Governance, risk, and compliance (GRC) can feel like thankless work at times. You can’t ship risk mitigation to market. It's not usually reflected on your balance sheet. Only especially canny investors notice the absence of risk.
The worst part? Risk mitigation never ends. In fact, it seems like it only grows. One study found that 45% of GRC professionals expressed concerns about balancing compliance with innovation, ensuring data privacy and protection, and maintaining operational resilience.
With an endlessly growing list of responsibilities, it’s only natural that a GRC pro would look to streamline duties where possible. Often, data privacy makes for a tempting target. It’s not that GRC pros want to downplay privacy—it's just that something’s got to give.
Fortunately, data privacy doesn’t have to be a time-suck that distracts from GRC pros’ other duties. With the right strategy, you can manage risk of all types—privacy included.
GRC and Data Privacy Are Natural Allies
GRC and data privacy may go together like cookies and cream, but data privacy is just one of many types of governance, risk, and compliance requirements you have to manage. Even though you already have many domains to cover, the business sees data privacy as just another monkey in your circus.
Whether you see data privacy as a distraction or as an important responsibility of your role, it’s tough to make time for it. You may have more important, more urgent duties: managing PCI DSS compliance, preparing for SOC 2 audits, implementing ISO controls, managing policies, reporting to the board—the list goes on. Where does privacy fit in? Where can it fit in?
With little time and few resources to dedicate to privacy, GRC professionals often find themselves settling for easy but sub-optimal approaches to privacy management.
See if any of the following patterns sound familiar:
- You feel like you’re playing whack-a-mole. Privacy risk appears every now and again, such as when a regulator announces an investigatory sweep into your industry. You react to problems, knowing full well that the underlying issues remain.
- You do your best to emphasize privacy in higher-level assessments. When it comes time to prepare for your SOC 2 or ISO assessments, you make sure to classify privacy risks in those assessments. But through misunderstanding or misclassification, these assessments leave you with a number of “acceptable” privacy risks that pile up, unmitigated. What’s more, you know there are more granular assessments you could be conducting that might uncover hidden privacy risks.
- You incorporate privacy into your security-related work. You may feel like you can manage and protect the data you have, but you’re left wondering whether your organization really needed to collect all of this personal information in the first place.
3 Strategies to Manage Privacy Risk When Your Time Is Limited
In a pinch, the approaches described above are a good way to ensure data privacy gets at least some attention—and they’re certainly better than ignoring data privacy entirely.
But if this is the extent of your privacy management efforts, then there are still quick wins you can achieve without driving yourself crazy.
1. Find the Overlap
Data privacy management has fallen under your purview precisely because it’s multifaceted and impacts multiple teams and processes. That’s a challenge, but it’s also an opportunity. Find the activities that reduce your privacy risk and help you manage risk in other aspects of your remit.
You may already be doing this through high-level assessments or security exercises, as we described earlier, but there are many more ways you can kill two birds with one stone when it comes to privacy management.
Consider data inventorying and data mapping. Knowing where your organization's data comes from, where it lives, how it’s handled, and where it’s transferred empowers you to identify and reduce risk of all stripes. For example, not only will data mapping help you meet standards’ requirements like ISO 27001’s asset inventory, it will also enable you to more quickly execute data subject rights requests.
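The data map described above, worked through as an added example (this is not Osano's code or the article's): a constructed inventory for a hypothetical SaaS company, with three views over the same records. The asset register is the kind of artifact an ISO 27001-style audit asks for, the subject-data lookup is what a rights request needs, and the gap report surfaces findings that matter to both security and privacy. Every system name, owner, region and retention value here is invented.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DataAsset:
    system: str                    # where the data lives (system or vendor name)
    owner: str                     # accountable team; an asset register needs an owner
    region: str                    # hosting region
    categories: frozenset          # personal data categories held (empty = none)
    sources: tuple                 # where the data comes from
    transfers_to: tuple            # systems or vendors the data is sent on to
    retention_days: Optional[int]  # None means no retention period has been set


# Constructed sample data map for a hypothetical SaaS company (not real data).
DATA_MAP = (
    DataAsset("crm", "sales", "us-east", frozenset({"name", "email", "company"}),
              ("web_signup_form",), ("marketing_automation",), 730),
    DataAsset("marketing_automation", "marketing", "eu-west",
              frozenset({"email", "behavioral"}), ("crm",), (), None),
    DataAsset("support_desk", "support", "us-east",
              frozenset({"name", "email", "ticket_text"}),
              ("web_contact_form",), ("analytics_vendor",), 365),
    DataAsset("analytics_vendor", "product", "us-east", frozenset({"behavioral"}),
              ("support_desk", "web_app"), (), 90),
    DataAsset("build_logs", "engineering", "us-east", frozenset(),
              ("ci_pipeline",), (), 30),
)


def asset_inventory(data_map=DATA_MAP):
    """Security view: one register row per asset, with owner, location and
    a personal/non-personal classification."""
    return [
        {"asset": a.system, "owner": a.owner, "region": a.region,
         "classification": "personal" if a.categories else "non-personal"}
        for a in data_map
    ]


def locate_subject_data(categories, data_map=DATA_MAP):
    """Privacy view: every system that must be searched (or purged) for a
    subject rights request touching the given data categories."""
    wanted = frozenset(categories)
    return sorted(a.system for a in data_map if a.categories & wanted)


def inventory_gaps(home_region, data_map=DATA_MAP):
    """Risk view: personal data with no retention period, transfers to a
    recipient missing from the map, and personal data leaving the home region."""
    by_name = {a.system: a for a in data_map}
    findings = []
    for a in data_map:
        if a.categories and a.retention_days is None:
            findings.append(f"{a.system}: personal data with no retention period")
        for target in a.transfers_to:
            dest = by_name.get(target)
            if dest is None:
                findings.append(f"{a.system} -> {target}: recipient not in the data map")
            elif a.categories and dest.region != home_region:
                findings.append(
                    f"{a.system} -> {target}: personal data leaves "
                    f"{home_region} for {dest.region}")
    return findings


if __name__ == "__main__":
    for row in asset_inventory():
        print(row)
    print("erasure request for an email address touches:",
          locate_subject_data({"email"}))
    for finding in inventory_gaps("us-east"):
        print("finding:", finding)
```

The point of keeping one record type for all three views is that a single maintenance effort (adding a system, changing an owner, recording a new vendor transfer) keeps the audit register, the rights-request runbook and the risk findings in step with each other.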
As another example, your organization might be investigating the use of AI systems in its operations or its products and services. AI brings with it a number of risks, but many of them can be mitigated through traditional data privacy practices, like consent management and subject rights management.
For example, when IBM scraped images hosted on Flickr to improve facial recognition AI models’ ability to process darker complexions, it failed to secure appropriate consent from the photograph subjects. IBM faced a lawsuit under Illinois’s Biometric Information Privacy Act (BIPA), which levies up to a $5,000 fine per violation—in this case, one for each face scanned without first securing consent. Had the company performed a privacy risk assessment and sought methods to secure the needed biometric data with the subjects’ informed consent, the lawsuit and bad press could have been avoided.
2. Focus on Smart Delegation
You already know you can’t do it all. What you can delegate, you already have. But you may have paused further investigation and investment into data privacy because it’s unfamiliar waters. You don’t want to delegate tasks that you haven’t fully understood yourself—and that means if you invest more into data privacy, you’ll be taking more work on yourself.
The good news is that the daily work of privacy doesn’t have to be complex or risky. It can be, of course; you wouldn’t want a non-expert designing your subject rights workflow or consent banners, in case they push a non-compliant design live to your website. But related data privacy processes—like classifying cookies and executing rights requests—can be relatively straightforward.
If you spend the time identifying which data privacy tasks can be handled without undue risk or complexity, you’ll find that many of these tasks can be handled by less busy members of your team. A well-designed privacy solution will feature built-in guardrails that enable non-experts to manage privacy without risking non-compliance, too.
3. Look for Privacy Integrations in the Tools You Already Use
GRC solution vendors aren’t blind to the fact that GRC professionals are increasingly managing data privacy risk. In fact, more than half (53%) of GRC professionals report that managing data privacy is absolutely essential to their organization. Not only do many GRC solutions contain rudimentary support for data privacy, they often integrate with privacy-focused software.
GRC solutions like Vanta and BitSight, for instance, integrate with Osano for consent management and vendor privacy risk scoring, respectively. If you use those solutions, you may already have access to a portion of the Osano platform.
And if you want to follow through on the other strategies identified in this article, then the full Osano platform could be worth investigating. We bake compliance best practices into the platform and put guardrails in place that discourage accidental non-compliance, making it ideal to delegate day-to-day privacy management tasks to members of your team. We also provide data mapping, assessments, and other functionality that benefits a broader GRC program outside of privacy specifically.
Schedule a demo today and find out if Osano has a place in your GRC program.
The ROI of Privacy Management
Do the benefits of data privacy management stop at risk mitigation? Nope. There's a host of reasons why data privacy can benefit the business as a whole. Arm yourselves with arguments and stats to make the case for data privacy with our ebook.

Matt Davis, CIPM (IAPP)
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.