Reducing data privacy risks by adopting a service-mentality

In today’s technology-driven world, privacy professionals – particularly in regulated industries – have a unique and difficult challenge.  Data, of all sorts, is the basis for much of the economy today and data use is evolving as new technologies are continuously introduced to the market.  It is more than daunting to determine the best approach for reducing data-exposure risks while maintaining a competitive market advantage.  It’s a precarious balancing act.  By taking a proactive, service-oriented approach that provides perceived value to your business partners, you can increase your professional reputation and your influence within your organization.  The plan is simple and easy to execute because it is developed and implemented in bite-size phases.

Phase 1 – Assessment:

Take time to assess so you can develop a plan that aligns with the business.  If your organization has multiple lines of business, target a small, defined business group with which you have a trusted relationship and use them as a pilot group to define, “road-test” and refine your process.  Starting with a small pilot is more affordable and takes fewer resources – so it is less demanding on your team and easier to justify the budget expense.

Total estimated time for assessment: 30 – 60 days

Assessment steps, with the Resources/Strategic Partners for each:

Current social media or collaboration tool use:

  • Tools utilized
  • Business purpose
  • Associated data
  • Internal or external
Resources/Strategic Partners: Business partners, IT security, Internal Audit, Legal, Compliance, HR, Social Media/Collaboration Subject Matter Experts (SMEs)

Level of use

  • Level 1: static presence, no activity
  • Level 2: some activity, but limited exposure
  • Level 3: high level activity, high exposure
Resources/Strategic Partners: Business partners, SMEs

Current security practices

  • System access (gaining it/losing it)
  • Password protections
  • System administration
  • Data ownership
  • Data management
  • Data sharing
  • Data exposure
Resources/Strategic Partners: Business partners, SMEs

Current reporting practices

  • What reporting exists now
  • Who prepares reports
  • How are the reports used
  • What data sources are included
Resources/Strategic Partners: Business partners, Internal Audit, Legal, Compliance, SMEs

User background

  • Knowledge of the tool
  • Knowledge of the regulatory environment
Resources/Strategic Partners: Business partners, SMEs

Process

  • Documentation
  • Record keeping
  • Monitoring
  • Governance
  • Policies
Resources/Strategic Partners: Business partners, IT security, Internal Audit, Legal, Compliance, HR, SMEs

Phase 2 – Pilot Planning and Execution:

Once you have identified your pilot group and gathered assessment data, build your pilot plan based on priority rankings determined during your assessment phase.  Address the highest identified risk areas first.  Include components that address the people, process and technology.

Total estimated time for pilot: 90 days

Pilot planning, with the Resources/Strategic Partners for each:

People:

  • Training needs for users in Level 2 or Level 3 categories.
  • Develop certification criteria for users (yearly certification process)
  • Change management plan for driving adoption and educating the user base
Resources/Strategic Partners: Training professionals, Legal, Compliance, Audit, SMEs

Process:

  • Governance
  • User policies
  • Communication plan for messaging beyond the pilot
  • Crisis planning (roles and responsibilities)
  • Reporting requirements
  • Recordkeeping requirements
  • Data management
  • Monitoring
Resources/Strategic Partners: Business partners, IT security, Internal Audit, Legal, Compliance, HR, SMEs

Technology:

  • System review
    • Architectural integrity
    • Security
    • Shareability
    • Disaster recovery plan
  • Tool review
    • Data exposure
    • Administration
    • Functionality vs. business need
Resources/Strategic Partners: Business partners, IT security, Internal Audit, Legal, Compliance, HR, SMEs

Phase 3 – Pilot Project De-brief and Pilot Expansion:

Once you complete your pilot group project, analyze the data and integrate the lessons learned – it’s time to expand the pilot to the next identified critical risk area on your list.  Develop a comprehensive communication plan to share the results from the initial pilot with a broad audience within your organization.  Make sure to include influential, well-respected individuals who will endorse your work, help you spread your message and garner executive support.  Also make sure you give your pilot group plenty of public recognition for their participation.

By taking the approach of working with strategic partners who trust you – while simultaneously communicating early wins – you are better positioned to make a stronger business case for additional resources as you need them. As you expand your efforts and gain credibility, the momentum you generate will help you to silence detractors.  In addition, publicizing the positive outcomes will attract the attention of other business areas that may then approach you directly for assistance.  This is a side benefit that helps accelerate the adoption process for your project and quickly increases executive support for your efforts.  And if your organization experiences data privacy challenges during this time – this pilot prepares you to manage the crisis in a professional and timely manner.
