Why does every organization with a global footprint must have a proper privacy programme in place? It is because privacy regulations across the globe have developed more in the past couple of years than they have in the past century. Of course, this doesn’t suggest that organizations running business within boundaries of one country shouldn’t have one. Should organizations which are not consumer oriented, meaning – not processing personal data of their customers have the privacy programme? The answer is – they should. They all process their employees’ personal data and should comply with applicable laws. No matter how complex, big or small, every organization should aim to have a privacy programme in place.
Starting a privacy programme is not so different from starting other compliance programmes. Depending on the organization’s size, requirements, awareness and resources, it can be done in one go, or split into phases. Regardless of the approach, this article highlights the steps to consider at the very beginning.
1) Support from the top
Firstly, acquire the right support, i.e. senior management buy in. The best way to do that is to prepare a business case. This will help drive the programme and overcome many obstacles on the way. The question is how? Unfortunately, one-size-fits-all solution doesn’t exist. Obviously, the senior management should understand why it is important to have the privacy programme in the first place. If the gap analysis has been performed - great, but oftentimes the gap analysis will have to be done to know what to address with the programme. This can be a high level activity at this stage, because resources to do the full gap analysis may not be there yet.
What could make senior leaders interested into having the privacy programme? What should the business case contain?
A hint - privacy programme can lead to:protecting individuals rights and freedoms, proper data hygiene and lowering the cost of retaining data for long periods, good privacy practice to gain trust with customers. Not having a privacy programme can lead to: detriment to individuals, non-compliance with privacy laws, penalties (monetary and/or criminal), negative publicity, lawsuits and similar.
Privacy should be embedded across the organization to help facilitate the use of personal data ethically. The “bare-minimum” of compliance is not an option anymore; as privacy laws raise the bar on privacy compliance, organizations should adopt certain standards which will meet legal requirements and ensure that good privacy practices are employed across the company (even if they go beyond what the law says).
2) Privacy awareness
This is another key element to start the privacy programme.
Once the tone at the top is acquired, raising the privacy awareness across the company follows. Depending on the organization’s level of privacy culture the programme might have a good starting position, or an extra effort should be put in to educate people about the privacy, what does it mean for individuals(consumers/employees), how to handle personal data, what are the responsibilities of employees and how they can support the programme.
Of course, raising and maintaining awareness throughout the programme is vital, so when the time for more demanding pieces of the programme comes, the awareness will be in full swing.
3) Communication plan
There are different ways of raising awareness, but nothing can beat a good old strategic and targeted communication plan. Every organization is different, so the ways of communicating should be adapted to the people’s mindsets. Use emails, get creative with infographics, or visit different divisions' or departments' meetings to deliver a talk. Having a privacy day, booths, flyers, desktop wallpapers, quizzes etc., can also send a strong message.
A proper communication plan is a must. Programme goals, updates and milestones should be communicated regularly.
The rule is to keep senior management up-to-date when important milestones are achieved and when a project is completed (buy-in at the top!). But remember – less is more, so keep it relevant, short and effective. Other stakeholders may require more detailed information – keep in mind their roles and responsibilities, and how they could benefit from these updates. Keeping relevant stakeholders updated boils down to careful planning and the right information at the right time having in mind all of the above.
After the support from the top is obtained, the awareness is raised and maintained thanks to the carefully planned communications, the next step is a detailed gap analysis which will be addressed in the next article.
Ideas expressed in this article are personal views of the author and do not constitute legal advice.