronged approach that educates customer service teams about the part they play in protecting company data and the processes for giving consumers transparency into that same data is a must-have for this new era of consumer privacy protection. This way, if a customer calls to file an individual rights request, your customer service representative will be prepared.
Team on three…
“No one plays this or any game perfectly. It’s the guy who recovers from his mistakes who wins.” —Phil Jackson
Listen, we know data privacy is complicated, partially because it’s constantly changing. This article is geared toward larger companies with separate departments for each of these functions, but your company may be smaller with one or two people doing everything.
The good news is that because privacy laws are here to stay, there are a lot of affordable, functional tools out there that are scalable and designed for businesses of all sizes.
Whether you’ve already tried to start a data privacy program and failed, or your existing program needs updates, Red Clover Advisors has a killer privacy compliance program that can help you build strong, agile processes that get you where you need to be. Drop us a line to get your team on the path to victory.