Stage 1: Reactive

%company% is starting to build a privacy foundation

Stage 1: Reactive

Building the foundation for privacy by design

Stage 1 is where organizations will start their privacy journey. At this stage, it is unlikely that you will have an established data privacy program, and you approach new regulations reactively as they emerge. This means that your data privacy program is playing a game of catch up to meet developments, rather than staying ahead of them. Organizations that find themselves in the early stages of privacy compliance tend to manage their programs on spreadsheets with manual inputs. This method lacks consistency in the goals that are set, and the processes used to try to reach them.In Stage 1, you will find that data privacy is not yet prioritized within your organization, it is unlikely that the program falls under the purview of a senior stakeholder and the compliance programs that do exist only address a baseline of requirements, such as cookie compliance or simple consumer rights.

If you could wave a magic wand, adding what single capability would propel your privacy program forward?

An evergreen data map of all processing activities
A centralized database for customer consent and preferences
An always-on regulatory research resource

Stage 1: Business Value

In Stage 1, the business value of the data privacy program is almost exclusively focused on limiting regulatory risk. This is typically achieved by meeting a minimum standard of compliance and addressing specific requirements that present themselves as priorities such as cookie compliance.

My office is watching, and we will hold you accountable. It’s been… years since the CCPA went into effect, and businesses' right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.

California Attorney General Rob Bonta

Organizations may be in Stage 1 because they feel their risk is still relatively light. This is because the business may be targeting customers in regions where limited regulation exists or they may maintain, or think they maintain, only a small amount of personal data. As a result, the organization may not yet view data privacy as a high-value investment and may be focused solely on mitigating basic downside risk. Over time, however, most organizations realize they have more personal data than they assumed, and the expanding footprint of regulation requires a more mature data privacy program.

Stage 1: Process

Processes are ad-hoc and manual in Stage 1. Data privacy programs are managed on spreadsheets with regulatory requirements, processing activities, and assessments captured manually. This leads to data falling out of date because there is no structured process for keeping it current, and manual workflows cannot keep pace.

For instance, when capturing data in Stage 1, the form and format is highly dependent on the individual doing it, resulting in inconsistent records.

Additionally, there is minimal collaboration across functions and almost all the work for the data privacy program is done by the legal team. The data privacy program is ad-hoc without clearly defined policies for decision-making or consistent frameworks for record-keeping. There is no consistent workflow, and tasks are reactive, tactical, and triggered by internal requests to support a new regulation or consumer request.

Download the Privacy by Design Resource Kit →

Stage 1: Organizational Alignment

In Stage 1, no individual stakeholder considers privacy to be their top priority, especially at senior leadership levels. Organizations in this stage will find that privacy sits in the legal or compliance team but without a dedicated owner. It is a time-shared function with a set of individuals each spending a percentage of their time on privacy-related tasks.

Furthermore, limited accountability results in limited cross-functional collaboration as stakeholders outside the legal function are minimally engaged with privacy matters. As such, the quality and accuracy of the program inputs and outputs are highly variable and, without consistent processes, remain dependent on which individuals are involved at any given time.

Organizational alignment in Stage 1 also has an impact on resources. Budgets tend to come from the legal function, meaning they are typically limited. Technical resources are only minimally available, so access to systems and support for workflow integration or data retrieval is challenging.

US State Privacy Laws Timeline Infographic →

Stage 1: Consumer Experience

When it comes to the consumer’s experience of privacy, one of first investments an organization makes is how it manages cookies. Often, this takes the form of a basic banner or footer that gives the consumer the ability to opt-out of being tracked. Lack of compliance with basic consent is one of the easiest gaps for any enforcement agency to spot, which is why early-stage data privacy programs prioritize it.In most jurisdictions with privacy legislation, consumers will have the right to request access to the specific data about them that an organization stores, and then to request deletion or modification. When your program is in Stage 1, the process for fulfilling these requests is manual. There is generally an email address listed on the organization's website that an individual can use to submit their consumer rights request. That email is then processed by a staff member, and the individual’s data retrieved manually. This can become very expensive with high volumes of consumer rights requests. Because regulations require it, the website will also have a privacy notice posted, but, in Stage 1, this notice is likely just a static copy-and-paste from a legal document.

Stage 1: Data and Activity

Every data privacy program needs to document all the processing activities across the organization that use personal data. This data and activity map becomes the source of truth for the data privacy program as well as being a compliance requirement under many modern privacy laws.

For organizations operating in Stage 1, this map is likely a spreadsheet with manual data entry. It is relatively static and so can quickly fall out-of-date. It covers important activities but has many gaps and is of limited use for auditability.

Moreover, stakeholders have limited visibility into which of these activities are transferring personal data across geographic boundaries, which is key for many regulations. The data privacy program in Stage 1 has minimal visibility into where the personal data is stored and how it is used.

Risk assessments conducted on data processing activities are ad-hoc and performed manually. This introduces differing levels of oversight and completeness to each assessment.

Responsible Data Use: Navigating Privacy in
The Information Lifecycle eBook →

Stage 1: Use of Artificial Intelligence

AI governance intersects with data privacy because much of the potential risk that AI poses stems from the use of personal data to train models that then make biased recommendations due to issues in the source data. This bias can harm entire communities. It is also often the case that individuals did not consent to their data being used in this manner.For organizations in Stage 1, there is limited visibility into AI usage internally and any risk assessments that exist for AI are performed in an ad-hoc and inconsistent manner. Therefore, stakeholders have a limited understanding of the risks their AI systems pose.

In what areas of your business are you currently exploring the use of AI?

Natural Language Processing
Predictive Analytics
Robotic Process Automation
Generative
Not Certain / N/A