Category: Information Management and Governance

CDO, CPO, IAPP, Information Management and Governance, Information protection, Privacy, Risk management

Beyond the Blind Spots: The Efficiency Trap in Privacy Compliance for Mid-Market Companies

James Howard

In the rush to scale, many companies—ranging from start-ups to mid-market enterprises—often make a pragmatic, yet perilous, decision: they treat privacy compliance as a “side desk” assignment.

Whether it lands with the CISO, the IT Director, or the General Counsel, the mandate is usually the same: “Make it work, keep it lean, and don’t let it slow us down.”

As a result, we are seeing a massive shift toward “efficiency-first” privacy. For the non-specialist leader tasked with this responsibility, the pressure is immense. To bridge the knowledge gap, many are turning to Generative AI to draft policies or manage data maps.

But there is a fundamental difference between having a policy and operationalizing a program.

The AI Mirage and the Knowledge Gap

AI is an incredible tool for documentation, but it lacks the “institutional muscle memory” required for true governance. It can’t sit in an Audit Committee meeting and explain why a specific data flow was deemed a high risk, nor can it navigate the nuance of a complex cross-border data transfer agreement.

For the CISO, IT Director or Legal Officer, relying solely on AI or automated “checkbox” software creates a false sense of security. It leaves behind “blind spots”—the operational gaps where data actually lives, moves, and leaks.

The New Frontier: Internal AI Adoption and Overlapping Risk

The challenge is no longer just about protecting static databases; it is about the explosive, often unmanaged, use of AI tools across every department. From marketing teams using LLMs for copy to engineering teams using AI to refactor code, “Shadow AI” is the new Shadow IT.

This creates a dangerous overlap between AI Risk and Privacy Risk:

  • Data Leakage: Sensitive customer data or trade secrets being used to train third-party models.
  • Algorithmic Bias: Automated decisions that may inadvertently violate privacy rights or fair-practice regulations.
  • Compliance Triggers: Under frameworks like the EU AI Act or evolving state laws, the mere use of AI often triggers mandatory Data Protection Impact Assessments (DPIAs) that most non-specialists aren’t equipped to perform.

When AI and privacy risks collide, they create a “force multiplier” for liability. You cannot govern AI without a mature privacy framework, and you cannot have a modern privacy framework while ignoring your company’s AI footprint.

Building on a Framework, Not Just a Feeling

True privacy compliance isn’t about the software you buy; it’s about the framework you build and the processes you implement. Boards and Audit Committees are increasingly looking for evidence of Operationalized Compliance:

  1. Repeatable Processes: How do you handle a DSAR (Data Subject Access Request) on a Tuesday morning without it becoming a four-department fire drill?
  2. Risk Documentation: Can you demonstrate that privacy-by-design (and AI-by-design) was considered before the new product feature was pushed to production?
  3. Vendor Governance: Do you actually know what your third-party AI and SaaS providers are doing with your data?

The Strategic Value of the Fractional CPO

For mid-market firms—and the PE/VC firms that back them—hiring a full-time, six-figure Chief Privacy Officer is often overkill. Yet, leaving a CISO or IT Director to “figure it out” increases the risk of a regulatory bottleneck during due diligence or an exit.

This is where the Fractional CPO changes the math. A Fractional CPO provides the specialized oversight of an executive-level expert at a fraction of the cost. They don’t just “check boxes”; they build the framework that allows the CISO and Legal teams to execute with confidence.

The goal isn’t just to stay out of trouble. It’s to build a high-velocity business where privacy is a fuel, not a brake.

Conclusion: Moving From Risk to Resilience

In the modern regulatory landscape, “compliance” is no longer a static destination—it is a continuous operational state. For mid-market companies, the efficiency trap of delegating privacy to overextended non-specialists or relying solely on AI tools creates vulnerabilities that only become visible when it’s too late.

By integrating fractional expertise, leadership can move beyond the blind spots. You gain the ability to navigate the complex intersection of AI innovation and data protection without the overhead of a full-time executive hire. Ultimately, operationalizing your privacy program doesn’t just satisfy auditors or investors; it builds the trust and resilience necessary to compete in an AI-driven economy.

Questions for the Board & Leadership:

  • Is our privacy lead an expert, or a generalist wearing too many hats?
  • Do we have a clear inventory of where AI is being used and what data is being shared with it?
  • If a regulator knocked tomorrow, could we show an operationalized process, or just a folder of AI-generated PDFs?
  • Are we leveraging fractional expertise to de-risk our upcoming exit or audit?
CCPA, CDO, CPO, GDPR, IAPP, Information Management and Governance, Privacy, Risk management

Beyond the Blind Spots: How a Privacy Partner Operationalizes Compliance

James Howard

In mid-sized organizations, privacy responsibilities are often assigned to the IT Director, CISO, or General Counsel. These roles bring deep expertise in technology, security, and legal compliance. However, privacy introduces an additional discipline that focuses on how information is used, whether that use aligns with stated purposes, and how those decisions are operationalized across systems.

Two structural challenges commonly emerge:

  1. Privacy governs data use, not only data protection.
    As privacy regulations expand and organizations increase their use of AI and data-driven systems, compliance depends on clearly defined purposes, permissions, and lifecycle controls—not solely on security safeguards.
  2. Regulatory obligations require repeatable operations.
    Many privacy requirements depend on consistent execution (e.g., responding to individual rights requests, maintaining processing records). When these activities are handled manually or distributed across functions, they create operational risk and inefficiency.

As a result, privacy increasingly functions as an operational capability rather than a policy-only responsibility.

In this environment, organizations often supplement internal expertise with external privacy partners to address gaps between regulatory interpretation and system-level execution. These partners do not replace internal accountability, but support leadership by translating privacy requirements into operational processes aligned with existing IT, security, and business workflows.

In this context, privacy is no longer limited to published notices or contractual language. It is a data lifecycle and systems management challenge requiring coordinated execution across legal, technical, and business teams.

Governance Context: Roles and Accountability

From a governance perspective, privacy responsibilities typically align with a Three Lines of Defense model:

  • First Line (Business & IT Operations):
    Own data use, system design, and day‑to‑day processing activities.
  • Second Line (Privacy, Risk, Compliance):
    Define requirements, provide guidance, monitor adherence, and maintain oversight documentation.
  • Third Line (Audit / Independent Assurance):
    Validate that privacy controls and processes operate as designed.

Where organizations lack a dedicated internal privacy function, an external privacy partner commonly supports the second line by providing subject‑matter expertise, standardizing processes, and supporting oversight without assuming operational ownership.

1. Operationalizing Privacy Requirements

Regulatory requirements must be translated into documented, repeatable processes. Without this translation, organizations rely on ad hoc responses when regulators, customers, or partners request information.

In practice, external privacy expertise is often used to help establish these processes in a consistent and auditable manner.

Key operational areas include:

• Record of Processing Activities (ROPA)
A compliant ROPA requires more than an inventory of systems. It must link data sets to processing purposes, legal bases, and retention decisions. Where internal teams maintain fragmented documentation, external privacy support can help normalize ROPA structures and ensure alignment with actual system behavior. When purposes change or expire, associated data should be reviewed and disposed of to reduce long-term risk.

• Data Subject Requests (DSRs)
Rights such as access, deletion, and correction are time-bound and resource-intensive when handled manually. Standardized workflows—often designed with external privacy input—can support consistent intake, identity verification, and fulfillment across systems while improving response reliability and cost predictability.

• Consent Management
Consent requirements span websites, mobile applications, CRM systems, and marketing platforms. Effective consent management depends on synchronized preferences and a consistent source of record. External privacy expertise is frequently used to help define consent governance models and ensure downstream systems respect user choices across platforms.

• Privacy Impact Assessments (PIAs / DPIAs)
PIAs are most effective when conducted early in the system development lifecycle. Privacy specialists—internal or external—can assist development and product teams by identifying risks at design time, enabling mitigation through architectural decisions rather than post‑deployment remediation.

