How to get buy-in for your Privacy Programme
Dominga Leone • September 18, 2023
I am often asked how to get buy-in and sponsorship for a Privacy Programme. Spoiler alert scaremongering about €20 Million fines doesn't really work, so I decided to publish this guide to help Privacy teams get the support they need.
First, it is worth noting that if you are a Data Protection or Privacy Leader applying for roles which involve delivering a Privacy Programme, you should not assume that just because they are hiring for the role, the organisation must be "bought into" the need for Privacy. I know from experience, and extensive discussions with others in the field, that often businesses are completely unware of the scale and breath of activities required to effectively manage Privacy -they assume that by hiring one or two people to deal with it, the Data Protection box will be ticked, without any company-wide effort. The hard truth is that no Programme can run without Executive buy in, Business Sponsors and a commitment to ground level collaboration, because there will always be a need for business execution and Executive accountability.
With this in mind, securing buy in for the Privacy Programme is absolutely pivotal and, I am afraid to say, there is no silver-bullet or single activity that will secure the company-wide support required to effectively deliver Privacy and Data Protection.
How you approach this will very much depend on the maturity of the organisation, their risk appetite and overall culture. It is important to have sensitivity to these factors, because they can make or break your ability to get buy-in.
I recommend using a multi-faceted approach, using a combinations of techniques and approaches, firing from different angles. The rest of this article outlines the methods I use and why I find them successful.
Privacy Programme Buy-In Techniques
- Selling the benefits. Selling the benefits is my favourite technique. There are many positives to Privacy and Data Protection - I like to talk about how data protection and privacy can enhance products and services, how it can improve consumer trust. Many customers in the B2B world are starting to expect Privacy and Data Protection as table stakes - they want to see it taken care of - built in, not bolted on - this feature strengthens commercial opportunities leading to a significant return on investment. When colleagues understand the benefits, buy-in comes naturally.
- Business Sponsors and Privacy Champions. Find colleagues that are sympathetic to the need for Privacy and Data Protection and secure their support. There are many of these in the business, you just have to find them, even in unlikely places! Colleagues I have found who can be real friends to the Privacy team are Security professionals because, well, they just get it! Product and Tech teams because they (in their own words) don't want to develop a product that creates the next Privacy scandal. Commercial Sales and B2B Development teams, because they love anything that can support their sales pitch 😁. Legal, risk and compliance teams because it is in their DNA. Marketing teams too, maybe sometimes a bit reluctantly, but they really understand the need for following global marketing laws which go hand in hand with Privacy. Once you have departments championing the Programme, it is easier to get executive buy in. Privacy Champions are another amazing resource - a team of people across the business who you upskill - they become your eyes and ears and inevitably great voice pieces for your cause (shout out and thank you to the great Privacy Champions I have worked with).
- Privacy Team Presence. Make sure your Privacy Team is visible to the business and stakeholders, even if you are remote. Attend meetings, townhalls, talk about how Privacy can help and become their trusted partner. Make sure the Privacy Team has a presence in Senior Leadership meetings, strategic planning and decision making forums. When colleagues liaise frequently with Privacy teams, they start to understand the whys, regularly hearing feedback about Privacy trains people to think about it more and gives you the buy-in you need.
- Strong Privacy Framework. Build a strong framework for your colleagues to use - clear policies, processes, function specific playbooks. Make it easy for them to build privacy into their work and be easy to do business with. People will automatically buy into something they can understand, more than something that confuses them.
- Privacy Horizon Scanning. Make sure you are horizon scanning, this helps you keep colleagues updated on the latest Privacy developments, opportunities and threats. Being able to translate upcoming developments into strategic commercial opportunities has really strengthened my colleagues buy in for privacy and even, dare I say it, created a bit of a buzz at times. 😎
- Education and Training. Education and training are absolutely core to getting buy-in. Not just GDPR training modules, I mean talking to colleagues about Privacy matters that impact them and their products or services. Making Privacy relevant to their goals always makes buy-in easier.
