Stage 4: Scaled

%company% has data privacy in mind as a key part of decision-making and business strategy

Stage 4: Scaled

Embedded Privacy by design across the business

In Stage 4, data privacy becomes a key part of decision-making and business strategy. Organizations in this maturity stage now use customer data to enhance products and deepen customer relationships because the advanced analytics and AI are being used to deepen those relationships.Datasets with personal information are future-proofed, meaning that personal information is either permissioned or deidentified in a way that the organization can confidently use it to train AI models and seed analytics programs over the long-term. The organization also has a clear methodology for making risk-informed decisions around data sharing.The processes of the data privacy program are now optimized, and policies are defined centrally, with reliable decentralized execution.AI governance programs surface issues early in the development process to support innovation and fast time-to-market. The data privacy program becomes central to unlocking the business value of customer data.

If you could wave a magic wand, adding what single capability would propel your privacy program forward?

An evergreen data map of all processing activities
A centralized database for customer consent and preferences
An always-on regulatory research resource

Stage 4: Business Value

In Stage 4, the value of the data privacy program is centered on unlocking and activating data. The organization realizes that a “shift-left” approach of moving risk assessment and governance early in the lifecycle of personal data, even to the point of data collection, is often the right way to structure a program. Privacy requirements and risks are assessed regularly, and responsible use policies are enforced before rather than after the fact.This at-scale, shift-left approach to data privacy makes data available to the business in a responsible manner and does not gate business innovation later. Data can be shared responsibly and future-proofed appropriately for purposes like AI model training.

Stage 4: Process

In Stage 4, processes are now truly optimized and are regularly reviewed. These processes do not have major bottlenecks or single points of failure.

It is, however, difficult to achieve this stage of process maturity for data privacy due to rapidly evolving technology, regulation, and consumer expectation. Organizations will need to have flexible processes that can quickly adapt to this changing landscape.

Download the Privacy by Design Resource Kit →

Stage 4: Organizational Alignment

In Stage 4, many organizations will begin to adopt a hub-and-spoke organizational and decision-making model. Policies are defined and refined centrally, but with decentralized execution. For example, the CPO will typically establish the data privacy program’s policies, but they will be enforced by privacy DRIs embedded in different business units.

Organizations might find models other than hub-and-spoke that scale for their businesses, but they will likely still share the theme of central, unified policies to provide a consistent approach to privacy across the organization.

US State Privacy Laws Timeline Infographic →

Stage 4: Consumer Experience

Your customer’s experience of your organization changes dramatically in Stage 4. Here, all the consumer-facing, trust-based experiences such as consent preferences and privacy rights requests are brought together in one central Trust Center.In addition to data privacy, this Trust Center could include consumer experiences that communicate the organization’s commitment to security, business ethics, accessibility, and other practices that strengthen its bond of trust with its customers. Stage 4 of consumer experience is appropriate for brands whose existence is deeply tied to trust. This is especially appropriate for brands that are tied deeply to trust.

Stage 4: Data and Activity

In the prior stage, the data privacy program evolved from data visibility to data action. Now, in Stage 4, the central focus evolves from protecting the data to unlocking and activating that data for business use.

Data sets with personal information are future-proofed, meaning that personal information is either permissioned or deidentified in a way that the organization can confidently use it to train AI models and seed analytics programs over the long-term. The organization also has a clear methodology for making risk-informed decisions around data sharing.

Many organizations are migrating their data to a data warehouse, data lake, or customer data platform. Those with mature privacy programs know that they won’t be able to ethically gain value from the customer data in these new data systems unless there are data and access controls that enforce responsible use.

Navigating the Data Lifecycle with
OneTrust Privacy Management - Video Series →

Stage 4: Use of Artificial Intelligence

In Stage 4, AI governance becomes truly embedded in the software development lifecycle. It “shifts left” to surface issues earlier in the development process so they can be addressed quickly and cost-effectively. AI governance begins to be seen as an enabler of responsible innovation and fast time-to-market. In this stage, the organization internalizes the importance of responsible and defensible AI practices and operationalizes the appropriate controls.

In what areas of your business are you currently exploring the use of AI?

Natural Language Processing
Predictive Analytics
Robotic Process Automation
Generative
Not Certain / N/A