
The business case for GDPR maturity and governance

Updated: Mar 11

by Steve Badger, 24th September 2021

As privacy professionals, you know the benefits of doing privacy well: not least mitigating compliance risks and fines, but also contributing a net benefit to the business. The challenge is how to convince the board of that value and its contribution to business outcomes.


We have been working with a number of our Privacy Navigator customers to understand their governance approach and how they put forward their business cases for investment in the privacy function, and in privacy governance in particular.


For those not familiar with GDPR governance, it's simple. Over and above just keeping a record of processing, governance helps you embed good data privacy practices into your business, into your people and into your value proposition. Being able to prove that you do make employees aware, that you do build GDPR into BAU (business as usual) practices and that you are transparent about what you do with your customers' data is key to being able to defend the business. It also enables differentiation, underpins financing rounds and drives trust in your brand.


We found 7 common business outcome drivers that our customers have used to justify good privacy governance internally:


Digital Asset Protection – Digital assets are the lifeblood of many businesses; unfortunately, they are also increasingly targeted and vulnerable. Having them locked or ransomed by hackers is a significant threat. Ensuring that privacy and security work together to identify, secure and manage the rights of processing of sensitive data is key. Where it is collected, where it is stored, who has access, how it is processed and which businesses it is shared with all contribute to the protection and utility of those vital data assets.


Business Change Risk – Businesses must change constantly to take advantage of market transitions and short-term opportunities and to react to competitors. Many businesses that only have “stick on” privacy will drift out of compliance quickly as these changes happen, so the privacy work has to be done and re-done, in fact constantly done, as a sticking plaster. Many businesses carry a lot of privacy debt anyway, and in high-change environments the debt builds up, causing a significant reduction in business agility and an increasing cost of addressing the debt.


Data Breach and Fines – Without a defensible position on the attitude of the business and the maturity with which you manage sensitive data assets, the business is at risk of regulator fines and at risk of a data breach, which carries its own payload of reputational and remedial pain. Either can be a business killer. Governance ensures you have a handle on the risks the business is running. Embedding assessment and mitigation practices into BAU procedures, especially those around business change and high-risk, high-value data chains, helps manage these risks.


Funding and Merger – The business's ability to pass due diligence in readiness for capital funding rounds, merger, acquisition or share flotation often includes an evaluation of current risk levels, including those around data privacy exposure and data security. Many venture capital firms, banks and investors require an ESG report to evaluate the level of social responsibility, sustainability and socially legitimate practices. Being ready to show and prove, on demand, the maturity of your responsible data practices is a vital element of these due diligence assessments.


Regulatory Defence – Where you have suffered a breach, or complaints are made to the regulator, your business will be investigated regardless of the legitimacy of the claims. In many cases where violations have occurred, the ability of the business to show its level of maturity, the programmes undertaken and the effort employed goes a long way towards defending against adverse rulings or penalties. If you can prove demonstrable accountability, that you are educating your staff, that you have executive ownership of privacy, that you are embedding privacy into BAU and that you protect sensitive data to the best of your ability, you have a defensible position.


Brand Value / Brand Trust – It's well known that 73% of customers visiting your site will give you false sales lead data if they perceive a lack of trust, and 87% will take their business elsewhere if they feel that trust and ethical business practices are missing. Governance helps you ensure that your communication with your customers, the transparency with which you use their data and the purposes for which you use it meet the law and, more importantly, meet your customers' expectations. Our most mature customers use the confidence that running GDPR governance gives them to turn their privacy practices into a differentiator, using it in external marketing and product offerings to win against their competition and build brand value.


GDPR Compliance – Of course, being able to prove you are doing all this good stuff has its foundation in taking the actions needed to be compliant. Governance allows you to look across the business and ensure that documents are not only recorded but kept up to date, that people own their responsibilities, that there is the right level of awareness among employees, and that privacy is built into BAU processes and into new systems and business processes.


All businesses are different, and each of these business drivers, and the governance maturity level you need for each, differs depending on the size of the business, its industry vertical, whether it is domestic or international, and so on. For this reason, our governance solution, Privacy Navigator, lets you activate the relevant controls and set your desired maturity level for each.


We hope you find this guide informative, and that you can use these business case justifications to drive awareness, investment or simply better adoption of privacy practices specific to your business. If you would like to know more about us, or would like our help with resolving any of these issues, please contact us at www.privacyone.co or email us at info@privacyone.co.
