Every business that collects and processes people’s personal information must manage data privacy effectively – not just because several laws across the U.S. protect personal information, but because your customers, colleagues, and partners demand it.
Data privacy laws in the U.S. and other jurisdictions regulate how organizations are allowed to collect, handle, and share/sell personal information. Complying with all applicable laws can be very challenging if your people don’t understand the significance of data privacy.
I recently spoke about this issue with Enterprise Management 360’s Head of Content, in an August 1, 2023, EM360 Podcast episode called “Why a Company-Wide Privacy Culture is Important”.
I believe most people in any organization, of any size, can grasp the concepts of privacy law compliance when the human risks are explained to them.
In my role as Chief Assurance Officer at TrustArc I help organizations successfully participate in privacy assurance programs so they can demonstrate their compliance with various privacy regulations and frameworks.
Typically these programs give them certifications or verifications they can show customers, partners and other third parties as reassurance the business takes data privacy seriously and is committed to addressing risks.
The business benefits of a privacy culture
Your privacy program shouldn’t be seen as something that mostly concerns the privacy office (if your organization is large enough to have a dedicated team) or privacy officer (in a new or smaller business).
Privacy should be the concern of every person and team using personal data day-to-day.
Encourage every person who collects, processes, analyzes, and/or shares personal information to keep the following in mind: behind every data ‘insight’ you’ll find one or more real people whose privacy rights must be respected.
Ask them how they would feel if their own personal data were put at risk. Then ask them to apply that stance every time they handle other people’s data – this approach helps make privacy both a company-wide and a personal responsibility.
A deeply embedded privacy culture can help a business:
- Reduce risk – We know the number one cause of data breaches is human error. A strong privacy culture will ensure people understand and follow best practices for cybersecurity to reduce risk.
- Build trust – Trust can be earned by showing customers, partners, and colleagues you respect privacy and will continuously demonstrate how you protect privacy in every interaction and transaction. Nobody wants to feel taken advantage of when they initially trust an organization with their data, so it’s important businesses can show they won’t misuse – let alone expose – personal information.
- Demonstrate compliance with privacy regulations – Businesses can build trust by acknowledging – and meeting – their obligations for compliance with privacy regulations in every interaction. Assurance programs and certifications can certainly help, though it is equally important that every public-facing member of your organization actively shows they’re operating within the correct privacy protocols.
Why SMBs and new businesses (might) create a privacy culture faster
Frankly, any company collecting personal data needs to educate and train its people on privacy protocols to develop a privacy-first culture – even small businesses.
In fact, small- and medium-sized businesses and newer companies might have a bit of an advantage thanks to their size and newness:
- You can embed a privacy culture from the very start – every process can be designed with privacy-first best practices up front, and every new hire can be trained up on your privacy stance early.
- You don’t have the baggage of old data – because you’re starting fresh, you can ensure data management procedures are designed from the ground up to support compliance with the latest privacy laws; and with smaller data sets to start with, there’s less work to be done initially.
- You have clearer lines of communication – as everybody wears multiple hats it may seem like privacy is just another hat to wear. But there are advantages to everyone having their privacy culture hat on: because they know what’s expected, they’ll have good communication about privacy when interacting with different people and teams. Another benefit of more concentrated lines of communication and decision-making is that new privacy protocols can flow more quickly through the organization.
Benchmarking the strength of your privacy culture
One way to examine how well an organization manages privacy compliance is through a safety lens: how well has the organization trained its teams on safety procedures for handling personal information? What does the data say about how well these safety practices prevent issues?
While some factories and workshops measure the number of days since the last physical ‘accident’, there are risks in this approach. If you only track and report errors or accidents, you could create a culture that discourages people from reporting issues (to avoid blame) – and discourages innovation.
I think it’s also important to highlight ‘incident-free’ days, so you can reinforce the business benefits of positive privacy actions. Look for lessons across your business on how individuals and teams with a positive privacy stance helped build trust with customers, partners and within teams.
