Three ways to sell a privacy program to an exec who’s not listening

GDPR, HIPAA, FERPA, CCPA, CPRA, PIPL…

This is not a cat-running-over-the-keyboard situation, or someone playing Wordle after too many margs. The above spoonful of alphabet soup is just a tiny list of privacy regulations that an organization must track if it is handling customer data.

One way to follow the evolving laws is to implement a privacy program, a company initiative that sets objectives to protect client information and meet compliance standards.

A January ISACA survey of 1,890 IT pros, however, revealed an obstacle: 39% percent of respondents said a lack of executive support impeded the formation of a privacy program.

While privacy programs have a number of objectives—to find personally identifiable data, deploy access controls, and set up an audit schedule, to name a few—the benchmarks are meaningless without one key step: Get executive buy-in. Making the privacy case may involve a creative presentation of the costly consequences of non-compliance.

“If you can’t convince your CEO that privacy is important for your organization, it’s never going to get off the ground,” said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.

More soup. The General Data Protection Regulation (GDPR), passed by the European Union, imposes guidelines on data-collecting EU organizations, including a clear statement of purpose and limitation of storage. US laws like the California Privacy Rights Act, along with other state-specific initiatives, offer a web of standards that organizations must understand as they pull customer info from around the world.

“Really, a privacy program is the best way to structure your response to various privacy requirements and the complex patchwork or alphabet soup of requirements that we’re seeing out there in the world today,” said Saz Kanthasamy, principal researcher for privacy management at the International Association of Privacy Professionals.

Private practices. Three factors to highlight when attempting to convince an exec to get a program going, according to experts:

• Headlines: Privacy mistakes aren’t cheap. Just last month, The Irish Data Protection Commission fined Meta over $400 million for breaching EU privacy rules. “Point to some of the headlines of the massive fines that organizations have faced. It’s the massive fines, but it’s also the reputational damage associated with not protecting privacy or with being non-compliant,” said Safia Kazi, privacy professional practices principal at the IT professional organization ISACA.
• Costs: While avoiding a fine can save money, so can deleting data. When cloud storage costs are by the byte, less data is more: “If we don’t collect this data in the first place, then we have less to protect, which saves us money,” said Steinhauer.
• Give the people what they want: Privacy can enable consumer trust. “Organizations that are better able to demonstrate that they value privacy and the importance of protecting personal data can actually demonstrate a competitive advantage over their peers,” said Kanthasamy, who admits the alphabet soup is only getting soupier.

“That picture…is one of change and one of increasing regulatory complexity,” Kanthasamy told IT Brew.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected].