By Ben Rapp

A well-run privacy programme will support compliance with all applicable laws and regulations, implement breach planning and management, and act as your interface to data subjects and regulators. But what do we mean by a proactive privacy programme and what does such a programme add to your compliance journey?

Cyber risk reduction

Cyber-security is a whole-company responsibility. A proactive privacy programme not only integrates training that addresses cyber risks, it also actively works to reduce your vulnerabilities. This combines four key aspects of privacy:

  1. Data minimisation done well reduces your attack surface in the most straightforward way by reducing the data moving through and stored in your organisation without reducing your capabilities, service delivery or insight.

  2. Data retention management is a crucial tool in reducing breach risks. Famous breaches such as TalkTalk resulted at root from poor retention management. Historic data reservoirs that are no longer in use are often overlooked when active protection is considered; at the same time, because they are no longer needed, they add no value while still costing money to protect.

  3. Limitation of access is crucial to reducing both the likelihood and the impact of ransomware attacks. This is perhaps the most overlooked opportunity to mitigate your exposure. Put simply, if I don’t have access to data, or to a system, my account can’t be used directly to compromise it. More subtly, if I can see data but not change or delete it, then I may still be a vector for exfiltration but my account can’t encrypt and then delete the original file.

  4. Much of modern risk arises from third parties – whether in the supply chain or in other relationships which involve the sharing of data or systems access. Proactive privacy programmes include effective partner risk management, which identifies, risk-prioritises and assesses all your data sharing relationships. The quality of a vendor or partner’s privacy programme is a vital clue to their wider cyber-preparedness, and their cyber capability is likewise a key component of privacy review. At the same time, the requirement under privacy law for binding agreements covering data sharing provides an opportunity both to allocate liability and to enforce co-operation on breach prevention and breach response.

Privacy Made Positive

Securys has a long-running research programme that demonstrates the marketing and sales value of a visible commitment to customer and employee privacy, from which we have learned, among other insights:

  1. In a fragmented and commoditised digital world, customer trust is harder to win and more expensive to keep, yet essential to sustainable growth; our research demonstrates the value of privacy in establishing and maintaining brand trust.

  2. Good privacy encourages higher sales conversion, lower basket abandon rates and better customer loyalty. We found that 70% of consumers base their purchasing decisions in part on an organisation’s attitude to and use of their personal data.

  3. Our customer journey research, part of our privacy benchmarking programme, showed that minimising data collection through a just-in-time approach significantly reduces customer friction, speeding up purchase and reducing abandon rates.

Transforming data from a risk to an asset

Above all, your privacy programme should provide crucial inputs to your wider business decision-making. This means not just the narrow sense of ensuring that your collection and use of data is compliant, but also the much richer opportunity to turn your data into a living asset with a visible return. A proactive privacy programme achieves this in multiple ways:

  1. Your data protection records, so often seen as a regulatory obligation that remains siloed in the privacy function, are in fact a detailed map of your organisation’s business activities. Properly compiled and maintained, they can form part of an ongoing business analysis and digital transformation project that continually seeks both process efficiency and greater value from data insights.

  2. Considering limitation of purpose not as a restriction on trade but as a tool in that drive for efficiency turns a “department of no” into a continuous improvement programme. Our job at Securys is to show you how your organisation can achieve its goals with more focused data selection, more effective and streamlined collection and fewer unnecessary intermediate people and processes.

  3. The Data Protection Impact Assessment, often seen as a discrete project gateway or, worse, as a tedious and retrospective box-ticking exercise, is in fact a vital project scoping tool. This is particularly true when dealing with new technologies such as AI or data analytics. With a focus on specified objectives, with security and quality control measures baked in from the outset, and with a standardised and iterative review process, you can reduce scope creep, avoid project failure and mitigate vulnerabilities in design instead of requiring costly reworking after launch.

  4. The discipline of focusing on the necessity, accuracy and completeness of data to provide your services and products, ensuring that the data exists first of all to serve those customers, not only improves efficiency and customer satisfaction but also gives you a better data set on which to base better business decisions. Insights built on badly-managed data are castles built on sand; a proactive privacy programme provides firm foundations for growth.

Talk to us to find out how Securys can transform your privacy compliance journey into a proactive privacy programme and deliver genuine added value, support a safe and effective transition to an AI-enabled future and turn your data into an actively managed asset with a measurable return.
