Martial artists use a colored belt system to denote their expertise. You start with a white belt, and, as you train and improve, you eventually achieve the next color and corresponding rank. Once you’ve gained a black belt, you’re recognized as a true expert in your martial art. Urban legend has it that historical martial artists’ belts changed color as they were exposed to dirt, sweat, and blood, slowly changing from white to black over the course of years.

Now, unless they’ve taken up judo, you won’t see privacy pros wearing martial arts belts. But if they did, there’d be a lot of white belts in the industry. 

And there’s nothing wrong with that! 

Privacy is a relatively new discipline, and regulations, best practices, and tooling are changing constantly. You might be a recent graduate seeking to enter the workforce in your first privacy-specific role, or you could be a seasoned specialist in the cybersecurity, legal, or technology space who’s had privacy tacked onto their list of responsibilities for the first time. 

Either way, you're going to face challenges—challenges that black belts in data privacy have faced before and that you’ll need to overcome if you’re to move up the ranks.  

We’ll tell you how to recognize the challenges you’re going to face, what to do and what not to do when attempting to solve them, and what to prepare for in the future once you’ve added a few stripes to your privacy pro belt.  

(Hopefully without mussing it up with dirt, sweat, and blood in the process.) 

The Two Major Obstacles for New Privacy Pros 

Before a privacy professional can truly leave their mark on their organization, they need to recognize and overcome two key obstacles. They are: 

  • Keeping up with it all 
  • Convincing the rest of the organization that privacy matters 

How do you keep up with the sheer volume of changes to privacy law and best practices in both the jurisdictions your business is subject to and those jurisdictions you may soon be subject to? How do you do all that when nobody seems to care? How do you make things happen? How do you make it all doable? Let’s dive in and answer these questions. 

Obstacle #1: Keeping up with It All 

New statutes, amendments, rulemaking, opinions—it’s not easy to keep up with all the new developments in the privacy world, but it is essential. Unfortunately, unless your job is specifically to digest these laws, it can feel like an overwhelming distraction from your core duties.

But this is the bleeding edge of compliance and consumer trust. It’s quite possible that the practices you follow one day to stay in compliance could be non-compliant the next. 

Examples abound. Consider how organizations dependent on EU-US data transfers had to switch to standard contractual clauses after the Schrems II decision. There were plenty of organizations that thought honoring universal opt-out mechanisms was something they only needed to worry about in California—nowadays, pretty much every state privacy law includes or has been amended to include that requirement.  

Don’t: 

Put blinders on and focus solely on your day to day.  

Whether you’re a pure privacy professional or in a privacy-adjacent role like cybersecurity or GRC, you almost certainly have a mountain of work to accomplish. You need to support and execute assessments, manage data subject rights, get the organization in shape for certifications, manage vendors, and more.  

It can be tempting to keep your head down and focus exclusively on these tasks. It might even seem like the right thing to do. But if you do that, you’ll be blind to potential risks to your business and industry, new opportunities to earn trust, and new obligations that your business faces. 

Do: 

Set aside time each day for a regulatory review. 

We recommend a sustainable thirty-minute block each day. Sign up for newsletters, set Google alerts, and visit regulators’ websites. Authorities in the EU and UK (like the European Data Protection Board and Information Commissioner’s Office, respectively) are leaders in the privacy landscape and are worth following, even if your organization isn’t strictly subject to the GDPR. Similarly, the California Privacy Protection Agency is an important source of information for the US. Individual data protection authorities in the EU and attorneys general in the US are also worth paying attention to. 

Non-official sources like the International Association of Privacy Professionals (IAPP), Future of Privacy Forum, and Osano resources like the Privacy Insider newsletter can be excellent additions to your daily news readout as well. Keep an eye out for law firms that specialize in privacy and compliance, too.

Follow these sources of information and eventually (sooner rather than later), you’ll learn something relevant to your organization that you would not have heard about otherwise.

Obstacle #2: Getting the Organization to Care About Privacy 

Even though investments into data privacy have been shown to generate up to $2.70 for every dollar spent, most organizations still see privacy programs as low-priority cost centers. Generally speaking, cost centers tend to get the bare minimum of the resources they need to function, don’t often spark excitement, and rarely win cross-departmental champions.  

But it doesn’t have to be that way. 

