5 ways to embed privacy compliance into your culture

Ensuring privacy compliance throughout the organization is essential for business success. Consider this expert advice to create a privacy-first culture.

After more than five years of leading Red Hat’s Global Privacy Program and overseeing its creation, growth, and maturity, I know what it takes to cultivate a culture of trust. Our associates, customers, and others are confident that we take privacy seriously, their information is safe, and we’re doing the right things.

Here are a few universal truths and tips I’ve learned.

1. Recognize that everyone plays an important role in a privacy-first culture

Every staff member works with personal information in some capacity. Privacy compliance is strengthened when everyone is aware of how to identify personal information, does their part to keep it safe and secure, and knows where to go if they ever have questions or concerns. A sustained focus on training, enablement, and best practices is important – not just during annual compliance training activities.

2. Get creative – use the tools you have to make improvements

Privacy compliance is a fast-growing area. Good privacy tech is available to help companies meet their obligations. However, I’ve had great success leveraging existing tools and adapting them for privacy processes.

For example, my team used an existing database of applications and assets to begin tracking privacy-specific information to improve our data processing records. We also recently launched a compliance tracking dashboard using systems already in use and widely adopted. If you already have something that does (or could) work, give that a try before looking outside.

3. Build strategic partnerships

Privacy is just one aspect of an enterprise compliance framework, albeit a very important one. Over the last few years, our privacy program has cultivated strong partnerships with Information Security, Legal, Product Security, Third-Party Risk Management, and Procurement. Taking a holistic approach to compliance and the work we do when assessing new initiatives helps ensure that nothing is missed and we are delivering even greater value to the company. Implementing this integrated model can be challenging, but the benefits are tremendous.

4. Recruit privacy champions and deputies

It’s important to have centralized management and governance to ensure that privacy best practices are followed and the framework is properly executed. However, embedding privacy in every organization (Finance, Sales, Engineering, Marketing, IT) helps scale the work of the Privacy program and drives greater awareness of how to follow sound privacy practices. It can also help with the adoption and enforcement of company rules, policies, and procedures. The compliance tracking dashboard we developed has a breakdown by organization. Each privacy champion can work with colleagues to address issues, close gaps, and improve compliance, further strengthening our compliance posture.

5. Make privacy a strategic imperative

Let's face it: Compliance work can often be seen as a nuisance or an impediment to moving fast. But reframing it as an opportunity to demonstrate to current and prospective customers that your company takes privacy seriously can be a competitive advantage and help win business – especially for companies subject to those obligations.

Having your house in order and affirmatively responding to inquiries about how your organization deals with privacy means you don’t have to scramble or get creative when those questions arise. If you take these steps, you will already be living in a privacy-first culture, positioned for greater success and for keeping the trust of internal and external stakeholders.

Organizations at every level of privacy maturity can use these tips to enhance their privacy compliance strategy. Each vector of the “people, process, technology” triple constraint is addressed, leading to a more holistic approach to being a privacy-centric organization. It doesn’t happen overnight, so I encourage you to enjoy the journey.

Clarence Clayton is Senior Manager of the Global Privacy Team at Red Hat, an open-source software and services company headquartered in Raleigh, NC. He has been with Red Hat since 2013 and leads a team responsible for the management, implementation, maintenance, and growth of Red Hat’s data protection and privacy program and ensuring the organization complies with global data privacy laws.