Elements of a Right-Sized Privacy Program: Customized
As mentioned in the prior post in this series, a strategically developed privacy program can help support companies in a rapidly changing legislative and enforcement environment. As part of taking a strategic approach, companies attempting to create a right-sized privacy program will want to customize their program to their company. Privacy and data security laws place bespoke obligations on companies. Privacy notices need to describe the company’s practices. Data security laws anticipate policies that are designed for the risks that the company faces.
To customize a program, the starting point is not taking an off-the-shelf policy or copying the approach of a competitor. Instead, privacy professionals will look at their organization’s strategic needs and weigh those against its strengths, weaknesses, opportunities and threats. (Yes, a SWOT analysis!) From there, a company could borrow from strategic management tools and take a “scorecard” approach, along the lines developed by Robert Kaplan and David Norton. Using this approach, the privacy office can think through what personnel and infrastructure it needs to reach the strategic goals it has set out. To help underscore the need for those resources, it can then reflect on what the impact will be on its “consumers” (i.e., the internal stakeholders whom it supports). Similarly, it can reflect on how having those resources will support the company’s financial goals.
Putting it Into Practice: Change management tools can help privacy professionals customize their approach and develop a truly right-sized approach for privacy compliance. This one-sheet can help your organization think through developing a strategic privacy approach.