The 7 Biggest Pitfalls for Modern Privacy Programs

Written by Matt Davis, CIPM (IAPP) | February 15, 2023

What worse feeling is there in business than to get excited for some new initiative, only to see it stagnate and gradually fade away into obscurity weeks or months down the line? 

When it comes to data privacy, letting your privacy program suffer this fate isn’t an option—attorneys general or data protection authorities won’t be sympathetic. For full-time privacy professionals, other professionals responsible for their organization’s compliance, or anybody who’s looking to build a privacy program that lasts, avoiding these 7 pitfalls can increase the odds that your privacy program lasts.

1. Not working on a privacy program at all

After you implement your privacy program, will you be able to look at your quarterly financial statement and say, “here’s the boost in revenue we saw after we became compliant”? Probably not. 

For most businesses, data privacy is seen as a cost sink. That means there’s going to be a lot of scrutiny over whether it’s actually worth the investment or not, and some companies will conclude that it’s not worthwhile. 

They’ll look at the lengthy timelines presented by data privacy laws and think they can get to it later. Or, they might think that they can get away with noncompliance until an authority actually investigates their operations and gives them a warning. There are two major reasons why that’s a mistake: 

  1. Not every authority offers what’s known as a “right to cure” period. Under the CCPA, for instance, there was a 30-day right to cure. The California Attorney General gave violators 30 days to address the issue before imposing any fines. That cure period disappeared January 1st, 2023. 
  2. Cure periods are meant to give businesses working toward compliance a way out—30 days is not a lot of time for the totally noncompliant. Just look at Sephora; they received a 30-day notice and failed to address the violations in time, resulting in a $1.2 million penalty under the CCPA. In fact, building a robust data privacy program can take anywhere between 6 and 18 months! Even if you manage to address the specific complaint in a notice of violation, you’ll still have invited unnecessary scrutiny into your company—and you’ll have to build out a privacy program anyway. 

Businesses that think they’re safe until they get called out are playing a risky game that worries investors and customers alike. It might seem like an unwanted expense, but in the long run, building out a data privacy program is worth it. 

2. Not securing buy-in

Data privacy impacts many different departments in an organization. Not only will you need their collaboration to carry out compliance activities (like developing a data inventory or executing a data subject access request [DSAR]), but some individuals might oppose the implementation of a data privacy program out of fear that it’ll affect their work. 

The marketing department might express concerns over consent management and their ability to track leads. Your financial department might insist that there isn’t room in the budget. Your CEO might think it’s a waste of time to make privacy a company-wide mandate. 

That’s why one of the most important parts of developing a data privacy program is to secure buy-in from these and other stakeholders. You don’t have to get 100% consensus—but you do need at least a champion or two and a general willingness to let you operate unimpeded. 

3. Going straight to the C-suite without a plan

If securing buy-in for your program is important, you should go straight to the top and make your pitch, right?  

Not exactly. 

You’ll need to get the C-suite on board with data privacy compliance if you’re to build a well-functioning data privacy program, but you need to be prepared first. 

Some executives might feel that data privacy is a distraction from more important, revenue-generating activities. Others might be facing pressure from board members and investors to get compliant, but they underestimate the scope required. A well-planned proposal will help you both convince the unwilling and secure the commitment a data privacy program requires. 

There are a lot of ways you can make the business case for your data privacy program. One approach is to talk to team leaders first. Rather than going straight to the Chief Product Officer, talk to the Head of Engineering first and discover how your data privacy program will impact their work and their team. Then, you can make plans to mitigate those concerns. When you do go to the C-suite to secure their top-level buy-in, you’ll be able to demonstrate an understanding of the different executives’ unique responsibilities and that you’ve got the support of their most trusted coworkers. 

4. Expecting everybody to “get it”

It’s no exaggeration to say that education and communication are among the most important elements for a successful data privacy program.  

If the extent of your data privacy training is a 10-minute speech at your next all-hands meeting, it should come as no surprise when data store owners fail to fulfill their part of a DSAR within 30 days. Or, you might find teams are sidestepping the vendor review process in order to get the tools they need faster. There might be new data collection technologies on your website every month, with little documentation on where those technologies are transferring visitor data.  

