‘Putting Out Fires’ and Maturing Your Privacy Compliance Program

Author: ISACA Now
Date Published: 15 November 2022

As more and more privacy regulations are introduced to the digital world, how can enterprises ensure their privacy compliance programs are up to speed? ISACA Director of Event Content Development Paul Phillips recently visited with Linda Thielová, OneTrust’s Head of Privacy Centre of Excellence, DPO, to answer this question and more in an episode of ISACA Live.

Thielová is passionate about privacy because of the clear ways it improves both the lives of individuals and the tangible and immediate decisions of businesses. Phillips asked about the key components of an effective privacy compliance program, to which Thielová argued that the most important thing to be aware of is the balance between the operational and tactical elements of a privacy compliance program and its strategic elements.

“Whenever, wherever you’re running a privacy program, you’ll always have to be ‘putting out fires,’ so to speak, so you have to be able to respond in a very agile way,” Thielová says.

She emphasizes that businesses must not lose sight of the strategic side of the program. How does their privacy team mature the program over time? What are some of their longer-term priorities? It is pivotal to keep up with thorough metrics and to understand both the program itself and how it is reported, internally and externally. Phillips responded with enthusiastic agreement that being effective and efficient on a daily basis by striking that balance is key, but so is automating when and where possible and ensuring clarity on the objectives of your program.

In their discussion of the typical challenges companies face when attempting to implement or maintain a privacy compliance program, Thielová says that the biggest challenge is “trying to do too much in a very short timeframe.” External compelling factors, like a new regulation being passed, push companies to create or broaden their privacy program with unrealistic due dates in mind. Thielová called attention to the importance of taking a step back and introducing a phased approach to maturing the privacy program, which helps separate immediate priorities from the more complex privacy requests and privacy by design strategies.

In addition to taking a step back, Thielová also emphasizes the value of alliances in a privacy context. Privacy teams can work together with security, legal, finance and marketing teams to help distribute tasks—especially for smaller and mid-sized businesses—so that one privacy professional is not left making a long to-do list and checking it off on their own.

“Privacy should not be sitting on the shoulders of one poor, tortured privacy professional,” Thielová said with a laugh, “but it is the idea that you’re finding allies and also accountability across the business for different operations.”

Thielová maintained that this continuous effort to improve and mature privacy programs is an enabler for business. Strengthening privacy means strengthening digital trust with employees, customers and stakeholders. Transparency allows an enterprise to build upon that privacy foundation and go beyond it, not as a one-off goal but as a commitment to progress.

Looking to the future, Phillips asked Thielová where she believes privacy regulations will be in the next five to ten years. Thielová predicts that businesses will become more aware of the patchwork privacy laws that are currently competing and overlapping in often unproductive ways, and that there will be more comprehensive and more stringent privacy laws soon.

Thielová said, “I am very much certain that there will be more regulations and I expect that, in that timeframe, most of the global population will be covered by a dedicated privacy law in some shape or form in their respective jurisdiction.”

Editor’s note: For additional privacy resources, find out about ISACA’s industry-recognized Certified Data Privacy Solutions Engineer (CDPSE) certification.