At Morse and Hewitsons’ privacy event on October 24, a diverse panel dispelled fears associated with an ever-changing patchwork of privacy rules and regulations. The panel, led by Morse Associate Ryan Perry, CIPP/US, shared several strategies on implementing a successful privacy program, but the common refrain among them was the importance of engaging the entire organization in the endeavor. Jane DiGangi, Senior Director of Search & Business Operations at Koya Leadership Partners, and Peter-Christian Olivo, EVP and General Counsel at Circadence, both revealed that working collaboratively across the organization and having everyone share the mission of privacy and data security were key to their successes in establishing their respective privacy programs. “You have to know what data you have,” Peter explained. Faith Kasparian, CIPP/US, Member and Chair of Privacy Team at Morse, emphasized that by bringing together stakeholders across the enterprise you will get a more complete and accurate picture of what data the business possesses, what the business does with that data, and ultimately which privacy laws and requirements are applicable to the business. Faith also underscored the necessity of understanding the privacy and data security obligations reflected in contracts and policies of the business – and of ensuring that these obligations reflect actual practices.
Once an organization has an established privacy program, it is crucial to recognize that the program must be continuously evaluated. “Privacy is a process and not an event,” Jane observed and, likening it to laundry, remarked, “It’s never done!” A successful privacy program must not only change with the laws, but also with evolving technologies. Andrew Priest, Partner and Head of Technology at Hewitsons, suggested that once a privacy program is in place, the company should conduct test runs to see how the organization would respond to a data subject request or a data breach event. He stressed how critical it is to know how your company would react under the circumstances. The exercise highlights the need for training throughout the business and the importance of making privacy and data security a part of the culture at the organization.
Bob Siegel, CIPM, CIPT, CIPP/US/G/E/C and President of Privacy Ref, shared his “three A’s” of a privacy program: alignment, awareness, and agility. First, align the privacy program with both the organization’s goals and the individual departments’ operating goals. Then, make sure the entire organization is aware of the privacy requirements. And finally, be agile; the laws and technology are going to change, and your business needs to be ready to change with them.
With the range of perspectives of the panel, and the pragmatic advice offered, the program left attendees inspired and empowered to address the challenges of the privacy landscape!