We wish we could say that all organizations can achieve an amazing privacy program with the click of a button. We would love for there to be one magic solution. But privacy—just like most things in business and in life—is a little more complicated than a single product or person.
Here’s the truth: privacy is a collaborative, ongoing project for any organization.
It requires employee buy-in from multiple departments, a well-thought-out program and practices, and long-term collaboration between stakeholders across your organization. (And even then, you may still choose to bring in third-party experts to help build your privacy program and ensure compliance with all of the countries that are building privacy regulations).
We get it. It’s hard. Thankfully, you don’t have to go it alone. If you’re wondering how to get your privacy program on track and adaptable to future regulations, you’ve come to the right place.
Quick check: what is a privacy program?
A privacy program is a set of operational policies and documentation that detail the practices, requirements, and other measures that an organization takes regarding data collection, as well as how they manage, store, and protect personal data.
A privacy program should be built on applicable privacy laws and regulations at the state, federal, sectoral, and global levels, as well as privacy best practices. And because these elements aren’t static, it’s important to build your privacy program with a changing landscape in mind.
Why privacy programs aren’t a “set it and forget it” policy
Ever since the EU’s General Data Protection Regulation (GDPR) came into effect in 2018, countries around the world, as well as individual states within the U.S., have adapted and refined their privacy regulations.
Because the United States does not have a federal privacy program, regulations vary. There are privacy laws on both sectoral level (i.e., finance, communications, healthcare, etc.) and on a state-by-state basis.
When it comes to geographical jurisdiction, businesses aren’t only beholden to the laws where they’re headquartered. Privacy policies apply to businesses anywhere they collect data. So if your business collects data from citizens of the EU, Brazil, and/or Utah, for example, your business is responsible for following the laws of all respective governments.
Here’s where it gets even trickier.
Even as new countries and states adopt new regulations each year, established data privacy laws are also subject to change. This means that to maintain its impact, your privacy program needs to be adaptable.
For example, California’s CPRA instated updates that came into effect on January 1, 2023 to expand individual rights and create new requirements for data belonging to minors. It also created a new enforcement agency designed to ensure accountability.
Meanwhile, in Europe, the EU Data Governance Act (DGA) will come into effect in September 2023. While the DGA isn’t exclusively concerned with personal data, it will have a significant impact on the GDPR.
Broadly speaking, the EU Data Governance Act is intended to increase data transparency and accountability in data processing, which aligns with the mission of GDPR. More concretely, it will create new rules for how data can be shared and used. The intention is to build a new legal framework for data intermediaries that collect, process, and distribute data.
What does this mean for businesses and their privacy programs?
If your organization is found to be non-compliant with applicable regulations, it may be liable to significant fines and other risks. So as much as businesses would love an out-of-the-box privacy program that will set them up for the next decade, it’s just not a realistic ask in this legislative climate.
But it’s not all doom and gloom. It is absolutely possible to create and maintain a strong privacy program that benefits you and your consumers while maintaining compliance with varying regulations.
Because organizations can be liable for so many different regulations, the best data privacy policies are flexible, agile, and informed by industry-wide best practices—not just individual mandates.
Here’s how to set your team up for long-term success.
Start with a clean house
When construction companies start building a skyscraper’s foundations, they don’t just pour concrete into the ground. They excavate, remove what they don’t need, evaluate the ground for risks, and adjust their strategy based on what they find.
Building a strong foundation for your privacy program follows many of the same practices. If you want to build a strong, long-term program, you need to start with a clean house and solid foundations.
Take some time to excavate and evaluate your current privacy program with a thorough data inventory. Your data inventory should identify:
- What data you collect
- How it is used
- Where it is stored
- Who has access to it
By creating a data inventory, companies gain a big-picture view of their data collection activities and where they need to focus efforts for compliance. This can help you build a system that applies best practices and works for your business.
Some companies can complete a data inventory on their own, but it can be a strenuous process for even seasoned privacy and IT professionals. You may want to consider third-party consultants to prevent significant disruptions to other critical operational projects.
Establish ongoing internal accountability
Privacy programs may often need a project manager to take charge, but privacy program maintenance and execution cannot depend on one individual, especially when privacy policies require buy-in from all employees and contractors.
Create an ongoing list of what departments, positions, individuals, and teams are accountable for your data collection practices, and ask yourself:
- Which teams are responsible for managing each bullet point in your privacy program?
- Who has the authority to make decisions?
- Who ensures third-party and vendor compliance with your privacy program?
- What type of risk management procedures do you have in place?
- What processes can you put in place to hold your company accountable year after year?
Answering these questions now will help your company maintain compliance amidst changing privacy laws, as well as any staff turnover.
Get everyone on board
Every data privacy or security expert knows that human error is the number one source of a data breach. But while preventing costly and damaging data breaches is a good motivator, perhaps a more compelling one is the impact of privacy on consumer trust.
Digital trust has decreased from 77% to 68% since 2012, in large part because of seemingly endless data breaches. But it’s not just data breaches that are impacting trust. It can be as simple as misusing data. Consider that 39% of consumers have lost trust in companies due to a breach or data misuse.
However, businesses that navigate changing regulatory requirements and consumer expectations can reap the benefits of consumer trust. For example:
- 73% of consumers are more inclined to share personal data with companies they trust
- 80% of customers are more loyal to companies they see as having “good ethics”
To make this work in your favor, though, you have to get buy-in.
Work with your HR team to integrate privacy program training as part of the onboarding process for every new hire, and consider annual training or refresher courses for seasoned employees. You can also create a culture of privacy at your workplace from the top down by coordinating with department heads and internal leadership.
Emphasize that this isn’t a throwaway task for team members. After all, everyone plays a role in safeguarding data.
Prepare for possible data breaches
When it comes to data security, an ounce of prevention is worth a pound of cure. The Identity Theft Resource Center found that almost half of U.S. companies were hit by a data breach in 2021.
No organization expects to experience a data breach, but companies that prepare for potential data breaches will be much more effective at minimizing the damage.
In the event of a data breach, the data security team will be the first line of defense, but your data privacy team will also be a central part of the process. When you create your privacy program, have both teams work together to create a standard operating procedure in the event of a data breach. Think of it as your emergency action plan.
Write out exactly:
- Which internal company stakeholders need to be notified, and in what order
- What external organizations will need to be notified and when
- How your team would respond under a variety of circumstances or sources of the data breach
Once you’ve documented your plans, consider reviewing and updating the plan each year in response to any changes in policies or potential risks.
When in doubt, call in the experts
Building a sustainable privacy program—and then maintaining that program for years to come—can feel like an overwhelming prospect for even the most successful and tech-savvy businesses out there. Thankfully, you don’t have to build a long-term privacy program all on your own from scratch. Instead, partner with a trusted data privacy expert to build the solution that’s right for your team.
Red Clover Advisors simplify data privacy practices to help businesses build data governance solutions that stand the test of time (and changing regulations). Drop us a line to start on your sustainable privacy program today.