Optimizing Privacy Management through Data Governance – Part II: Building Alignment

Read "Optimizing Privacy Management through Data Governance – Part I: Understanding Personal Data".

Building and maintaining alignment is one of the most challenging and critical aspects of privacy management programs. To be successful there needs to be strong alignment in leadership, goals, roles and responsibilities, policies, methods, and priorities. Deficiencies in any of these areas will result in confusion, misunderstandings, conflicting effort, redundancy, and errors that significantly undermine the organization’s effectiveness. Rigorous communication and collaboration are key success factors to building and maintaining alignment, so they must be integrated into the alignment strategy. Leveraging data governance channels to strengthen support and alignment for privacy programs will reduce the effort needed and improve outcomes.

In this blog, Part 2 of “Optimizing Privacy Management through Data Governance,” we will outline the critical components of an alignment strategy and discuss the nuances of aligning your organization to ensure success in privacy management by enlisting the help of data governance. The alignment strategy consists of four areas of focus:

  1. Align and engage leadership
  2. Align priorities
  3. Align methods
  4. Engage and align staff

Figure 1: Alignment Strategy

1. Engage and align leadership

Aligning executive decision makers is a prerequisite to aligning the rest of the organization. Alignment gaps at this level will result in conflicting goals, priorities, and responsibilities. For example, it will be difficult to get stewards allocated from other groups if there is not executive support across all functions. Ensuring executive alignment as early as possible will help eliminate roadblocks that prevent information sharing and resource allocation. To secure adequate leadership support, three primary areas in the strategy must be engaged: C-suite leaders and the board of directors, the data council, and the data governance policy itself.




The board of directors and the chiefs are ultimately accountable for privacy management, so you need to ensure that they fully support the plan and are willing to provide funding and resources necessary to achieve the vision. To achieve this alignment you must first communicate the privacy management vision and articulate how it benefits the organization and supports the overall strategic plan. Second, confirm that the leadership understands and supports the guiding principles for privacy management and the authority of the data council to deliberate on how privacy is incorporated into data management. You will find it effective to present concrete examples of data issues and the decisions that need to be made as well as the consequences of not having the right people involved.

Privacy program alignment is improved when there is privacy management representation on the data council. A data council is responsible for deliberating on data management topics, including guidelines, standards, policies, authority, and priorities. Privacy controls must be incorporated into every aspect of the data lifecycle, from collection to consumption and sharing, so it is important that the data council be aware of privacy requirements as they evolve. Including a privacy management leader in the data council will facilitate bi-directional communication, thereby minimizing assumptions and misconceptions.

A data governance policy should be used to document the vision, guiding principles, and allocation of authority for the organization. Formalizing the policy with leadership approval and review by the board will help strengthen alignment and make it clear to outside audiences that privacy management and governance are taken seriously and are knit into the culture of the organization. Some organizations have gone as far as having a board policy mandating the creation of a data governance policy and the existence of a data council.

The data governance policy does not replace a data privacy policy; however, the intent is to provide guiding principles for applying data privacy within data management and clarify responsibilities specific to data management. Separate privacy policies should exist to provide clarity on overall privacy management and appropriate handling of personal information.

2. Align priorities

The resolution of privacy issues requires engagement from data management staff, who are normally overloaded with projects and support tasks. If program activities are prioritized in silos, the staff will become frustrated and overwhelmed with the constant pressure to switch focus and seek confirmation of what the current priorities are.




The prioritization of data management, governance, and privacy activities should be consolidated and conducted by your data council or equivalent group. Once the priorities are set, they should be blessed by the leadership and communicated to the staff. As circumstances change, the priorities must be reevaluated and communicated to ensure everyone stays informed and to minimize confusion when the organization needs to shift focus. Don’t be caught in the situation where the heading has changed from North North East (NNE) to South East (SE), but half the staff are still trying to move NNE as fast as possible and don't understand why others are asking them to do things that will take them off course.

3. Align methods

Processes and procedures that are not standardized across functions will inhibit the success of data governance and privacy management. Standardizing methods will greatly improve the ability of staff to achieve their goals. Issue/risk management and knowledge management, in particular, are two critical functions that should be standardized to optimize program effectiveness.

Align Issue/Risk Management

A standard approach to issue and risk management will ensure that your organization has a clear understanding of what the critical issues and risks are across all functions, thus reducing resource allocation conflicts. Many of the staff required to address privacy risks are the same individuals required to resolve other data management risks; having conflicting priorities will frustrate and confuse these valuable employees and delay resolution. Standardizing the methods used to log, assess, and track issues and risks will facilitate consolidated reporting and prioritization.

Align Knowledge Management

Maintaining awareness is a dependency of both privacy management and data governance. Ultimately, you cannot manage something you are not aware of. We will discuss this more in our next blog; however, alignment is easier if staff have a standard way of finding the information they need to perform their job. This information could be accessed via a data catalog, business glossary, risk log, training video, policy document, or other source of information published to staff. If these valuable information resources are not managed consistently across functional teams, they will undermine program success. Staff will waste time searching for information and resolving conflicting information instead of executing.


Implementing a standard method for managing specific types of knowledge, then training staff on how to access and use the information, will improve overall efficiency, not just in privacy and data governance.


4. Engage and align staff

Everyone has a role in privacy management and data governance. Understanding this and applying it strategically will help address the resource challenges of both programs. This requirement may be perceived as additional bureaucratic work by staff; however, in many cases you will be simply standardizing activities they are already doing and giving them tools, support, and training to perform these activities better and avoid privacy breaches due to a lack of awareness.




Data stewardship is a common practice in data governance programs that should be leveraged to help address the resource constraints facing many privacy programs. Data stewards can become the eyes and ears of the privacy management program to help monitor data collection, processing, and sharing. If the stewards are trained well, they can identify privacy issues and risks for the privacy program and assist in mitigation efforts.

Having a change management strategy and leveraging change management best practices is important to achieving alignment of staff. Communication needs to be consistent and concise to eliminate confusion and anxiety. You must market the privacy vision and the benefits for the organization as well as for staff, respective to their roles. Celebrate successes and be transparent about your mistakes so everyone can learn from them.




Most organizations have a privacy policy that acts as an external facing privacy statement, explaining what data is collected, why, and how data is processed. This type of policy does not provide guidance to staff on acceptable personal data handling; so, internal personal data handling guidelines should be defined clearly in order to set expectations of what staff can and cannot do with personal data. It should also clarify what staff should do if they are unsure or have questions related to personal data. When the level of privacy risk is higher due to the sensitivity of personal data or the nature of the processing, then the guidelines should be formalized in a policy. The creation of these guidelines and/or policy should be accompanied by a training plan and a record of training completion.

Building alignment for a privacy management program is not easy, but success can be achieved when it is supported by an alignment strategy and facilitated by data governance. In the next blog in this five-part series, we will discuss the concept of awareness, what it means for privacy management, and how it can be managed through data governance.

Sean Hewitt

A proven leader in Data Governance, Privacy, and Analytics with a solid track record of managing teams, defining needs and delivering solutions. Over 20 years of experience working in a...