- Privacy Reporting. People underestimate the importance of reporting on Privacy. Of course it is required to ensure the Controller's accountability, but it is also a really effective tool for buy-in. Giving Exec teams and Stakeholders clear key performance indicators, and reporting at a regular cadence, keeps Privacy and Data Protection at the forefront of people's minds, because it demonstrates the status of Privacy and often shows the scale of activities. Knowledge helps buy-in.
- Articulating Risks. Now this is really important, but it has to be balanced, the biggest turn off is excessive scaremongering combined with lack of pragmatism. Do talk to colleagues about risks relevant to them, but always accompany them by solutions and options that take into account their risk appetite. Appreciate that businesses might want to accept some risks and be pragmatic, this collaboration will ensure better buy-in.
- Tone From The Top. This one isn't always possible, but it is a great winner when Executives talk up Privacy and really embed it in their strategy. Buy-in is almost guaranteed when Privacy is built into OKRs and Privacy outcomes are aligned with individual performance metrics. This kind of tone from the top means that people don't get rewarded for launching great initiatives if they create Privacy risks, which have not been accepted, and encourages Privacy from the ground up.
These techniques combined translate into a set of tools, relationships, governance and commercial benefits that together, used selectively, will place buy-in efforts on a strong footing.
I hope they are helpful to your Privacy Programme. Let me know if they work and if there is anything I have missed.
Good luck with your Privacy Programme! Please get in touch if you need any support.
#privacy #dataprotection #privacyprogramme #gdpr #ccpa #privacyprogramme
Managing this type of data is a tricky business and almost no organisation seems to be doing it in a way which respects privacy and data protection laws. Here are our key messages for those processing geolocation, vehicle data, connected car data and telematics data.
In this piece, I want to dive into some key points of the proposal, which if passed, have the potential to derail certain long term business strategies and to change the way IoT organisations are run.
Background Over the last 12 months, I have been leading workshops with OEMs, IoT product owners and business stakeholders, to discuss the proposed upcoming EU Data Act and how it will impact their organisation and business models. Over this time, I have become fascinated with the EU Data Act and, whilst it is not without its hurdles, I consider it to be a truly revolutionary move by the EU. I believe it will change how we view data creation, ownership, use and distribution. In fact, considering the colossal implications it is likely to have, it is surprising how infrequently I see it discussed. As we move into an era of big data, AI and machine learning, democratisation of data is pivotal - all of us generate data through our labour and our everyday actions, but few of us reap the rewards and profits of that data creation. I view the EU Data Act as an instrument to ensure that the benefits of this data are distributed evenly across society. Whilst it no doubt brings challenges, it creates infinite possibilities for all players - from manufacturers to individuals, businesses and service providers and of course public bodies. It will require careful consideration from organisation leaders, who will have to, once again, consider data at every stage of their strategy and operations - just like they did for GDPR, but this time for all data, not just personal data. Data protection professionals will certainly be key stakeholders and advisors on this journey and I am excited. This is the first in a series of articles about the EU Data Act. This initial piece is a very high level overview of the EU Data Act – what it is and where we are at. It will provide the foundation to my future articles, which will be deep dive ‘think pieces’ and analysis about the opportunities, threats and impacts of the proposed legislation. I will consider the Privacy and Data Protection, the Automotive industry, OEMs, Insurers, IoT manufacturers, businesses and consumers. I should caveat that everything that you read is my interpretation and opinion at the time of writing. The EU Data Act hasn’t yet been finalised and is likely to evolve over time, as will the broader understanding of it. Please feel free to engage and even challenge in the comments for some healthy debate. What is the EU Data Act? The EU Data Act is a legislative proposal which aims to lay down consistent rules, specifying who is entitled to access data generated by the use of products or related services. Its goal is to ensure a greater balance in the distribution of the value from data. Why do we need the EU Data Act? Data-driven technologies have been transforming and driving all sectors of the economy. Products and services connected to the Internet of Things (IoT) have led to more data being generated than ever before. This data can be extremely valuable for consumers, businesses, and society, but there are massive barriers to gaining access to and sharing this data, including a lack of incentives for companies holding the data to share it, uncertainty about rights and obligations, high costs, fragmented data, lack of interoperability and data protection issues. These barriers prevent data being shared and used in a way that benefits society and the wider economy, so monopolies reign. The EU Commission states that 80% of industrial data is