Moving Beyond Compliance to Data Trust: A Practical Guide for CPOs
New data protection laws have created an opportunity to establish privacy as a critical element in how organizations both build brand trust and achieve key business objectives by extracting more value from their data.
Chief Privacy Officers (CPOs) and their teams must:
- grapple with updating public-facing privacy notices and internal policies
- demonstrate compliance with data subject rights
- define procedures for third party data sharing
- follow reporting obligations as the regulatory requirements and privacy mandates evolve
CPOs can leverage this window of opportunity to raise the profile of privacy as not just another compliance exercise, but as a critical component in the broader corporate objective to establish consumer trust and extract real data insights.
How privacy teams address compliance is pivotal
CPOs can face an uphill battle without the right strategy in place. Unfortunately, the CPO is often not the strongest voice or most valued stakeholder in broader discussions about enterprise data strategy, data governance, and data protection.
Extensive energy and focus go into preparing for and adjusting to new regulatory requirements – and privacy teams don’t have consistent homes within large enterprises. They may report into risk, compliance, legal, or operational functions, whereas CDOs, CISOs, or CIOs typically have clearer reporting lines.
David Ray, Director of Cybersecurity and Privacy at PwC, and Heather Federman, VP of Privacy and Strategy at BigID, explore this on a recent IAPP webinar, Why Privacy Protection Goes Beyond Compliance. One key takeaway from the discussion is that how privacy teams address compliance is pivotal.
If CPOs can effectively direct budgets and corporate attention toward new sources of risk, they can establish a common framework and shared language for effective collaboration with stakeholders.
In order to do this, they need to prioritize understanding data and building data privacy intelligence over process, manual reporting, and workflows alone.
Improving corporate ability to realize trust in data
One example of effective collaboration is the intersection of data streaming and third party data sharing reporting requirements.
BigID’s approach to discovery and classification for data streaming technologies (increasingly used by development and analytics teams for both inbound and outbound transfers of personal information) bridges two objectives:
- For privacy professionals, data-in-motion classification and monitoring enables automation of third-party data sharing reporting (as required under CCPA, for example)
- For data analytics teams, understanding what—and whose—personal information is moving through data streams makes it practical to apply privacy compliance policies to, and implement standards for, the ethical use of personal information.
Equally, the CPO and CDO can partner on a privacy-aware data governance program. CPOs can help define what constitutes “personal information” as represented in a business glossary (like Alation or Collibra) and then leverage BigID’s data inventorying to:
- Align business terms with ML-driven data discovery and classification findings, enabling CDOs to easily determine which data can be utilized and which requires protection
- Automate application of data categories to personal information attributes as they are discovered across enterprise infrastructures
The outcome in both instances is an improved corporate ability to realize trust in data.
Taking the steps toward data trust
What practical steps can CPOs take to raise the privacy profile and play a stronger role in converting their companies to data trust pacesetters? Federman outlines the following steps:
- Define compliance processes that establish a baseline and underline the top corporate risks to the organization
- Align compliance obligations with corporate risk management by raising the profile of privacy through stakeholder engagement
- Underpin collaboration with IT, data, and security stakeholders by leveraging data mapping, data classification, and insight initiatives funded by compliance budgets
- Partner with the CDO to automate privacy compliance through continuous data inventorying, adding a privacy dimension and data risk perspective to data governance
- Extend and reinforce investments in data governance policies, business glossaries, and data quality with data insights from automated compliance programs
- Demonstrate the relevance of privacy risk through automated data discovery that keeps data maps “evergreen”
- Translate privacy risk into language that informs data analytics and app development strategies
- Leverage sensitive data insights, including personal information, to help security teams better identify data security risk hotspots
As PwC’s David Ray points out, “CPOs themselves must find ways to better communicate with their IT and technical counterparts—and articulate what value the privacy team can bring to the table through ultimately ensuring trust in data.”
Data understanding at scale
Privacy teams focused on integrating business context and data-driven privacy compliance can create a new foundation for their organization’s collection and use of personal data—one that supports and functions throughout the entire enterprise.
BigID helps build data understanding at scale, and enables organizations to generate sustainable privacy programs that adapt and respond to evolving regulatory changes. CPOs on this path can move beyond manual policies and processes toward meaningful collaboration with strategic functional areas like info security, data analytics, and data governance.
Watch the full webinar, Why Privacy Protection Goes Beyond Compliance, featuring David Ray, Director, Cybersecurity and Privacy at PwC and Heather Federman, VP of Privacy and Policy at BigID.