4 Oft-Overlooked Ways to Tighten Up Your Privacy Program

Given the upcoming GDPR, privacy and compliance are top of mind for organizations around the world. We’ve been posting quite a bit these past weeks about Microsoft’s approach to setting up data governance. Now, here’s a complementary take, this time from Gartner. They suggest four tactical ways to improve your overall privacy management program.


Common challenges

When it comes to privacy, organizations tend to face these challenges:

  • Ownership: IT leaders often shoulder the burden for the program. But really, it should be a collaborative approach that touches every area of the business.
  • Bolted-on solutions: Leaders often choose third-party solutions to help with privacy after the fact. This means that privacy solutions are often bolted on as an afterthought, rather than smoothly integrated with an existing workflow.
  • Employee privacy: Organizations can find it hard to enforce privacy controls internally. With all the focus on customer-facing privacy, it’s easy to overlook the risk of employee privacy issues.
  • Communication: Organizations tend to update the privacy messages on their websites and apps before their people, processes, and internal controls are ready to fully support the policy.

Here are the ways Gartner suggests you can tackle these challenges.

Assign business owners

In many organizations, IT becomes the default owner of data privacy. After all, IT usually sources or builds the software that can help make privacy happen. But the key word there is help. Software alone isn’t enough to ensure data privacy. You also need people and processes in place throughout the business to keep privacy top of mind at every step where personal data is collected, used, or stored.

To address this, put accountability where it belongs by assigning specific owners from your business units, particularly any teams who handle customer or employee data. This way, IT becomes more of a neutral guide to privacy. They’re no longer on the hook to make it happen on their own.

Set privacy requirements for vendors

IT should put together a list of “must-have” privacy requirements for any internal software, third-party software, or vendors, either new or already in use. That way, when business units are choosing software or vendors, they have guidelines to follow. These guidelines should include things like security controls, privacy management, certification, and audit rules.

Expand your scope to include employee data

Keeping data private is not just about customer data. It’s about keeping employee data safe, too. This includes your human resources records and any other data you hold about your own people, such as monitoring and access logs. Gartner has found that when employees are worried about privacy, their productivity can go down by as much as 50%.

As an example, take a look at how your organization logs employee actions. Do you log every action an employee takes on their devices? Have you told them that you do this? Who can read those logs, and how long do you keep them? Does the data linger in your systems long after an employee has left the company? These are the types of things to think through, decide on, and communicate about.

Know that you’re doing what you say

As Gartner so pithily put it: “A privacy policy should never be window dressing.” This is sure to come up often with the GDPR, which requires companies to be more transparent about how they store and use personal data. But communicating is only half the battle. It’s easy to publish a new privacy policy on your website. It’s a lot harder to be confident that your organization is living it out in practice every day.

So you should control first and communicate after. Wait to update your privacy policy until you’ve set up your people, process, and tools for success. Then, after your privacy policy is in place, don’t let it sit there collecting dust. Make sure to review both your internal and external privacy policies at least every 12 months. And certainly when you’ve changed something that could affect your privacy risk.

Get a better platform for data privacy

We at Binary Tree are doing our part to help our clients protect the privacy of their customers and employees. If you’re not there already, we can help you move to Office 365, which helps you:

  • Find and catalog the personal data in your systems
  • Build a more secure environment
  • Simplify how you manage and monitor personal data
  • Get tools and resources to meet reporting and assessment requirements


Source: Gartner. Include Four Key Components to Complete Your Privacy Management Program. December 2017