
Privacy and operational alignment

Opinion
Feb 25, 2016 | 6 mins
Business IT Alignment, Privacy, Security

To be effective, a privacy program needs to be aligned with business goals and objectives as well as with how those objectives are being met through the organization's daily operations.

Standing in line at a restaurant a few weeks ago I overheard a teenager tell a friend about a parking ticket they had received. The teenager’s complaint was that they didn’t know they couldn’t park where they did. Whether they missed a no parking sign, were too close to a hydrant, or some other violation doesn’t really matter. As the old saying goes, ignorance of the law is no excuse.

A few days later I was discussing privacy accountability and responsibilities with a client. Within their organization, the privacy officer was expecting the operational areas to perform certain activities. These tasks allowed the business to remain compliant with both regulatory requirements and the organization’s privacy policy. Unfortunately, the activities were not being executed. The operational department did not understand that they had a responsibility, so ignorance was the excuse. The privacy and operational areas were just not aligned.

Privacy and operations

Most discussions surrounding a privacy program and business alignment revolve around the goals and objectives of an organization. Naturally a privacy program should support (and influence) what an organization is focused on achieving. How a business is going to achieve these goals is left to the operational areas.

Privacy is often pigeon-holed into an oversight role. The privacy team frequently finds itself in the reactive role of policing the activities of the various operational areas of a business. It is true that a privacy program should have policies and standards defined to provide guidance to the operational areas for their activities, but often these are high level and somewhat vague, leaving the operational areas to figure out how to comply with the policy on their own. If an operational area gets it wrong, then the privacy police swoop in.

This approach wastes valuable organizational resources. Time, labor, and money have all been spent defining a process or product that cannot be used, and more time, labor, and money will be spent fixing the issues.

Achieving alignment between a privacy program and the operational areas of a business can stop the issues before they happen.

Delegating operational responsibilities

There are two steps to consider to achieve operational alignment. The first is to identify the activities for which the privacy program is being held accountable. The responsibility for each of these activities may be delegated to an operational area to execute. Most importantly, the responsibilities must be clearly communicated to the operational areas by the privacy team.

One approach to achieving this is to start with one of the many free privacy frameworks that are available. By using an industry accepted framework you get an independent view of what activities should be included in a comprehensive privacy program. You can quickly identify which activities from the framework are included in your privacy program. If there are activities in the framework that are not part of your program, you now have a chance to decide if that activity is applicable and should be brought into the program at some future time.

The next step is to identify the operational area within your organization responsible for executing each activity you have selected. Often more than one operational area has responsibility, albeit with a different scope.

For example, an activity such as “Define procedures for protecting personal information when transferring data outside your organization” may involve IT for electronic transfers, but may also involve individual business units for the transportation of hardcopy documents. Of course the privacy team may also be involved in defining the minimum standards to be met by the defined procedures.

With the activities identified and responsibilities assigned, a comprehensive list of activities to execute may be created for each operational area. I would recommend that the activities be presented in a meeting so that any clarification of the activities may be provided to the operational team. A meeting will also provide an opportunity for the operational team to raise any concerns they have with some of the assigned responsibilities. Ultimately, you will want to get an acceptance of the assigned responsibilities from the operational team.

Ongoing alignment

The second step is to define a mechanism by which operational alignment is maintained as your organization evolves. New processes, technologies, and products and services will be introduced. Mergers, acquisitions, and divestitures will occur. As the business changes operations will change, but the operational alignment the privacy team has achieved must be maintained.

One approach is to establish a Privacy Impact Assessment, or PIA, process that reviews the effect of changes to the collection, processing, and protection of personal information by an organization.

For example, let’s assume that a new project is being undertaken to create a mobile application for your business. A PIA would identify what personal information is planned to be collected by that new app and how it is going to be used. The PIA process would assure that all collection and processing is compliant with the organization’s privacy policy as well as regulatory requirements.

As the project evolves, the development team may decide to collect location information. Since this has never been collected by the company before, there is no policy covering the collection and processing of this type of information. A second PIA would alert the privacy team that a new type of information is being collected and guidelines may need to be established.

While a PIA is reactive, a more proactive approach is Privacy by Design (PbD). PbD is an approach to embedding privacy into the design of new products, services, and business practices. It identifies privacy requirements early in the development process, just as any other business or functional requirement would be included. PbD encourages keeping the user in mind during the design phases of the project, including making the protection of personal information the default.

Using PIAs and PbD together within your organization will help assure that the privacy/operational alignment is maintained.

The privacy team is in a unique position

Through the process of achieving operational alignment, the privacy team has the opportunity to see all phases of a business and to understand how personal information is used in each area. As new business initiatives are undertaken, the privacy team will assure that an organization remains in regulatory and policy compliance, but the team's breadth of knowledge can also be used to harmonize operations and potentially increase efficiency in the operations themselves.

Contributor

Bob Siegel has extensive professional experience in the development of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity, and the evaluation of compliance. He has extensive experience with PCI DSS and Safe Harbor and has deep subject matter knowledge surrounding key laws and regulations regarding consumer privacy and information security.

Throughout his career Bob has worked with computer applications and business practices that guard personal information. In addition to developing these systems, he trained employees to use them properly and efficiently. As the collection of personal information has increased, he has developed new approaches to help his organizations protect their sensitive data (both electronic and paper-based).

Bob is a Certified Information Privacy Professional, awarded from the International Association of Privacy Professionals, with concentrations in US Law (CIPP/US), European Law (CIPP/E), and Canadian Law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Technologist (CIPT). He is a member of the IAPP faculty and has served on the Certification Advisory Board for its Certified Information Privacy Manager (CIPM) program as well as the Publications Advisory Board. He was also recently awarded as a “Fellow of Information Privacy” by the IAPP.

Most recently, Bob served as senior manager of Worldwide Privacy and Compliance for Staples, Inc., where his responsibilities included development, awareness, and compliance of global privacy-related policies and procedures for more than 60 business units in 26 countries.

A seasoned program management expert, Bob has a long record of accomplishments in business planning, information privacy, sales support, customer support, application development, and product management. He has helped executive teams convert strategic plans into programs with well defined, measurable outcomes. He also has created realistic program schedules and budgets, resolved critical path issues, managed risks and delivered results consistently on time and within budget.

Bob can be reached at bob.siegel@privacyref.com.

The opinions expressed in this blog are those of Bob Siegel and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.