CEB Blogs



5 Steps to Introducing Proper Privacy Guidance

One to two employees and two to four months is all it takes to start providing useful privacy guidance to the whole firm

Despite the incessant media attention lavished on data breaches, data privacy is not always considered when company processes are discussed or – worse – redesigned. The healthy dose of fear about a data breach that exists in pretty much every firm these days hasn’t translated as quickly as it should into better business practices.

But in five steps, over eight to 16 weeks, data privacy teams can devise and implement a plan that will incorporate privacy into processes where it’s needed. And you can get it done with one to two full-time employees at no extra cost.

  1. Create a plan for providing privacy guidance: To get the ball rolling, make the business case. The project makes sense for your firm because it will:

    • Lower privacy risk by encouraging better decision making on privacy-related matters.

    • Allow privacy to spend less time reviewing business projects.

    • Give privacy greater visibility into business projects that involve privacy risk.

    When you have enlisted support from the appropriate stakeholders, come up with a plan to incorporate this advice into the relevant work of your colleagues. Generate a blueprint that articulates the steps, timelines, roles and responsibilities of the people involved in the adoption of privacy guidance, and use a project management tool to keep track of all the moving parts.

  2. Identify business processes that require guidance: Conduct a careful analysis to figure out which business processes really need privacy guidance. Start by requesting feedback from business process owners, privacy liaisons, and privacy staff to create a master list of practices that might benefit. You’ll need to whittle down from there.

    Trim the list by assessing the processes with risk-based criteria like impact, frequency, and velocity. Lastly, delineate all of the steps and decisions involved in the chosen business processes to find the best point at which to insert the support.

  3. Create self-service tools: Assess which processes require direct involvement of privacy staff and which don’t. Take stock of common tools — such as checklists and decision trees — and identify which would be most suitable to support a particular process.

    Use this as an opportunity to codify practices involving personal information so that company policies and legal requirements are applied consistently. To that end, you should create a “standard control matrix” for common projects. In this context, the term control refers to the subject or event requiring specific protocols, such as “consent” or the “dissemination of privacy program information.” And then, armed with this information, get started on building these self-service tools.

  4. Make it easy for employees to follow privacy guidance: Unless your colleagues actually use them, these tools won’t amount to much. Make it easy for staff by incorporating the tools into existing checkpoints.

    Spread the word about these new resources with targeted emails for different employee groups and for business leaders. And finally, teach relevant employees how to use the privacy tools by getting them included in existing training curricula.

  5. Keep track of implementation: Now that you have the machine up and running, you need to find a way to measure its effectiveness. Gather feedback from stakeholders, quantify it, and use that knowledge to inform a discussion about ways to improve.

    The business changes often, so remember to monitor the company landscape, and tweak your privacy guidance accordingly. To stay on top of this, gather user feedback periodically so you know when changes are needed.
