Although you may not have a regulatory or legal obligation to establish a privacy program for your organization, it is in your best interest to consider how good data practices and privacy can be addressed in a way that adds value to your organization. These steps will help you establish a privacy program that is easy to implement, is cost effective, and can scale as your organization grows.
Using John Kotter’s eight steps in “Leading Change” (Kotter, 1996) as a guide for this initiative, you can proceed knowing that you are using established best practices for implementing an organizational change. Privacy is an organizational concern, not just a technical concern.
Create a Sense of Urgency
Ensure that senior leadership understands the changing privacy regulatory landscape and that it will impact your organization. Ensure you have buy-in from the top and that senior leadership is willing to support the privacy program initiative.
Form a Guiding Coalition
Bring together a team of key stakeholders (leaders, sponsors, partners) who have a vested interest in supporting and improving your organization’s privacy practices. This team will include representatives from the various business functions so that they have an opportunity for their voices to be heard. This will demonstrate to your staff, the public, and partners your commitment to privacy and good data stewardship.
Develop a Vision and Strategy
Formalize the organization’s strategic privacy policies, which will convey the high-level requirements of your privacy program and data governance. Identify your short-, medium-, and long-term goals for the privacy program.
Communicate the Vision
You must communicate the establishment of the privacy program and its vision and strategy to everyone in your organization as soon as possible and through appropriate means. Communications must not be limited to email. Create a communication plan that brings a readily available and unambiguous message to your entire organization. A few examples include signage around the office, brown bag sessions, and all-hands meetings.
Empower Broad-Based Action
Empower everyone in your organization to initiate positive change. Conduct an organization-wide privacy training and awareness campaign to ensure everyone understands the importance of privacy and good data practices, how their role impacts or is impacted by the need for these, and how they can contribute to the initiative.
Generate Short-Term Wins
Demonstrate success in the early stages of the initiative. A few examples of actions you can take are:
- Create a data inventory
- Create data flow diagrams
- Create a Records of Processing document
- Assess your organization’s current data practices against a baseline
- Ensure you are collecting only the data that is necessary for your purposes and dispose of any unnecessary data (data minimization)
Build on the Change
Continue to identify and achieve short-term wins. Prioritize your medium- and long-term privacy goals and formalize a plan of action to achieve these goals. Keep the momentum going.
Anchor the New Approaches in the Culture
Institutionalize privacy practices and good data stewardship in your organization’s culture. Continue to evaluate your processes to ensure they are in line with your strategic policies.
Involving key stakeholders, communicating the vision, identifying storage locations, and creating data flows and a Records of Processing document will put your organization on a path towards an effective and efficient privacy program, one that is based at its core on good data stewardship and good privacy practices.
Taking these steps now will save you costs down the road.