How to Build a Nimble Privacy Program: 3 Cornerstones

Privacy laws in the United States are a bit like a wave pool at a water park—they’re constantly fluctuating and just when you think you’ve got your footing, another wave comes at you to knock everything from under you.

While that can be fun on a relaxing day off, it’s not at all when you’re trying to establish or maintain a functioning and scalable privacy program. In fact, given how in flux everything constantly is, the prospect can even seem unrealistic.

All too often, you’ll have finally inventoried your data, built out your processes for assessing privacy risk, or settled on your approaches to any number of cornerstone privacy initiatives, and then—boom! Something major has changed, and now your privacy team is forced back to the drawing board.

As difficult a situation as that is, it doesn’t diminish the importance of maintaining our customers’ and vendors’ privacy—people expect us to protect their information, and they don’t care about ever-changing regulations. They just trust us to get it done, and so we must.

As we close out Data Privacy Week, we at Schellman wanted to offer some tips to help you do your best to stay on your feet within this wave pool of privacy laws. In this article, we will provide you with three essential tactics to help grow and scale your privacy program in a rapidly evolving environment.

You’ll learn how to stay ahead of potential setbacks, and perhaps more importantly, how to avoid expensive, clunky, or ineffective process developments that will inevitably set you up to get knocked down by the latest privacy wave.

1. Uncertainty: Expect it, and Plan for It.

Author Anthony Hincks once said, “if we wish to see where our future is headed, all we need to do is have a look at our past and that will tell us all the answers.”

This notion holds true in so many areas of life, but particularly for those in the trenches interpreting and managing the fragments of changing privacy law. We just said that we can’t predict the future state of privacy law, but there is one thing that we do know: the next “wave” will come.

And the good news is, we can plan for uncertainty.

Much like any other initiative, a privacy project cannot thoughtlessly follow a static set of project plans or criteria. Well, you could. But if you did, you might end up with a solid privacy solution but one that failed to recognize important variables that surfaced since you started the project.

Consider this: a privacy team set out to build the best Consent Management System (CMS). But by the time the CMS solution went live, the team quickly realized that China had released expanded scenarios pertaining to consent criteria in the middle of their build. Had they caught that early, they could have adjusted their direction. However, since they only demoed the final solution, they were unable to plan for or re-prioritize to accommodate the scope change. Obviously, you do not want to be this hypothetical privacy team.

There is, of course, no silver bullet to solve all problems associated with privacy-led scope changes. There are, however, a few points of consideration that can help reframe your generally legal-intensive and cumbersome project delivery styles into something a bit more flexible. Here’s what you should do to avoid being blindsided:

  • Always schedule demos (e.g., weekly, monthly) with your privacy stakeholders. Constantly expect to put your work on display.
  • Encourage and document feedback from key stakeholders.
  • Expect to reprioritize your project tasks regularly (e.g., in response to new developments in privacy law, new personal data collected, new organizational changes, etc.).

Practicing for uncertainty when there is none better prepares you for its inevitable arrival, and it’ll save you some rework and lost time.

2. Don’t Forsake Progress for Perfection.

Every privacy office dreams about the best combination of technology and process to help address its privacy issues. But the simple truth is, no such utopic place exists. Even the biggest tech companies struggle with budget and resource constraints, but we all still have that privacy obligation to deliver.

We get it—it would be so much easier if we all had the tech and processes readily programmed to take care of all of this for us. But in lieu of “perfect,” you do still have something to lean on that is arguably just as, or perhaps even more, valuable—a creative privacy team that is capable of solving privacy problems more immediately.

Why is that important?

  • Imagine that your inspired privacy team is now overseeing the roll-out of a privacy-centric and extremely complicated vendor evaluation process.
  • While ideally, this project would include varying degrees of automation to help simplify those extreme privacy conditions, you must work with what you’ve got—your team, a limited set of resources, and a known compliance gap.
  • Rather than wait on “perfect tech,” your team focuses on delivering the initial iteration of a maturable privacy solution: something that may be more manual in nature, but delivers tangible value (e.g., mitigates a known privacy risk).
  • To better illustrate this with real-world context: instead of waiting for customized software or purchasing an off-the-shelf service to mitigate an immediate risk, your privacy team launches an Excel-based tracking tool with manual questionnaires. Your privacy team plans to incrementally add automated functionality next, but is first focused on what can and must be achieved.

As said best by author and CEO of Scrum, Inc., Jeff Sutherland, “doing half of something is, essentially, doing nothing.” We can’t just wait for technology to advance to a point that will simplify privacy. An initial release of a solution can still do something that a half-done project can’t: deliver immediate value.

What does this mean you should do regarding your privacy program?

  • Embrace a “crawl, walk, run” methodology: take steps towards your goal if you can’t leap there.
  • Recognize that the “current state” of your privacy solution doesn’t have to equal its “final state.” Each subsequent release offers an opportunity for enhancement.
  • Functioning manual privacy solutions are better than half-baked automated privacy solutions.

3. Stay Ahead (or At Least Be Aware) of Privacy Trends.

We’ve just explained how we can’t expect stability in our space, nor can we wait for privacy law to catch up with the evolving technology space. We also emphasized the value of your privacy personnel’s knowledge, and that can be boosted by staying abreast of the latest privacy trends.

In fact, your people should be as in tune with these trends as Wall Street traders are with the stock market. To help expand their foresight (to help them “read the privacy tea leaves,” if you will), consider pointing your people towards the following resources that will give them the best fighting chance:

Bonus: Invest in Privacy Compliance.

We understand that it takes a lot of effort to stay afloat in the privacy wave pool.

Even as things remain in flux, there are still ways to get yourself some validation on the things you’re doing internally, and as we said in our second point, something is always better than nothing when it comes to protecting information.

The same is true for compliance. While there are a number of regulatory assessments out there, it’s also possible to have your privacy program evaluated against the base set of principles found in most privacy laws. That could be a good launch point for your program and a way to discern a better direction going forward.

Schellman does perform many of these assessments, and we’d be happy to speak with you if you have any specific privacy questions or concerns, or if you’d like to discuss your compliance options.

In the meantime, read our article on privacy in a pandemic—in it, our CEO, Avani Desai, discusses what important privacy elements you should not lose sight of during the extraordinary circumstances of the last few years.

About the Author

Kevin Kish

Kevin Kish is a Director of Privacy Compliance at Schellman. With 10 years of industry experience, Kevin has a strong history of implementing, maintaining, and assessing global information security and privacy requirements, including ISO 27001, HITRUST, Privacy Shield, and the General Data Protection Regulation (GDPR). As an industry advocate, he is passionate about researching and writing on the concepts of adaptable data privacy and providing education to clients on the risks, challenges, and best practices around data privacy legislation. He holds several privacy certifications from the International Association of Privacy Professionals (IAPP), including CIPP/US, CIPP/E, and CIPM.
