Stop Passing the Privacy Hot Potato

Author: Dr. Lisa McKee Ph.D., CISA, CDPSE, CRISC
Date Published: 13 July 2022

The privacy function remains relatively new at most organizations. While the implementation of major regulations such as GDPR and CCPA in recent years helped elevate privacy’s stature, many organizations are still in the mode of, “I have to do this thing, but I don’t really know what this thing is, or how it will impact my organization.”

That leads to a problematic game of hot potato as companies wrestle with where privacy fits in their organizational structure. Is privacy a standalone function? Should it be combined with security or compliance (or security and compliance!)? Does it fall under legal?

There is much to consider, but first, it’s important to recognize there are multiple components to privacy. While security is predominantly rooted in technology, privacy has technical components but also incorporates legal elements. That’s where some of the hot potato ambiguity comes into play: does the company have an internal legal department, and does the legal team have knowledge of privacy principles? The answers to those questions are key variables in determining where privacy fits in the organization. I’m a technologist through and through who started my career as a developer. While I have a deep understanding of privacy regulations, I’m not a lawyer. When companies are closely scrutinizing whether a certain law – or aspect of that law – applies to them, it is best to defer to the legal team that has a deeper command of scope and jurisdiction. So, putting privacy into a compliance function that has both legal representation and technology representation is probably the best approach.

I’ve worked through these and other considerations in my relatively new role at Hudl, where I’ve had the chance to build a privacy program from scratch – which is a fantastic opportunity, albeit a bit overwhelming at times. At Hudl, privacy falls under compliance (which is often part of risk management). In my view, this makes the most sense for many organizations because privacy is a compliance obligation. Among all the rules and regulations that organizations have to adhere to, privacy is one of those key components. Oftentimes, though, privacy is layered onto the existing security function, and can even be further combined with compliance – many small and medium-sized companies are just starting to address privacy. Smash together all three of those roles and you get what I call ComPriSec, the convergence of compliance, privacy and security. Fortunately, at Hudl we also have a legal department responsible for the legal aspects of privacy. Privacy is a team effort!

Ultimately, there’s no one right answer – having some sort of plan for privacy work is better than nothing, and where privacy fits best is largely dependent on the size and structure of the organization. We know that security can stand on its own, but privacy cannot – it needs the support of security and technology. When privacy is lumped together with security, that can work, provided the teams are collaborating effectively and privacy is a true consideration in the security team’s efforts, not an afterthought. If solid solutions are being implemented that meet both security and privacy needs, that’s a win for everybody.

Before arriving at their optimal state, organizations need to be willing to have these conversations to work through their unique variables and understand what challenges lie ahead. I recommend starting with a privacy inventory, which companies often fail to do – or do inadequately. There should be an inventory of data, vendors and applications – we have personally identifiable information (PII) all over the place in our organizations, often in places we don’t realize it exists. Companies should also have a Compliance Footprint – a list of all the legal, regulatory and contractual obligations, standards, and frameworks the organization follows. Once the organization understands its privacy obligations and the inventory, it can conduct an assessment. This was the focus of my dissertation research and the topic of my presentation at last month’s RSA conference. Companies can determine their needs, conduct the assessment, develop solutions to the issues identified and monitor for changes.

Figure: Privacy Assessment Methodology

It’s important for organizations to start somewhere, even if they feel like they’re behind the curve. This relatively newfound enterprise focus on data privacy isn’t going away. Privacy imperatives did not end with the introduction of the GDPR or CCPA regulations – in the last year and a half, we’ve had several additional US states consider privacy laws, as well as proposals at the federal level, and these dynamics are playing out similarly around the world. Companies are beginning to realize that privacy is the foundation of the organization – without it, you can’t have trust and you won’t maintain customer loyalty (not to mention the potential to be walloped with hefty fines for breaches and compliance failures).

It’s exciting to see this fascinating field start to garner the attention and resources it deserves. It’s a great time to be in privacy because privacy professionals are in high demand and companies are ready to devote resources toward building privacy programs that, in many cases, they are only now learning they must build. But recognizing the importance of investing in a privacy program only goes so far. As this field matures, companies need to stop playing hot potato and take a strategic approach to integrating privacy into their operations.