It’s a well-known problem that privacy and compliance initiatives may appear to be misaligned with the mission or purpose of companies, which want few obstacles to the pursuit of revenue and innovation. Privacy teams face the challenge of getting the company to invest in compliance while a growing body of law and regulation makes compliance harder to accomplish. How can privacy teams be more sophisticated in getting the organization to invest in and do things that it does not want to have to do? Privacy teams must bring their “A-Game.”
There was a time when I was pretty sure that the formula for getting the company to care about and invest in privacy and compliance initiatives was to arouse fear and then provide hope to conquer that fear. As an example, one fear was regulatory inquiry, which could lead to fines. Companies could take the position that fines are a cost of doing business, and although regulatory inquiries are a nuisance, that nuisance could be fobbed off on the Legal department to minimize it. The fear that matters is a fear of not being able to do the things they want to do.
By now there is plenty of evidence that fear cannot be counted on as a reliable motivator for privacy and security compliance. Climate change activists have evoked fear of the end of the world and that has not motivated companies and countries to modify their behavior.
More recently, value prop sophisticates attempt the jujitsu of finding ways to align the compliance work with things that the company actually cares about. This usually means finding some way to have compliance work cover most of the common elements of global and state privacy laws. Perhaps there is an efficiency benefit, or a cost benefit. We have heard of companies reporting that when data inventories and mapping are thorough, the cost of subject access requests or deletion goes down. When companies are buttoned-down on compliance it is easier for them to sign on new business partners or to effectuate mergers and acquisitions. Non-compliance is contagious, and partnership is easier when the answers to the compliance questionnaires are reassuring.
And yet, the struggle continues. Even when privacy teams seek to align compliance needs with business objectives, it is hard to reach agreement on prioritization and funding of compliance work. How can we make the value proposition for compliance work more compelling?
The “A-Game”
Before you can change anyone’s mind, you have to get their attention. That’s going to take some doing, and you’ll have to raise awareness about the issues over time. Note that awareness-building is not the same as persuasion. It’s simply getting the issues into the conversations going on.
Another big “A-word” to be confronted is ambiguity. Laws like GDPR or some of these state laws are drafted in a way that keeps lawyers busy analyzing while regulators draft guidance that takes forever to arrive and rarely provides clarity. For example, seven years after GDPR entered into force, is it clear enough that you’d bet on what can safely be called “de-identified”?
What do organizations do in the face of ambiguity? I fear that too many allow the prevalence of ambiguity to be an excuse for avoidance. It’s easy to say, “We’ll wait for clarity, or to see what others do first, before we act” and then invest in something you’d rather do.
It’s time to reframe ambiguity. Ambiguity is an opportunity, an invitation for the organization to be smart and creative and find alignment of compliance objectives with business objectives. How can you construe compliance work as investment in an asset rather than a liability? If data is one of the key assets the firm has, doesn’t better knowledge of where that data is, how it is secured, how it can be used, and how it is legally defended ultimately make that asset even more valuable to the company? Compliance work turns gold into platinum. Good data mapping and inventory is a ticket to greater value of the company’s key asset.
When you cut through the ambiguity of new laws to find common elements, think of common requirements. At this point there should not be a Connecticut project or a California project; there should be DSAR and deletion work, opt-out work, disclosure work, etc. Taking the common elements and showing their validity across 20 state laws (and counting) can make it easier to argue for the prioritization of engineering work, because it becomes an investment in an asset and less of a liability.
There are also cost and efficiency savings in reducing swirl. Find ways to reach agreement sooner. You can find clarity in ambiguous laws but still have a challenge in getting your recommendation approved. Where possible, create new decision-making mechanisms. Senior executives don’t know the details and they are not incentivized to learn them, because they are evaluated on other key objectives. Creating decision mechanisms or forums can allow them to delegate an issue they’d otherwise avoid to people who understand the technical details better. Getting agreement among senior technical and legal people on a recommendation to senior executives is a more reliable path than fighting to get a complicated and undesirable issue onto their agenda, only for them to punt, delay, and wait for more information. This approach reduces ambiguity in decision-making, which makes avoidance harder to do. Instead, you are creating a path toward the decisions you need to have made.
Cost efficiency and reducing swirl can be compelling, but don’t overlook the sexiest “A-word” for getting attention and prioritization: AI. If the company is investing heavily in AI, or at least talking about it a lot, evoke the challenges of AI or automated decision-making legislation and regulation. Investing now in sound AI processes that will enable the innovation the company hopes for is a compelling argument for
Build alliances. That idea shouldn’t be novel, but you can think about alliances in new ways. The basic idea of alliances is to amplify the message. Two or more leaders making the case are certainly more powerful than one. You can leverage the value of alliances by observing that alliances create psychological safety. Privacy and security teams are rarely “in” groups at companies, not considered by most to be part of the core work of the company to innovate and generate revenue. Few want to hear what the privacy team has to say, especially when the message is ambiguous because the law is ambiguous.
But you are not alone. The key is action — collective action. Alliances of people and teams making a clear, aligned case for a compliance investment make it easier for everyone to take a risk, to not feel like they’re sticking their neck out for you.
How does this work? Start small, with one-on-one conversations that become small groups, and get people aligned. Then connect the small groups so everyone knows that there is strength in numbers. Then leverage your new decision mechanisms. Then communicate effectively. Alliance, alignment, aggregation, amplification.
Finally, observe that doing all these things will make the organization more accountable. You’re preventing groupthink and avoidance of uncomfortable topics by slowly and steadily finding clarity, aligning with business objectives, aggregating support, and amplifying the message. This work will surely help keep the organization on an accountable path to compliance readiness that supports the assets of the business.
The A-List:
Build awareness to secure attention.
Reframe ambiguity to promote alignment.
Avoid avoidance.
Protect and promote assets.
Leverage AI.
Create collective action.
Build new alliances to aggregate and amplify messaging and support.
Collective action and alliances promote accountability, which helps reduce groupthink and avoidance.