• Data Minimization and Disposal
Retention decisions affect legal exposure, breach impact, and discovery obligations. Operationalizing retention and disposal policies often requires coordination between legal, IT, and security teams. External privacy support can help align retention rules with technical enforcement mechanisms to ensure policies are applied consistently.

2. Privacy Technology and Tool Selection

When privacy responsibilities are distributed across functions, tool selection is often fragmented. Different stakeholders may prioritize integration, reporting, or usability, leading to overlapping or underutilized solutions.

A coordinated approach to privacy tooling—frequently supported by external privacy advisors—focuses on selecting and integrating platforms that support:

  • Governance, risk, and compliance reporting across jurisdictions
  • Automated data discovery and classification
  • Scalable fulfillment of individual rights requests
  • Integration with development, security, and IT service workflows

The primary objective is not tool adoption itself, but operational integration. Privacy activities should surface within existing workflows and control environments so that compliance obligations are met as part of normal operations rather than through parallel processes.

3. Privacy in AI and Advanced Analytics

As organizations deploy AI and machine learning systems, privacy considerations increasingly intersect with model development, data governance, and risk management.

Key considerations include:

  • Documenting data provenance and permissible use
  • Assessing whether training and inference data align with stated purposes
  • Evaluating risks related to repurposing, bias, and downstream use

Given the evolving regulatory environment, organizations frequently rely on specialized privacy expertise to support AI impact assessments and governance reviews. These assessments help leadership determine whether proposed data uses are permissible, defensible, and sustainable over time.

Summary 

Assigning privacy responsibility without dedicated operational ownership can introduce long-term compliance and operational risk. Whether delivered internally or supported by external expertise, a structured privacy function enables:

  • IT teams to design and operate systems with clear data‑use constraints
  • Security teams to reduce exposure through minimization and controlled access
  • Legal and compliance teams to rely on documentation that reflects actual operational practices

When privacy requirements are embedded into systems, governance structures, and risk frameworks, organizations are better positioned to respond to regulatory inquiries, support data‑driven initiatives, and adapt to evolving legal standards.

CDO, CPO, IAPP, Information Management and Governance, Information protection, Privacy

Looking Ahead: The New Operating Model for Business

James Howard

COVID-19 has had a horribly disruptive effect on almost all people and aspects of society.  This paper starts a dialog around an admittedly tiny aspect of that and a view to the future.  It in no way should be seen to marginalize or trivialize the pain and suffering endured by the millions of people directly impacted by the pandemic.

On May 1st, CNBC published this article that discusses how some businesses are re-evaluating their need for physical office space in light of their experience with a majority of their workforce working remotely.

The rapid shift to work-from-home has served as a catalyst for change.  Many years ago, when video conferencing first became available, companies started to invest in equipment that was office-bound, hoping to reduce business travel. That never happened because the technology was temperamental, brands didn’t interoperate very well, there were never enough facilities, and the equipment required expensive point-to-point T1 lines.

Since then, there were advances in the technology along many orientations, including high speed internet to homes, corporate adoption of laptops, smartphones, and importantly, audio conferencing.  This enabled a shift toward work-from-home, and corporate shared office space – “hoteling” (universally adopted by consulting firms and hated by employees), smaller offices/cubicles sold euphemistically as “open concept” workspaces.  But many were still reluctant to use video (Dilbert summed it up well with a series of comics depicting people “working from home” taking video calls wearing their bathrobes).  Workers were far more comfortable with audio conferencing than video, but it still did a lot to get companies and workers more used to remote working.

The needle moved further toward remote workforce with the dramatic increase in off-shoring, leverage of contractors which in itself lessened the feeling of permanence of employment, and perhaps contributed to workers feeling more comfortable as individual contributors working from anywhere.  Paradoxically, there was a simultaneous shift toward urban living, as the number of young people wanting to drive or commute went down, which one might have thought would shift them back to offices.

