

3 Important Habits for Effective Privacy Professionals

April 19, 2024

It’s safe to say that today, privacy is more important to organizations than ever before. Consumer awareness of privacy rights has increased, and consumers expect organizations to take those rights seriously. In part fueled by this consumer pressure, data protection authorities in Europe, the Federal Trade Commission in the US, and state-level regulators are all enforcing privacy regulations more vigorously than they have in the past.

In turn, Chief Privacy Officers (CPOs)--and the rest of their teams--have more responsibilities and more authority in their organizations. Of course, they are obliged to develop and implement policies and procedures that comply with privacy laws like GDPR, CCPA, VCDPA, HIPAA, COPPA, and the rest of the alphabet soup of regulations. More importantly, they are responsible for creating a privacy-conscious culture within their organizations, educating employees, and ensuring that future products, services, and processes embrace privacy by design principles.

These goals are challenging, but achievable. The best way for privacy professionals to lead their organizations to a proactive, privacy-first mindset is by embodying the key principles in their own actions and in the programs they implement. Whether you’re a CPO or a contributor to your organization’s privacy team, these habits of effective CPOs can help you be the change necessary to ensure privacy compliance today and tomorrow.

Important Privacy Habit #1: Stay Informed

The landscape of privacy is in a constant state of flux, with laws and regulations regularly updated and revised. New technologies arise that can make compliance simpler—or that may endanger consumers’ personally identifiable information (PII) by exploiting it in a novel way. Consumer expectations and best practices will continue to evolve. Privacy professionals need to stay up to date on all of these topics to fulfill the obligations of their roles.

Last year, the New York Department of Financial Services updated its cybersecurity regulation, imposing new requirements on financial institutions. And with Congress considering the draft American Privacy Rights Act, major changes in privacy compliance in the US may be afoot.

Privacy professionals can rely on a variety of sources for education on topics relevant to them as their organization’s privacy guardian and advocate. These include:

  • Attending conferences
  • Following privacy topics in the news
  • Setting Google alerts on key privacy terms
  • Attending educational webinars
  • Staying up-to-date with emerging privacy technology

Visit Exterro's collection of Data Privacy Alerts to catch up!

Important Privacy Habit #2: Embrace a Risk-Based Approach

A risk-based approach identifies the areas that have the highest compliance risks to your organization and then takes measures to mitigate those risks first, before subsequently moving on to remediate areas with lower risks. These areas may concern how the organization acquires, processes, manages, secures, or even disposes of data. 

Build your approach by starting with a privacy risk assessment to identify the types of data collected, processed, and stored, as well as potential vulnerabilities to that data. Evaluate the likelihood and impact of threats to data throughout the process and identify the most severe and most likely threats. Implement measures to mitigate those threats, then move on to less severe and less immediate threats. 

Regulations like GDPR require organizations to implement appropriate measures to secure the personal data they hold and to process it lawfully, in line with the rights of the data subjects; a risk-based approach helps organizations demonstrate good-faith efforts to comply in an efficient manner. Organizations struggle with the constant proliferation of threats to data, and risk-based approaches allow them to achieve the best results within the limits of their human and financial resources. Leading organizations that adopt a holistic data risk management strategy achieve benefits in other, associated disciplines, such as cybersecurity risk management and civil litigation.

Important Privacy Habit #3: Continuously Evaluate and Improve

The notion of continuous improvement, also known by the Japanese term kaizen, is associated with lean methodology and its principles. It came about in post-World War II Japanese manufacturing at Toyota, but has since been broadly adopted as a way for teams to make ongoing, incremental improvements to business processes with the goal of delivering high-quality goods and services.

Continuous evaluation and improvement goes hand-in-hand with a risk-based approach to privacy compliance. Both mindsets recognize that it is difficult, if not impossible, to achieve optimal outcomes with broad, sweeping efforts that try to accomplish a lot at once. Embrace the ongoing journey instead: take a step-by-step approach to achieving long-term privacy compliance.

Privacy compliance is a journey, not a race. Dramatic gestures are flashy, but they frequently fall by the wayside and yield minimal results. Over time, slow and steady progress can add up to real benefits and build long-term “muscle memory” across an organization--habits that persist far beyond the initial privacy compliance effort.

For more habits to help build a strong privacy program in your organization, download the Exterro whitepaper 7 Habits of Highly Effective CPOs.
