Privacy: Transparency and Trust with Stakeholders

Overview

Glen Willis and Ajay Prasad talk about building trust with partners across the company. The focus is on clear goals, early communication, and less duplication. They share ways privacy can feel like a help, not a hurdle, and how to work with security so teams answer questions once and keep moving.

  • Set the tone that privacy is here to help the business win.
  • Be open about why you ask for data and what happens next.
  • Coordinate with security and GRC to avoid repeat requests.
  • Add light privacy checks into vendor reviews to streamline work.
  • Keep everyone aligned on outcomes like revenue and protection of user data.

Transcript

Glen Willis

Hello, I’m Glen Willis, Director of Cyber Technology at Kalles Group. I’m here with one of our wonderful privacy consultants, Ajay Prasad. We’ve planned a series of topics to talk through that we hope you find helpful in understanding ways to set up for success with your privacy programs.
Ajay, let’s talk about how we support stakeholders. One thing we want to avoid is stakeholders feeling like they don’t fully understand what’s going on. Sometimes it can feel like the privacy team is just out to find gotchas or catch people who didn’t respond to an email with a policy document attached.
Users, colleagues, and others want to feel like they’re being set up for success and that they can trust they’ll have access to support when they need it. Give us some tips on how an organization can set up for success in that way.

Ajay Prasad

Sure. I think one of the first things any privacy or security professional needs to remember is that they’re there to support the business and help drive it forward.
One thing that often happens in privacy is that we seem like a blocker. A big project comes along that could bring in a lot of revenue, and then privacy steps in with a bunch of questions. How are you protecting the data? Who has access to it? What platform are you using? Are they certified?
Even if we’re not doing a full vendor risk assessment, these are still important questions to ask. Now, some folks in the business may see this as repetitive. Why is privacy asking the same questions that security already asked? But this is just part of what we do.
Delivery really matters. You support a stakeholder by saying, “I’m here with you. I’m working with you to get this to the finish line. Provide me with the information, and we’ll get there as quickly as possible.”
Being open and transparent about your goals in a privacy impact assessment is very important. You might be communicating with a security professional, a VP, a COO, or a CFO. That’s not uncommon, because they’re often the ones pushing initiatives forward.
So you need to walk a fine line. You have to ensure privacy practices are followed, but you also don’t want to stop the business from reaching its goals, which often means generating revenue. At the same time, remind them that reputation matters. What we do with our users’ data matters.
Once you establish clear communication and transparency, it really helps the business move forward.

Glen Willis

In situations where the security team and the privacy team aren’t collaborating enough, and users are getting the same questions from different parts of the organization, what’s a way to simplify things so they’re not dealing with redundant requests?

Ajay Prasad

That’s a great question, and we see this all the time. In smaller organizations, there’s often one person wearing multiple hats or one department doing multiple things.
Here’s a real-life example. In security, sometimes folks are asked to do GRC work, but that’s not really their focus. They’re trying to secure the organization. Compliance and GRC professionals, on the other hand, want to ensure the organization is compliant. They’re looking at all practices, not just security.
In cases like that, you need to ensure cross-collaboration is happening consistently. One thing you can do is include a small section in a vendor risk assessment that asks privacy-related questions, like what privacy practices are in place to support your security measures.
Many newer vendors offering SaaS services are already making this distinction clear. They’ll say, “Here’s what we do for privacy, and here’s what we do for security.”
In larger organizations, you might find that the security team has been in place for five years, GRC for three, and privacy is just now being built out due to recent fines or new state regulations. So you bring in a privacy team that knows privacy, but security has been doing things their way for years.
It can be hard to get those teams to collaborate without stepping on each other’s toes. But it goes back to the point I made earlier. If everyone is transparent and aligned with the business goal, whether that’s increasing revenue or protecting user data, then privacy and security, or finance and security, or marketing and privacy, can all work together.
We just need to understand that we share the same end goal.
