Step one: don’t delegate it to the intern in the IT department.
Building a solid Privacy Team inside of your company can be challenging, particularly when no one understands why you are doing it. In this episode of “Are You DataSmart?”, the Ward brothers outline proven approaches to building a Data Privacy Team and how to ensure that your entire organization stays aligned.
Jay: “Are you DataSmart?” A weekly podcast on data security, information management, and all things related to the data you have, how to protect it, and maximize its value. I’m Jay Ward.
Christian: And I’m Christian Ward. Today, we’re gonna discuss…well, building a privacy team, data privacy team within your organization. Jay, there’s a lot of materials out there on how to do this. I think in our experience, something pretty fascinating is every organization is quite different. And so, while there’s some great resources, and we’ll talk a little bit about the IAPPs, U.S. management program, which outlines a lot of the ways you can do this. We’ve also just found this is pretty different in every organization.
Jay: Yeah, I think a lot of this depends on the organic development of the team that’s in place already. You know, there’s always fiefdoms at any company and there’s always subject matter experts. And I think you have to be careful about having too rigid of an approach to developing a privacy team because in the end, the goal is to get as much buy in as possible. Because this is as much a philosophical and strategic question as it is an operational and pragmatic one.
Christian: Absolutely. And as we’ve worked with several companies that are looking at not just GDPR, but all of the potential items around privacy, one of the things that we always talk to the senior management about when meeting with them to set up a team like this is they really need to start with why. A lot of the…I love that book, it’s such a great, you know, initial thought process that companies need to do. But starting with why from just a general perspective of why are we even doing this? There’s a couple things that almost immediately happen, which is for senior management to really get down a few layers into the weeds of the actual systems that they use for their business, they need to align those people to an overall vision. And I love…you know, you’ve often said that the real goal of all these laws revolves around transparency and accountability. And that those are the two major things that each of these laws are going for. And I think it’s just a great way to organize one’s thoughts to present to a team or members of the team on hey, why are we doing this? Why is this particular company at this particular time setting up this particular team? I think, you know, transparency and accountability are a great way to start.
Jay: I think they in many ways are the why of what we’re doing. And from one perspective, the why is we need to be transparent and accountable, and in a similar way, the why is this is what consumers are going to expect. This is what our clients and our customers are gonna expect. And it’s also helpful because when you approach team members, you can come in with a non-adversarial approach when you’re building it out. I’m not coming to you saying, “Hey, we need to revamp some of our practices, because I think you’re, you know, siphoning off social security numbers and selling them on the dark web. If you are, give me a cut.” But it’s more like, look, we do some things well, we have some areas that we could do better. But the idea of sort of philosophical approach of why are we doing these things. There’s also the business case. And this is something that the IAPP really drills in on in some of their guides. And they’re worth reading. But the development of the business case is really the first step of this process.
Christian: Yeah, but you’re talking about ROI, really, right? So, you know, the business case, so let’s say it’s a marketing company that focuses on law firms, and they help them with their digital marketing. Those companies have a ton of data assets not only about their own customers, but eventually, about the customers’ customer, and so, they’re sitting on a lot of data. And so the ROI question has to be part of this. Because to take the time, the resources, the team members’ time, and to dig into all of your systems and how you manage and access your clients’ data and their clients’ data, it has to come back to making, you know, a return on the investment. And so when we think about the business case, and I think the IAPP like you said, they outline it. But the business case really comes back to, number one, how do we prevent the loss of the data, or a breach, or if we had a breach, how do we respond to it to maximize the shareholder value in the company itself? Because as we’ve seen, market cap losses, public and private companies is pretty amazing, given a breach, or at least a mishandling of data. But secondly, I think there’s an opportunity here where the ROI starts to be in that you actually market the fact that you as a company have put the time and investment into improving your people, your process, and your systems to be compliant and to help your customers be compliant.
Jay: Right. And what you can do is that’s part of the ROI is we’re expanding our appeal to new consumers, to new markets, to new partners. Because it may not be the case that right now, people put the security of my information, the transparency with which I’m tracked at the top of their list. It’s probably price, convenience, location, 17 down the line, you know, the layout of the website, and maybe below that, data security. But I don’t think it’s always gonna be that way, and in fact, I think it’s changing at a really rapid rate.
Christian: I feel it’s a lot of the way people rate their airlines these days, that they’re sort of like, “Well, the seats are a little too thin, less leg room, and the in-flight entertainment is terrible on this one.” I’m like, “Wait, does it fly? Does the plane fly?” So, I know we’re not talking about it, but number 17 is pretty important. We just sometimes forget that that’s the most important part.
Jay: Sure. It’s a perspective question and I think it’s one that’s shifting. I think the perspectives on this are shifting. So, when you frame the issue because that’s what you have to do at first with leadership say, look, we’re not just doing this, this isn’t a cost center. This is about developing a plan that will not only keep us compliant, but will also allow us to expand our footprint and appeal to people who really do care about these things.
