Think you need a ‘standard’ approach or set of ‘best practices’ in dealing with data privacy at your company?
Typically, companies address data privacy by performing a gap analysis and then doing one or more implementations…often hiring outside firms. This approach is often fraught with stoppages, lots of context-switching, unnecessarily high costs and, tragically, a lack of follow-through on getting the important sh*t done that deepens customer trust while reducing business risk.
Here’s an example of the typical process:
- Initial assessment and gap analysis: 4-8 weeks @ $35k – $75k
- Then comes implementation: 3-month chunks @ $50k to $75k each (not including any software, for which the pricing has become outrageous)
Who benefits most from this? Sadly, it is often not the company. Consulting firms love to insist on their over-complicated and labor-intensive approaches. Many privacy and security frameworks are a good starting point but are not created to be workable processes for companies. They are based on legal “defense-ability”. While this is important, it should not be the primary driver. And software companies have often solved for legal compliance – again important but insufficient – stopping short of lasting business value.
Let’s reThink this!
It doesn’t take rocket science to figure out that many companies:
- Don’t yet have a privacy program embedded into their business. Rather, they have responded to legal requirements on an as-needed basis (important though often insufficient and not sustainable)
- Don’t have or have incomplete personal data inventories
- Do have some effective practices to protect data and manage risk; and,
- Would benefit from dedicating a chunk of time to address the highest risk / most pay-off business processes and staying agile to adjust based on the results.
If the goal is to build enduring trust with customers, employees and other stakeholders, then take a two-year time horizon, fund and resource it, and take actions to get there.
Identify at least one dedicated internal person, along with an interdisciplinary team that will build, deliver and teach staff, plus an investment of, say, $10k per month for two years in outside privacy advisory (practitioner and legal) and operations. Create your processes manually to test them, scour your company for applications you can already use, and only after that look for specific privacy management technology.
Here are 3 examples to consider:
Example 1:
- Map out your most important (highest risk) business processes. Often this starts with customer acquisition and success.
- Identify the personal information collected and processed
- Build out personal data maps that will be used for your privacy notices, for fulfilling data privacy rights, for hiring service providers, for performing data risk assessments and for creating an effective customer journey
- Build your operations, especially making your customer-facing processes as badass as possible, assess how well they meet your goal of trust-building (along with being efficient) and adjust accordingly
Example 2:
- Get rid of personal data per your data retention policy and schedule (you do have those, right?)
- Tighten up your collection of personal data and what you say to your prospective and current customers…in plain language. Make sure you do what you claim.
- Build your operations, assess how well they meet your goal of trust-building (along with being efficient) and adjust accordingly
Example 3:
- Create a meaningful learning program for your employees on data handling, security and privacy. Notice the focus is on actual people learning actual helpful actions, not on the checkbox of completing a privacy awareness training.
- Build your operations, especially focusing on building data privacy and protection in by design, assess how well they meet your goal of trust-building (along with being efficient) and adjust accordingly
How have you dealt with trust-building through data privacy and protection?
When you are ready, let’s connect and learn from each other – book a call here.