11 Steps to Building a Privacy Culture

What sits at the foundation of your company’s culture?
What matters most to you and your organization?

Organizations need to regularly evaluate their culture. We, and that means all of us, are now standing in the midst of one of those required evaluations. Why? Because of the increased emphasis and regulation being placed on data privacy and the protection of personal information.

European Union residents don’t have an option but to comply with new regulations, thanks to GDPR.  But whether your business engages with EU residents or not, we all need to take a moment of pause and reflect on our privacy culture. With the ease of accessibility to data and information, protecting the privacy of employees and customers should be our leading priority.

Consider the volume of data breaches that happen annually. North Carolina alone documented 1,000 data breaches in 2017. Data breaches often occur when personal information is stolen, poorly documented or compromised in some way. If individuals fully understood the elements of privacy, and how to properly handle, collect and store information, many of those same breaches could be avoided or prevented.

Data breaches will continue to happen; we cannot avoid them completely. But for organizations who have a privacy culture embedded into their company, those breaches can decrease. You can help safeguard your business and the privacy of customers by creating a more informed and aware employee base.

But know this: a privacy culture doesn’t form overnight. It requires reflection, evaluation, communication and consistent nurturing to grow and sustain itself. It’s one thing to talk about privacy and communicate about its importance, but instilling a privacy culture takes much more than communication.

How can you build a data privacy culture within your organization? Here are 11 places to start: 

  1. Do the hard work and conduct a privacy gap analysis on your business. Building a privacy culture first starts by understanding your current privacy stance. With a privacy assessment, you can evaluate the policies in place, how data is handled when it comes into your organization, who has access to personal data, and the current process of data storage.
  2. Understand which lines of business are critical to integrate into a privacy program. Bring those key players to the table (Executives, Legal, HR, Internal Communications and IT) to evaluate the privacy gap analysis and to begin building out your privacy program.
  3. Start the conversation about the importance of privacy among all employees. The conversation will help raise awareness and understanding of why data privacy matters.
  4. Create well-documented procedures that are highly visible for all employees. Those procedures can help employees understand the expectations for gathering, storing and accessing personal data.
  5. Communicate the data privacy message frequently from executive leadership, and reinforce that message with management teams across the enterprise.
  6. Make connection points for employees with clear examples of what appropriate and inappropriate data collection, handling and usage looks like.
  7. Avoid making assumptions or fearing over communication. It’s important that employees see examples and hear messages reinforced time and time again to understand the role they play in data privacy. Repetition is key.
  8. Build a privacy training program for all. With a privacy program in place, an all-employee training is needed to ensure the collective organization is aware and accountable for privacy expectations and standards. What’s important is that employees see that privacy falls on the shoulders of all individuals, and is not reserved for those reporting into IT, Legal or Executive Leadership.
  9. Build an internal community of privacy advocates across departments to champion, encourage and reinforce the company’s commitment to privacy. Cultivate a privacy culture with advocates. The program will be more effective than one driven by executives only.
  10. Assign data privacy responsibilities to individuals or to a team within the company. Creating that responsibility helps ensure the privacy culture will continue and withstand overtime.
  11. Set and communicate clear expectations for non-compliance and the potential risks and outcomes associated with data breaches.