Christian: Right. So, let’s jump into them. So, how do you set up the team? So, the first thing we witness and this comes from a lot of different management texts, but as we said, I think the IAPP CIPPM is at the…
Jay: Yeah, the CIPM.
Christian: CIPM is the optimal one that goes through this, but you start with the initial kickoff of the senior leadership. Why? Well, we found that in most businesses, particularly ones that are focused on revenue and expenses in different organizational charts, there’s a lot of siloed data, and so you’ve got to get leadership buy-in across the company. So that really starts with the CEO, and hopefully, the CDO and CIO. But it really does start to touch into the actual operations of a business. So getting the revenue heads or the CRO to really buy in. It will be a little disruptive for them to start, because some of the ways they may potentially handle customer data today, some ways, you know, that the seller scrapes their Salesforce sheet into a Google Sheet, and it’s got all the private data of each customer.
Jay: He emails it to his own personal email account.
Christian: Yes. He emails it to his personal account and they’re like, “No, this is so much more, you know, helpful to my daily process.” We’re like, “Yeah, we get that.” You can’t do that. And if you need that, then let’s talk about how to get you a processor system that is compliant for that. So, there’s that part, right? So, getting the buy in across the organization. Where I think it’s pretty fascinating is sort of the next step down which is let’s say you have that group, the leadership team, and then you get into really a working group or, you know, you can name these a number of different things, but your data compliance or data privacy working group, and who do you pick to be in that? Because we found that’s where some of the best opportunity comes from, and some of the best knowledge resides within an organization.
Jay: And I think it’s because you’re talking about people who daily interact with the systems that are touching the data. You know, they’ve had to develop the competencies. If they didn’t have them when they started, they’ve now figured out how to be even better than what the manual will say, you know, lots of businesses have their Salesforce guru who knows how to get everything that they need. But that level of leadership, I think it’s akin to saying the first step is talking to the CFO, but this step is talking to the VP finance. And I think that’s the type of, you know, still senior, still has a lot of responsibility, but it’s also really in the weeds, talking…you know, they have their hands on a lot of different things and ownership at this working group or the operations group level is really important because you not only bring…if you’re building this team yourself, or if you’re part of this team, you’re not only going to have your knowledge base, but when you collaborate together with people who can say, “You know what? I’ve actually seen this system do X or Y.” It will trigger, you know, your ability to recognize patterns or your ability to recognize opportunities.
Christian: I really enjoy the conversations with the senior leadership and then that one runged [SP] out at VP. But we’ve also, and I highly recommend this to anyone thinking about building your own data privacy team or a team focused on your data strategy across your organization, is actually go another rung or two lower. So, the person actually running the software and the system, so not even that sort of middle manager, but the person really on the front line managing it. As you said, their knowledge or expertise of how to make their platforms and our systems jump is really helpful. But also I found that these people tend to feel as though they have a lot of value to provide and this gives them visibility back up, you know, managing that leadership up. And we found, you know, again, very helpful, intuitive bright people, that couple layers down, to really drive the working group so much so where I think that sort of middle layer sometimes tries to direct you as to which of those people should be on the team. Sometimes that’s helpful, sometimes it’s not. But that’s really the group you wanna get to.
So, now, what we’re talking about is we have the top buy-in from the executives across the board, including revenue. Again, can’t stress how important that buy-in is from them. But then taking a step down, getting that middle management layer to almost get your people that are below them that know the systems cold. And by the way, I don’t just mean IT systems or corporate tech systems. That stuff is critical. It’s definitely part of the component, but you’re looking for a balanced team across the whole organization. And one other thing about organizing that working group down below is you really don’t wanna say this is set in stone. These are the people, it’s these 12. What you’re really looking to do is having a rotating schedule of, hey, this week, we’re doing this department, this week, we’re doing this department. Interview each one of them and then have them come to normal meetings. But they don’t all need to be pulled out of everything they’re doing every week.
Jay: And it saves on the stress on their time drawing their time.
Christian: Absolutely, absolutely. Because eventually, you know, you’re really asking these people to be part of the solution, which means documenting, explaining, getting process controls in place, understanding, you know, role-based access controls at each software practice. But that’s a different question in the finance department than it is in the marketing department. It’s a different question of scale. So, you may not need the finance person, you know, every week. You may need the marketing person or the ad sales buying person because they’re dealing with massive audience data sets, potentially, or customer data. That’s the type of thing that you have to make the call on. I think it’s good at least once a month for both teams to get together. But I think the working group has to be far more flexible.
Jay: I think the way to approach this is you’re talking about the operations of your company, your company doesn’t operate by running the IT department, it doesn’t operate by running the finance department. It’s in the business of doing business. So, the people who are touching your systems and responsible for oversight of how your business works, they need to be a part of this. And as you said, it’s a great opportunity for talent identification, and to sort of build expertise and privacy matters so that in 10 years, you’re like, “Wow, I know exactly who’s gonna be on our privacy leadership team this time.”
