March 17, 2023
Roughly 60 percent of Americans don’t understand what companies do with their data. Sixty-three percent say they understand very little or nothing at all about privacy laws and regulations.
And unfortunately, some of your colleagues almost certainly fall into one of these camps. Even if they do feel like they have a firm understanding of data privacy regulations, that feeling may not translate into actual knowledge.
As a data privacy professional, part of your job is to communicate the basics of data privacy and explain the responsibilities that your coworkers have toward protecting consumer privacy. But given the nature of the challenge, it seems like privacy professionals have their work cut out for them.
In this blog, we’ll break down the major challenges that privacy professionals face when attempting to communicate privacy issues to their colleagues as well as actionable tips for overcoming these challenges.
There isn’t a job that exists that’s made easier by being poorly understood. But it’s especially important for your coworkers to understand the basics of data privacy. Here’s why:
Privacy is often compared with cybersecurity, and although the two are both necessary investments for any modern business, there are significant differences. For one, the threat of cyberattacks is very tangible, and the steps one undertakes to mitigate that threat are equally tangible. Security experts can point to official reporting on the number of cyberattacks in a given year, the implementation of this technology or that process, and so on.
Privacy can feel a bit more abstract. For one, the main threat in the privacy space is fines for noncompliance—the actual damage caused by mishandling personal information is tough to quantify. Furthermore, privacy protection can feel like a frustrating obstacle to doing business, especially because the protection is mainly for others—not the business itself.
When you don’t understand why you need to do something, it’s harder to get around to actually doing it. That’s why privacy professionals need to make privacy a tangible reality for their colleagues. They can accomplish this by clarifying how the damage caused by mishandling personal information hurts customers, how that damage reflects back on the business through reputational damage and noncompliance penalties, how poor privacy practices make data breaches more likely and more severe, and how privacy practices translate into business outcomes.
Most of your colleagues will have a neutral attitude toward data privacy. Not everybody can be as interested in data privacy rights as a privacy professional, after all. That neutrality, however, can quickly turn to dull hostility if they perceive privacy compliance as an obstacle standing between them and their ability to do their job.
If assessing vendors for privacy risk, accounting for and recording personal data flows, using secure communication channels, implementing access controls, and other privacy tasks take too much time out of your colleagues’ day, they aren’t going to want to do it. When you approach your colleagues about data privacy, they’ll quickly forget whatever you told them. In a way, they’re incentivized to do so—privacy compliance feels like it makes them worse at their job.
This is totally understandable; everybody wants to do a good job. But privacy compliance is your job. To overcome this challenge, it’s important to think of ways to relate privacy compliance to the job of the marketer, salesperson, IT professional, or whoever else you’re trying to speak with. And to whatever extent possible, make the demand on their time minimal.
Even if your colleagues understand the why behind data privacy and have the time to carry out compliance activities, they’ll still struggle to put your requests into practice. You’ll run into this issue anytime you communicate a new way of doing things. Change is hard, and it takes repetition before a changed process can really stick. Your colleagues are likely to take the more privacy-conscious approach to their work once or twice before falling back into their previous routine simply because old habits die hard.
Mitigating this challenge is fortunately rather straightforward, if not easy. You simply need to be consistent and regular with your communication. The more often you remind colleagues about the need to, for instance, record where new data trackers on your website are transferring personal information, the more likely they are to actually do it.
Unsurprisingly, once members of your leadership team are on board with your privacy initiatives, everybody else in the organization starts to listen. If you can, co-opt your C-suite's visibility and authority by convincing one of them to issue a mandate on your behalf.
Naturally, getting leadership buy-in is a project in and of itself. We offer some tips in our blog, Making the business case for your data privacy program.
This will be easier if you’ve already gotten buy-in from a member of your organization’s leadership, but making privacy an OKR at the start of a new project or quarter can be a great way to keep privacy top of mind. This will help encourage privacy by design as well as raise the profile of privacy at your organization as a whole.
You can make it all the easier for your coworkers to follow through on privacy by tailoring your communication to their specific circumstances.
It’s important to talk about the fundamentals of data privacy, such as purpose limitation, consent, data minimization, and more, but those fundamentals need to be translated into actionable advice for the given audience.
If you talk about the technical operationalization of privacy to HR, your message is going to go in one ear and out the other. If you gloss over the details and issue a high-level mandate for compliance to your marketing team, you’re going to cause a lot of panic over their ability to analyze the audience. Because privacy is so cross-functional, you’re going to need to develop an understanding of every function in the business that handles personal information if you’re to communicate key compliance initiatives to your colleagues.
Explaining why privacy matters to your colleagues isn’t something you can outsource to a tool. Only you can convey the what, why, and how behind data privacy.
However, you can create more time and structure for that conversation with the right solutions. Osano:
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.