Powerful Disruptor

All these shifts were gradual, and the net result was tidal shifts in the work model.  Leave it to nature to provide a dramatic disruption, which has resulted in remote working suddenly accounting for 95+% of non-essential workers.  The points raised in the CNBC article are not at all surprising, given how the experts are bracing for periodic reemergence of Corona, but are also supported by:

  • The high cost of commercial real estate and the need to manage costs
  • The remarkable advances in technology enabling remote working
  • The quality of life impact of time-wasting commutes

A shift to predominantly remote working has immediate benefits, including the opportunity to hire the most qualified workers without regard to their physical location, which helps address challenges businesses have faced hiring the right talent.  It also has consequences, such as the inevitable glut of empty office space.  The sudden reduction in the concentration of office workers has a significant impact to businesses relying on them – restaurants, shops, laundry, shoe-shine, even metropolitan transportation – as large portions of their customers stop coming.

Opportunities

In the past, there have been dramatic disruption to business leading to the shrinkage or elimination of entire industries.  Yet over time, business comes charging back.  Before Corona, unemployment was at record lows, and companies were clamoring for skilled workers.  This is after gloomy predictions of unemployment after waves of off-shoring everything from manufacturing to call centers to highly skilled workers.

What has to happen for remote working to become as effective as working from a managed location?

Physical space: Many people don’t have home offices and take over the dining room table instead.  This isn’t sustainable, since asking people to shift from a company managed location to home involves a level of disruption and the only financial beneficiary is the employer.   Wouldn’t it make more sense for the employer to provide each employee a remodeling budget (funded by savings resulting from reduced commercial real estate costs)?  Small contractors could build-out home offices based on guidelines or specifications defined by the employer.

Technology infrastructure: When someone works in an office, the employer provides a laptop and a portfolio of business applications, but also the infrastructure to provide access to those applications – physical connectivity, wi-fi, deskside support.  They establish standards that they are able to support in a cost-effective fashion.  This needs to be replicated in some fashion at home, at least for a portion of the workforce.  It’s not realistic to expect the worker to solve all their home technology issues and not impact their efficiency.  Solution?  A ramp-up of home technology service-providers (e.g., Geek Squad) who set up and support home offices.

Improved wireless: There is a race underway to roll out 5G infrastructure and public wi-fi 6 that promise high-speed performance that rivals (or beats) home-based/cable internet access.  This may be a boon for remote workers and their employers because it simplifies the support model by eliminating the so-called “last mile” connectivity to the individual house in favor of a more controlled infrastructure using transmitters on towers in public spaces.

Comforts and conveniences: As people get used to working remotely, their appetite for convenience goods and services will likely return.  This means the retail services that had been located near office buildings will cater to home-based workers.  To be sure, it won’t look the same, given that the density of customers is different.  There will be more home delivery or curbside service.  Will it be the same in terms of volume?  Probably in an overall sense, but the concentration will differ.  But it seems reasonable that the businesses that can cater to distributed remote workers will benefit.

Challenges – Privacy and Data Protection – a tiny slice

There is no doubt that as with any fundamental disrupter, there will be challenges to be met before we move to equilibrium – the so called “new normal”.  Among many others, information protection and privacy faces challenges.  Some years ago, a colleague authored a prescient paper entitled “Privacy in a Pandemic” that explored the reasonable tradeoffs to be made when balancing individual rights against the needs of society, famously captured by Spock as he sacrificed himself believing “the needs of the many outweigh the needs of the few… or the one”.  But the new equilibrium has implications for privacy and data protection in a more corporate setting.  While privacy regulation accommodate these priorities, privacy and data protection programs will have to re-calibrate their risk assessments and place new weight on risks made more prominent by the shift away from office-based workers, to one where the line between personal life and professional activity is blurred to the point where you can hardly tell the difference.  Clear desk policies went from being a constant real and philosophical debate to now being completely unenforceable, and therefore mostly moot.  Implementing sound technical controls that don’t disproportionately interfere with the ability to work will take time, and likely require new technology deployments.

