3 Core Steps to Developing a Robust Privacy Strategy

Data privacy: A C-suite issue with high stakes

Patient, device, or other protected data has emerged as an invaluable resource for many organizations in their quest to develop novel and innovative products and offerings. Retaining the right to use this sensitive resource demands diligent stewardship across all stakeholders in the organization. Even one incident or breach can lead to a reverse halo effect that decreases willingness to share data and, ultimately, stifles innovation throughout the organization.

With such high stakes, data privacy is a C-suite issue. Yet many organizations still take a reactive approach — evaluating privacy concerns as projects arise and often relying on highly manual business processes to do so. That approach is inefficient and expensive. Organizations with a narrow view of privacy must slow down to rethink their strategy when presented with opportunities to leverage new data sources, technologies, and methodologies.

A better alternative is to build a privacy strategy and implement standardized processes and systems. By operationalizing privacy in this way, business units and geographic regions within an organization can work with greater confidence, speed, and efficiency while delivering appropriate use and protection of sensitive data across multiple programs and initiatives.

Reactive privacy measures are unsustainable

Managing privacy as a tactical, reactive exercise can leave an organization exposed as fast-changing technology fuels new threat vectors and mechanisms. Check-the-box privacy also leaves teams flatfooted in the face of even minuscule changes to project requirements. Privacy reviews that focus on only one leg of an organization’s journey to outcomes miss the holistic view of how data is used across functions and teams. Any chance to bring in new data, technologies, or methodologies — or to use existing resources in a new way — forces a rethink of the entire data strategy to achieve compliance and usability. That costs precious time, budget, and focus.

Instead of addressing privacy in a piecemeal fashion, companies have an opportunity to develop a proactive and strategic approach. Creating a privacy strategy requires you to stop managing privacy tactically and reactively and start thinking prospectively about using it as a differentiator to protect people and promote better results.

Build a better ‘safety system’ for data

A privacy strategy is a systematic approach that addresses existing data needs and builds a foundation for managing future expansions with greater speed and cost efficiency. Privacy is no longer bolted on every time an analytics initiative is launched. If privacy safeguards are required for these initiatives, you can respond quickly and nimbly because you already have all the processes in place. Privacy is integrated into your operations, allowing you to anticipate and accommodate changes in sources, use cases, and/or audiences.

To develop your privacy strategy, there are three core steps to consider:

1. Start with a comprehensive review. Assess how current processes, capabilities, and resources are helping (or hurting) progress on meeting your vision of becoming a data-driven organization. This analysis provides stakeholders with a baseline understanding of the importance of privacy, current shortcomings, and the long-term benefits of investing in the right design and supporting capabilities.
2. Evaluate your data inventory. Now, go a step further by reviewing the privacy of existing data holdings. Map currently covered use cases, and then build a roadmap to ensure future innovations are within reach. This exercise produces an inventory of assets that, when benchmarked against the data vision, reveals gaps to address. It helps provide a robust mechanism for reducing process ambiguity, setting expectations about the time and cost of new initiatives, and creating manageable documentation on various data holdings.
3. Develop a scalable governance review system. Such a system is key to managing a volume and variety of requests from multiple business units. It needs to coordinate across teams to eliminate parallel work and streamline responses to new requests — while giving leadership visibility to activities and trends. This kind of governance system is essential in any organization where business units are not necessarily in constant communication.

A comprehensive privacy strategy is a foundation for data-driven organizations that want to innovate and grow while protecting sensitive data. By taking these three core steps—running a comprehensive review, doing a data inventory evaluation, and creating a scalable governance review system—organizations can quickly generate value from their data while ensuring they remain compliant.