In this guide we cover the steps required to build a culture of privacy. Here's what you'll learn:
The culture of your company is what determines the ways people make decisions. Culture is the key to scaling decision making company-wide. In order to empower your workforce to consistently make decisions that align with your company's priorities and values, your culture needs to align with your priorities and values. Effective organizations understand this and intentionally build and maintain a culture to scale decision making.
Today, more than ever before, organizations need to ensure every member of their workforce considers privacy in their decision making. This holds regardless of the role an employee plays or the group they belong to: privacy affects every group at a company because data touches every group.
Privacy is a part of work because data is a part of work. That data could be healthcare data or financial data or educational data or just customer data for retail or manufacturing. Data is the new global currency but we can’t put it in a safe or a bank account. It is everywhere.
In order to ensure employees make informed decisions, considering the privacy implications as a part of the process, privacy needs to be built into the culture of your company. In this e-book, we’ll walk through how to build your Privacy Stack from the ground up to create and maintain a culture of privacy.
Privacy is often bundled with the terms security and compliance. These are all separate and distinct functions that we need to unbundle to apply them effectively.
Privacy is a broad term that is worth defining first. Privacy, in the context of this e-book, is concerned with a company's use of personally identifiable data. Privacy is the set of promises you make about how your company will collect and use that data.
Privacy is not security. Security is the implementation of controls, most commonly technical controls, to limit unauthorized access to data. Security controls are one of the means by which privacy promises are kept: privacy sits above security and dictates what security is required to do.
Compliance is proof that privacy promises have been followed. It manifests itself in audits.
Privacy hit its tipping point in 2020. Despite the newness of privacy as a global and business mandate, the importance of privacy has been growing for the last several years. Privacy was front and center during the last presidential election. As networks and platforms like Facebook and Google have become increasingly larger parts of our lives, people have lost control of their data and do not know how to get back that control.
So today, more than ever before, privacy matters. Data breaches, and the absence of a privacy program or of compliance with one, expose companies to existential risk. Storing and leveraging data is a new liability that has to be managed.
When people think of privacy rules, they think of regulated industries like healthcare, financial services, and education, governed respectively by HIPAA, PCI DSS (strictly an industry standard for payment card data rather than a law), and FERPA. But this is outdated thinking. Newer regulations, most notably GDPR and CCPA, mean that almost every company is now regulated.
GDPR and CCPA are incredibly broad in terms of what data is covered. They apply to personal data, that is, personally identifiable information (PII). GDPR applies to companies that process the personal data of people in the European Union (EU), regardless of their citizenship; CCPA applies to companies that collect the personal information of California residents. Given the ease with which digital services and cloud technologies cross borders, these two regulations alone apply to many companies, whether they are based in the EU or California or not.
Data is everywhere. Data is constantly and actively being collected while you use applications and web browsers on your computers and phones. Even more data is constantly being collected passively in the background by our phones, watches, and the myriad other connected devices we have. We send messages to friends via text, Facebook, email, and a host of other technologies. We search and browse the web. All of this generates endless streams of data, streams of data that identify the user.
The chart below shows that 2.5 quintillion bytes of data are generated every day. All of it has to be handled in ways that comply with whichever privacy regulations apply to it.
Personal data is everywhere, and it is leaking. There were over 5,000 data breaches in 2019 alone, exposing a total of over 7 billion records.
Based on the scale of breaches and high profile privacy breaches from massive companies like Facebook and Equifax, the general public has realized just how much is known about them. And, sadly, the public has also learned how poorly protected their data is by the companies that act as stewards for it.
Privacy has also been a debate at the highest levels of government.
All of this attention has made privacy a priority for many in the general public. Behavior has not changed yet to account for this new priority. People still use networks like Facebook and platforms like Google. But, the behavior will follow perception, and privacy will increasingly be a part of the decisions consumers make. Look no further than Apple, which has leveraged privacy as a differentiator extensively over the last several years.
The perfect storm of regulation, massive amounts of data, and public concern driving political debates on privacy means that every organization needs to succeed at creating an effective privacy program. No longer a checkbox, privacy should be baked into everything an organization does.
What goes into creating a privacy program? It involves building out the pieces — from regulation through action to monitoring. We call this connected approach the Privacy Stack. A Privacy Stack has the following layers, which should be built in the following order.
The advantage of looking at privacy as a stack is that you can build the pieces incrementally and target improvements at different levels. Additionally, many audits and security assessments do not simply check to see if you have policies, but also verify that you have taken those policies to the execution of the day-to-day work of your employees.
Building and maintaining The Privacy Stack is beyond the scope of this whitepaper but it is an essential component to building a culture of privacy. It is assumed that most organizations have at least some of the layers of the Privacy Stack created. In fact, most organizations do the first two to three layers but tend to fall short of meeting layers four and five.
The other reason we like the Privacy Stack is that it clearly shows that policy is a starting point and not an endpoint for implementing privacy at your organization. In order to effectively spread privacy throughout your culture and organization, your Privacy Stack needs to map to the work people do each day. This mapping is extremely hard to do as work is done in different locations (home + office + coffee shops) and on shared devices (both mobile and desktop).
In order to execute your privacy policies, you need to empower your employees with day-to-day procedures they can follow. You also need to continually educate them on those procedures and give them fall back rubrics they can follow when there are no procedures for the work they are doing. And there will always be work that falls outside the scope of your procedures.
Apple, as referenced above, uses privacy in its marketing. Apple’s business model is not predicated on selling data so they instead have chosen to anchor on customer privacy as a core part of their value proposition. Whether real or perceived, Apple has successfully marketed privacy as a differentiator in the market.
This is something every company can do, more so when selling software and services to businesses. Businesses are rightly cautious about vendors and partners. Privacy, security, and compliance have become an integral part of the buying process, meaning vendors and partners need to go through mini-audits before implementation.
Privacy as an asset accelerates business relationships and opens doors in the market. Sales and marketing teams need to be well versed in privacy so they can use it as part of their company's value proposition.
The key to successfully implementing the Privacy Stack is to ensure it aligns from the top to the bottom of your company. Privacy cannot be a silo. And it cannot be bolted on after the fact. Oftentimes, until recently, the privacy function within companies was under-resourced and seen as a gating factor that other groups needed to get around. A culture of privacy requires that privacy be prioritized like other functions within the organization.
One of the first things that can be done to demonstrate the importance of privacy is to report on it. Every business reports from different functional groups — roadmap status, financial reporting, sales projections, etc. Privacy should be presented in the same vein as the rest of these functional groups.
This requires that you have something to report, and there is no shortage of privacy metrics to measure. Whether it is the results of security audits or assessments, or employees' comprehension of policies and procedures, anything that directly correlates with implementation is data that can be used to assess the health of privacy within your organization.
Simply reporting on privacy will have a profound effect on the way in which it is viewed in your company. It does not have to be fancy with graphs and charts. It’s simply a matter of including it as a sibling to other functions.
Corporate values should inform employee decisions at all levels of an organization. Privacy should be aligned with corporate values. Privacy does not need to be a value, but it should be clear to employees how privacy helps to enable the values of your company.
If your company uses OKRs, they are similar to values in the need to map company objectives down to individual key results. Privacy can be integrated into the OKR process as an objective at the highest level.
Your Privacy Stack covers your internal operations as well as the relevant operations of your vendors and partners. Your Privacy Stack needs to include policies and procedures to ensure your partners do not expose you or your data to unacceptable risk.
As a part of assessing partners and vendors, their policies and procedures should be reviewed. These reviews need to be documented to show any identified risks and mitigating factors that minimize those risks. With connected technologies such as APIs and managed cloud services, it is all too easy for PII to flow between partner systems without clear intention or controls in place to ensure consistency of data use and governance.
The most powerful ally in developing a culture of privacy is your employees. While automated tooling is a powerful way to standardize requirements like configuration management, there are always processes that are human-centered. Employees can be a huge asset when it comes to spreading privacy in your company, but they need the right tools to succeed.
A privacy champion is a specific type of culture champion. Adapting this definition of culture champion — “We define a culture champion as someone of influence who believes that organizational culture has a significant impact on business and people results and acts accordingly”, we define a privacy champion as someone of influence who believes that privacy has a significant impact on the success of the business.
Privacy champions understand your privacy policies and procedures. More importantly, privacy champions understand the importance of privacy to your organization. Privacy champions are powerful tools that can extend the reach of your Privacy Stack into every group at your company, bringing the voice of privacy to product meetings, sales calls, and every other functional team.
Building a culture of privacy is dependent on building a workforce that values and executes your Privacy Stack. Ideally, this would include every employee at your company. In order to bring the imperative of privacy to all of your employees, it needs to be integrated into their work. The best ways to do this are through 1) adaptive, interactive training (more on this below) and 2) privacy as a part of career development.
Regarding career development, privacy should be included in the assessment of employees, and in 1:1s with employees. It does not need to be punitive. But privacy, if framed in this light, helps employees fully grok the primacy of privacy.
The lines between personal and professional activities have been blurred. Employees use their own mobile devices for work and often use company computers for personal use during the day. Employees reuse passwords across personal and professional accounts. And, increasingly, those passwords and other data (that can be used for phishing or spear-phishing attacks) are publicly available.
To combat this risk to corporate systems, employees need to apply better privacy practices to personal accounts. This requires two things.
The first step is acknowledging that personal privacy and professional privacy are linked. With that acknowledgment, solutions can be implemented to address this interconnected challenge.
As privacy gets woven into the fabric of your company, it should be a part of how you build and sell products. We defined privacy above as the use of PII. The use of data is a core part of how products and services function today. As such, privacy needs to be integrated into development, documentation, and deployment to modern platforms like the public cloud.
The SDLC is a process for planning, building, testing, and deploying technology. The SDLC does not have to be cumbersome and can be used while moving quickly to bring products and features to the market.
The typical pattern is for privacy to be brought in late to the product process, or bolted on afterward when it is audit or security assessment time. Firstly, this is inefficient: retrofitting a privacy process takes longer, and backfilling documentation into your product development process increases the chance of error, not to mention the ethical concerns it raises. Secondly, bolting privacy on after the fact increases the chances that aspects of your product do not match your privacy policies. This can result in fines, large corrective action plans, and outright failed audits.
Privacy should be a part of your SDLC and integrated into several stages of development. Privacy consideration should be a part of road mapping features, assessing the impact on data, and making sure it is in line with privacy policies. Additionally, privacy should sign off on features during testing, evaluating the impacts on data usage and governance. Each of these privacy assessments is small and clearly demonstrates the implementation of your privacy policies.
One requirement common to multiple privacy regulations, including GDPR, CCPA, and HIPAA, is clear and transparent documentation of the ways in which your company collects and uses data. Under all of these regulations, users can request their data, as well as information about your company's use and governance of it.
As privacy is integrated with your products and services, documenting the various ways, types, and usages of data becomes a part of your product documentation. Almost nobody does this today, but it is something that we think should and will become common practice because 1) it provides the granular information about data usage that users increasingly expect and 2) it is more efficient to provide good documentation than to field one-off requests from users.
The added benefit is that product teams and software developers associate privacy with the core aspects of products and services. This further ingrains privacy as a part of the way your company operates.
Increasingly, new technologies are being deployed to the public cloud, most commonly Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Over the next 5-10 years, we will see many legacy technologies move to the cloud as well. As the cloud becomes the backbone for more and more products and services, assessing the privacy of cloud partners is a key step in managing risk and passing audits. GDPR and HIPAA have names for these entity relationships: data processor in GDPR and business associate in HIPAA.
The relationship with cloud providers is a unique form of partnership. In this relationship, the Privacy Stack is shared between cloud customers and cloud platform providers. This shared responsibility, shown below in graphical form for AWS, blends the responsibilities for data governance, especially in the operation of cloud services.
The reality is that cloud platform provider services can be made to comply with almost any privacy regulation including GDPR, CCPA, and HIPAA. It is a paradigm shift in operations that requires mapping privacy procedures to cloud implementations.
At the heart of a culture of privacy is training. The problem organizations face is that privacy training has lagged modern work processes and modern technology. The current versions of privacy training simply summarize and train to the regulations. While understanding the legal implications of work is important, it is not meaningful to employees. Privacy training is seen as a checkbox, not as something of value.
Conducting training in this way is a missed opportunity to accelerate the creation of a culture of privacy.
One of the major gaps with privacy training is that it is delivered out of the context of work. Privacy training typically requires people to leave what they are doing and spend some number of hours learning privacy curriculum. They then go back to their work and have no way to translate that training to what they are doing.
The result is that this type of training is largely ineffective. Worse yet, it is often done annually, a cadence that all but guarantees the content will not be retained or followed.
Privacy training should be delivered in or as close to actual work as possible. This means leveraging integrations with tools like email or chat. It also means delivering training in bite-sized lessons that can be done as a part of work, not separate and distinct from work. These bite-sized pieces of training can be done on a regular basis, not just annually.
One of the most effective forms of training is scenario-based training. These are extremely common in education and highly effective. Privacy training delivered in scenarios does the mapping of regulations to policies to actions for your employees, meaning they can see how privacy fits into their work. Below is an example of a privacy-based training scenario.
> You are a cloud engineer for a large telemedicine company. Your company provides asynchronous virtual visit technology for dermatology practices. The application gathers clinical information and images of lesions from existing patients. Dermatologists are then able to view all of this data and “prescribe” virtual treatment plans. The dermatology practices are covered entities and your company is a business associate.
> You get a Slack message first thing in the morning from a developer. The message says the developer set up a new Amazon Web Services (AWS) S3 bucket for storing images. The developer was creating an AI algorithm to analyze the images and recognize lesions. The S3 bucket has over 10,000 images with associated names and medical record numbers. The developer realized this morning that he left public access to the S3 bucket on when he created it, meaning anybody connected to the Internet can access the images and data without logging in first. He has already shut off public access but is scared of the fallout because of HIPAA.
> What are the appropriate next steps?
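The scenario asks for next steps and the e-book leaves the answer to the trainee. One step a cloud engineer would take before anything else is to verify, rather than take on trust, that the bucket is no longer reachable anonymously. The following is an added example, not part of the e-book's scenario or its answer key: it evaluates the three artifacts an engineer can pull with `aws s3api get-public-access-block`, `get-bucket-policy` and `get-bucket-acl`, and tells the difference between an access path that is still open and one that S3 Block Public Access is currently suppressing. The bucket name, the sample policy, ACL and Block Public Access settings are all constructed for the example and are not real API output.

```python
"""Decide whether an S3 bucket is still reachable anonymously from the three
artifacts an engineer would pull with the AWS CLI:
  aws s3api get-public-access-block --bucket <name>
  aws s3api get-bucket-policy       --bucket <name>
  aws s3api get-bucket-acl          --bucket <name>
All sample inputs below are constructed for this example (hypothetical bucket
name, policy, ACL and settings); they are not real API output.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def anonymous_statements(policy: dict) -> list[str]:
    """Sids of Allow statements granted to the anonymous principal ('*')."""
    sids = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and anonymous:
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def public_acl_grants(acl: dict) -> list[str]:
    """ACL grants to AllUsers or AuthenticatedUsers (any AWS account at all)."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            grants.append(f"{group}:{grant.get('Permission')}")
    return grants


def assess_bucket(pab: dict, policy: dict, acl: dict) -> dict:
    """Return {'public': bool, 'findings': [...]}.

    'public' is True only for an access path that works right now. The findings
    also record latent problems: a public ACL or anonymous policy statement that
    Block Public Access happens to be suppressing, and any of the four Block
    Public Access flags that are not set. Those should be fixed too, or the next
    configuration drift re-exposes the data.
    """
    findings = []
    public = False

    acl_grants = public_acl_grants(acl)
    if acl_grants:
        if pab.get("IgnorePublicAcls"):
            findings.append(f"latent: public ACL grants ignored by PAB: {acl_grants}")
        else:
            public = True
            findings.append(f"OPEN: public ACL grants in effect: {acl_grants}")

    sids = anonymous_statements(policy)
    if sids:
        if pab.get("RestrictPublicBuckets"):
            findings.append(f"latent: anonymous policy statements restricted by PAB: {sids}")
        else:
            public = True
            findings.append(f"OPEN: anonymous policy statements in effect: {sids}")

    missing = [k for k in PAB_KEYS if pab.get(k) is not True]
    if missing:
        findings.append(f"Block Public Access flags not set: {missing}")
    return {"public": public, "findings": findings}


# Constructed sample: the developer turned on only two of the four flags, so the
# public ACL is now ignored, but the anonymous GetObject statement still works.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-lesion-images/*"}
  ]}""")
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_PAB, SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

Run against the constructed sample, the check reports the bucket as still open through the policy even though the developer believes he "shut off public access"; only with all four Block Public Access flags set does it drop to latent findings. The check looks at bucket-level configuration only: it does not see the account-level Block Public Access setting or organization policies, and it says nothing about whether anyone actually fetched the images during the exposure window. Answering that question requires S3 server access logs or CloudTrail data events, and only if they were enabled before the exposure.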
One size fits all training does not work. Privacy is applied differently depending on the function of the employee. Privacy training needs to reflect these differences. At a minimum, privacy training should be adapted to sales and technology functions.
Additionally, privacy training should also adapt to the level of comprehension. Effective training constantly assesses comprehension and then delivers training content adapted to the learner’s strengths and weaknesses. This form of adaptation has been shown to increase comprehension and engagement with the material. Increased engagement increases the perceived priority of privacy at your company, helping make privacy a part of your culture.
The steps outlined above will help jumpstart a culture of privacy at your company. The process does take time and will not happen overnight. Too many privacy initiatives start with big announcements from leaders but quickly fizzle out without much follow-through.
Privacy isn’t a fad. And you can’t treat the above initiatives as fads.
The most important way to maintain your culture of privacy is to ensure that privacy has a budget. Even if you are small and cannot afford a dedicated privacy person, the function of privacy needs a budget for the ongoing support of the above initiatives. If not, privacy will slowly fade into the background and you will lose future political capital when you try to tell employees privacy is important.
The budget need not be large. A small privacy budget could be used to train more employees, helping to engage and build up privacy champions who can amplify the message.
With a dedicated budget, each of the following practices will help maintain a culture of privacy at your company.
If privacy is a priority, including it in budget planning and allocation of resources aligns the priority with the operations of your company. This is how you make privacy a sustainable part of your culture and the day-to-day work of your employees.
Building and maintaining a culture of privacy touches every part of your company. It requires work, often with new processes needed as outlined above. But the work you put in results in a more efficient and consistent operation. Your company has to comply with privacy regulations regardless of if you prioritize privacy or not. Building privacy into the fabric of your work makes complying with regulations a part of your business operations.
The best first step is to get buy-in from the top levels of your company that privacy is a priority. Include a discussion of a privacy budget at this early stage, even if you do not plan to get budget approval until later. Once you have buy-in, lay out a plan for where to start. You do not have to do all of the above from the start. Some of it, like modifying your product roadmap and development process, is a lot harder than simply reporting on privacy alongside financial reporting.
The best and most economical way to start is two-fold:
In time, you can add things like employee privacy profiles, making privacy champion a designated role, building privacy into marketing and sales, and including privacy at various stages of your product development process.
Today, more than ever, managing data is an essential part of operating any organization. It does not matter what you do, you need to ensure the privacy of the data you collect and store. Technology alone will not fully address the challenge of privacy regulations. You need to engage and empower your employees around privacy. The most effective way to do that is to build and maintain a culture of privacy.