Digital Transformation for Incident Management: Lessons Learned from Live Q&A
In the latest session of The Privacy Collective, we discussed digital transformation for privacy incident management.
The privacy landscape is quickly changing and there’s only one way to keep up – leveraging technology that adapts with privacy trends.
We invited two very special privacy guests from American Specialty Health to discuss digital transformation for incident management: James Van Beek, VP of Regulatory and Program Compliance, and Katelyn Johnston, Privacy Office Manager of Regulatory Strategic Development.
In the thirty-minute discussion hosted by RadarFirst’s very own, Shari Kenney, Strategic Account Manager, we segmented the topic into three parts with multiple polls for audience participation:
What’d You Miss?
- Why mature privacy programs require advanced workflows
- What Privacy and Security need to increase collaboration
- Goal-setting for digital transformation and enterprise impact
Why Mature Privacy Programs Require Advanced Workflows
Privacy’s fingerprint has evolved quickly over the last twenty years – an observation James made during the session.
“Early in my career, I remember waiting for HIPAA regulations to be formulated– and what was going to happen with that. Nowadays, I long for those simplistic times where we just had HIPAA to be concerned about.”
James shared that the “complexity has just exploded.” Organizations today have to be compliant with comprehensive legislation and regulations that surround the data collected from consumers, employees, and the partners that they conduct business with.
What once could have been handled by simple homegrown solutions, must now be managed with intelligent tools.
With increasing complexities, comes increasing responsibilities for the privacy team. As our host, Shari said, “You need to be on your toes and able to pivot at any given moment.”
James commented on the increasing responsibilities that privacy professionals must fulfill:
“We really have to become product experts – we have to know how our products function… where data is going, how people anticipate using data, as well as what they’re using data for. So, it’s really forced us to become leaders. We have to be able to respond quickly… We have tight timeframes, and they keep getting tighter. There’s a lot of pressure to just be tapped into the business as well as the rules, and to have that confidence and leadership for the business owners… and that calm under pressure to deal with those tight timeframes.”
Maturing privacy programs recognize (and embrace) the need for digital transformation for incident management. Katelyn witnessed that within their own digital transformation journey the, “legal department, stakeholders and business owners were fully embracing past our privacy office.”
They just don’t know where to begin.
From James’ perspective, Security has typically led the path forward with new technologies and Privacy is just now catching up. His Privacy team, much like many other teams at different organizations, has doubled in size over the past few years.
6 in 10 privacy pros expect their budget to increase over the next 12 months. – IAPP-EY Annual Privacy Governance Report 2021
An increase in budget is expected with this exponential growth. However, James explained, “What we’re always up against is competing interests – everyone has needs. You need to hash out why your budget is a priority over another department or another corporate need. So, that return on investment is always very important. Having the support from other departments is very helpful.”
If you are able to find a tool that not only makes life easier for you and your team, but also the teams around you, then you’re going to receive much more support in winning that budget argument.
If your company’s budget is not increasing, you’re in a “worsening situation.” James commented, “You’re going to be in trouble down the line, because the comprehensive complexity that’s out there is really growing and so are the privacy needs that support it from a budget perspective.”
What Was Once Manual, Can Now Be Automated and Centralized
We had our guests elaborate on what a manual process without automation looks like and what are some of the nuances that come along with it.
Katelyn shared from her own experience:
“I found with the manual processes that there was a lot of front-load work at the beginning to even begin our investigation. The information was not standardized, we weren’t getting all of the things we needed to begin our investigation – and with these increasingly tight timeframes that we’re operating under, it really put our privacy office in a position that wasn’t fun to be in. It was hard to get all that information to start those investigations.”
Without automation, it’s a bottleneck right from the start. Often, you may find yourself already “behind the cuff” by the time you receive the right information.
“Every time I have to contact someone that’s not in the privacy office, I’m taking them away from their day-to-day job.” – Katelyn Johnston, Privacy Office Manager of Regulatory Strategic Development at American Specialty Health
James alluded to the manual process as a game of telephone – where the message gets translated a couple of times and lost entirely. The process is problematic – you’re making decisions too quickly in order to meet tight deadlines, and you’re using up time and resources circling back with internal stakeholders to get the information you need.
When you eliminate these pain points, you free up more time for training and enterprise advancements.
