Many laws and requirements affect businesses today, and the topic of privacy is receiving extra attention from auditors and regulators. However, it is not just about laws and compliance. There are many motivators driving businesses to be more responsible with a consumer’s personal data, such as:
Enhance the company brand
Meet regulatory compliance obligations
Enable global operations and entry into new markets
Reduce the risk of data breach
Increase revenues from cross-selling and direct marketing
Comply with GDPR
Provide a competitive differentiator
Increase value and quality of data
Reduce risk of employee and consumer lawsuits
Be a good corporate citizen
Consumer trust is a big motivator. Fines and fees from regulators are usually clearly defined and have a finite value. Consumer trust, however, is broad and its loss can have much more severe repercussions; it can be fatal to an organization. It is hard to obtain and even harder to regain once lost. Because of this, many organizations are motivated to build a mature privacy program so that they do not lose consumer trust. A few ways organizations can mature a privacy program:
Employees must understand data minimization and be able to put it into practice. Using internal identifiers, for example, instead of government identification numbers such as Social Security numbers reduces the risk if the data is lost. Truncating, masking or scrambling information is another way to lower risk.
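The minimization techniques just listed, as an added example written for this page rather than code from the original article: a record's Social Security number is replaced by a keyed internal identifier, masked for display, and truncated for analytics. The environment variable name and the demo key are assumptions; in practice the key would be held in a secrets manager.

```python
import hashlib
import hmac
import os
import re

# Assumed configuration: the key comes from the environment in this demo;
# a real deployment keeps it in a secrets manager or HSM. Without the key,
# an attacker who steals the tokens cannot brute-force them back to SSNs,
# which is why a keyed MAC is used instead of a plain hash (only 10^9 SSNs exist).
_PSEUDONYM_KEY = os.environ.get("PRIVACY_PSEUDONYM_KEY", "demo-key-not-for-production").encode()

_SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def normalize_ssn(ssn: str) -> str:
    """Validate an SSN-shaped string and canonicalize it to nine digits."""
    if not _SSN_RE.match(ssn):
        raise ValueError("input does not look like an SSN")
    return ssn.replace("-", "")


def internal_identifier(ssn: str, key: bytes = _PSEUDONYM_KEY) -> str:
    """Deterministic surrogate: the same SSN always maps to the same token,
    so it can serve as a join key, but it cannot be reversed without the key."""
    digits = normalize_ssn(ssn)
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return "cust_" + mac[:24]


def mask_ssn(ssn: str) -> str:
    """Display form that reveals only the last four digits."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


def truncate_for_analytics(ssn: str) -> str:
    """Keep only the three-digit area prefix: enough for coarse grouping,
    not sufficient on its own to identify an individual."""
    return normalize_ssn(ssn)[:3]


def minimize_record(record: dict) -> dict:
    """Return a copy of the record with the raw SSN removed and replaced
    by the surrogate identifier and the masked display value."""
    ssn = record["ssn"]
    out = {k: v for k, v in record.items() if k != "ssn"}
    out["customer_id"] = internal_identifier(ssn)
    out["ssn_display"] = mask_ssn(ssn)
    return out


if __name__ == "__main__":
    # Constructed sample record; the SSN below is not a real person's.
    print(minimize_record({"name": "A. Example", "ssn": "123-45-6789"}))
```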
Appoint privacy leads in major business units that handle and process personal information. Privacy leads should be mid- or senior-level managers with sufficient authority and oversight of the controls within their area. Privacy leads can act as the privacy program’s advocates, ensuring that controls are kept current and that privacy incidents are escalated.
Implement change control
A privacy impact assessment, or another change control process, must be implemented to ensure that each change meets an acceptable level of risk and that its impacts on other processes are considered. Control changes must also be documented in a central repository for future auditing.
Know the “why”: over-collection of data
In conclusion, mitigating risk is an ongoing process and requires the privacy office to establish a network of champions. Privacy program managers are accountable for the safekeeping and responsible use of personal information. Privacy managers should be ready to demonstrate compliance with applicable data privacy laws, reduce risk, build trust and confidence in the brand, and enhance competitive and reputational advantages for the organization. This starts with a mature privacy program.