One of the biggest difficulties companies may face in implementing an effective privacy program arises if they neglect strategy and focus only on the law: namely, developing policies and procedures that mention legal requirements but fail to address the underlying business purpose of those policies and procedures. Certainly, compliance with the law is critical. But it is not the only part. And, importantly, since regulators expect companies to follow their policies and procedures, taking time to strategize (and address how a company will comply with its policies and procedures) is critical.
Professionals implementing a right-sized privacy program, from a strategic perspective, can take several steps:
- First, a strategic program is one that takes into account and supports the underlying business needs. What are the goals of the organization? What is the current environment in which it is operating? What challenges does it face? What are its existing strengths? The program is then designed around that reality.
- A strategic program is also one that is implementable, not aspirational. It is one that company personnel can easily understand (and thus follow), and one for which training to adhere to the program is achievable.
- Finally, a strategic program is one that takes into account the fact that corporate activities are ever-changing, as are privacy and data security laws. A strategic program anticipates that modifications will be needed, and is not designed with a “set it and forget it” approach.
Putting it Into Practice: Companies face ever-shifting privacy requirements. Developing a flexible, holistic and right-sized privacy program can help in this rapidly changing world. The next article in this series will look further into how a program can be customized to the company.