Privacy as Strategic Business Partner for Growth
Osama El-Masry
ME Lead - Data Responsibility & Privacy @ Cognizant | IAPP KnowledgeNet Chapter Chair | Ex-Vodafone DPO | FIP | CIPP/E | CIPM | CDPO | ISO27701 Sr. LI | ISO27001 Sr. LI | ITIL | PRINCE2 Certified & PECB Certified Trainer
With data becoming the New Oil, its unquestionable value and its potential as a source of power and influence in the hands of its collectors/miners make the need for robust laws and regulations governing its use and commercialization inevitable. Yet what makes data laws and regulations unique is that:
a) They must be ongoing and evolving to cope with the new types of personal data being collected and the endless use cases that evolve with new technologies; and
b) They must balance the commercial aspect against the human rights aspect (primarily the right to privacy): on one side, the data is the property of its person/data subject and represents part of his/her personal life, and on the other side, its collector/miner bears the accountability and responsibility to use it ethically, securely, and with respect for privacy.
With such robust and evolving data protection laws/regulations and the enormous obligations they impose on organizations, backed by exaggerated fines, a strong internal Privacy Risk Management and Governance Framework that ensures compliance with those laws and regulations is no longer optional. However, the stronger the privacy governance program, the more resistance it meets and the more the Data Privacy Management Office is misperceived by other business departments (especially revenue-generating ones) as a growth hindrance and sometimes even as a showstopper.
So the two simple questions now are:
1) What needs to be done to achieve balance between organizational growth and privacy?
2) How can it be done?
On the “What?” side, “Respecting Customer’s Privacy” must be one of the organization’s strategic goals and on its list of top ten corporate risks, out of executive management’s and shareholders’ belief that it is essential for organizational growth, profitability, and sustainability. In this regard, the DPO must work on achieving two main goals equally and in parallel: a) making privacy compliance easy and seamless, and b) promoting privacy as a differentiator and competitive edge in the market.
On the “How?” side, it must be acknowledged that achieving such goals is a journey of collaborative work, mistakes, learning, and continuous improvement, a journey primarily led by the organization’s DPO with the support of executive management and the collaboration of all departments.
The first goal, “Making privacy compliance easy and seamless”, is a must in order to cope with business growth aspirations and provide the needed support. It can be achieved by establishing a cooperative environment between the Privacy Management Office and other departments, where, rather than operating as a Control/Compliance Function, the Privacy Management Office operates as a Strategic Business Partner supporting business departments in adopting privacy requirements in all of the organization’s products and services with ease and speed. The starting point for establishing such an environment depends heavily on the maturity of the organization’s Privacy Program, but in general it starts with Obtaining Management Buy-in and Support → Building a Strong Governance Model → Changing Mindset and Cultural Awareness → Ensuring Flexibility and Scalability → Introducing Efficiency and Automation.
Examples of things to take into consideration when it comes to Ensuring Flexibility and Scalability and Introducing Efficiency and Automation are:
a) Waterfall vs Agile Methodology, considering the major differences between them in terms of structure, pace, proactive/reactive engagement by the business, etc.;
b) Threshold Questions, i.e. the use of an initial few questions that can identify what is in and out of scope and whether further engagement is needed;
c) Repetitive Requirements and Standardization, where there will always be an opportunity to have patterns per Policy/SME Team for different product/process scopes;
d) The Must Have vs Parallel Requirements concept, which may help expedite product go-live where some requirements are considered a must before go-live and others can be managed in parallel.
For the second goal, “Promoting privacy as a differentiator and competitive edge in the market”, the DPO shall have a strategy of introducing Privacy as a Differentiator into the organization’s products and services, going beyond compliance requirements whenever possible and applicable, with an innovative mindset, until embedding privacy components in products and services becomes a competitive edge requested by commercial departments rather than a policy requirement mandated by the privacy compliance function. The Privacy Management Office can achieve this through a thorough understanding of the organization’s strategy, ongoing exploration/market intelligence of the latest privacy technology trends in relevant fields, and reflecting both on the design of products and services in brainstorming sessions with commercial teams to introduce privacy added value.
Let’s now shed some light on a good example of moving from a “Privacy Compliance Requirements” mindset to a “Privacy as a Differentiator” mindset:
Apple Private Relay:
Privacy Compliance Requirements
The requirement of Art. 32 GDPR, Security of Processing (https://gdpr-info.eu/art-32-gdpr/), can sufficiently be fulfilled by applying international standards, e.g. ISO 27001:2013 A.13 Communications Security (https://isoconsultantkuwait.com/2019/12/14/a-13-communications-security/).
Privacy as a Differentiator/Privacy Value Add
Going beyond legal mandates and security standards is an attempt by Apple to link its brand with privacy, and hence increase market share and further the growth and sustainability of the brand, via its new feature, Private Relay (https://support.apple.com/en-au/HT212614), commercialized in one of its new products, Apple iCloud+, which includes iCloud Private Relay.
In conclusion, the concept of Data Privacy as a Strategic Business Partner for Growth is required for every organization and is the proper perception, rather than that of a Compliance Control Unit. It can easily be implemented with the right leadership and strategy, an adapted mindset, a robust governance model, and efficient tools, all led by the organization’s DPO with shared responsibility among all the organization’s departments and the accountability and support of the organization’s Executive Management, in order to maintain a good reputation, comply with laws/regulations, and even increase/generate more revenue (where applicable), all of which are integral aspects of the organization’s growth, profitability, and sustainability.