Building a privacy program requires more than hiring attorneys or engineers. In this video, learn how to change your culture and practices to respect user privacy and manage your risks.
- Based on everything we've seen so far, a privacy program has four key goals. The first is to create a privacy-aware culture, the second is to prepare for a challenging and changing legal playing field, the third is to win customer trust, and the fourth is to support your board of directors. Let's examine how your program can help achieve these goals one by one. What does it mean to have a privacy-aware culture? First, we must all realize that the world has changed. Collecting what you want to collect and saying "trust me" no longer works. For too long, for far too long, the business world has been careless at best when it comes to privacy. Mobile computing, social media, and ubiquitous connectivity have meant that a flood of data was available to collect. Cloud storage meant it was easy to process and access that data. We will look at this in detail in a later chapter, but we can already tell this has led to several bad habits. Your program will need to change this culture within your company. There are those who will tell you that we have too much data, this is how we have always done things, it will take too long to clean things up. I've heard all of these before. Your response should be, the best time to do the right thing is yesterday, the second best time is today. Changing the culture will not happen overnight, or automatically. Innovation is bottom-up, but culture is top-down, which is why you will want buy-in from leaders across the company. One way to do this is by creating a strategic privacy working group. This group will represent the breadth and depth of the company. This group will also set first principles to ensure that the business balances the need for growth against possible privacy risks. You will also create a culture of accountability. These leaders will represent teams that will impact your company's privacy posture. Having these leaders in the program will ensure that they will hold their teams and each other accountable.
They will commit to continuous improvement, as they discover new weaknesses in tools and processes. When it comes to privacy, the journey to the destination is the destination. And then finally enable execution. Without execution, all you have are words. These leaders are in the PWG for a reason. Driving outcomes is the price of entry. Later in this course, we will look at the privacy working group, or the PWG, in detail, and see how it fits into your overall privacy program strategy. As part of the privacy-aware culture that I've been discussing, you will also want to ensure that your workforce is privacy-aware. This is why privacy training is essential. The International Association of Privacy Professionals, or the IAPP, surveyed 500 privacy pros, most of whom work in the U.S. and the E.U. According to these experts, the number one action item to mitigate compliance risk was investment in training. Training employees on data protection and privacy will help address ten out of eleven compliance risks, according to the IAPP. Now, I know what you're thinking. Privacy training is like one of those many training courses employees go through when they are new. They will click on the training while multitasking and checking their cell phones, and then move on to the next training module, which is why you will need to be creative, and we will look at some creative privacy techniques later on towards the end of this course. A privacy-aware culture will also require investing in technology. Your program will need technical solutions to ensure that privacy is respected. Here's one example. Automated tools like authentication and authorization can help protect privacy by controlling access to user data. Let me make this even simpler. Let's say you set up a Google Doc with important information about your family. You probably control access to it by sharing it with only specific people, that is, for example, a spouse or your kids. This is an example of privacy.
You want that information to be private, so you have chosen who to give access to. Things get more complicated in the case of a company with large volumes of customer data. In such instances, you will want to use tools to provide or deny access to employees and vendors at scale. Automating privacy can also help reduce human labor and costs. Example, data access requests or automated data deletion. Additionally, these tools will help provide a paper trail. For example, you can set up your tools to create logs with information on when you deleted data, or how data was accessed. So, when you get audited, only to prove your compliance, this tooling will provide you with the artifacts you will need so as to prove that you made a best-case effort to maintain compliance. It is important for your senior leadership to realize that investing in technology is more than building tools. How are you really changing the business as usual when you automate privacy? Here's some food for thought. In many cases, you will need to abstract the privacy mechanisms away from the engineers who don't work on privacy. So for example, if you have engineers building amazing-looking websites, they probably don't need to worry about privacy every single day. So, you will need to abstract away the privacy layer from them, while also training them about privacy on an ongoing basis. These engineers can then focus on doing what they do best, which is building the tools that grow your business by delighting your customers, without worrying about privacy. What lesson do we take away from all of this? A privacy-aware culture will cost money. However, this investment is vital, since the problems around data and privacy often become more apparent when you are about to hit your stride, and are then forced to choose between building products and cleaning up mistakes. Which is why having these technical investments early will reduce your privacy debt and help you grow faster.
Like President Kennedy said, "The time to repair the roof is while the sun is shining."
- What does privacy mean?
- Regulations, standards, and compliance
- Changing your company culture with respect to user privacy
- Winning customer trust
- Staffing your privacy program
- Building your program from the ground up
- The role of data science in your privacy working group
- The operational privacy team
- Measuring and scaling your privacy program