Understanding purpose: A key enabler to pivoting data privacy will be a mature data governance program.  Making assumptions around higher level enterprise controls is no longer safe.  Instead, knowing the nature and location of data is far more important in order to protect while enabling use.  Providing more discrete permissions around the use of data will help lessen the risk of loss and unauthorized disclosure.  Understanding the purpose behind proposed use of data will enable assigning more discrete permissions.  Since preserving privacy is a lot more than just ensuring protection, the philosophy of understanding purpose also helps ensure appropriate use of data.

Fundamentals: Implementing new controls will take time and carries the risk of creating more frustration and confusion that benefit until the edges are smoothed out.  Privacy leaders should step back and consider the full breadth of their programs, leveraging all techniques to manage risk while avoiding unnecessary disruption.   An effective awareness program, for example, can go a long way to encouraging people to make safe decisions when handling data.

Summary

COVID-19 has created havoc in unprecedented ways, and has affected the lives of billions of people.  The human toll cannot be measured, and the suffering by so many should not be swept aside.  Experts are working through the optimal medical strategies while economists are still trying to model the short, medium and long term impacts to business.  Entire books will be written and college classes will be structured around the Coronavirus pandemic.  This paper has taken a very narrow slice of that and will hopefully start an open-minded dialog around how to help enable the future operating model for business.  The dialog can and will continue in months and years to come.

CCPA, CPO, GDPR, IAPP, Information Management and Governance, Information protection, Privacy, Risk management

Why do we have such a hard time understanding, assessing and managing risk?

James Howard

Introduction

Risk is a real concept that manifests across life.   Within a business context, risk management is a valuable tool to help improve the probability of success.  This paper explores the role of a risk manager, and is applicable across the board – whether business processes, technology, security, privacy, information or enterprise.  The reader can easily extrapolate the ideas to any aspect of life.

Definition and Reporting

Definition of risk: The probability or threat of quantifiable damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.

The key word is “probability” – the likelihood that the event will occur.  In some instances, that can be calculated empirically, if all inputs and effects are known, where triggers can be identified – even if random (roll of the dice).  Other times, probability can be estimated based on historical data around similar conditions (50% chance of rain).

Other times, especially in business settings, there are more variables than can be practically tracked and quantified.  In those settings, Risk Managers use judgment to assess the risk of an event occurring.  The risks are usually classified in a 3 or 5 point scale – say, red, yellow, green or severe, major, moderate, minor and insignificant.   And the more knowledgeable the Risk Manager, the more insightful their assessment of risk, but it still remains a probability.

Challenges

Communicating risk gets complicated when we start factoring in risk mitigating strategies – avoid, reduce, transfer, accept—and reduction techniques – controls, TOD/TOE, residual risk, control risk, etc.

Even within the mitigating strategies there are grey areas – avoiding has consequences (lost opportunities), acceptance doesn’t mean the adverse event will occur, reduction doesn’t mean eliminate.

While some leaders claim they are comfortable navigating uncertainty, there is no question that business hates risk: markets react to uncertainty, and “punish” companies that operate with too many unknowns, and reward those that demonstrate clarity.

People publish dashboards and discuss numbers of controls, as though they were currency – more controls must be better – even though one good (strong) control could replace many poor (weak) controls.  Even auditors are reluctant to rely on process controls and would rather verify every transaction instead (assuming they could).

So what’s the issue?

To some extent, we, as Risk Managers, are the issue.  When asked about risk, we articulate it in our own language:

Risk Manager to Client (or internal business stakeholder): “there is a risk that such-and-such could happen that has these consequences”

Client: “how likely?”

RM: “moderate”

Client: (thinks: “huh?”) “what can we do about it”

RM: “implement x-y-z control”

Client: “will that make it go away”

RM: “implementing this control will reduce the risk, but it leaves a residual risk”

Client: (thinks: “huh?”) “Is that a ‘yes’?  Why wouldn’t you just do it?  And what’s that mean?”

