To an extent, the processing of personal data is necessary to carry out business operations. But as the volumes of data collected and shared continue to increase, businesses need a robust data protection program to keep that information private and secure.
A data protection program supports your organization’s effort to comply with data protection regulations and increases collaboration across business functions. When done correctly, data protection increases the value and quality of the data you collect and store. It also plays a key role in your business’s consumer relationship.
To effectively build trust through a data protection program, a company must execute its promises when collecting people’s information. These promises are reflected in the privacy policy and the notice given to individuals when the information is collected. If these promises are broken, the brand’s reputation is negatively affected, taking years to mend.
Should a business build a data protection program if not required by a privacy law?
Even if your business doesn’t operate in one of the five states that will begin enforcing data privacy laws in 2023, other generally applicable state and federal privacy and security provisions will likely affect you.
For example, the Federal Trade Commission mandates that U.S. companies handling consumer information must implement reasonable and appropriate safeguards to protect personal data. Others include HIPAA, CAN-SPAM, state and federal “Do Not Call” laws, and various breach notification laws.
Furthermore, the odds that no data protection regulation covers your consumers shrink every year. In Weaponizing Privacy, Nader Henein, Gartner Analyst, explains,
“By 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10% of organizations will have successfully weaponized privacy as a competitive advantage. By 2026, the fastest-growing organizations in each consumer-facing industry will have successfully weaponized privacy rather than simply adapted to regulatory mandates.”
If you want your organization to “weaponize privacy” in the next three years, you’ll want to watch out for these common data protection program pitfalls as you get started.
Five data protection program pitfalls to avoid
Given the legal implications, building a data protection program can be intimidating. Here are five areas where many companies miss the mark.
#1 Not giving data protection a seat at the executive table
No matter how much you spend on outside privacy counsel or the flashiest privacy technology, your data protection program will fall short without an executive champion. Simply checking the boxes won’t create a culture of privacy in your organization. And a culture of privacy is necessary for business success in a digitally powered world that thrives on data.
The notion that data protection and privacy are the responsibilities of legal or IT departments is a myth. Protecting the information a business collects is everyone’s job. After all, many functions collect and use data for business activities.
A privacy champion is willing to collaborate and empower internal business teams while ensuring data protection requirements are met. Even more, the privacy champion supports collaboration between functions to achieve company and data protection goals.
Building a culture of privacy takes time. More importantly, executives must prioritize it as an essential business function.
Organizations with a culture of privacy have embedded data protection into their company mission, values, and strategy. Consequently, employees consider privacy when products and services are built or enhanced and whenever decisions are made.
Not training all employees about data security and protection is another pitfall with an easy fix. Everyone in your organization should understand the basic data protection principles and always remember that real people are behind all those numbers.
The GDPR outlines seven key principles of data protection:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
As a privacy champion, if you can help your organization embed these seven principles into its company culture, you’ll avoid pitfall #1.
#2 Lack of legal privacy intelligence
Although foundational principles for data protection, privacy, and transfer guidelines have existed since the 1980s, the industry has a shortage of talented employees. As a result, privacy teams can be vastly understaffed or under-resourced, leaving the organization and the data it promises to protect open to risk.
While you don’t need all employees on your privacy team to be lawyers, you need people who understand the laws and regulations. Whether you hire inside or outside counsel, partnering with a legal resource is necessary.
The biggest trap within this pitfall is mistaking technology for privacy intelligence. Granted, technology can increase collaboration and reduce the time and effort spent building a privacy program, but it won’t replace the need for a privacy expert.
The cost of privacy talent and external counsel continues to increase. Don’t try to build a data protection program without a reliable, experienced solution for legal privacy intelligence.
#3 Reacting to data protection laws and regulations
A common reaction to the multitude of global data protection laws is to attempt compliance with each, one by one. Essentially, this means repeating the same process over and over to check off the boxes for a specific region.
Considering that at least 137 countries have data protection laws, this method feels endless. That’s because it’s reactive, and there’s always something to react to in privacy.
Avoid this pitfall by implementing a proactive approach to data protection. Select a data protection framework that can be applied to your program overall.
For example, some professionals prefer to apply the GDPR to all of their data protection processes. Then, when new laws are introduced, there are likely only small deviations from the GDPR standards required for compliance. The structure or framework you choose doesn’t need to be the GDPR, although it’s a great starting point.
Ultimately, a reactionary approach to privacy will always leave you chasing your tail. Good data protection programs are proactive and reduce your privacy team’s effort and stress.
#4 Treating data privacy as a burden rather than a way to add value
There are two ways you can look at privacy. One is that it’s a cost center without an important business function. And the other is that privacy is another way to create value, adding to the business’s bottom line.
If privacy is treated as a burden, the organization misses opportunities to build consumer trust and establish an advantage over competitors. Time and effort are spent on compliance rather than how to use privacy to enable innovation.
As we shift to explicit consent requirements, data the organization collects directly from the subject (first-party data) quickly becomes the most valuable. Data collected with consent drives better customer experiences, services, and products. And just like a spinning wheel, this cycle repeats itself, driving business momentum and customer loyalty.
Apple has become a prominent example of how a brand can use data protection and privacy to its advantage. They’ve made privacy part of the conversation and a primary marketing strategy. It’s not only a star feature of their products. It’s also a value embedded into their company culture.
One way to be more like Apple is to put privacy controls back into consumers’ hands. Tools are available to help provide your consumers and partners direct access to the data you collect and options to change what and how that information is used. It’s possible to include privacy policies, notices, data subject requests management, and communication preferences in the same interface. Consumers love transparency and the opportunity to control their information.
If you treat data privacy like a burden, that’s surely what it will become. Avoid this pitfall and change your mindset about privacy before your competitors beat you to it.
#5 Making compliance the only data protection priority
There’s more to data protection than compliance. Assessments, audits, and compliance with each regulation are all critical, but they’re not why we do data privacy. Protecting data is the right thing to do for everyone.
As above, if you view data protection as merely a compliance must-do, you’re working harder and missing valuable opportunities. In contrast, successful privacy programs are created using a risk-based approach.
Building a risk-based privacy program requires a strategic approach to managing and protecting data that is aligned with business processes. To summarize, this approach requires four steps:
- Assess the current state and your privacy program requirements
- Identify your current compliance level and risk
- Prioritize and mitigate risk
- Establish response procedures and strategies for ongoing compliance monitoring
Establishing a culture of privacy is also helpful here, as you will need governance and agreed-upon definitions for data ethics and data processing that align with company values and risk appetite.