Digitalization is shifting all aspects of the business model — its value proposition, customer base, business capabilities and profit components — and, in turn, requires companies to hone their strategies for managing privacy risk exposure. Privacy is now a critical capability for all organizations, and privacy professionals have become important strategic advisors as a result.
“As the privacy-risk landscape shifts, the role of the privacy executive is expanding to cover not only managing risk, but also serving as a strategic advisor to senior leaders to help unlock the value of information,” says Stephanie Quaranta, Director, Team Manager, Gartner.
“Information is becoming the most valuable asset organizations hold, but that value can be trapped if organizations don’t understand how they should use that information. Privacy executives can help navigate not only the regulatory environment, but increasingly, also questions about customer, board and other external expectations.”
There is already an urgent regulatory need for modern data security strategies, but as organizations undergo digital transformation, their initiatives generate — and are driven by — enormous amounts of data. With this information comes increased privacy risk exposure. Privacy professionals accordingly need a proactive approach to managing these risks.
Know your customers’ privacy appetite
The information organizations have on customers — past purchases, preferences, buying habits, and so on — is arguably the most valuable data they hold. But given recent high-profile data breaches, customers are no longer sure they should trust companies with their information.
Customers often have different expectations of privacy for different companies and products. For example, users of a music streaming service may be open to a broader use of their data than users of a virtual doctor’s app.
It’s important to know and cater to your customers’ privacy appetite. In the process, make sure:
- Customer-facing policies and communications clearly explain what information is collected and why, as well as any applicable customer rights.
- Policies are readily accessible and understandable for customers — and are reinforced internally. Managers and senior leaders should echo the standards in small team discussions, all-company meetings and other forms of messaging.
- There is a coherent approach to working with third parties. Codify what third parties can and can’t do with user data, and define consequences for failure to comply. Make sure to follow through and monitor compliance.
- You compare your customers’ privacy appetite to your organization’s overall risk appetite, and are prepared to manage any gaps between the two.
Treat information as a strategic enterprise asset
To leverage the full value of your information assets, you must know what information you have, where you have it and how you can use it. In most organizations, different departments make information management and governance decisions in relative isolation.
This decentralized approach may help organizations meet their legal obligations, but it won’t help them to increase business efficiency. Instead:
- Create a centralized classification system, inventory, data map and processes to ensure data integrity and give clear guidelines for data use.
- Institute a formal set of appropriate guiding principles to govern decisions about how data can and should be used, in both existing and emerging arenas.
- Codify your organization’s approach to managing trade-offs between information risk and reward, and help business leaders understand and navigate these complex trade-offs.
Stay alert to new risks
Organizations innovating at the cutting edge of new technologies are likely operating in gray areas without legal precedent. For example, AI tools such as intelligent assistants and autonomous vehicles are not governed by the same type of robust regulatory standards as traditional products and services.
But they create data governance issues nonetheless. Additional challenges have sprouted up due to the growing use of technology in all industries, which is increasing the number of identities for people, services and things.
Some actions to consider to keep track of emerging risks:
- Formalize a process for privacy impact assessments (PIAs) to identify and evaluate privacy risks being created by new projects and workflows.
- Tap sources in business operations, such as engineering or different groups within IT, to learn explicitly how risk is created in new digital products or processes.
- If the company is building a new product, service or strategy, ask leadership how well the business is pressure-testing the associated data collection and use.
- Make sure your risk assessment and mitigation plans and controls account for these new products and services — and the new ways that people work and interact with information.
- Test and audit controls regularly, especially controls in the highest-risk areas, to make sure they can stand up to a dynamic privacy risk environment.