When it comes to driving privacy awareness at your organisation, we understand the objectives you have in mind, and what you are up against if you face challenges realising these.
You probably have one or more of the following goals in mind:
- Increase buy-in from internal stakeholders for a more efficient inventory of personal data processing,
- Make individuals in your organisation more mindful of how they work with personal data on a daily basis,
- Discuss privacy at the managerial level to fuel prioritisation of privacy tasks, and decide on the right actions to minimise data protection risks.
Regardless of the end goals, you might face roadblocks on your way to generating stronger organisational awareness of privacy issues.
Chief among these roadblocks are a basic lack of buy-in from stakeholders, and a lack of time or resources.
Let’s take a closer look at lack of buy-in.
Recall that each business function often works with different categories of personal data, on different legal grounds, in different IT systems. You, the privacy professional, are charged with gathering all this information effectively and efficiently.
Many DPOs will meet resistance here. Departments aren’t incentivised to provide the kind of information necessary to complete records of processing.
Even if the information is provided on processing activities, there can be little to no momentum as regards taking action on any gaps or risks found.
In essence, the first roadblock to awareness revolves around lack of incentive to assist in the work required to document specific data processing activities.
This brings us to roadblock number two.
More often than not, privacy responsibilities – including records of processing and inventory creation – get passed either to department heads or to the individuals with direct control over the systems processing personal data.
We’ve seen this in a variety of organisations.
Unfortunately, these individuals will always have more pressing work to complete.
In the absence of guidance, they may consider privacy work an added, perhaps even irritating task. They may insist they simply don’t have time.
What’s a DPO to do?
Building privacy awareness and generating support for your privacy program involves communicating that privacy success can only happen with organisation-wide effort. Each department needs to know that its activities have actual lasting impacts on data protection.
In practice, consider implementing one or more of the following steps to raise awareness.
1. Build Inventory and Awareness (in tandem)
As you map or review personal data processing activities, sit with stakeholders in each department. You’ll need to develop a positive working relationship with each of these stakeholders. Their input is vital to maintain accurate records of processing in the future.
In these meetings, be sure to clarify the big picture of data protection at your organisation.
Share your vision of your organisation’s privacy program.
Ask about their understanding of the goals of privacy regulations. These are simple ways to spread awareness and include stakeholders in privacy, rather than making them victims of processing inventory requests.
2. Tailor specific privacy tasks to each department
When training individual departments in data protection strategies, or even when requesting or reviewing processing activities, be sure to contextualise privacy tasks for the stakeholder.
In customer-facing roles, for example, stress the positive effects that transparency efforts can have on client relationships.
When speaking with system administrators and managers, highlight how incisive records of processing can help organisations better structure and make use of existing data.
Even in the absence of a large, organisation-wide campaign aimed at raising awareness for privacy, privacy professionals like you can aid awareness by helping each department understand its impact on data protection.
3. Assist Your Efforts with a Tool
Managing your privacy program with a flexible, collaborative data mapping tool makes your job easier, especially as you seek to involve more internal stakeholders and accurately inventory processing activities.
Why, you ask?
Two main reasons:
Centralised record keeping right out of the box
A core system provides structure, a way to maintain compliance and align on a method of storing your processing activities. You need a flexible, intuitive system where you can store metadata on company-wide data processing.
Better collaboration potential
If you’re the DPO, then you already know; if not, then you do now. Privacy professionals won’t have access to every single personal data processing activity, nor will they be close enough to each process to document it efficiently. This is where a centralised tool to assign reviews is invaluable for continuing to raise awareness and increase involvement.
Curious about how DPOrganizer can help you drive awareness, and get you out of spreadsheets? Book a demo today.