RM: “here – sign this ‘residual risk acceptance document’”

Client: “ok – done”.  (thinks: “thank god that’s over!”) Back to business as usual.

Let’s face, this exchange isn’t very helpful.  The Client clearly doesn’t understand the risk as a potential impact to his/her business, and the “residual risk acceptance document” is a rubber-stamp.

Who owns the risk?  Risk Managers say that their business process stakeholders own the risk, and the Risk Manager’s role is to explain the risk, options for control, and residual risk.  However, it’s fair to say that the business process stakeholders often doesn’t truly accept their role, or if they did, they would engage in a more meaningful dialog.  And the residual risk acceptance document effectively nullifies the dialog.

If the controls are effective, or for whatever reason, the risk fails to manifest, then what?  How often does the client step back and acknowledge that RM did their job and issues were avoided?  Or does the client question why the risk management exercise was undertaken?  On the other hand, if an adverse event takes place, despite controls, does the client look at RM as though they failed?  The cynical reader would point out that if the on-going processes of managing risk management were part of core operations, then you wouldn’t see a spike in RM funding after an event takes place; you might see some refinement or realignment, but not a huge uptick in funding…

An alternative approach

So the challenge is how to meaningfully communicate risk to leadership in a way that puts risk in a business context.

First, one must keep clear: generally speaking, risk can’t be eliminated if the business wants to undertake the activity that introduces the risk.  That said, the Risk Manager can keep the following in mind as these points might promote meaningful communication:

  1. Articulate the risk in familiar business terms (“speak English!”). Explain what would have to happen to trigger the risk.  If you describe a chicken-little event without explaining the triggers, you might get dismissed.
  2. Be realistic when describing the risk and the likelihood. The likelihood should include realistic related events.
  3. Propose options for mitigating the risk, including avoid-reduce-transfer-accept. Bring a reasonable amount of research to present viable options, and be able to articulate the residual risk.
  4. Understand appetite for risk at an appropriate level. A mid-level manager may have a different appetite for risk than the CEO.
  5. Consider what kinds of risks needs to be escalated and to what level: Don’t present a risk to a CEO in a “Enterprise Risk Management” setting that should be addressed by a mid-level manager.
  6. Be realistic in evaluating the consequences of the risk. Walk the stakeholder through understanding the various consequential outcomes to help determine an appropriate mitigating strategy.
  7. Make clear who owns the risk. Get rid of “risk acceptance” documents – if a risk is significant enough to warrant action, it should be pursued.  Risk Acceptance documents are an attempt to shift/assign responsibility, and if they are needed, then they will also be ignored in the post-mortem.
  8. Acknowledge that business environments are dynamic, and events rarely unfold negative risks occur. People intervene.  Processes engage.  The outcome is rarely what was predicted when the risk was recorded.  And the more catastrophic the risk, the more it morphs as it unfolds.

Many of these considerations apply in the post-mortem stage.  One of the big challenges in the risk management community is one of appropriate hindsight.  When evaluating changes to make in risk management in light of an event, it’s important to remember what was known and considered at the time risks were assessed.

The overarching themes in this article is that risk managers need to be realistic when articulating risks, consequences and controls.  Risk managers must recognize they need to bridge the communications gap to their stakeholders by describing risks in business terms that will resonate.

Risk is a fact of life in every aspect of business.  Bad stuff happens, and risk management is not risk “elimination”.  Risk managers play a critical role, and by thoughtfully supporting their stakeholders, they can help business accelerate forward.

 

 

CCPA, CPO, GDPR, IAPP, Information Management and Governance, Privacy

How effective are privacy programs?

James Howard

Background:

In September 2019, A group of 100 data leaders from respectable NY financial institutions were asked whether they’d heard of the General Data Protection Regulation (GDPR – the far-reaching European law governing how EU citizen’s personal information is handled around the world); 5 hands went up.  When asked a follow-up question: how many had heard of the California Consumer Privacy Act (CCPA), 2 hands went down.

