Make the Culture of Privacy a Priority

As we all know, all organisations are collecting data as part of their business directing processes. What we unfortunately also know is that some of the big tech companies around the world know more about us than we want them to know. What is even worse is that these big tech companies are selling our personal data which can easily be bought by “bad” organisations that are misusing our personal information.

Therefore, it cannot be reiterated enough: personal information is property that belongs to us, which companies must handle with care.

That makes privacy compliance a much more complex challenge. Companies need to think more about what’s best for the consumer as we handle personal data, as well as how to accommodate the consumer and the rights he or she might exercise under various privacy regulations.

Make culture of privacy and security a watchword

In short, businesses need to make a “culture of privacy” a priority, in much the same way as anti-corruption activists like the Integrity Initiative and partners stressed the importance of a culture of compliance in the 2010s. A culture of privacy and security must be the watchword now.

It forces deeper changes in business processes, policies, and corporate awareness of privacy—and any time we talk about changes in policy, procedure, and corporate culture, the compliance function is crucial to that.

Now let’s get more practical.

Goals into capabilities

When you translate those goals into capabilities that the company must have to get the job done, several emerge as the most important:

1.  Data Management

The regulation includes a list of specific types of information within the scope of the Data Privacy law – names, e-mail addresses, photos, audio recordings, Internet search history, biometric data, and more – plus the catch-all, “any information that can reasonably be associated” with a specific person.

The most fundamental compliance capability is simply to understand what personal data your company collects. Where does that data enter your extended enterprise? What business processes touch it? What third parties touch it? Where is the data stored?

2. Assessment and Monitoring of Third Parties

Oversight of third parties is not a new capability per se, but the Data Privacy law pushes the need for that capability to new heights. For example, it draws a distinction between “service providers'' and other third parties. A service provider receives personal data from your business as part of a written contract, to execute a specific task for you: write a legal brief, host a website, run payroll, and so forth.

This means compliance functions will need to sharpen their assessment of third parties, to understand the exact business relationship and assure that it meets all the criteria for service providers.

3. Building Compliance Business Processes

Remember, the Data Privacy law gives residents certain rights to their personal data. For example, under the Data Privacy law, consumers have a right to see the data that a company has collected about them. Consequently, companies need to devise policies and procedures to fulfil that right: a way for consumers to submit the request, procedures to identify all the relevant data, and a way to present that list of data back to the consumer.

Well, security specialists have already identified bogus data access requests – where hackers pretend to be someone asking to see his data and dupe a company into sharing it. Companies will need to be aware of that threat and build identity-confirmation controls into their access request procedures.

Likewise, consumers can ask for companies to delete their personal data.

These are only three capabilities a company will need to develop to achieve Data Privacy compliance; we could discuss many more. Fundamentally, the Data Privacy law will require the compliance function to get more involved in structuring business processes, since so many business processes now involve at least some processing of personal data – and achieving Data Privacy compliance is about handling personal data with proper care, at all times.

Contributed by: Henry J. Schumacher, President of the European Innovation, Technology and Science Center Foundation (EITSC), a member of the DPEX network. This article was first published in BusinessMirror on 25 July 2022.