Setting up Privacy for Cross-functional Success


Overview

Glen Willis and Ajay Prasad share how to make privacy work across teams. Set clear roles, pair engineers with privacy champions, and teach the difference between security and privacy so requests make sense and progress does not stall.

  • Start with a simple RACI so people know who does what.
  • Name privacy champions and connect them with engineering early.
  • Offer short training that explains privacy by design in plain language.
  • Clarify where privacy differs from security to avoid mixed signals.
  • Keep everyone informed on the goals and how success will be measured.

Transcript

Glen Willis

Hi, I’m Glen Willis, Director of Cyber Technology at Kalles Group, here with one of our privacy experts from the team, Ajay Prasad. We’re going to cover a number of topics that will be released in a short podcast series.

I think one of the most underappreciated aspects of setting up a privacy program long term is how much cross-functional work has to be coordinated and collaborated on. Sometimes, when organizations are early in their journey, they think they can just hire a couple of privacy analysts to build some requirements. But once you really start rolling things out, it touches a lot of different functions.

Ajay, give us the top two or three things you’ve learned in this area as you’ve supported organizations through that part of the program.

Ajay Prasad

Hi, Glen. I think overall, when you’re thinking about privacy or any practice, it’s like any other business function. You need to be organized. You need to understand who to turn to when you have a question.

One of the things most organizations do is develop a RACI chart. That helps define who is Responsible, Accountable, Consulted, and Informed. When it comes to privacy, because it’s typically an organization-wide initiative, everyone needs to be informed about what privacy practices are and what the best practices look like.

So I think one of the first things any organization can do is establish who is responsible for the program and also provide training materials to help everyone understand what the organization’s North Star is when it comes to privacy.

Glen Willis

Great. And then specifically, some organizations focus heavily on policy, making sure end users are following it and staying compliant. But others need to implement actual engineering changes. Anything come to mind to share with our listeners about how to make it easier for engineering teams to advance technical requirements?

Ajay Prasad

One of the most important things is to get engineers in the same room as privacy champions. For example, an engineer may be focused on setting up a system but may not know what privacy by design means or what current best practices are.

A privacy champion is someone who stays informed by reading articles, following IAPP, engaging with others in the privacy industry, and keeping up with regulations like GDPR, CCPA, and the growing number of state-level laws.

Once engineers are connected with privacy champions, they start to understand what steps to take. In my experience, I’ve worked with engineers who had no idea what data privacy even meant. There’s often confusion between security and privacy. You can have a completely secure environment, but if privacy practices aren’t properly implemented, you’re still at risk.

Engineers have a very technical mindset and will follow instructions if they know what to do. So getting those folks together makes a huge difference.
