In a recent blog post, we discussed the importance of a privacy program lifecycle in order to achieve a meaningful privacy program – and how strategic context and cross-team collaboration are essential for this. In this piece, we further explore what a business integrated privacy program means and how it can be achieved.
When we talk about integration, we think of it as more than technical integrations. More importantly, it’s a question of alignment: strategic, process, ownership, culture, and technology alignment. If we succeed, the reward is a more efficient program that better manages risk and generates more business value.
Yes, a privacy program should identify and manage gaps and challenges, reduce risk and lead to compliance. But it is also about seizing opportunities, and the reality is that not all risks can be managed at the same time. Understanding what opportunities, and what risks, are most important from a business perspective will help the privacy team not only generate more business value, but also make more friends. If management and other stakeholders trust that you understand them, and understand how your efforts align with theirs, you are more likely to get their support and buy-in when you really need it.
How the privacy team thinks about data processing must be aligned with how those responsible for departments, assets and business processes think about data processing. Efficient collaboration results in more effective risk identification, records of processing management and handling of incidents – and you can make the collaboration seamless by sharing perspectives and terminology. Understanding everyone’s point of view is essential, but sharing it is even better.
As noted above, aligning on how the business operates in terms of data processing is important for better collaboration and privacy management, and so is being clear on responsibility and expertise. Who is responsible for a system, a project or a data asset? Who is responsible for reporting, escalation, decision making? And who knows the exact details you need in case of a request from a customer, business partner or supervisory authority, or in case of a breach?
Why do data protection and privacy matter, and how do they affect the business? If there is no alignment on this internally, your privacy program will never work as well as it should and could. Not everyone has to agree, but everyone should understand what is expected of them, which is why this is a question of both requirements (regulatory and other external) and management’s position.
For seamless collaboration and efficiency, you also want to make sure that tools and technologies used internally work together, to minimise double work and to make use of existing, well-functioning processes and governance structures. Don’t build separate work streams for data protection and privacy; instead, strive to weave them into existing ones.
The role of privacy management technology (like DPOrganizer)
While technology can’t do all the work for you, it can certainly help you get where you want to go faster. Helping privacy professionals build sustainable and business integrated privacy programs is what we do, and we’re proud to be working closely with some of the most innovative privacy teams in the world. Together we are surfacing hidden risks, cutting DSR response times, and generating useful reports in minutes. Below are a few features in DPOrganizer that they say are key to their success.
Data mapping is a core element of a privacy program, and our tool is built for collaboration and to make sense for everyone involved. Make it easy to involve and assign ownership to those responsible for a business process, a system, a third party relationship or a legal entity.
Training and risk management
Our e-learning tool with customisable courses is used to train, engage and align. And the risk assessment features are used to collect information, evaluate risk and plan for next steps in case of new relationships, new systems, new projects or otherwise changed data processing.
Integrations and APIs
Integrating the privacy program with other tools used internally to communicate, share information and coordinate activities is a must, especially in this age where we’ve been forced to quickly adapt to a remote working environment.
Do more than tick a box
Four years ago, most organisations saw data protection and privacy as a “tick-the-box”, one-off project. While many have grown wiser since then, it’s obvious that proving business value beyond bare minimum compliance remains a challenge. That’s why aligning on all points above is vital if you want to move beyond yearly RoPA updates and barebones privacy notices.