The Webs We Weave: Building Stronger Cross-Functional Privacy Practices
In February 2023, a hacker used an SMS phishing scheme against an HR employee in the US to gain access to Activision (the company behind the Call of Duty video game franchise) records, including employee emails, salaries, and work locations, as well as confidential corporate information, such as the company’s 2023 release schedule. Privacy must be treated as an organisation-wide responsibility if breaches like this are to be avoided in the first place, or made less damaging when they do occur. Yet many organisations have no plans to improve cross-functional privacy.
Building Stronger Cross-Functional Privacy Practices
Cross-functional privacy practices come with many benefits. They increase the likelihood of win-win outcomes during product or service development and reduce the leakage of time and value caused by last-minute compliance checks and ‘bolt-on’ privacy fixes. They can also improve your company culture by integrating privacy and legal compliance into everyday practice early, so these team members become collaborators rather than the team that comes in at the end and says ‘you can’t do that’.
Implement Privacy by Design
Developing and implementing a ‘privacy by design approach’ is one of the best ways to build cross-functional privacy practices.
We’ve written before about Privacy by Design and how it can be implemented, including:
- ISO 31700 New ISO Standard for Privacy by Design
- Privacy by design approach
- 5 Tips for successfully implementing privacy by design
- Privacy by Design: How to bake in privacy early
- Worried about data breaches: How privacy by design can help
The following are further things you can do, all of which should form part of your Privacy by Design approach.
Set Regular Meetings Between Technical and Legal/Compliance Professionals
The ISACA Privacy in Practice Report for 2023 revealed that 17% of technical privacy professionals only met with legal or compliance professionals when new privacy laws went into effect. The same report noted that more than half of respondents met quarterly or less often.
Given the extremely rapid pace of change in the privacy legal and compliance landscape, teams that meet quarterly or less often are likely running a privacy program that is reactive rather than proactive. This is risky from both a legal and a business perspective.
The main arguments in the business case for implementing proactive privacy programs are:
- Reducing the likelihood of resource strain because of periods of non-compliance – where you’re playing catch up.
- Being proactive instead of reactive reduces the likelihood of operational inefficiencies, poor spending decisions, and higher costs.
- More opportunities for innovation and the creation of ‘win-win’ scenarios where both business outcomes and privacy outcomes improve.
So, teams looking to improve cross-functional privacy performance and outcomes should schedule regular meetings at intervals that make sense for them. For many teams, this means monthly meetings of key team members.
Document & Share ‘Triggers’ for Privacy Team Involvement
Your team can’t know what they don’t know. To help them overcome these ‘blind spots’ in their privacy knowledge, you should document and share common activities that should trigger them to reach out to the privacy team for collaboration.
Common triggers include:
Marketing
- New Marketing Campaigns or Channels: When launching new campaigns, especially those involving data analytics or targeting specific demographics.
- Data Collection Changes: If the marketing team decides to collect new types of customer data, or change how they collect, store, or use existing data.
- Third-Party Partnerships: Engaging with third-party vendors for marketing activities, such as data analytics services or advertising platforms.
Human Resources (HR)
- Employee Data Handling: Changes in how employee data gets collected, processed, or stored, especially sensitive information.
- New HR Technologies: Implementing new HR software or systems that involve employee data, especially anything that involves monitoring of employee performance or the use of biometrics.
- International Operations: If the company expands or starts operations in other countries, impacting how employee data gets managed across borders.
- New Reporting: New requests for information about employees to be included in reports.
Product
- New Products or Features: Introducing products or features that collect, process, or store user data.
- User Data Utilization Changes: Any significant change in how user data gets used within the product.
- Compliance with Standards: When products need to comply with specific industry standards or certifications that involve privacy considerations.
Services
- New Service Models: Developing new service offerings that involve customer data processing or storage.
- Data-Driven Services: When services rely heavily on customer data analytics for personalization or improvement.
- Cross-Border Services: Offering services in new jurisdictions, which might have different privacy laws and regulations.
Customer Service
- Customer Data Access: Changes in how customer service representatives access or use customer data.
- Feedback and Data Collection: When collecting feedback or additional data from customers for service improvement.
- Technology Adoption: Using new tools or platforms for customer service, which may involve different types of data processing or storage.
Operations
- Supply Chain Data Management: Changes in how supplier or logistics partner data gets handled, especially if personal data is involved.
- Operational Process Changes: Introduction of new processes or changes to existing ones that involve the collection, storage, or processing of personal data.
- Facility Management: Implementing new security systems (like CCTV) or access controls that involve collecting data from employees or visitors.
- Technology Upgrades: Introduction of new operational technologies that might collect, process, or store personal data.
Finance
- Financial Transaction Processing: Changes in how customer or employee financial data gets processed, such as introducing new payment methods or systems.
- Auditing and Reporting: Situations where personal data might be involved in auditing processes or financial reporting, especially if shared with external parties.
- Mergers, Divestitures and Investments: During mergers, acquisitions, divestitures or investments where due diligence involves accessing sensitive personal data.
- Vendor Management: Changes in relationships with vendors or service providers that handle financial data, necessitating a review of privacy and data security measures.
Implement an Organisational Privacy Dashboard
Privacy dashboards provide an overview of an organisation’s privacy activities on a single page. They typically include information such as:
- Customer requests to manage their data;
- Data mapping and inventory;
- Compliance monitoring;
- Access control monitoring and information;
- Privacy Impact Assessment requests, status, and results;
- Reporting and analytics.
These dashboards can help organisations make better decisions about privacy, increase awareness of privacy and privacy risk, and more efficiently allocate and deploy privacy resources.
Eliminate Data Silos
Organisations often collect the same or similar information at multiple touchpoints and then hold this information in multiple locations. For instance, a sales department may hold a customer’s personal information and transaction history in one system, while the marketing department is aggregating information about their browsing habits and collecting their birth date for a loyalty program in another.
When this occurs, the information is siloed – and this comes with risks, including increased risk of a breach. It also decreases the quality, reliability, and accuracy of data your organisation holds, which can result in poorer business performance and increased redundancies in your processes.
By implementing organisation-wide processes to collect, store, and manage data, you can eliminate or significantly reduce data silos while also increasing the quality of the data you collect and store and decreasing your privacy risk.
Privacy Management Programs with Privacy 108
Our privacy management programs empower organisations to champion privacy through policies, processes, education, awareness, and accountability. We will work with you to:
- Assess the maturity of your current privacy management program;
- Identify gaps between your current maturity and your target level of maturity;
- Design a strategic roadmap to create a privacy management program or improve the maturity of your existing program.