This series by the team at Sentinel examines the rationale and benefits of building a culture of privacy in your organization by highlighting five organizational drivers that, in combination, can result in lasting change. In this final article, we’ll provide a look at how a culture of privacy can help organizations achieve their strategic goals. Find the first five articles in the series here.
New privacy and data protection laws and proposals pop up seemingly every day. Privacy stories make top headlines in the largest media outlets. Consumers are becoming more aware by the day of how their data is used and abused. Slowly but surely, the importance of data privacy is being brought into the light. And yet still today, many companies’ data privacy efforts revolve around chasing compliance with the latest law to take effect.
The result: Narrowly focused privacy programs that fail to address the foundational elements of good data stewardship and all the benefits it can bring.
What if there was a different way to approach this? We believe that breaking away from a purely compliance-focused program can deliver significant benefits if you’re able to make a case for a change in focus.
Designing your privacy program with an eye to your organization’s strategic goals allows you to respect the privacy of your customers while optimizing your data assets, providing a variety of benefits for the organization and its customers alike.
Unlocking value with strategic privacy
Teams that treat privacy as a compliance mission quickly become known for blocking the organization’s ability to generate revenue using data. We’re here to tell (or remind!) you that you can give your customers transparency and choice without compromising your bottom line — and, in many cases, helping to increase it. Some of the benefits you can realize from treating privacy as a strategic initiative are:
Increased customer retention and reduced churn
Study after study has shown consumers are willing to trade their data with organizations they trust. It’s not necessarily the case that consumers don’t want you to have their data; they just want to be told what you’re doing with their data and have some say over what happens to it. Gaining the trust of your customers will make them stick around and likely provide you with more data. And with that comes greater abilities to use and produce revenue from that data.
Reducing ‘reticence risk’
Having a greater awareness of the types of data you collect, appropriately managing that data and understanding the ways you may use that data in its various states can help ensure your information assets deliver business value. This can also help manage “reticence risk” in which people are scared to use data without understanding whether their plans even create privacy risk at all.
Trust as a competitive advantage
Privacy has become a true market differentiator. Consumers are more likely to do business with brands that have a good reputation for their data practices. Building a culture of privacy that respects consumer privacy and finding a way to leverage that to your advantage may put you at the top of the heap.
Legal defensibility
While we do not believe that legal compliance should be the end goal of a privacy program, it is obviously a very important element of one. Creating a culture of privacy in which you establish an organizational privacy posture, communicate it out to employees and reinforce it regularly will help to ensure you meet your current legal requirements and are prepared for whatever new laws or regulations come your way in a defensible manner.
Understanding your constraints
In creating a strategy around data use and privacy, it’s important to understand the boundaries of your playing field. Both internal and external factors work to create these boundaries. Here are some areas to investigate as you begin crafting your strategy.
Know your internal business practices and partners
It’s important to remember that “relationship” is a verb. It’s a doing word — not one and done, but an ongoing commitment. Because many parts of the organization use personal information, it’s important to have ongoing relationships with the groups that have the potential to create privacy risks and understand their strategies and priorities as you operate your program.
Within any organization, there are data users (e.g., marketing, sales, product) and data protectors (e.g., security, governance, privacy). Building and maintaining relationships with each of these teams and understanding what your business is doing in both areas will help inform you of your regulatory and contractual obligations as well as whether you’re meeting them.
Know your privacy notice
Your privacy notice is a legal commitment you make to your customers and others whose personal data you collect. It should outline the types of data you collect and what you do with that data. Reviewing your privacy notice will help you understand what you’re allowed to do with personal data and the kind of experience you’re providing for your customers. This is the face of your privacy program to the public, so make sure the experience is positive.
Know the true value of your data
If data is an asset, how much is it worth? Depending on the research you look at, between 73% and 97% of all data goes unused in organizations. Retaining all this data comes with costs and risks, retention and deletion decisions should be based on how valuable the data is to your organization. The true value of your data involves knowing:
- The cost to acquire, manage and use the data.
- The revenue that could be generated by the data.
- How long the data will be valuable to your business.
And remember, some data may be nearly as valuable to you in an aggregated data set as it is in its identified state, and deidentification reduces your risk significantly. Understanding the right balance and considerations requires privacy professionals to think beyond deletion as a binary choice.
Know your risk appetite
One hundred percent compliance with every data protection law that applies to your business is a herculean task, but is that really where your business wants to be? Because businesses think about risk in different ways, understanding and then prioritizing accordingly is a must. The risk tolerance at a tech startup will almost certainly be very different from a 100-year-old financial institution, and your program needs to reflect that.
Optimizing these constraints should be a key component of your privacy strategy, and maintaining a balance that feels right to your organization will drive your privacy operations. Conversely, if you don’t know the true value of your data and don’t have an understanding of the costs and constraints that come with processing it, your decision making will be fundamentally flawed, and you won’t be optimizing your data resources.
Now what?…
Privacy 2024 Recap – some significant decisions, slow progress for reform
The past year saw a few court decisions of note as well as halting progress toward privacy…