With CCPA having gone into effect and 19 more regulations pending in various states, many companies are grappling with the necessity to establish and maintain a privacy program within the organization. However, implementing a privacy program is no piece of cake.

With exponential growth in data over the last decade or two, most organizations are faced with very complex IT environments with massive and distributed systems containing structured, semi-structured, and unstructured data. Among the many practical challenges in implementing a privacy program within an organization, here are a few common ones:

1. Constrained budget,

2. The slow pace of change within the organizations,

3. Technical challenges in implementing the program and

4. The sheer size of what needs to be handled

But it is important to keep in mind that with the bigger picture and focus on building the foundational blocks you can build effective programs over time even with these constraints. However, if a good foundation is not laid, the expansion of the program will pose difficulties. Here are some common pitfalls to watch out for as you plan your program.

a) Moving Metrics- Legal, Privacy, IT and Business all have stakes in the process and need to come together for a successful implementation of the program. I often find these departments working in silos. This results in duplicated effort and a lot of misinformation and inefficiency. This is especially true with the “business”, there is a lack of interest in engaging the business in these compliance efforts. The business users are the real stewards of this data and one cannot bring fundamental change or sustain the compliance efforts without engaging with the business.

It is important to fully understand all that is being tracked and measured within these functions and how it relates to other metrics measured within the organization. Any gaps or inconsistencies in the metrics between these functions need to be resolved up front. For example, privacy teams typically look at the impact of business processes within the organization. It is important to understand the underlying systems that are part of this process. Doing so will fundamentally help to leverage other information captured around third-party vendor review or contract management to obtain deeper insight at an organizational level. Fundamentally, if a little bit of thought is to be put into how these things come together the impact from these disparate smaller initiatives could be much higher. It would otherwise lead to data and program silos.

b) Technology - Given the magnitude of the needs within these programs, Technology, leveraged the right way can help scale the program. And there are a number of great tools in the market. While the traditional definition of PII would only include Social Security Numbers, Driver’s License, Credit Card Information, etc. the current definition of PI is much broader and includes IP address, Geo-location data, Behavioral information, etc. Search algorithms and regular expression pattern matching will not be very effective in identifying these types of PI. It might be necessary for the tools to have AI or Machine learning capabilities to be effective at identifying the PI. Some thought on the right algorithm and how to train these systems would go a long way in ensuring the successful implementation of these technologies.

c) OnPrem Data vs Cloud and Third-Party Providers

It’s important to also understand the various data sources within the company. One must rely on careful planning and might have a deploy several methodologies to get a comprehensive view of all the sources of data, how the data gets created, flows both inside and outside the organization. Most companies have data within the Cloud and with a number of third-party service providers and partners. This part of the equation is usually forgotten and often overlooked. It is important to document these providers and have a clear understanding of the type of sensitive and confidential providers in possession of these service providers. It is important to also have some perspectives on how these systems that are outside the scope will be covered within the overall program.

Organizational Silos, Politics, and Lack of Appetite for change sometimes force us to make short-term decisions that might not be ideal. It is imperative to be practical since that is the only way to move forward. But it is also important to make sure we don't make decisions that would cripple the organization’s ability to build a sustainable program in the long run. As we embark on this long and important journey, it is essential to keep these fundamental thoughts as our north star. It’s a Marathon and not a Race.

There is no way to achieve perfection when it comes to compliance with these privacy regulations. It’s about adopting best practices and becoming better stewards of PI that have been entrusted with these companies While it’s important for all projects to have start and end dates and for a completion criterion the end goal here is changing the business process for a sustainable future. Keeping that long-term in mind is very important.