On December 26, 2019, CNN published a story explaining why consumers are all of a sudden receiving so many privacy notices, which goes on to summarize CCPA, including the activity that triggered it.  The article explained – at a high level – the events that led legislators to pass the law. 

Over the summer, a small group of CFOs were interviewed and felt that GDPR is a mess, readiness was a waste of money, and that compliance is being addressed by “someone else”. 

Problem statement: 

Companies want to increase the degree to which they store and process personal information, but in an effort to protect the rights of individuals, law-makers are seeking to reduce the number and severity of incidents by imposing regulations.

Companies are making big investments in initiatives to take advantage of the transformative potential of data.  This covers an incredible array of opportunities, from simply using data and analytics to enrich their products and services, all the way to inventing algorithms to mimic human thinking to improve the lives of millions.  

The initiatives all have one thing in common: they depend of high quality data.  Vast amounts of it.  Increasingly pertaining to people.  Companies are building systems that pull together and combine data from a myriad of sources – internal and external. 

Breaches are happening – bigger and more impactful.  In 2019, records containing personal data were being stolen at a rate of over 15,000,000 per day.  The consequences to organizations are significant – financial and reputational.  Regulators are stepping up their actions, conducting investigations, and imposing fines.  Companies are having to pivot to correct issues and address new requirements reactively because many have failed to implement a data management framework efficiently adapt to regulatory changes.

Many companies don’t have a prominent leader assigned responsible for privacy – a Chief Privacy Officer (CPO) or equivalent.  Privacy is managed by legal or compliance groups as an adjunct to operations.  As a result, the people doing the day to day business of the company are not aware of their privacy responsibilities.  So is there any wonder why companies are mishandling personal data?

It’s time to act

More to the point, it has been “time to act”, but the regulatory requirements around data privacy are not going to get simpler, and companies should consider implementing an operational framework, with appropriate tools, enabling them to adopt new requirements in a time and cost effective manner.

An effective program to enable business to use data while also managing risk and ensuring compliance must reflect 3 interlocking components: Privacy, Data Governance and Risk Management.  Together, they can protect an organization while serving as a catalyst to accelerate forward.

Privacy

Most companies have a Privacy compliance program.  However, the informal poll referenced above revealed that privacy compliance is not embedded in the data programs.  This gap is very significant, since provisions of the laws speak very specifically to plans data scientists are pursuing,  The result is certain initiatives will have to slow down or get re-tooled.

And it’s not just data science teams who are dangerously disconnected.  Data science is probably a key area where data is being handled outside the boundaries set by the regulations (kept and processed for purposes beyond why it was collected, for example), but the breaches are mostly tied to weak controls on the operational side of companies – ranging from how and where it is tracked and stored, to how it is processed or disclosed for business purposes.

“Privacy by design” has eluded organizations since it was first envisioned in 1995, in part because it is frequently promoted by an under-resourced parallel organization, trying to apply one-size-fits-all techniques.  It doesn’t have to be like this.  Privacy programs can be structured to bridge to data users in an foundational sense, where privacy obligations are taken into account through-out project or operations lifecycles.  Risk goes down.  

Addressing the challenge begins by assessing the current state of the privacy program against a privacy template or framework, such as the latest draft NIST Privacy Framework, and creating a gap analysis.  The framework is useful because it breaks down the objectives of a privacy program in a way that aligns in with both regulations and the way organizations use data.  To be fair, the full Framework can be overwhelming for many companies – especially those not familiar with the NIST Security Framework, on which the Privacy Framework is based.  But this can be addressed by first distilling the NIST framework down to a more manageable version that still preserves the key elements. 

