Effective Privacy on a Tight Budget
Those in charge of corporate privacy programs must work closely with a wide variety of executives and departments throughout the organization to achieve the program’s goals. But the programs, relatively new in many organizations, are frequently viewed by other departments as a potential drag on business.
That challenge can keep programs from being effective, according to Gartner, Inc., research director Carsten Casper, who spoke at a recent Gartner conference. To overcome internal resistance, privacy program managers must find allies to help push for mutually beneficial policies and security solutions.
Before critical meetings, for example, it helps for privacy officers to have a good sense of the other parties’ business goals, and to understand how both sides can help each other succeed, he said.
Privacy program aims, for example, could include expanding the use of consent when collecting customer data. If meeting with marketing executives, officers might relate how expanded use of consent could generate more data, which could then be used for purposes such as targeted advertising, he said.
In certain cases, privacy programs can help to improve the efficiency of business operations by helping the business understand that it really doesn’t need to collect so much data. Many organizations have gathered extensive amounts of medical information from employees to prepare for situations such as medical emergencies, for example. Given the sensitive nature of such data, however, organizations could consider requesting less, but more relevant, information such as whether an employee has disabilities or insulin requirements, said Casper.
Privacy programs could also take far greater advantage of available security solutions. Some already use security technology such as encryption, he said. That makes sense because data breach laws are more lenient when lost data is secured via encryption.
One oft-overlooked technology, however, could be data loss prevention (DLP). Increasingly popular, DLP solutions are used to keep data such as customer financial information from leaving the network. But DLP could also be used to help contain many other forms of personally identifiable information (PII), said Casper. Another type of technology, data masking, is also being employed more often, frequently by business units sharing information overseas as well as in situations involving application and software testing. Data masking could help with privacy requirements related to data minimization, secure data storage, and other areas, he said.
To access and employ such technology, officers might seek to identify and ally themselves with “stakeholders” throughout an organization who might also benefit from the security products. Solutions such as DLP could appeal to business areas such as sales or business development, which might want to better secure data such as business contacts and intellectual property, he said.