To explore this concept further, in a recent Privacy Collective session we talked to Kim Genobles, Chief Privacy Officer and HIPAA Privacy officer at Ally Financial. In a wide-ranging discussion, we examined the cost of inaction and how potential holes in compliance can impact an organization in the near and long term. We also discussed how operational efficiency plays a role in mitigating privacy debt, helping privacy teams to move forward amid a multitude of challenges.
The Impact of Privacy Debt
In his article, Cline points out that privacy debt—unaddressed risk —arises from both internal and external factors, including:
- Expansion into new sectors or regions that have different privacy regulations
- Deployment of new privacy-impacting technologies
- Acquisition of new companies that have existing privacy debt
- Passage of new privacy laws
Or, when customers, consumers, or competitors raise the privacy bar.
Without proactive privacy measures, unaddressed privacy risks can lead to not just financial damage and regulatory penalties, but also to damaged customer relationships and reputational damage that can affect a business for years to come.
“When you impact your customer and you impact your brand reputation, that’s really hard to recover. Organizations need to understand the cost of a ‘wait and see’ approach, when a large event that could impact your company so severely. It’s easy to see the cost of privacy problems once you’ve been impacted. But by that time, whatever you do will be too little, too late. That’s the benefit of taking action up front. You might not see the cost benefit now, but you will see it eventually.”
Become a Partner and Storyteller
Genobles’ guiding principle in approaching her programs is that privacy is an organization-wide responsibility:
“People like to say that ‘It takes a village.’ Well, with privacy, it really, really takes a village”
One of the critical functions of a privacy team is to help the organization as a whole to identify, assess and avoid privacy risks. In a survey conducted during the session, 70% of attendees said their organizations needed at least some improvement in understanding the value of addressing privacy risks proactively.
According to Genobles, building that understanding depends on strong relationships and a compelling story:
“One of the most important parts of leading a privacy program is about relationships. That means creating allies, and to do that you have to explain what you do, what benefit it brings to the customer and the company. Lines of business are focused on their staffing and resources, while the scope of privacy risk is more at an enterprise level. So, you have to be able to articulate the impact of privacy risks to business managers at a level where they will recognize possible risks within their own systems and processes and escalate those to you.”
Privacy Metrics Matter
Genobles says privacy metrics can be a key asset in storytelling:
“As a privacy leader, you always have to figure out how to measure your success because that’s part of the compelling story you have to tell. When there’s potential for privacy debt, you want to be able to pull up a plan and say, ‘This is what happens if we go down this road and we don’t address these issues ahead of time.’”
Have a Seat at the Table
Once new privacy risks are elevated to the privacy team, its members need to get involved in business planning. Genobles says:
“You need to know what data you have, where it is, what it’s being used for. It’s a little more granular than privacy teams are used to being involved in. We have typically relied on our partners to watch for issues and tell us, but privacy today is extremely complex and people don’t always make the connection.
It’s also increasingly important that we keep our organizations flexible to navigate the expanding patchwork of data privacy laws. So, we need to be at the table to understand and provide guidance when they’re talking about data movement, new technology, and anything that can affect our ability to be flexible and stay compliant. It’s cheaper to do things right in the first place than to try to fix them after the fact.”
Privacy teams also need to be involved in business planning because much of the budget needed for privacy protection isn’t controlled by the privacy office. Genobles points out that you may be leaning a lot on other teams for help.
“When I think of tools, specifically, and some other operational aspects of privacy, they may be outside of your area. But as a privacy leader, you need to acknowledge what those expenses could be and communicate with partners to make sure that they’re prepared.”
Be Your Own Best Advocate
While privacy debt often arises from other areas of the organization, privacy leaders still need to be strong advocates for their own budgets. An interactive poll conducted during the session revealed an encouraging trend:
45% of participants said their organizations planned to increase spending for privacy tools and/or personnel in 2021
However, Genobles speculates that planned spending increases may be mostly a response to requirements from the California Consumer Privacy Act (CCPA) and the newly passed California Privacy Rights and Enforcement Act (CPRA). Additional people and technology will be needed to handle privacy requests from California residents, in addition to changes to data flows and data protection.
Mitigate Operational Costs
Operational efficiency can be a compelling argument for tools. Genobles recommends looking for the operational tasks that are day-to-day and repetitive – event management, recording, or data center access requests – then automate those processes with tools wherever possible.
But, she cautions, you still need a compelling argument about the benefits:
“Otherwise, the questions are:
- Why do we need the tool?
- Why can’t we do it in-house?
- Why can’t we do it with the people we have?
You have to be able to articulate the pros and cons: do we want to spend a lot of our time with the routine operational things versus building a visionary privacy strategy and a flexible data management program? Because these are the things that fall by the wayside when you’re bogged down with the operational stuff.”
Genobles also recommends building operational efficiencies in other areas. Two tips:
- Benchmark: The right benchmarks will show where your organization has potential to streamline processes. (*download the Privacy Incident Benchmarking Report >)
- Cross-Train: Genobles’s team trains privacy advocates in other business departments, so that they can handle routine privacy questions. Cross-training within the privacy team also helps to balance the workload.
Privacy Works When the Village Works Together
In fact, training was the number one need identified by the webinar participants. In a poll, 40% said that what their privacy teams need most in 2021 is more organization-wide training.
“The more people you can educate about privacy, the more they can be advocates, and the more they know when to raise the flag, when to escalate, what questions to ask. Having more people thinking about privacy and being advocates may mean that the privacy team has more time to be strategic and focus on mitigating the risks.”
She also points out that, for privacy professionals, peers in other organizations are an important resource for ideas and support.
Ultimately, she says, it takes the whole village to stay out of privacy debt.
“Lean on peers. Understand where you’re going. Make sure your company buys in and understands the plan. Make sure you’re including your partners—legal, compliance, risk, information security—to help build that. That’s how you’ll tackle the challenges we’re seeing now and the changes in privacy laws and risks that we’ll continue to see in future.”