Jay: So, what about some of the challenges? I mean, that all sounds great. But what if you’re in a position where you have, you know, a segmented approach, the data that controls, or you have people who don’t really believe in what you’re talking about? What are some of the challenges that you identify?
Christian: Yeah, what’s the famous quote, “No plan survives first contact with the enemy,” something of that nature where, you know, you get going with, “Hey, we’re gonna have this great committee and this is how we’re gonna solve this problem.” I think generally, the biggest challenge comes in where you have different divisions that feel that they’re operating fine, and they don’t really need to do this. They feel like they have decent controls. And it can be hard sometimes to get them to unlock or to open up. So, that’s step one. That really can only be solved from the top down, really getting them to either comply or be excited about the ROI potential down the road that, once again, gets back to that starting with the why. Making sure the company understands that eventually, this is something that can be marketed to future customers as a reason to do business with the company. So, really a marketing benefit.
But the other real big problem that we see generally is there’s just so much out there. There’s so many different platforms and systems that people have access to. And as we’ve said, you know, in the DataSmart Method, we always talk about identify, value, structure, protect: the four steps of getting through and building a cohesive data strategy. It’s what the book is all about. But ultimately, the difficult part can be, well, as you’re identifying all the potential systems is, you know, where do you start? How do you prioritize? And really, we cover that in the value section. But I’ve always found the people that are in the working group tend to have a very different opinion as to what’s really important than what senior leadership might. So, sometimes, getting the two of them together is what we’re finding, you know, can be a real challenge.
Jay: Well, and the interesting thing is, this is not something that typically happens in those companies. You’re not seeing these sort of working collaborative groups from top management and from the people who are really day-to-day upside. And so it doesn’t really fit in with the corporate model. You know, there’s…I don’t know if there’s a leverageable synergy there to use the appropriate language because it’s corp speak, but it’s so important to do it. Because if you don’t, what you’re gonna get are siloed data streams and with one person in charge of them, no ability to communicate across data sets, or crosswalk data sets. You’re gonna find that there’s a lot more resistance to implementing controls and change because it’s perceived as a threat to the control over the way the systems work. And you’ll see fragmented approaches to systems and operations. You know, this is the way that we do things in my department, and that’s why we do it. Well, you know, that’s understandable. That is organizational nature. But when it comes to management of data, not only from the compliance side, but just from the pure business case, like, how are we going to make the most of our data and do it well? You have to avoid those things and you need to be on your guard for them from the very beginning.
Christian: Another issue that I know we’ve seen, particularly a couple of the clients that we work with is, the third data, third-party data contracts and relationships. So, something else to really keep in mind is in the identification phase, you’re not just looking for your own data sets and your own systems, but you’re really trying to identify where is all of your data going or potentially being mixed or mingled with by third parties? It’s kind of astonishing at this stage of the game, it is so easy to just test out various systems to take a look at your audience or improve your data quality. Lots of reasons to do these partnerships or do these contracts with third-party vendors.
Jay: But as soon as you do this, they have your data.
Christian: And you have shared it and they have…you know, that has its own ramifications of what can they now do with your data? And did you really read that contract? Because a lot of data quality or append platforms, when you give them your data, they can kind of take a sneak peek at your data and improve their own, so they’re now using your data. So, that is something else that we see across an organization which is fascinating is division A, division B, and division C don’t realize they all do the same thing. They just happen to choose five different vendors in each one and so that can also lead to quite not a difficult discussion, it’s an opportunity really. But streamlining that process through one or two vendors versus, you know, 20 vendors, not only do you get better control of your data, which is a compliance privacy issue, but you really usually can get a better scale operation with better terms and better access through just a couple vendors.
Jay: Well, now, your spend on each vendor has increased substantially and so, they’re gonna proportionally love you more.
Christian: Yes, and one last thing I’d say as we wrap up building our privacy team is, one great thing we’ve also seen is allowing the team, really, the working group to come back and do the presentations to the greater company. Explaining here’s where we started, here’s what we found. So, letting them know early on that they’ll be part of the key presentation because as I said, not only is it an identification of talent, but it’s also showing the company that this is not just a management-led, or a legal, or a compliance which can sometimes have the aroma of complete boring. This is really about the operators taking control out for having transparency and accountability as part of their everyday jobs.
Jay: That’s actually the cologne that I buy.
Christian: That’s terrible.
Jay: So, I think what we are pointing at here is the idea that this is an opportunity. It’s something that needs to be done, but don’t treat this as, you know, a trip for a root canal. This is really an opportunity to achieve savings, to grow your revenue, to be compliant, but also to find ways to improve your operations and to do it in a way that’s data smart.
Christian: Excellent. Well, thank you for joining us. We look forward to speaking to you next week. I guess we should mention also we’ve taken a few weeks off for the summer. Hope everyone’s had a great summer and we’ll get back to the regular weekly podcast. Thank you for listening to “Are you DataSmart?”
Jay: Thanks again.