Tracking and reporting privacy incidents
Yes, you must develop procedures for tracking and reporting privacy incidents. To strengthen your organization’s privacy culture, though, I recommend focusing just as much on the incident response and on how effectively each issue was remedied.
The common types of privacy incidents and responses you need to measure include:
- Data security issues – unusual or unauthorized access or behavior that risked or caused data leaks/exposure, including malicious activities (attacks on systems) and unintentional security errors (sometimes caused by not having effective cybersecurity measures, though also due to human error).
  Responses: reinforce data security rules with education and training; and repair/replace technologies for both cybersecurity and access control.
- Privacy concerns – complaints from customers about misuse of their personal information or the types/amount of personal data collected by the organization, or concerns about tracking/processing activities; and any increase in data subject access requests.
  Responses: review privacy compliance practices; re-configure data collection/processing settings to be compliant; and improve the speed and effectiveness of responses to customer complaints/concerns.
- Reports/discovery of non-compliance with privacy laws – non-compliant data collection and processing activities including unjustified (excessive) collection of personal information; illegal tracking or targeting activities; mishandling or failing to respond to data subject access requests; and slow or ineffective responses to reported privacy breaches/enforcement notices.
  Responses: again, review privacy compliance practices and update training and education across your organization; re-configure/repair/replace systems used for collecting and processing data; and strengthen your organization’s privacy stance with expert privacy management solutions.
Measuring privacy culture
By measuring the number and frequency of each type of privacy incident over time you will gain insights into how you can improve your privacy culture.
It’s also useful to measure and report on proactive activities aimed at strengthening your organization’s privacy stance, including:
- Training programs – track the number and focus areas of privacy training sessions offered; record each team member’s participation (including identifying updated training needs) and identify knowledge gaps by assessing new/updated knowledge.
- Privacy champions – identify the privacy leaders and influencers across your organization; keep updated records of their specialist privacy knowledge such as data security best practices or understanding of privacy regulations; and acknowledge/positively reinforce their contribution to embedding privacy compliance.
- Risk assessments – track the frequency and outcomes of Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs); report on identified errors and acknowledge contributions by team members who helped assessments go through smoothly.
- Responsiveness to customer requests – measure the number of data subject access requests per time period and report on how quickly and effectively they were responded to.
Get TrustArc’s help to embed privacy culture in your organization
TrustArc Privacy Assessment Manager streamlines the end-to-end privacy assessment process by identifying gaps in your organization’s privacy culture and helping you effectively remedy them, recording risks, managing day-to-day privacy tasks, maintaining comprehensive audit trails and:
- Privacy workflow management – quickly identify and organize privacy resources across your organization with advanced workflow and automated processes for managing day-to-day privacy tasks.
- Compliance review and gap analysis – streamline the discovery of privacy risks and address gaps in compliance with automated reviews, risk scoring, revalidation, notifications and action plans with follow up tasks.
- Assessment automation – access a robust library of pre-built assessment templates (also fully customizable) to address compliance with privacy regulations including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA); manage and report on Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs); maintain comprehensive audit trails and create privacy regulation compliance reports.
TRUSTe privacy certification program standards
TRUSTe Privacy Certification Program Standards are developed using the TrustArc Privacy and Accountability Framework standard and the unique regulatory requirements for your organization’s privacy program.
TrustArc’s Privacy and Accountability Framework is based upon globally recognized laws and regulatory standards including:
- European Union GDPR
- ISO 27001 (international standard for information security, cybersecurity and privacy protection)
- United States Health Insurance Portability and Accountability Act (HIPAA)
- OECD Privacy Guidelines
- APEC Privacy Framework
- Data Privacy Framework.
Our privacy verification standards help your organization demonstrate compliance with internationally recognized best practices and apply those approaches to ensure your privacy program aligns with current and emerging international frameworks.
Once your organization has completed certification you will have evidence of your privacy efforts and you can display our trusted privacy seal on your website to communicate your organization’s dedication to data privacy protection.