Stage 3: Strategic
%company% has optimized processes with shared accountability for privacy across the business
The transition from Stage 2 to Stage 3 represents the most significant transformation a data privacy program undergoes in this four-stage maturity model. Here, the focus of the program expands from compliance and mitigating downside risk to consumer trust and creating business upside.
In Stage 3, there is shared accountability for data privacy across the business and a framework in place to anticipate regulatory requirements. Most importantly, responsible acquisition and use of first-party data starts to be viewed as central to customer trust and lifetime value. The organization also actively monitors and addresses data privacy violations, establishes and validates data controls, and mitigates the risk of sensitive AI training datasets.
Senior leadership commitment to data privacy results in cross-functional accountability and the buy-in of functional leaders. Directly responsible individuals (DRIs) are now embedded in IT and marketing teams, not only the legal and compliance function, to ensure that privacy is being considered at the outset of new products and services and “privacy by design” principles are leveraged across the organization.
The data privacy program also evolves from visibility into where and how personal data is being used to having the appropriate data controls to ensure responsible use. Data use is now actively managed, not just observed.
An evergreen data map of all processing activities
A centralized database for customer consent and preferences
An always-on regulatory research resource
In Stage 3, the data privacy program begins demonstrating substantial value to the business beyond compliance. Compliance remains foundational to the program, but the organization is now strategic in its approach and more confident in achieving the outcome of responsible data use. Such assured compliance indicates program maturity in anticipating new regulations, providing visibility into program violations, and assigning clear accountability across the business.
The emerging source of business value in Stage 3 is centered on customer trust. When an individual trusts that an organization is using their data responsibly, they are willing to share more data, which enables the organization to increase its customer engagement, loyalty, and lifetime value. This virtuous cycle of earning, retaining, and reinforcing customer trust to unlock the value of data is the strategic goal of a mature data privacy program.
The customer trust that an organization builds through assured compliance now results in responsible acquisition of consented first-party data through expanded customer preferences. This data provides the fuel for the business.
Stage 3 is center stage for automation. The software-based processes established in Stage 2 now focus on reducing the manual work of the privacy office through deeper integration with business workflows and data systems. This fosters repeatability and efficiency of processes and accuracy of data.
The organization now has more confidence in the auditability of its data privacy program because program data is more complete and of higher quality. Compliance gaps are more easily discovered and remediated, and comprehensive documentation of your compliance efforts is always handy if regulators come knocking.
This also results in more effective risk-informed decision-making, which in turn increases the defensibility of the organization’s privacy approach, priorities, and inevitable tradeoffs.
In Stage 3, engagement in the data privacy program from business and product teams increases substantially. The value of privacy in building customer relationships and collecting first-party data is better understood by the business and so they are willing to invest more resources.
While the privacy program is still led by the privacy team, there is now cross-functional accountability, and individuals in IT, InfoSec, and/or Marketing are assigned as DRIs to assist with privacy initiatives within their function.
With expanded cross-functional collaboration and ownership, privacy increasingly becomes a consideration at the outset of any new product or service. The business now realizes the privacy team’s role is not to block, but rather to responsibly make data available for business use.
In Stage 3, the consumer experience of privacy becomes much more of an ongoing relationship between the organization and customer. Consent and preferences are managed in a centralized preference center, established in Stage 2, but now with more breadth and depth in the types of data collected. This gives the business more knowledge of its customers. The preference center also allows the customer to have more control over their own data, presenting options for incremental and granular opt-outs of different communications/services.
The static, copy-and-paste privacy notice of prior stages is now replaced by a dynamic notice that can be automatically updated, tracked in a central location, and synced across multiple web properties. This allows you to deliver the right information about your privacy program to the right individual at the right time.
In Stage 3, the data privacy program moves from data visibility to data action. Instead of focusing on just visibility of where data reside, now the program focuses on taking the appropriate action on that data to reduce risk and protect privacy.
Some examples include:
When retention periods have expired, data is tagged for deletion.
When personal data is found where it should not be, a risk assessment is triggered to identify whether there is a missing data activity that should be captured or whether the data has leaked and should be removed.
When sensitive data is found in an environment with open access, it is moved, or access rights are changed.
If data should not be accessible to a group of individuals, it is masked.
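The four actions above are all decisions that can be driven from data inventory metadata rather than by hand. The following Python rule evaluator is an added example, not code from the original page or from any vendor's product: it takes a constructed inventory snapshot (asset names, store names, group names, dates and the data map are all made up for illustration) and returns, per asset, the actions the text describes: tag for deletion on retention expiry, trigger a risk assessment when personal data turns up where no processing activity expects it, restrict access when sensitive data is openly readable, and mask for any group that can read data it is not entitled to see.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed data map: for each store, the data categories that a recorded
# processing activity expects to find there. Personal data found anywhere else
# has no known activity behind it and needs a risk assessment.
DATA_MAP: dict[str, set[str]] = {
    "crm": {"personal"},
    "billing": {"personal", "sensitive"},
    "analytics-lake": set(),  # no personal data is supposed to land here
}


@dataclass
class DataAsset:
    name: str
    location: str                   # store the asset lives in
    classification: str             # "none", "personal" or "sensitive"
    retention_expires: date | None  # None = no retention limit recorded
    open_access: bool               # readable by anyone with access to the store
    allowed_groups: set[str]        # groups entitled to see the data unmasked
    reader_groups: set[str]         # groups that can actually read it today


def evaluate(asset: DataAsset, data_map: dict[str, set[str]], today: date) -> list[str]:
    """Return the control actions one asset needs, in a fixed order."""
    actions: list[str] = []
    # 1. Retention period expired -> tag for deletion.
    if asset.retention_expires is not None and asset.retention_expires < today:
        actions.append("tag_for_deletion")
    # 2. Personal/sensitive data where the data map expects none -> risk assessment,
    #    which decides whether an activity is missing from the map or data leaked.
    if asset.classification != "none":
        if asset.classification not in data_map.get(asset.location, set()):
            actions.append("trigger_risk_assessment")
    # 3. Sensitive data with open access -> restrict access (or move the data).
    if asset.classification == "sensitive" and asset.open_access:
        actions.append("restrict_access")
    # 4. Readable by groups that should not see it -> mask for those groups.
    unauthorized = asset.reader_groups - asset.allowed_groups
    if asset.classification != "none" and unauthorized:
        actions.append("mask_for:" + ",".join(sorted(unauthorized)))
    return actions


def run_inventory(assets: list[DataAsset], data_map: dict[str, set[str]], today: date) -> dict[str, list[str]]:
    """Evaluate every asset and return only those that need an action."""
    result: dict[str, list[str]] = {}
    for asset in assets:
        actions = evaluate(asset, data_map, today)
        if actions:
            result[asset.name] = actions
    return result


# Constructed inventory snapshot and evaluation date.
SAMPLE_ASSETS = [
    DataAsset("customer_contacts", "crm", "personal", date(2023, 12, 31), False, {"sales"}, {"sales"}),
    DataAsset("card_tokens_export", "analytics-lake", "sensitive", None, True, {"finance"}, {"finance", "data-science"}),
    DataAsset("clickstream", "analytics-lake", "none", None, True, set(), {"data-science"}),
]
AS_OF = date(2024, 6, 1)


def demo() -> dict[str, list[str]]:
    return run_inventory(SAMPLE_ASSETS, DATA_MAP, AS_OF)


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name}: {', '.join(actions)}")
```

The evaluator only decides; a real deployment would hand each action to the owning system (a deletion queue, a ticketing workflow, an IAM change, a masking policy) and record the decision so the audit trail the earlier paragraphs describe is produced as a by-product.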
In Stage 3, AI Governance starts to become part of the software development lifecycle. It may be more of a “checklist” item initially than a true vetting function, but this evolves over time. Risk assessments are now done for both internal and third-party solutions that use AI.
And keeping with the Stage 2 to 3 transition from data visibility to data action, AI model training data sets are now scanned to identify if they contain personal data and, if so, the appropriate risk mitigation actions are taken.
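Scanning a training set for personal data and then acting on the findings is a concrete data-action step. The Python scanner below is an added example, not code from the original page or from any vendor's product. It uses a single regular expression with named alternatives for three constructed identifier types (email address, a dash-separated national ID pattern, and a North American phone number), reports how many records contain personal data, and replaces each match with a keyed pseudonym so the record stays usable for training without carrying the identifier. The sample support-ticket text and the dataset key are constructed for illustration.

```python
import hashlib
import re

# One alternation, one pass: each alternative is a named group, so a match reports
# its kind via m.lastgroup. Substituting in a single pass also means a pseudonym
# inserted for one match is never re-scanned as if it were another identifier.
PII = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"|(?P<ssn>(?<!\d)\d{3}-\d{2}-\d{4}(?!\d))"
    r"|(?P<phone>(?<!\d)(?:\+?1[ -]?)?(?:\(\d{3}\)|\d{3})[ -]?\d{3}[ -]?\d{4}(?!\d))"
)

# Constructed per-dataset secret. A keyed hash keeps one person's records linkable
# within this dataset without storing the identifier; rotate it per dataset so
# pseudonyms cannot be joined across datasets.
DATASET_KEY = b"constructed-key-for-this-dataset-only"


def pseudonym(kind: str, value: str) -> str:
    digest = hashlib.blake2b(value.encode(), key=DATASET_KEY, digest_size=6).hexdigest()
    return f"<{kind}:{digest}>"


def scan_record(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) for every personal-data match in one training record."""
    return [(m.lastgroup, m.group(0)) for m in PII.finditer(text)]


def mitigate(text: str) -> str:
    """Replace every match with its pseudonym in a single pass."""
    return PII.sub(lambda m: pseudonym(m.lastgroup, m.group(0)), text)


def scan_dataset(records: list[str]) -> tuple[dict, list[str]]:
    """Scan a training set; return a findings report and the mitigated copy."""
    report = {"records": len(records), "records_with_personal_data": 0, "by_type": {}}
    cleaned = []
    for record in records:
        found = scan_record(record)
        if found:
            report["records_with_personal_data"] += 1
            for kind, _ in found:
                report["by_type"][kind] = report["by_type"].get(kind, 0) + 1
        cleaned.append(mitigate(record))
    return report, cleaned


# Constructed support-ticket text of the kind that ends up in a training corpus.
SAMPLE_RECORDS = [
    "Customer asked to reset password, contact jane.doe@example.com or 555-010-4477.",
    "Shipping delayed; no identifiers in this ticket.",
    "Applicant 123-45-6789 submitted the form twice.",
]

if __name__ == "__main__":
    report, cleaned = scan_dataset(SAMPLE_RECORDS)
    print(report)
    for line in cleaned:
        print(line)
```

Pattern matching of this kind finds direct identifiers only; names, free-text addresses and quasi-identifiers need a classifier or a review step, and the report is the input to the risk assessment rather than a substitute for it.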
[Chart residue: AI categories listed: Natural Language Processing; Predictive Analytics; Robotic Process Automation; Generative; Not Certain / N/A]