And for privacy, it has to be different. It’s not possible to run an effective privacy program in a vacuum. You need your colleagues to identify the need for and help complete assessments, adhere to privacy-by-design practices, fulfill subject rights requests, and more. If your development team doesn’t care a fig about privacy and can’t be made to, then you and the organization have a big problem. 

Don’t: 

Be ignorant of your data landscape. 

At first blush, this might sound unrelated to the need to win support for privacy across the business, but it actually lies at the center of this challenge. As a privacy professional, your job centers around data, and your job overlaps with others’ when they handle consumers’ personal data. 

Understanding which teams and projects potentially handle personal data will identify which teams and projects you need to collaborate with. Furthermore, this will be your “in” to collaborating with your colleagues.  

It can be tempting to wait for others to come to you when they have a question about data privacy or to send out company-wide email blasts on the need to adhere to privacy practices. You’ll find much more success if you consider your data landscape and target your outreach to those teams that handle the most sensitive personal data. 

Do: 

Schedule regular stakeholder meetings. 

Find somebody on the teams with detailed knowledge of their data-handling practices who is willing to lend an ear. This person likely won’t be a CISO, CIO, or another C-suite member (but if they are, that’s great). They just need to be somebody willing to champion data privacy to the rest of their team. 

Furthermore, they can be a key resource to tap when you need to inventory data, complete assessments, or execute any other cross-departmental data privacy task, especially if you’re not at the stage where you have access to automated solutions. 

Keep an Eye on the Horizon 

Okay, we may have fibbed a little bit when framing this article—these are challenges for every privacy pro, not just newbies. 

You’re still going to need to keep up with the constant stream of developments and put in the work to win cross-departmental allies at every stage of your career. You will, however, get better at meeting these challenges as time goes on. 

Once you’re effectively addressing these challenges, your reward will be... more challenges! Such is the life of a privacy professional.  

The good news is that there are methods and approaches that will improve your ability to handle these future obstacles. That starts with knowing what they are. Here’s what you can expect to run into once you’ve handled the first few hurdles identified in this article. 

Consistently Assessing the Health of Your Program 

When you’re so used to evaluating others, it can be difficult to turn that perspective inward. You’ll need to establish a regular practice of evaluating your privacy program’s maturity, strengths, and gaps.  

Documenting Processes 

It can be a real pain to document your workflows, but it’s half the battle of running an efficient privacy program. Consider how privacy fits into other parts of the business, whether that’s marketing campaigns, sales journeys, benefit providers, or new products and services. 

If you bump your head and suffer retrograde amnesia, how will you re-learn the best approach to supporting compliance, how to discuss privacy with different stakeholders in deals, or when and with whom PIAs need to be conducted?

Okay, maybe you wear a helmet when you ride your bike and are sure to crouch when passing through short thresholds, but you’ll still likely have to train a new hire or a substitute when you go on vacation at some point. And most importantly, having your process documented means you can consider it holistically and identify opportunities for improvement.

Flexing Your Project Management Muscles 

Privacy is a team sport—and you’re more like the coach than a player. You’ll need to get disciplined about assigning tasks, tracking deadlines, load balancing, and communicating. Learn how to use the project management tools your organization depends upon, and you’ll be much more effective at directing your team towards greatness. 

Finding Solutions That Meet You Where You Are and Scale with You 

If your small business of 50 employees purchases a do-it-all platform for enterprise compliance and risk management, not only will your wallet hurt, but you’ll also struggle to achieve the compliance outcomes you were hoping for. Similarly, a large enterprise that springs for a bare-bones cookie consent plugin for their CMS is going to be blatantly out of compliance and running risks across the board. 

But no matter where you are in your journey, manual compliance is a thing of the past.  

If you’re going to gain the time to digest the developments in the data privacy world and plan outreach to your colleagues (not to mention actually doing the work of privacy compliance), you’re going to need a solution that automates tedious tasks and streamlines complicated workflows. It just has to be a flexible solution that scales with you as both your business and career grow. 

Osano can help! Whether you’re at the stage where you just need to manage cookies, privacy policies, and subject rights requests or if you’re orchestrating dozens of assessments and complex data maps, we can make it that much easier. We’re happy to support you while you take your privacy professional belt to the next rank.  

Find out how we can help. 