never used and believes the introduction of the EU Data Act will unlock the value of the data economy and act as an engine for innovation, competition and economic growth. What are the specific objectives of the EU Data Act? Some key points of the EU Data Act are still under negotiation, but the following broad goals are likely to apply: Design - Connected products and services should be designed in such a way that allow the User access to data generated by the use of that product or service. For the purpose of this proposed EU Data Act the User of a product or service could be an individual or organisation - for example an individual User would be a connected vehicle owner driving their vehicle, a business User could be an organisation who runs a fleet of connected vehicles. Both would be entitled to access data. Sharing data with Users – At the request of Users, data generated by the use of product or services should be made available to those Users or other data recipients providing services to those Users. Again, Users can be individuals or organisations. This means that organisations that are offering legitimate services to Users will be able to gain access to data that, prior to the introduction of the EU Data Act, may have been very difficult to obtain. For example insurers wishing to insure based on how an individual drives will be able to get access to the Insured's connected car data on the request of the User. Contractual terms – Ensuring fair contractual terms for data sharing agreements to prevent parties to contracts abusing imbalances in negotiating power to the detriment of weaker parties. In essence this means that big players won’t be allowed to impose unfair terms that disproportionately benefit them. Sharing data with public bodies -Where there is an exceptional need in the public interest, data holders will need to make data available to public bodies. Cloud Switching - Provisions of interoperability to facilitate switching between cloud and edge services easily, to avoid vendor lock-in, thus improving competition. Safeguards against unlawful transfers - Introducing defences against unlawful international governmental access to non-personal data. Whilst the EU has strict rules on how personal data may flow internationally, there are no protections for non-personal data. This part of the Data Act aims to introduce some safeguards from unlawful government access. Interoperability standards - Provide for the development of interoperability standards for data to be reused between sectors. What is the current status of the EU Data Act? The EU Data Act proposal has been reviewed by the EU Council and EU Parliament and they have each proposed amendments. EU institutions are now in trilogue discussions – a third scheduled for the 27th June 2023. The EU Data Act is likely to pass in 2023, some are saying sooner, rather than later. Does the EU Data Act only apply to EU companies? No it will be broader - there are still some minor points that will be clarified in EU negotiations, but it is likely to apply to the following: Organisations providing products or services on an EU market and the use of data generated in relation to the use or those products and or services. Data holders that make data available to recipients in the EU Users of products or related services in the EU that make data available to data recipients in the EU. Data recipients to whom data are made available. Public sector bodies that request data holders to make data available (where there is an exceptional need for that data for the performance of a specific task carried out in the public interest). Providers of data processing services to customers in the EU. Are there any exemptions for smaller organisations? The EU Data Act provides exemptions for micro and small enterprises as follows: A small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. A micro enterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. The above applies, as long as these enterprises are not linked or partnered with other enterprises that do not qualify as micro or small. Depending on how the negotiations proceed, we may see other exemptions for medium enterprises and possibly tighter exemption qualifying criteria, whereby micro and small enterprises will still be in scope if they are subcontracted to manufacture a product or provide a service. When will the Data Act be effective? There is still some debate on the timeline for enforcement – as it stands it looks to be between 18 and 24 months after it enters into force. Will the EU Data Act apply retroactively? Maybe – if negotiations align with the EU Parliament’s view, then obligations under Article 4.1 to make the data generated by User’s use of a product or related service, will apply to products and services placed on the market 5 years before the EU Data Act came into force , as long as the provider of a related service is able to remotely deploy mechanisms to ensure the fulfilment of the requirements. Will organisations have to comply with the EU Data Act? Yes, there will be fines and penalties for non compliance. Conclusion The EU Data Act has far reaching scope and implications and creates endless opportunities and threats. Business leaders should be thinking about the EU Data Act now and considering how it will impact their strategy, roadmap and objectives. Has your organisation considered the EU Data Act? What opportunities and threats do you see and how are you preparing? Please follow our LinkedIn Page for future blogs on this topic and if your organisation requires support navigating the proposed EU Data Act, please visit www.dataactconsulting.com