Data privacy programs cannot function without willing collaboration. Securing buy-in from the top levels of your organization can help; if the C-suite thinks data privacy is important enough to merit a company-wide mandate, others will listen. Naturally, you should use this platform to spread your message about why data privacy matters, how it impacts different roles, how the organization can work together on achieving data privacy compliance, and what specific changes your coworkers can expect to see in their day-to-day. 

5. Treating your privacy program as a one-and-done venture

Becoming compliant with data privacy regulations is an ongoing task—otherwise, it’d be called a privacy project rather than a privacy program. There are three major reasons why data privacy programs need to be regularly reviewed and maintained: 

  1. Data privacy laws are constantly being created or amended. 
  2. Your business may become subject to new laws as it grows. 
  3. The way your business processes personal information will change over time. 

If your organization makes a big push for data privacy compliance once and then fails to maintain those results, all that work will quickly become irrelevant when: 

  • Your website begins collecting data that visitors can’t opt out of. 
  • You hit one of the threshold requirements for a data privacy regulation. 
  • New data stores of personal information are created that aren’t accounted for in your DSAR process. 
  • Your organization adopts any new data collection and processing practices. 

Once your organization reaches a certain size, maintaining a data privacy program becomes somebody’s full-time job or even a dedicated team’s job. Smaller businesses may get away with giving this responsibility to somebody in the legal or operations department. In either case, whoever is responsible for privacy at the organization needs the resources and bandwidth to ensure the privacy program is regularly attended to. 

6. Not prioritizing

While there might be some international standard for data privacy someday, today each of the 50+ data privacy laws on the books has its own particular requirements. Fortunately, most of these privacy laws take the same basic shape and generally match the requirements of the GDPR. 

That doesn’t mean your organization should try to become compliant with every law it is subject to all at once, however. Each law is distinct enough that working toward total compliance with everything will lead to months or years of effort, all while major areas of your business remain noncompliant. A better approach is to prioritize the most comprehensive data privacy law that you are subject to—such as the CCPA/CPRA or GDPR—and focus on achieving compliance there. 

If, for instance, you do receive a notice of CTDPA noncompliance from the Connecticut Attorney General, you can point to the efforts you’ve made at becoming compliant with California’s CCPA/CPRA and demonstrate a willingness to plug the gaps. Not only will working toward CCPA/CPRA compliance set you up for faster compliance with other laws, but the demonstrable intent to become compliant will reduce your legal risk. 

To zoom in even further, it’s a good idea to prioritize your efforts within the scope of a given law. Are you consistently missing the CCPA/CPRA’s 30-day DSAR deadline? That might be the right place to focus your efforts, especially since individuals making DSARs are more likely to know their rights under the law. Or, perhaps your website doesn’t provide consumers with a means of opting out of data collection; that’s an easy target for enforcement authorities, so you might focus on identifying a consent management solution first. 

7. Thinking you can operationalize it all yourself

Understanding your legal requirements is one thing; putting it all into practice is another.  

For many, especially those new to data privacy, it can be tempting to think that a well-organized spreadsheet is the key to a streamlined DSAR process or that you can cobble together open-source tools to manage consent on your website. This perspective underestimates the complexity of actually operationalizing data privacy compliance. 

Not only is it technically complex to develop a consent management solution, for instance, but that complexity grows exponentially as you scale. The homegrown approach to compliance also requires perfect knowledge of all of the legal requirements your organization is subject to, as well as the design expertise to translate those requirements into practical solutions. Lastly, it requires dedicated development time for maintenance, not only to address growing business needs, but also to address the changing legal landscape. In short, the homegrown approach to compliance would require an entire business dedicated solely to developing, implementing, and maintaining compliance solutions. 

Fortunately, businesses dedicated to compliance already exist—like Osano. Many of the pitfalls in this article fall on the privacy professional to avoid, but we can help you steer clear of this last one. The Osano data privacy platform provides the tools for privacy professionals to: 

  • Manage consent on their website 
  • Streamline and automate the DSAR process 
  • Quickly evaluate vendors’ privacy practices 
  • And more 

If you’re fleshing out an existing data privacy program or building a new one from scratch, consider signing up for a free trial or scheduling a demo to see how Osano can operationalize compliance for you.