Four tweaks to your program you should prioritize this year
In privacy, as we all know, we generally have a far smaller headcount than the teams we support. So, we necessarily have to get comfortable with some imperfections. But that doesn’t mean we should leave everything up to chance. Instead, it’s wise to tackle bite-sized steps each quarter to build your program for optimal impact.
Trying to do it all is a fool’s errand. You can create a beautiful roadmap that identifies where you’ll start and where you’ll aim to finish, but by the time you get there, the landscape will have shifted.
Instead, prioritize the significant risk areas unique to your organization. Find out what the business is asking of you and its correlating risks. It will differ from organization to organization, so there isn’t a single template to follow.
Every business has its peculiarities around how it makes money. But you can reason from privacy’s first principles in persuading your fellow executives or other stakeholders about why you will prioritize any given area.
That means looking at the business and asking: What is the data we have been historically collecting? How have we been using this in our various applications? What data do we plan to manage? How are we going to use it?
Discovering the answers to those questions will lead to your roadmap, and you can start building a program because that visibility will identify the teams you need to build alliances with to mitigate potential trouble down the road.
Here are four key areas to prioritize in 2024 to stay ahead of the curve, become more efficient, and enable the business rather than block it.
Priority #1: Get better visibility on what’s happening with data
The success or failure of any privacy program turns on its ability to know what the business is doing. That’s the essence of privacy by design. Privacy has to know what the product teams are dreaming up! And that means systematically inserting yourself into the product development cycle. And that can be tough because, historically, privacy has operated in a silo. It’s suffered from a reputation that it’s a mere compliance function, the place where good ideas go to die, or at least slow down.
To change that legacy image and to get the information you need about how your technology uses data, you’ve got to develop and nurture relationships with key stakeholders across the organization – especially with profit centers like sales, and supporting departments like product and engineering.
You’ll need to start building documentation based on their answers. But this can be templatized. The same template for every team can ask where data is coming in, where it’s stored, what it’s used for, and how it’s retained or deleted.
Once you’ve documented those answers, whether in a tech tool like TerraTrue or manually in a Google Doc, you’ve got your single source of truth on what’s happening with data, and you can decide how that jibes with your risk tolerance to identify high-priority areas you’ll need to communicate to the business.
Priority #2: Amplify your reach
In any privacy role, the reality is you’re likely going to be vastly outnumbered by the rest of the business groups. Leveraging people and technology is the only way you’ll be able to meet the business needs at the pace the business needs you to do so. If you build a circle of solid relationships with key players in product, or marketing, or wherever your risks lie, you’ve got more privacy-minded folks sitting in meetings where data uses might require some consideration.
Take some time to build those connections. Learn who your people are and meet with them regularly. Ask them about their pain points and how you can help enable them. Ask if they’re using data in a way that triggers some worries, even if it’s just their spidey senses. Many of your teammates want to do privacy right; they’re just not clear on what that looks like.
Beyond using those soft skills to build privacy champions, technology is the key to scaling the privacy function. Great news for all of us: we don’t have to operate compliance and legal programs like we’re in 1984 anymore!
Today’s tools allow you to shed the manual load you’ve been carrying. There’s no need to bury our heads in spreadsheets anymore. When you’re fighting to keep up with larger product and development teams, manual spreadsheets and legacy privacy software slow you down. Modern platforms like TerraTrue provide automated tools that break the manual chokehold, so privacy can move at the speed of innovation, and you’re free to do the important work.
Priority #3: Liberate your teams! Automate where you can
There’s no avoiding the quintessential truth that the larger an organization grows, the more essential technology becomes. Plus, let’s be honest: It’s 2024! If you’re still trying to do compliance without tooling, you’re playing a losing game. And even if you’re well-resourced, you’re still grossly outnumbered by product and engineering teams, among others.
You need to liberate your teams from the drudgery and repetition of answering the same questions about the same data specs time and time again. Fortunately, tools like TerraTrue will automate that work for you by re-purposing your previous data sets and reviews, so that product and privacy teams no longer need to re-categorize, re-analyze, or re-document the same processes ever again.
The reality is that your product teams have cool, fancy tools that help automate away a lot of manual tasks. And if your job is enabling their progress, you should have them too. By capturing what you’re doing in a tool, you’re also creating audit trails at scale, which allows your team of two or three to do the work of 10.
In addition, while privacy teams have often run on folkloric knowledge of privacy and gotten by on spreadsheets, tooling helps you formalize your process: “These are our rules, this is the data, this is how we think.” It allows you to create repeatable structured formats for your compliance needs. From those repeatable processes come the metrics that will allow you to demonstrate to your leadership that privacy is a strategic differentiator.
By using technology to make the business faster and make your own processes more robust, you’re scaling yourself to be used for the best and highest purposes and letting the automation do the busy work.
Priority #4: If you work where they work, they’ll work with you
Your success depends on your visibility into what the team is doing. Otherwise, you’re inherently reactive and therefore unable to do your job well. You earn that visibility by gaining trust: showing up to scrum meetings or sprint demos and getting curious about that team’s blueprints and pain points. But to operationalize that cross-functional collaboration in ways that will have a positive impact on efficiency, you need to couple that trusting relationship with true physical access to where those people are working. That doesn’t mean you have to learn code and start working in Jira, but you can pull that work into your own process by integrating their technology with your own.
Once you have access to and understand their ideation process, you can start to identify where it might make sense for you to come into it with early guidance that will help enable what those teams are building versus seeing a fully baked product and having to wholesale reject it or put the brakes on its launch.
Without that critical, physical bridge to each other, they’ve shut you out of planning details you need to eyeball to catch risks before they’re a problem, and you’re stuck in a perpetual silo that leaves you in a reactive, caught-on-your-heels state.
There’s evidence that early, tech-facilitated intervention is the key to risk mitigation. We can look to the security industry, which – after some big brands found themselves red-faced due to high-profile breaches – had to shift its function to earlier in the product development lifecycle for a seat at the planning table instead of the final review table. Similarly, it’s privacy’s time to tether itself to stakeholder teams with technology that automates that process.
When you can get in early and offer advice that enables product development to keep pushing forward, you gain the trust of stakeholder teams to include you from the start. After all, working together in that way means products and features ship more seamlessly and without sudden roadblocks no one had anticipated.
For more on this, watch our recent webinar in full.