Originally published in our Privacy by Compliance Market Report. Download full report here.
The concept of privacy by design has evolved far beyond its engineering origins. Data has become nothing short of a currency with which brands win or lose, and new business models have emerged. The regulatory environment in which firms operate, by way of response, has increased in both scope and complexity.
Instill an organisation-wide commitment to privacy as a first principle, in any organisational decision
For businesses, these changes over the last decade present a two-sided coin. On the one hand, increased risk, cost and vulnerability. But on the other, the opportunity to increase corporate transparency, to forge stronger and more meaningful relationships with customers, and to provide a form of insurance for an organisation’s growth ambitions.
Privacy by design can prevent businesses from falling foul of customer, employee, regulatory and societal expectations, and can go some way to reducing cost and complexity, rather than adding to it. But it calls for compliance leaders, as an organisation’s most independent arbiters of standards, to take the mantle of nurturing an ethical approach to data. Not just settling for the bare minimum, but instilling an organisation-wide commitment to privacy as a first principle, in any organisational decision.
“Privacy by design too quickly becomes a conversation about GDPR or a marketing opt-in choice,” says Adreas Klug, chief privacy officer at Ladbrokes Coral. “In reality, countries all around the world are creating laws that make collecting, managing and transferring data more difficult. This goes beyond communications choices to where you put your data centres and how you navigate increasingly complex regulatory burdens. Putting these ethical choices and responsibilities firmly at the top of the agenda of business leaders: that’s true privacy by design.”
It All Starts with People
Arguably, revised company policies, internal communication and enhanced data privacy training alone are not a silver bullet for ethics and compliance professionals. But it’s a good place to start.
Raising internal awareness, comprehension and commitment to privacy can provide an essential foundation for improved data governance.
This begins at the top. Executive engagement is crucial to securing the mandate, resources and visible leadership that will send a signal to the wider workforce, as well as partners and vendors, that privacy is an organisational imperative, not a nice to have or afterthought.
“Boards are chiefly concerned with the ‘three Rs’: revenue, risk and reputation,” says Shon Ramey, chief legal officer at NAVEX Global. “In the face of widespread consumer attention and a progressive regulatory environment, privacy ticks all three boxes. It’s essential to start a conversation with leadership teams about the benefits of privacy in building customer and employee trust, as well as the reputational, commercial and financial risks of breach or misuse. Once this is understood, you’re pushing at an open door.”
Internal communication and education programmes are essential tools in supporting data governance and compliance. Yes, it’s important to translate privacy into what it means for different departments, teams and roles, but it’s even more impactful when we start the story with what this is really all about: protecting people.
Process Gives Structure
Communication and education provides a solid foundation, but they must also be translated into new ways of working, by providing a framework to guide employees on how to put policy into practice. And that first requires robust policies to be in place, which is a task not to be underestimated, given the myriad of instances in everyday working life that can lead to honest mistakes with unintended consequences. Given its scale, this challenge can seem overwhelming, but starting small is better than not starting at all, prioritising risks in a simple and actionable way.
Embedding privacy by design and an ethical approach to data will involve different processes and nuances from one organisation to the next. But two common priorities emerge.
Firstly, analysing and evolving the countless organisational processes and decisions that involve customer or employee data must address both legacy and future data. Initial audits will help ensure data capture, storage and access decisions are both legally compliant, as well as consistent with the ethical standards an organisation aspires to. But this then needs to be overlaid with appropriate governance and ongoing iteration, best done in partnership with compliance and legal teams, to ensure future data decisions meet the standards you’re aiming for.
Secondly, collaboration is key. Privacy and compliance professionals alone cannot hope to address the burden and opportunities presented by data. It requires a shift from being seen as a gatekeeper or final check and balance in decision-making, to playing the role of business partner. Compliance leaders can help to actively shape decision-making processes and organisational choices, constantly reinforcing the ethical standards that will help individuals to do the right thing. This will encourage organisations to go beyond the regulatory requirements to gain agility and innovation from having the appropriate data controls in place, increase operational efficiencies, reduce delays to sales processes and achieve a real and valuable competitive advantage.
Technology Is Only an Enabler
The final consideration is technology, but it carries a caveat. It would be easy to assume that smart systems can somehow liberate compliance professionals from the burdens of complex regulation, and that the promise of technology can automate or alleviate the heavy lifting.
If you look at most data breaches, beyond the bad actors lurking in dark corners of the web, it comes down to human error.
“If you look at most data breaches, beyond the bad actors lurking in dark corners of the web, it comes down to human error. The wrong thing being shared with the wrong party, even if for the right reason,” says Simon Owens, data protection officer, Europe, at Chevron. “We’re tackling privacy by design by systematically identifying these pinch-points where innocent mistakes can be made and either adapting or leveraging technology to eliminate or mitigate the risk.”
Privacy is complex and nuanced. Compliance must establish the ethical foundations to ensure people consider the implications of their actions across the thousands of decisions that both employees and leadership make. It isn’t an overnight endeavour. It requires a commitment for the long run, but with this comes greater protection for the organisation, as well as its customers, employees and stakeholders.