Make deliberate choices about how you are using personal data
Organizations have encountered a demanding 2018/2019 since the GDPR came into full force on the 25th of May, 2018. Following 20 months of GDPR efforts, we recommend organizations take some time to explore the possibilities that a good personal data strategy may bring, as well as the course ahead. We list five key steps to devise a personal data strategy that reflects your organization’s values and vision.
1. Determine your stakeholders and their stakes
First and foremost: it is crucial to get an understanding of the context that may influence your organization’s strategy. Ask yourself who your main stakeholders are, both in the organization as a whole and within the privacy and data management function. This can include investors, board members, as well as the Data Protection Authorities, but don’t forget that your clients and suppliers also have a big stake in the personal data strategy. After having identified your main stakeholders, determine what their stakes in the business and privacy might be. Different stakeholders will have different views on the ethics surrounding the processing of personal data. Your customers may expect you to deal with personal data carefully, and to provide them value while using their data, even at the ‘cost’ of some of their privacy – as long as it is transparent. Pressure groups may focus more on adhering to both privacy principles and the rule of law at all times.
2. Determine the company’s risk appetite when it comes to using personal data
With stakeholder stakes and motives in mind, you should reflect on what the organization’s risk appetite is when it comes to privacy. It can be of value to keep the rising public awareness of privacy in mind when defining your risk appetite. The way your organization is viewed by the public in relation to privacy can have long-lasting effects on the organization as a whole, in both a positive and a negative sense. Imagine a scenario where your organization is featured on a newspaper’s front page – what would you not want to see written about your organization when it comes to privacy? Additionally, think about what you would like to see written about what your organization has done well, whilst keeping the risk of additional attention in mind when you encounter mistakes.
3. Develop a vision owned by the business
Based on the stakeholder analysis and risk appetite, it is time to start thinking about the vision of the organization as a whole. Imagine your organization in five years’ time: how do you want it to have developed? What roles do data and privacy play, and how can they support this development? Do current regulations affect the business vision? Data is providing incredible opportunities for organizations to grow and mature; the possibilities are endless. Therefore, it is important for your organization to understand what these opportunities are and what impact they can have.
An important word of warning for this step is to involve all relevant internal stakeholders in the development of this vision, as well as the role that personal data and privacy may play, since all parts of the organization will deal with personal data and privacy in some capacity.
4. Determine the impact of your personal data strategy
After developing your initial vision, make sure you understand what impact it may have within your organization. It is tempting to draft a strategy with far-reaching, but non-committal statements: ‘we will use personal data to improve our customer engagement dramatically’, or ‘consent will be the basis for all of our processing to remain transparent’. However, both statements lack value without committed underlying actions, which require systems, processes, capabilities, and projects to facilitate the change needed to get your strategy to work. There should always be an assessment of what your strategy actually means, which should ideally be supported by data.
5. Take into account future trends
Central to strategy is the element of the future. A strategy can contain a road map, or a vision of your organization together with a plan of action and a timeline for your organization’s future. New trends may affect the impact of your personal data strategy, or your newly formulated personal data strategy may become completely irrelevant if your organization turns to new ways of working. You may want to keep in mind the fact that all types of data may soon be ‘personified’, or the fact that societal awareness of privacy issues is growing. These can all influence the way you are dealing with personal data, and your stakeholders.
Developing a personal data strategy is a complex and time-consuming task, but it is one that can propel your business forward, and prepare it for the future.
In one of our previous articles, we discussed the key steps guide to achieving solid baseline compliance. For more information on how you can build a personal data strategy that reflects your organization, feel free to contact us.