Most people do not think about all the fine details of health insurance every day.

We think about it when something goes wrong. When a referral is needed. Or during open enrollment, when we are forced to choose between plans and consider risks we would rather not dwell on.

Or when a bill arrives (like mine from the hospital that coded it wrong 8 months ago, sends me a final notice every month saying I’m going to collections, makes me call to hear it’s still in review, and STILL can’t correct it. I digress; a story for another day).

In between those moments, it fades into the background.

Unfortunately, inside many organizations, privacy functions much the same way.

When nothing is visibly broken, privacy can feel abstract. The consent banner is live. The privacy notice is posted. Contracts contain data protection terms. Policies exist. Assessments have been performed. Training has been completed. On the surface, the organization appears covered.

But coverage and health are not the same thing.

For privacy leaders, that distinction is critical.

Coverage Is Not the Same as Health

Health insurance is fundamentally about risk management. It does not prevent illness. It reduces financial exposure and provides access to care when something inevitably happens.

To prevent health issues, we need to be proactive. We’ve just ended the healthiest month of the year, January, when people eat healthy, exercise the most (and get the most related injuries), sleep more, drink less alcohol (and this is becoming a permanent trend), and live out their New Year’s resolutions.

Fun fact: if I hadn’t gone into privacy, I was going to focus on healthy and nontoxic living (I even bought Healthy Life Simplified). See the theme? I love to make things simple. Maybe one day I’ll bring it back.

Privacy programs also manage risk: when the product team wants to launch a new product, when a department wants to onboard new vendors, use new technology, gather more data, or use existing data in new ways, and the list keeps going.

However, just as someone can have insurance and still neglect preventative care, an organization can have privacy artifacts in place and still carry significant unmanaged risk.

A policy is not the same as operational alignment.

A vendor clause is not the same as vendor oversight.

A data inventory completed three years ago is not the same as current visibility.

And these are ALL real situations I encounter all the time. We just finished a privacy program assessment, and that company isn’t aligned on whether and how often security tabletop exercises are performed. (For such a small team, this is a shocking finding.)

Or another company where privacy needs marketing to do a quarterly update on all the tracking technologies placed on the site. Marketing thinks that’s the agency’s job. The agency thinks it’s the company’s job and wants to charge more. Marketing wants privacy to pay for the audit. Privacy doesn’t have the support or even a budget. Meanwhile, everyone is pointing at another group, and nothing is getting done.

The Fragmented Care Model: Specialization and Coordination

Modern health care is highly specialized. A primary care physician looks at overall health, but specialists focus on specific areas. A cardiologist examines the heart. A dermatologist looks at the skin. An orthopedist addresses joints.

Each provider may do excellent work within their domain.

But without coordination, the patient experiences care in fragments.

And I recently had a firsthand experience of such a lack of coordination when a family member was in the hospital. The ICU nurse didn’t know about the prior history that would impact the current treatment (never mind that it was the same hospital this patient had been in previously). How hospitals use data is truly a future newsletter. Or when a shift transition happens and one nurse doesn’t transfer ALL the knowledge to the next team. Patient care can be seriously impacted.

Privacy programs frequently evolve in a similar way.

Product or marketing may work for months on a new initiative without including the privacy team. This is the same fragmentation. The information shared in all those meetings could have been valuable to a privacy pro, could have avoided privacy mishaps, and could have reduced the delay in reviewing privacy risk (presuming privacy does get to review it!).

This is like the operator game, which never goes well (like these AI-generated kids trying to share info). When the right people aren’t in the room, or the information isn’t documented consistently, information is missed, which can have drastic consequences and also takes up time needlessly.

From a functional perspective, privacy-related work is spread all over the company. Marketing is tasked with identifying cookies and tracking technologies. Security manages access controls and incident response. Legal and/or procurement negotiates contractual terms. HR focuses on employee data. Product designs new features.

Each function manages its own “body part.”

Meanwhile, the privacy team is expected to understand how all those parts interact. It’s like being an octopus with a tentacle in every part of the organization.

After writing this I went over to Canva to try out this image in my head … not bad except for the part where Privacy Legal should be separated … sharing so we can all see what happens with AI!

Privacy leaders are effectively the primary care physician.

Primary care physicians need to know A LOT and to rally all the right team members. With how fast privacy laws are being introduced and passed (heads up: Alabama just passed HB161, the App Store Accountability Act, this week), privacy pros constantly have to stay on top of the regulation game.

Privacy teams literally can’t do anything without the business cooperating. We’ve seen firsthand what happens when “that” team is assigned a privacy task in a silo: it’s not done well, or even quickly.

If those functions operate independently, risk accumulates quietly in the gaps between them.

Preventative Care vs. Symptom Response

In health care, preventative care is what keeps minor issues from becoming major ones. Annual physicals, screenings, and routine monitoring are designed to surface problems early.

In privacy, a working and functioning privacy program plays a similar role.

Being proactive in privacy involves periodically reassessing whether documented data flows still reflect reality. It includes reviewing whether vendors originally classified as low risk have expanded their scope. It means examining whether new AI tools are using data in ways that were not contemplated when earlier risk assessments were conducted.

Without preventative mechanisms, privacy becomes a series of constant fires and urgent appointments rather than coordinated care and program management.

Shared Responsibility and “Cost-Sharing”

Health insurance systems distribute responsibility. Patients share some costs through deductibles and co-pays. Providers deliver care. Insurers manage catastrophic exposure.

The system is designed so that one party does not carry the entire burden.

Privacy programs require similar shared accountability.

When every privacy-impacting decision flows through one individual or the privacy team, the program becomes fragile. The privacy team becomes the bottleneck and the safety net.

That model may work temporarily, especially in smaller organizations. But as complexity increases, it does not scale.

Shared accountability does not mean every team must become privacy experts. It means each function understands when its decisions carry privacy implications and what to do at that point.

The privacy team remains accountable for program design and oversight. The business shares responsibility for execution.

Practical Steps to Move from Fragmented to Coordinated Care

Let’s review what it takes to make a successful coordinated privacy program in your organization.

🌟 DISCLAIMER: This is definitely not ALL the steps, but a really good short list! Oh, and you might ask why Privacy Risk Assessments are in bold. Well, I opted to use ChatGPT, and it won’t change it; clearly it’s a hint that these are really important!

1. Define Clear “Preventative Checkups”

In health care, preventative visits allow a specialist to review how the body is functioning. There’s a checklist and baseline for what “healthy” is, and finding something early increases the chances for a better outcome.

In privacy, creating a sustainable compliance program involves performing audits and assessments on the privacy program. Examples include:

  • A website audit to ensure privacy notice links are working, cookie consent settings function, and opt-out links are where they should be.
  • Testing the privacy rights forms and workflows.
  • An annual or biannual refresh of the data inventory, focused on material changes rather than a full rebuild.
  • A periodic review of high-risk vendors to confirm that services and data categories have not expanded.
  • Privacy program assessments to ensure compliance with applicable laws (or new ones if expanding).

To be successful, each of these reviews should be structured and time-bound. Our clients find website audits, process testing, and assessments valuable: they help set strategy, identify gaps, prioritize budget, and let the company fix issues before a regulator or customer sees them.
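The first item on the list, the website audit, is the one that is easiest to make repeatable. The script below is an added example, not the newsletter author's code or any product's. It assumes the page HTML and the response's Set-Cookie headers have already been fetched (both are constructed inline here), and that non-essential cookies can be recognised by name prefix; the link keywords and cookie patterns are assumptions a real audit would tune to its own site. It reports whether a privacy notice link and an opt-out link exist and actually go somewhere, whether a consent banner element is present, and whether analytics cookies were set before the visitor made any consent choice.

```python
"""Minimal website privacy audit over one fetched page.

Added example, not the newsletter author's code. It assumes the page HTML and
the response's Set-Cookie headers have already been fetched (both constructed
inline here), and that a non-essential cookie can be recognised by name
prefix; link keywords and cookie patterns are assumptions to tune per site.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: a working privacy notice link, an opt-out link
# that goes nowhere, and a consent banner.
SAMPLE_HTML = """
<html><body>
<div id="cookie-consent-banner">We use cookies. <button>Accept</button></div>
<footer>
  <a href="/privacy-notice">Privacy Notice</a>
  <a href="#">Do Not Sell or Share My Personal Information</a>
</footer>
</body></html>
"""

# Constructed Set-Cookie headers as received before any consent choice.
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.1234.5678; Path=/; Max-Age=63072000",
]

# Assumed name prefixes of analytics/advertising cookies (tune per site).
NON_ESSENTIAL_COOKIE_RE = re.compile(r"^(_ga|_gid|_fbp|_gcl)")
PRIVACY_NOTICE_WORDS = ("privacy notice", "privacy policy")
OPT_OUT_WORDS = ("do not sell", "opt out", "opt-out", "your privacy choices")


class _PageScan(HTMLParser):
    """Collects every <a href> with its visible text and every element id."""

    def __init__(self):
        super().__init__()
        self.links = []    # list of (href, text)
        self.ids = []
        self._open = None  # [href, text-so-far] while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("id"):
            self.ids.append(a["id"].lower())
        if tag == "a":
            self._open = [a.get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], " ".join(self._open[1].split())))
            self._open = None


def _find_link(links, words):
    """First (href, text) whose visible text contains one of the keywords."""
    for href, text in links:
        if any(w in text.lower() for w in words):
            return href, text
    return None


def _dead(href):
    """A link that exists but cannot take the visitor anywhere."""
    h = href.strip().lower()
    return h in ("", "#") or h.startswith("javascript:")


def audit_page(html, set_cookie_headers):
    """Return a list of finding strings; an empty list means the checks passed."""
    scan = _PageScan()
    scan.feed(html)
    findings = []

    notice = _find_link(scan.links, PRIVACY_NOTICE_WORDS)
    if notice is None:
        findings.append("Privacy notice link missing")
    elif _dead(notice[0]):
        findings.append(f"Privacy notice link not functional (href={notice[0]!r})")

    opt_out = _find_link(scan.links, OPT_OUT_WORDS)
    if opt_out is None:
        findings.append("Opt-out link missing (e.g. 'Do Not Sell or Share')")
    elif _dead(opt_out[0]):
        findings.append(f"Opt-out link not functional (href={opt_out[0]!r})")

    if not any("consent" in i or "cookie" in i for i in scan.ids):
        findings.append("No consent banner element found (id containing 'consent' or 'cookie')")

    # Cookies present before consent: the name is everything before the first '='.
    for header in set_cookie_headers:
        name = header.split(";", 1)[0].split("=", 1)[0].strip()
        if NON_ESSENTIAL_COOKIE_RE.match(name):
            findings.append(f"Non-essential cookie {name!r} set before consent")

    return findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, SAMPLE_SET_COOKIE):
        print("FINDING:", f)
```

Run against the constructed sample it reports two findings: the opt-out link points at `#`, and `_ga` was set before consent. Wiring it to a real fetch means capturing the first response with no consent cookie present, since a consent-management platform that has already recorded a choice will legitimately set those cookies.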

2. Establish Clear Engagement Triggers

Many privacy breakdowns occur because business teams do not recognize when to involve privacy.

Create and socialize a short list of concrete triggers that require engagement. For example:

  • Introduction of a new vendor that processes personal data.
  • Collection of a new category of personal or sensitive data.
  • A change in the purpose for which existing data is used.
  • Deployment of AI or automated decision-making tools.
  • Expansion into a new geographic market with different regulatory requirements.

3. Simplify Intake and Documentation

If the process for engaging privacy is unclear or overly burdensome, teams will avoid it.

A short privacy intake form with clear, practical questions can significantly improve visibility. This form should provide just enough information for a privacy team to determine if a deeper dive is required. Too many questions and the business gets annoyed and won’t complete it.

This should then trigger applicable privacy risk assessments, data inventory updates, and potential downstream impacts to the privacy notice, privacy rights process, and vendor assessments or contractual updates.

4. Measure System Health, Not Just Activity

It is easy to report on activity metrics: number of assessments completed, number of requests processed, and number of trainings delivered.

Consider adding indicators that reflect the privacy program’s health. For example:

  • Percentage of relevant projects that engage privacy before launch
  • Time and money saved through streamlining or automating
  • Speed of integration of privacy requirements into tech
  • Number of late-stage escalations over time
  • Reduction in privacy incidents
  • Time from intake to guidance
  • Trust, measured through unsubscribes and subject access requests

It’s also important to celebrate the success when business teams are working on privacy-related projects. I had a client who would use her fairy wand each time a business unit completed their data inventory work. If you used a fairy wand, what would you celebrate?

Designing for Resilience

No one purchases health insurance expecting a perfect year. It exists because uncertainty is inevitable.

Privacy programs should be designed with the same realism. There will be unexpected product launches, new amendments, laws, enforcement advisories, and actions, all on top of the existing prioritized work. And the business will need the answer yesterday (they always do, right?).

Privacy teams that build a structured program with policy, process, people, and technology will be able to zig and zag with whatever comes at them.

Privacy, like health, is not maintained through isolated appointments. It is maintained through coordinated, ongoing care.

What’s your best preventative privacy tip you’d share with a fellow peer?

And on the topic of health, what’s one preventative step you can take for yourself today? I encourage you to do it this week (might it be to schedule that Dr. appt?). Privacy programs need their managers to be healthy too.

Jodi


💡 When you’re ready, here’s how we can help:

⚙ Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.

⚙ Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.