What Privacy and Security Need to Increase Collaboration
At this point, I think we all agree that spreadsheets and manual processes are bad. But, what is considered good? How do you select the right tool that will enable collaboration and accelerate incident response?
While going through the digital transformation process, James recalled his team’s thought process and wish list:
“It’s got to be something that’s fluid. [It has to be] something that works very intuitively with your own office, as well as stakeholders that might be feeding into it. It really needs to provide a seamless solution. I think also having a tool that allows you to have a lot of resources at your fingertips that support the process that you’re using the tool for is critical.”
James and Katelyn were fortunate enough to have a really good working relationship with their Security team. However, it’s common to see siloed teams at many organizations.
James offered advice to Privacy teams looking to strengthen relationships and collaboration with Security:
“Being territorial doesn’t solve the issue. Your obligation is to your consumers that you’re protecting their information, your company – then that territorial aspect doesn’t matter. In fact, it’s counterproductive, because when you have 24-hours to crunch down something, you need open, direct communication, and I think really breaking down that sense of who owns what, what are the facts, and how can we all solve it.”
“All roads lead to trust.” – Shari Kenney, Strategic Account Manager at RadarFirst
It’s critical to have open communication across teams. Selecting a tool that can enable this promotes trust across the organization, and also builds trust with regulators and your consumers.
James continued, “The more information we can convey to our business owners that we support – the better off they are in making decisions on their own and on the fly. They can be guided by privacy principles, and better protect consumers’ information – that’s just a win-win for everyone.”
Finding Efficiency, Simplicity, and Elegance in a Tool
James described ideal qualifications for the perfect tool. He shared:
“The intuitiveness of a tool is a part of that simplicity. Can they pick it up and use it and feel invited in by it? If something is off-putting or just seems complex, people are not going to want to participate with it.”
In the discussion, our guests emphasized that the right tool will be a complete solution – so you’re not patching it into other parts of your program.
When you have the right incident management solution in place, you’re able to establish consistency and trust with regulators. There’s no uncertainty around how you arrived at your decision – everything is well-documented and defensible.
James added, the right solution should, “help provide objectivity and reinforcement of what could be really subjective otherwise.”
Goal-Setting for Digital Transformation and Enterprise Impact
It’s important to set goals for digital transformation and measure your return on investment.
Measuring ROI on Privacy Solutions
For James and Katelyn, the effects of digital transformation were seen immediately.
James also shared that a good way to measure ROI is comparing the cost of the tool to the time it would take someone to do those functions otherwise:
“How does it save for FTE (full time equivalents) expenses, in terms of staffing? If you improve workflows and reduce time in other departments, it may not be your own FTE, but it has a collateral effect on other departments as well if they have a more efficient process. [The right tool] increases goodwill, [leading to] better reporting and more accurate information [preventing] further follow ups.”
Katelyn closed out our discuss with an invaluable reflection:
“One of the biggest things I’ve learned, and that has also really resonated throughout our company, is that these solutions are so much bigger than yourself. They’re so much bigger than the privacy office, they are really impacting our enterprise. That has been such a big sigh of relief with our business owners. It’s been such a wonderful opportunity to stop, pause, and improve relationships with business owners… It’s not only given us an opportunity to provide a digital solution company-wide for those business owners that we work with on a day-to-day basis, but it’s also improved our relationship along the way going through this digital transformation [journey] together.”
Accelerating Privacy Program Maturity
Having access to unique insights and reporting metrics helps privacy teams identify areas for improvement.
James shared that benchmarking data is helpful when he presents to the board:
“When I’m presenting to the board, which I do every quarter, they’re going to ask questions. They love being able to look at how we are stacking up compared to an industry, or a related functional concern for particularly privacy. Only recently have we been able to do that effectively. Before with our Excel spreadsheets and without a tool or access to benchmarking information, we couldn’t confidently give that kind of information. And now with the tool, we can do that. We can start to see where we’re performing against others and how we can improve that performance with additional tools, or additional changes or buy-in from the company and that is very effective.”
Digital Transformation for Incident Management Resources
Looking to start your digital transformation journey?
Read our free guide on digital transformation for incident management. You’ll learn how to:
→ Identify the four key elements of digital transformation
→ Build a technology ecosystem designed for trust
→ Give your teams the data they need to make decisions
→ Free up employees to focus on strengths by automating processes
→ Strengthen your organizational change capability by creating connections across departments
Watch The Privacy Collective On-Demand!