Seven mistakes of modern privacy programs
From high-profile data breaches (think Facebook’s Cambridge Analytica scandal that resulted in millions of people’s data being shared without their consent) to the introduction of legislation like the General Data Protection Regulation (GDPR), the data privacy landscape has evolved considerably in the last few years.
Though more organizations recognize the necessity of implementing a data privacy program, many modern privacy programs are missing foundational components required for full compliance, and attorneys and authorities have little sympathy for these privacy gaps.
To improve your program’s efficacy and chances of success, steer clear of these seven common missteps.
- Ignoring the need for a privacy program
Your organization may regard a data privacy program as an unnecessary expense because it doesn’t immediately pay dividends. If you wait to prioritize until an authority issues a warning, you’re more likely to pay a hefty price for kicking that can down the road.
The "we’ll do it later" mindset can harm your organization because "later" may arrive sooner than you think, especially as lawmakers introduce more privacy legislation. Plus, not all regulations offer a "right to cure" period allowing your organization to address its noncompliance issues before facing enforcement actions. The California Consumer Privacy Act (CCPA) initially had a 30-day right-to-cure period, but that grace period ended on January 1, 2023.
Even when a regulation offers a right-to-cure period, the window may be too short for your organization to identify and remediate noncompliance, since building a strong privacy program can take up to 18 months. For example, when beauty retailer Sephora failed to cure its alleged CCPA violations within the 30-day period, it agreed in 2022 to a $1.2 million settlement with the California Attorney General. Ultimately, building a privacy program costs less than paying fines. Remember, your program doesn't have to be perfect overnight -- shaping it and implementing it successfully takes time. Taking gradual steps today, based on your organizational needs and risk priorities, will pay off in the long run.
- Failing to get organizational buy-in
A data privacy program stretches far beyond your legal or security team to touch every department. Individuals worried about the program's effect on their work may push back. However, winning a few vocal advocates and securing buy-in from the most affected departments should let you implement the program with minimal opposition. Those advocates can also help you build the business case for why privacy compliance is not just the privacy team's problem -- and how getting the privacy foundations right supports broader organizational needs.
- Approaching leadership before you’re fully prepared
While you need support from the C-suite to execute your data privacy program, start by talking to lower-level team leaders. Ask them to identify their pain points -- are they worried a data privacy program will be a drain on time and resources? Do they think it will distract from revenue-generating operations? Understanding concerns allows you to devise a plan to address them. Then, when you go to the top, you’ll be able to show the program’s impact on different individuals’ responsibilities and that you have team leaders’ support.
- Assuming a company-wide understanding without appropriate education
A successful data privacy program hinges on clear communication and education. It needs the cooperation of everyone involved, and everyone needs to be on the same page. With privacy front and center in many headlines, there are a lot of myths in circulation, so plan how to build alignment by dispelling those myths and focusing on what your teams actually need to know. Endorsement from senior executives can influence others to see the importance of data privacy and take it seriously. C-suite buy-in presents an opportunity to
- Justify the need for a data privacy program.
- Communicate its impact on various roles.
- Convey the changes people can anticipate in their routines.
- Champion collaboration as an effective approach to achieving compliance.
- Approaching your program as a finite project
Data privacy is not a one-and-done task but a continuous process requiring ongoing monitoring and maintenance to stay compliant with changing regulations. As your organization grows and scales, different laws may become pertinent, and the way you process information may change. Launching a privacy program -- and considering it "done" after that initial investment -- risks obsolescence as your organization and the regulations evolve. Creating a dedicated privacy steering team or a set of champions can help nurture and update your program and keep the organization engaged with its privacy goals.
- Improper prioritization
The abundance of data privacy regulations creates challenges when you're trying to decide which requirements to prioritize. The best rule of thumb? Comply with the most comprehensive data privacy law that applies to your organization. That way, if you fall short under another law, you can point to your existing compliance efforts to show regulators you are willing to make changes to reduce your legal risk. Identify where your program is weak against the nuances of each law and focus your efforts there to resolve issues and mitigate potential noncompliance penalties.
- Taking a DIY approach
Operationalizing data privacy compliance is a complicated process that becomes even more complex as your organization scales. As your business changes and the data privacy landscape evolves, those responsible for your data privacy program should:
- Know all applicable laws.
- Understand how to turn that knowledge into practical solutions.
- Have sufficient time and resources to maintain compliance.
To support compliance, consider investing in a data privacy platform designed to ease your privacy professionals' burdens by giving them tools to manage website consent, evaluate vendor privacy practices, and more.
A successful data privacy program sets your business up for success and fosters customer trust. Avoiding these seven common mistakes will help your organization stay compliant and put it in the best position to protect personal information. To avoid penalties and reputational damage, implement a robust data privacy program sooner rather than later.
Image credit: tashatuvango/depositphotos.com
Rachael Ormiston is the Head of Privacy at Osano. With over 15 years of professional experience, she has deep domain expertise in Global Privacy, Cybersecurity, and Crisis and Incident Response. Rachael is an IAPP FIP and has previously served on the IAPP CIPM Exam Development board. She has a personal interest in privacy risk issues associated with emerging technologies.