When we write about data privacy, it’s easy to default to talking to “privacy professionals.” 

But take a look at the privacy management industry: The privacy program managers, chief privacy officers, and other purely privacy-focused professionals are in the minority. Most people working with privacy have a literal or implied hyphen in their job title. 

Some of them are Directors of AI & Data Privacy, Chief Ethics & Privacy Officers, GRC and Data Privacy Analysts, Senior Legal and Privacy Compliance Officers, and more. 

Sometimes, the “privacy” part is an invisible but implied part of a job title. 

Chief Information Security Officers (CISOs) are often Chief Information Security, Privacy, Governance, and All Things Data-Related Officers. Legal counsel are also often data privacy compliance counsel. The list goes on. 

For the purposes of this article, we’re going to lump all these folks together into one big bucket and call them multi-hyphenate privacy professionals.  

The Two Kinds of Multi-Hyphenate Privacy Professionals 

This bucket of multi-hyphenate privacy professionals can be further divided into two major categories:  

  1. People who are explicitly responsible for privacy. 
  2. People who are implicitly responsible for privacy. 

The first group doesn’t have the benefit of being solely dedicated to managing data privacy at their organization, but the business has enough of an understanding and need for data privacy that they’ve officially recognized it as part of somebody’s role. This could be a GRC & Data Privacy Analyst, for example. 

The second group is in a bit more trouble: their organization has yet to make the leap to hiring somebody specifically for their privacy expertise and hasn’t really recognized the need for data privacy management skills yet. That need is present nonetheless, however, so somebody has to handle data privacy. This can often fall into the CISO’s lap.

Whether you’ve got the word “privacy” in your title or not, one thing is certain: your challenges are going to be different relative to somebody whose sole job is managing data privacy. But fortunately, you’re also going to have more opportunities to drive privacy outcomes. 

Challenges Faced by Multi-Hyphenate Privacy Professionals 

If data privacy management is just one bullet point in a long list of responsibilities, you’re going to run into certain challenges. Here’s what to look out for. 

Learning to See Things from a Privacy Perspective 

If your primary training was in security, law, or another area, you might struggle to shift into privacy mode. CISOs, for example, might easily grok the technical aspects of privacy (leveraging privacy-enhancing technologies [PETs], for example) but may struggle with the legal and human aspects (the non-stop barrage of regulatory updates, for example). 

Doing It All on Your Own  

When nobody is paying attention to data privacy holistically, it can be difficult to plug all the gaps and tackle inherently collaborative projects (like passing an audit or earning your SOC2).  

Your security colleagues only care about privacy’s security ramifications, your legal colleagues only care about meeting regulatory requirements, and your marketing colleagues only care about privacy’s brand impact—how can you tie all these threads together and attend to your other responsibilities? 

Proving & Measuring the Value of Privacy 

If you’re used to managing security, your success metrics might consist of how many employees successfully passed a phishing test, how many near misses you protected against, or how many reported phishing emails you receive.  

Data privacy is a lot harder to measure in a quantifiable way. When something goes wrong with data privacy, there might not even be any visible signs depending on the maturity of your privacy program. Fortunately, there are strategies you can adopt to report on privacy success. 

Strategies for Success 

If you recognize any of these challenges in your daily work, then managing data privacy might seem impossible as a multi-hyphenate privacy professional. Fortunately, you can mitigate or erase these challenges with the right approach. The following strategies will improve your and your organization's privacy awareness, ensure you’ve got help when you need it, and showcase privacy’s value in a tangible, highly visible fashion.

Cultivate a Culture of Privacy 

If you’re reading this, then you recognize the importance of data privacy on some level. But it’s still easy to undervalue data privacy. 

Like security or IT/operations, privacy is a cost center. Organizations tend to give cost centers the bare minimum in resources and attention, but security and IT have a longer history to help demonstrate their importance to the business. Plenty of organizations have suffered major cyberattacks or crippling downtime—enough that even non-experts understand their importance. 

Data privacy is relatively new, and it’s a slightly more abstract concept. Even when a data breach happens, laypeople aren’t always going to understand the privacy implications of such an incident.

Privacy training, spreading awareness, and cultivating a culture of privacy at your organization are essential to reducing your organization’s and your customers’ risk. When privacy is better understood throughout the organization, you’ll achieve tangible outcomes.

Consider how: 

  • Privacy by design reduces tech debt 
  • Consumers trust privacy-forward organizations more 
  • The less data you process, the less severe any breaches may be 
  • Cyberattackers have less data to use for follow-up attacks when organizations practice data minimization 
  • And of course, privacy management helps you avoid penalties and reputational damage associated with regulatory non-compliance. 

Check out our eBook, the ROI of Privacy Management, for more reasons to embed a culture of privacy throughout your organization. 

Bake Privacy into Your Tech Stack and Tooling Strategy 

Depending on your non-privacy area of expertise, you may have significant influence on technology decisions made at your company. By considering data privacy factors early on, you can significantly facilitate your downstream compliance work. 

The fewer external parties and solutions you need to use to carry out your work, the better; but that doesn’t mean you can’t use any third-party vendors. Start with a privacy-focused vendor management solution that can help you identify high- or low-risk vendors and monitor their privacy posture over time.  

You might encourage your R&D teams to thoroughly investigate the SDKs they use, since SDKs are a common source of privacy violations.

Rather than rely on multiple vendors with attractive point solutions but varying privacy postures, you might consolidate to a few key vendors whose solutions meet your overall needs and enable more consistent privacy and security. (Of course, you need to make sure you’re not over-reliant on a single point of failure.)

You could write a book about how privacy impacts technology strategy, and you still wouldn’t cover every scenario. Each company is going to be in a different situation. Still, it’s crucial to consider the privacy ramifications associated with the tools your colleagues use to accomplish their work. 

Build Relationships Across Departments 

If they aren’t already, your organization’s privacy and security personnel should be talking on a daily or near-daily basis.  

At first, it might seem like there isn’t much to cover. But the more you learn about each team’s work, the more you’ll find shared responsibilities and initiatives. These could include:

  • Policy building: Your privacy and SOC2 policies have important ramifications for both data privacy and data security management. Working together can create a more holistic strategy for the organization. 
  • Board reporting: There’s no reason to create multiple reports that look at the same subject from different angles. Consolidate discussions around the lifecycle of data at your organization and paint a clearer picture to your board. 
  • Incident response: Data privacy must be taken into account when considering incident mitigation and disaster recovery. What data has been affected, how that impacts consumers, vendors, and the business, whether the incident triggers regulatory requirements, and more are all questions privacy can help answer.

We’ve focused on having discussions with security here, but the same can be said of IT, GRC, and other functions. Privacy is a team sport, and when you zoom out far enough, you’ll see that these functions have significant overlap that should be explored.

TL;DR: Work Smarter, Not Harder 

It’s trite, but it’s true.  

If you’re only reacting to privacy challenges as they come up, you’ll never gain the time to attend to all of your responsibilities at once. You’ll continue to face the challenges we described in this article: seeing only part of the privacy picture, feeling alone in your work, and struggling to show why the organization should care. 

But investing effort in strategies like training and awareness, considering privacy in your tooling and technology, and building privacy-focused relationships across teams will make your downstream privacy tasks significantly easier. Often, you’ll be able to embed privacy into your other tasks and responsibilities, effectively killing two birds with one stone. 

But it all starts with understanding why.  

If you’re looking for clearer insight into what value data privacy management can bring to your organization and how, download our eBook, the ROI of Privacy Management.

Or hop on a call with an Osano expert; we’re always happy to chat data privacy. 
