Optimizing Privacy Management through Data Governance - Part III: Maintaining Awareness

Read "Optimizing Privacy Management through Data Governance – Part II: Building Alignment".

During the 20+ years of my data management career, I have found that most organizations are operating blind when governing data. Many do not have a clear view of what data assets they have, let alone manage them appropriately. To succeed in data governance and, more specifically, as data privacy managers, we need to have sufficient awareness of our data processing ecosystem and the related regulatory requirements.

This blog, the third in a series on optimizing privacy management through data governance, focuses on the concept of awareness and why it is so crucial for improving your organization's privacy management program.

Let us start with two fundamental truths: first, you cannot manage something when you don't know it exists, and second, ignorance is a form of neglect. Understanding this is imperative considering the changes we have seen in data and privacy laws over the past few years. On the one hand, we have the exponential growth of data and personal data processing, and on the other, we have rapidly evolving data privacy requirements. In the last three years, we have seen a tidal wave of changes in privacy law around the globe, including:

  • the implementation of the EU's General Data Protection Regulation (GDPR) in 2018

  • the California Consumer Protection Act (CCPA) of 2018 

  • the California Privacy Rights Act (CPRA) announced November 2020 

  • the Schrems II court decision invalidating the US Privacy Shield in July 2020

  • new privacy laws implemented or proposed for Canada, Australia, New Zealand, India, China, and others

I prefer to use the term "maintaining awareness" because the phrase "managing ignorance" is too harsh. "Managing knowledge" might also work, although the term "knowledge" does not convey the importance of actively monitoring an environment, such as when you drive. It is essential to be aware of what is going on in order to react appropriately, based on available knowledge.

Personal Example

It may be easier to comprehend the concept of "awareness" if we change the context from data management to something more common, such as coaching a sports team. When my kids were younger, I volunteered to coach my son's ball hockey team, although I had very little knowledge of or experience with ball hockey. The prior coach could not continue in the role, and I reluctantly stepped up since no one else volunteered. To prepare for the role, and in the hope of not looking like an idiot, I made a list of things I needed to know. First, I needed to learn about my team and the game.

Once I had learned my players' names, strengths, and weaknesses, along with the rules for the game and how I intended to manage the team, I had to make sure everyone on the team had the information they needed to succeed in their role. I had to eliminate misunderstandings related to positions, rules, and procedures for the team to work as smoothly as possible. Throughout the season, we had to continually adjust and validate the players' understanding as the conditions changed. In the end, it was a lot of fun, and my team and their parents respected me as a coach. If I had proceeded without taking the time to build knowledge and manage awareness, we would have had chaos, resulting in a stressed-out team, upset parents, and me looking like an idiot.

Professional Awareness

Whether you run a global company with 30,000 employees or a small not-for-profit with 20, you need to ensure that your staff not only have the information they need for their job, but can also apply that knowledge when needed. You may be wondering, "How is this different from knowledge management (KM)?" Great question; there are overlaps. In my experience, KM initiatives go as far as collecting and classifying information, then publishing it in a way that staff can access when they need it. Ensuring that staff actually review and understand the information is usually left to each functional area.

What is usually missing is proof of understanding. For example, many organizations have health and safety programs that require individuals to prove they understand the safety concepts taught in the program. These organizations test staff regularly to ensure that the appropriate level of awareness is maintained, reducing workplace injuries or security breaches. To successfully manage privacy, organizations need to achieve this level of rigor: educate staff, then confirm their understanding.

Two Keys

Ultimately, there are two main aspects of awareness that organizations need to address to manage privacy adequately. These are:

  1. Awareness of the data ecosystem, including the personal data lifecycle

  2. Awareness of privacy regulations and related requirements

Data governance should own the first of these responsibilities: mapping and monitoring the data ecosystem, including personal data. Ecosystem documentation contains details on all data assets, including source systems, lifecycle, ownership, and consumption. Personal data exists within the data ecosystem and is often distributed across many data assets. Privacy managers provide the taxonomy and classification standards for personal data for use in a data catalog. The data governance team oversees the data catalog, including the quality of content, access, and usage.

Organizations should engage data stewards in managing privacy awareness. Data stewards constitute a primary communication channel with data consumers and, if trained, can help educate data consumers on the appropriate handling of personal data. Stewards act as the privacy program's eyes and ears, flagging new processing activities and privacy risks; however, stewards will be more effective if they have adequate knowledge of privacy regulations and requirements.

Privacy managers monitor trends in privacy regulations and track changes in requirements. Communicating this information to stewards and other staff consistently will improve your organization's ability to identify and address privacy risk. To close the loop, staff should be aware of the process for reporting a privacy risk, so that stewards and other staff can initiate it when needed.

Building and maintaining an awareness of the ecosystem and requirements is the minimum requirement for privacy management. There are many other categories of information we need to consider when optimizing privacy management. Figure 1 provides examples of different awareness categories and their relationship to data governance and data management.

Figure 1: Awareness Categories

Data governance acts as a broker, exchanging critical information between the data management teams and the privacy team. The privacy team provides the data governance team with information related to compliance requirements, data handling best practices, data classifications, and other guidelines. The governance team's role is to ensure that all data management teams, such as architecture and operations, receive and adhere to the privacy requirements. In the other direction, the data management teams provide information on data quality levels, security, and usage to the data governance team. The governance team consolidates this information and shares it with stakeholders, including the privacy team.

Summary

You cannot manage privacy without managing your awareness of your organization's data and the related protection requirements. Building a sustainable framework to collect this information and educate your staff should be a fundamental part of your privacy program. Integrating privacy management into data governance by arming data stewards with increased awareness of privacy knowledge will help address resource challenges in privacy management and optimize communication channels.

Read "Optimizing Privacy Management through Data Governance – Part IV: Supporting with Technology".

Sean Hewitt

A proven leader in Data Governance, Privacy, and Analytics with a solid track record of managing teams, defining needs and delivering solutions. Over 20 years of experience working in a...