The gap analysis forms the basis for discussing how to enhance existing privacy efforts to achieve compliance, in a deliberate, sustainable, pragmatic way.  If done right, it can be scaled – whether down to a small privacy team of, say 2-3, or up to a full enterprise-level team.  This also allows a more focused approach to address specific pain points, including:

  • Compliance with GDPR or CCPA, which might range from early stage assistance, to specific process solutions (e.g., data subject access requests, data inventory upkeep, privacy-by-design, training and awareness, etc.)
  • Consideration for placement of the program, to integrate into company culture; companies are struggling with where to assign privacy, if not in Legal, and it’s landing with the CISO, who often needs help getting ramped up
  • Operationalizing Privacy, making the program resilient and sustainable, incorporating activities such as: 
    • Strategic oversight and stewardship, including obtaining executive and Board support
    • Monitoring for legislative changes, 
    • Updating and implementing policy,
    • Risk assessment, 
    • Process and control documentation and testing, 
    • Integration with business and IT change management, 
    • Incident management, escalation and resolution, 
    • Vendor management, and 
    • Contract review.

Data Management

Data programs are high priority for CEOs – over 95% believe that leveraging data is key to continued success and to defend against external disruption.  Yet Gartner concludes that 85% of data projects fail.  How is this possible?  Oftentimes, data initiatives are launched without implementing basic management and governance techniques.  Objectives are not defined at the outset, C-levels and the Board aren’t clear in what they are asking for, and may not understand the path to get there – or the cost.  

Introducing data management and governance discipline to create the data equivalent of “scientific method” can dramatically reduce risk and increase the chance of success.  Many companies – especially those in regulated industries – have records management programs that can be adapted to provide a management framework for data to be leveraged for monetization or through analytics or AI initiatives.  

The value proposition is to implement sufficient management and governance activities to

  • Provide transparency and accountability in to the program, including ethics and legality,
  • Ensure that data is handled in a way that doesn’t violate compliance obligations, whether contractual or regulatory
  • Provide shared-service capabilities, including inventory, procurement, tracking and disposition.
  • Create logical interface and touch-points into privacy, security, internal audit, compliance and legal programs
  • Triggers and objectives are to close the gap between CEO expectations and the practical success rate of data projects.
  • Expose the relative value and sensitivity of data to enable proper risk and threat management, in collaboration with others, such as a Chief Information Security Officer.

Information Risk Management

In a metaphorical sense, data programs are taking the jewels out of the safe and passing them around.  Handling high value assets definitionally increases the risk of theft or breach, when compared to keeping them locked up.  But they must be handled in order to derive value.  Many companies have built information risk or IT risk management capabilities over the last several years; the question is how well are they tied into data initiatives or aligned with the way data is used?  Given that 15,000,000 records are breached every day, one might suggest “not very”.  

In the context of the increased use of data for market-facing benefit, Information-related risk needs to be assessed in a more focused way.  As a discipline, IT RM has created a good foundation, however it frequently aligns with core IT process like strategy, architecture, change management, and security, and not to data.  

Information risk management can provide a critical interface between a data leverage program and a privacy/compliance program.  The techniques used to assess information risk result in key insights into the nature, relative value, uses and threats to information.  This helps direct risk-mitigation resources to align with the risk.  Specifically, it helps to recognize whether risk can be mitigated through, say, security controls, or whether the employee community needs tools that better align with their jobs (obviating the need for them to find their own solutions to business problems), or whether increasing awareness can help people make better judgements.  

Companies should consider identifying, categorizing and managing risk by looking at initiatives through an information lens – as opposed to a technology lens.  This changes the dialog with business stakeholders, which increases their understanding and appreciation of what could go wrong, what is acceptable residual risk, and the steps needed to bridge the gap.  

As indicated, IT RM in the marketplace has achieved a level of maturity, and there exists opportunities to adjust the scope and approach to more effectively identify and manage information-related IT risks, which arguable, can help manage overall financial, regulatory and brand exposure for companies.

Summary

Companies are increasing their use of data at a tremendous rate – and they should.  The opportunities to gain competitive benefit are exploding.  But the risk and consequences of missteps are growing as well.  By implementing data governance and integrating risk management and compliance in a pragmatic way, organizations can continue to explore the ways data leverage can provide benefits, while taking proportional measures against events that can impede progress.