With CCPA going into effect recently and 19 more regulations pending in various states, many companies are grappling with the necessity to establish and maintain a privacy program within the organization. However, implementing a privacy program is no piece of cake.
With exponential growth in data over the last decade or two, most organizations are faced with very complex IT environments with massive and distributed systems containing structured, semi structured, and unstructured data. Among the many practical challenges in implementing a privacy program within an organization, here are a few common ones:
Slow pace of change within the organizations,
Technical challenges in implementing the program and
Sheer size of what needs to be handled
But it is important to keep in mind that with the bigger picture and focus on building the foundational blocks you can build an effective program overtime even with these constraints. However, if a good foundation is not laid, the expansion of the program will pose difficulties. Here are some common pitfalls to watch out for as you plan your program.
a) Moving Metrics- Legal, Privacy, IT and Business all have stakes in the process and need to come together for a successful implementation of the program. I often find these departments working in silos. This results in duplicated effort and a lot of misinformation and inefficiency. This is especially true with the “business”, there is a lack of interest in engaging the business in these compliance efforts. The business users are the real stewards of this data and one cannot bring fundamental change or sustain the compliance efforts without engaging with the business.
It is important to fully understand all that is being tracked and measured within these functions and how it relates to other metrics measured within the organization. Any gaps or inconsistencies in the metrics between these functions need to be resolved upfront. For example, privacy teams typically look at the impact of a business processes within the organization. It is important to understand the underlying systems that are part of this process. Doing so will fundamentally help to leverage other information captured around third-party vendor review or contract management to obtain deeper insight at an organizational level. Fundamentally, if a little bit of thought is to be put into how these things come together the impact from these disparate smaller initiatives could be much higher. It would otherwise lead to data and program silos.
b) Technology - Given the magnitude of what needs to tackle within these programs, Technology, needs to be leveraged the right way can help scale the program. And there are a number of great tools in the market.
While the traditional definition of PII would only include Social Security Numbers, Driver’s License, Credit Card Information etc. the current definition of PI is much broader and includes IP address, Geo location data, Behavioral information etc. Search algorithms and regular expression pattern matching will not very effective in identifying these types of PI. It might be necessary for the tools to have AI or Machine learning capabilities to be effective at identifying the PI. Some thought on the right algorithm and how to train these systems would go long way in ensuring successful implementation of these technologies.
c) OnPrem Data vs Cloud and Third-Party Providers
It’s important to also understand the various data sources within the company. One must rely on careful planning and might have a deploy several methodologies to get a comprehensive view of all the sources of data, how the data gets created, flows both inside and outside the organization. Most companies have data within the Cloud and with a number of third-party service providers and partners. This part of the equation is usually forgotten and often overlooked. It is important to document these providers and have a clear understanding of the type of sensitive and confidential providers in possession with these service providers. It is important to also have some perspectives on how these systems that’s the outside the scope will be covered within the overall program.
Organizational Silos, Politics and Lack of Appetite for change sometimes forces us to make short term decisions that might not be ideal. It is imperative to be practical since that is the only way to move forward. But it is also important to make sure we don't make decisions that would cripple the organization’s ability to build a sustainable program in the long run. As we embark on this long and important journey, it is essential to keep these fundamental thoughts as our north star. It’s a Marathon and not a Race
There is no way to achieve perfection when it comes to compliance with these privacy regulations. It’s about adopting best practices and becoming better stewards of PI that’s been entrusted with these companies While it’s important for all project to have start and end dates and for a completion criterion the end goal here is changing business process for a sustainable future. Keeping that long term in mind is very important.