Stage 2: Proactive
%company% is using software to establish a structured data privacy program
Your organization will notice significant shifts in how data privacy is viewed across the business as your program enters Stage 2. Here the use of technology and automated solutions will start to replace your spreadsheet-based processes, and efficiency will start to be built into the fabric of your privacy operations. A clearly defined program structure adds further efficiency.
Data privacy programs in this stage will have consistent, formalized processes for things like policy management and record keeping. Because of this, the privacy function can be proactive about its approach to new and emerging regulations.
Privacy will also become its own centralized function with its own dedicated leader, typically a Chief Privacy Officer (CPO), and senior leadership will begin to understand the business value of privacy.
Your customers’ experience of privacy will also change significantly, with basic consent shifting to centralized preference centers and dedicated intake forms for submitting privacy rights requests. Even more importantly, you will gain visibility into where personal data sits in your organization, better assess third-party risk, and start to integrate basic AI oversight.
An evergreen data map of all processing activities
A centralized database for customer consent and preferences
An always-on regulatory research resource
In this stage, the central value of data privacy to the business is still the mitigation of regulatory risk, but with a higher bar for compliance and higher confidence that personal information is being used responsibly. The privacy function now has a forward-looking mindset, planning for new regulations well in advance of them going live.
The program becomes more efficient through a greater emphasis on automation and repeatable workflows, meaning that compliance begins to cost less in terms of the hours needed to fulfill its requirements. The data privacy program keeps pace with market developments and can proactively address gaps before they become compliance issues.
My office is watching, and we will hold you accountable. It’s been… years since the CCPA went into effect, and businesses' right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.
In Stage 2, software-based solutions replace spreadsheets for most privacy program management tasks. This transition usually uncovers many different formats and approaches to tracking privacy in the organization and is a catalyst for developing a more unified, centrally managed process.
With software comes more workflow automation, especially for collaborative risk assessments. This increases data accuracy because workflows are now consistent no matter who is managing them, and everyone involved in privacy operations is working from the same page. Data is also more likely to be up to date because software-based solutions can enforce, or at least encourage, regular updating of data and identify when there might be gaps.
Finally, the organization implements clear change management processes to ensure that data privacy policies and programs can evolve to support new regulations without upheaval.
In Stage 2, the privacy organization undergoes a major change from being a siloed, time-shared function to a priority initiative with a dedicated senior leader, the Chief Privacy Officer. This is usually, though not always, a legal function and provides a senior voice in the organization who can map regulation to business requirements and effectively communicate up and down the management chain.
As a result, cross-functional collaboration deepens. The privacy office now also has access to resources and budget in other teams, especially in IT, for quality deployment of software and ongoing technical maintenance and support for new requirements.
Stage 2 programs provide a much richer consumer experience for data privacy. In Stage 1, web visitors were given control over whether they could be tracked with cookies. Now they are given an online preference center in which they can choose how they want the organization to communicate with them. These consent and data collection experiences are now multi-channel, provided across all the digital touchpoints the organization has with its customers, including web, mobile apps, or other connected devices.
Most privacy legislation gives individuals the right to access, delete, and modify the personal data an organization holds about them. In Stage 2, individuals wanting to make such a request are now directed to a web intake form with automated workflow, not just given an email address to contact. Email-based intake methods are replaced with such centralized webforms, and request fulfilment is automated instead of requiring human intervention to query, find, and return the appropriate data. This allows the organization to meet regulatory timeframes in a cost-effective manner.
A foundational requirement for every data privacy program is having an inventory of all activities in the organization that touch personal data and the purpose for each of those activities.
In Stage 2, this data and activity map, which is the source of truth for processing activities and purpose, evolves from incomplete and out-of-date to comprehensive and evergreen. It is now updated regularly through structured, collaborative risk assessments and the discovery of personal information through scanning of data sources.
The organization now has visibility into its inventory of data assets that hold personal information and a better understanding of when and where personal data is transferred across national borders. For the first time, the data privacy program also gains insight into how third parties such as partners, data processors, or software suppliers use the personal data it has collected.
In Stage 2, we see the start of an AI Governance program. The organization now maintains a central inventory of AI projects, models, and datasets and institutes a structured, collaborative risk assessment process very similar to what it does for data privacy.
In creating its project inventory, the organization also identifies what datasets are being used to train AI models either for internal projects, like a customer service chatbot, or by vendors in the software supply chain, and whether those datasets contain personal data. This is a high-risk blind spot for many organizations, and visibility into training datasets identifies where there is most likely to be bias or unacceptable risk.