By Kaitlyn Jiminez[i]
The passage of the California Consumer Privacy Act[ii] (CCPA), its multiple amendments and revisions, and the recent vote by a majority of Californians to pass Proposition 24, the California Privacy Rights Act,[iii] which strengthens it, reflect how much privacy issues occupy consumers’ attention and, consequently, how squarely they sit on the radar of companies that collect information about California residents. Today, it would be difficult to find a Silicon Valley organization that does not claim to practice strict data protection. This need to publicly profess a commitment to privacy has spread from large technology companies to other industry sectors heavily reliant on technology, and even to companies that are not.[iv]
As companies become aware of the growing public concern about control over personal information[vii], technology leaders are increasingly vocal in their support of data protection, especially around highly visible events like Data Privacy Day (DPD).[viii] Tech titans like Apple[ix], Google[x], and Cisco[xi], as well as many other organizations[xii], advocated for data protection on DPD 2021 by posting their support across social media or hosting their own DPD events. Many also had members of their leadership teams speak at DPD events.[xiii] Unfortunately, marketing campaigns touting the significance of privacy often mask complacency about actually implementing data protection tools and safeguards.[xiv] This is an area where words are not enough.
It may sound obvious, but to improve privacy practices and avoid the potentially harsh backlash of being exposed as merely privacy washing, organizations need to make privacy an aspect of every employee’s job function. Employing internal privacy professionals helps an organization comply with data privacy regulation, but the entire leadership of the organization needs to support privacy initiatives to earn the trust of its consumers. Bringing more people into the privacy conversation provides transparency and accountability, as well as different perspectives on what privacy is and why it matters. Stakeholders are also consumers themselves and can connect data protection to their own privacy values. Technology journalists advocate that “[c]ompanies have to actually see [privacy] from the consumer perspective — and understand what they do to protect our data is part of how we’re going to judge them.”[xv]
The best starting point is at the top. The trickle-down from the C-suite substantially shapes company culture and values[xvi], which is why executive support is paramount for a successful privacy program. The Cisco 2020 Data Privacy Benchmark Study shows that there are significant tangible benefits to investing in privacy processes.[xvii] Poor encryption and poor data collection management have been the gateway for numerous data breaches exposing people’s highly sensitive information.[xviii] Global information management services company Iron Mountain urges entities to “encrypt all data at all times, whether at rest or in motion” and to “beef up authentication” with password management tools and two-factor authentication for any device that can access the personal data in their possession.[xix] Other best practices include data minimization and strict data retention policies, so that information without a significant business purpose is never collected and information that is no longer being used is deleted.[xx]
Companies that incorporate privacy best practices “on average, receive benefits 2.7 times their investment, and more than 40 percent are seeing benefits that are at least twice that of their privacy spend.”[xxi] They are seeing “increased competitive advantage and improved attractiveness to investors, and greater customer trust.”[xxii] These are points that should help get the C-suite on board.
Executives are not the only ones who foster a culture of privacy. Organizations have seen success with their privacy efforts by establishing privacy champions. The International Association of Privacy Professionals defines privacy champions as “individuals who will help promote the privacy program within their own team and while working on various projects.”[xxiii] Establishing a privacy champion on key teams such as product, development, engineering, and marketing helps to operationalize privacy controls, because those champions learn of new features or tools that affect privacy at the inception of the project rather than after launch.[xxiv] Privacy champions maintain privacy awareness at the team level so that no data protection risk falls through the cracks.[xxv]
Management needs to assist the privacy and legal departments in identifying team members who would excel as privacy champions. In-house counsel or the privacy program leads can then train these employees on data protection fundamentals and how to spot privacy red flags. Privacy training should answer these questions: what is personal data, what counts as data processing, which data protection regulations affect the company, what privacy protocols are in place, and whom privacy champions can contact with questions or concerns.[xxvi] Employees who know these key points can serve as additional eyes and ears throughout the organization and help protect personal data across departments.[xxvii] It is also important that the training set clear expectations for the role, including that this privacy work should not impede the employee’s main responsibilities. The goal is to spread privacy awareness, not to distract from other goals and efforts. Lastly, for privacy champions to be truly effective, there need to be regular check-ins between them and the privacy program leads. Communication builds trust and results in greater transparency.[xxviii]
The third tier is to raise company-wide privacy awareness among all employees. Because privacy affects everyone, the more people who are aware of the privacy program, the better. Privacy should be addressed in the employee handbook and onboarding materials so that new employees understand the organization’s culture around privacy. These materials can include a high-level summary of the topics covered in the privacy training. Consistent privacy messaging matters; providing the same key points to all employees aligns the whole organization on its privacy values and on the processes in place to protect privacy.[xxix]
The privacy program leads should also hold regular all-hands privacy training to keep everyone up to date on what the company is doing to ensure strong privacy controls in its products and services. Many people dread these types of training, but they do not have to. The sessions should celebrate what the company is doing right and involve the privacy champions to make the material relevant to each team and department.
Finally, organizations can have their communications team regularly distribute a company-wide newsletter that informs employees of global and internal privacy developments and highlights members of the organization who have contributed to data protection efforts. A newsletter spotlighting employees who take an active role in building privacy safeguards or flagging privacy issues recognizes and rewards them for their involvement. Creating a personal impact through employee recognition “is the key factor influencing employee engagement, and therefore organizational performance.”[xxx] It confirms that their effort is valued by the organization.
As the FTC continues to increase its scrutiny of organizations’ privacy practices[xxxi], raising privacy awareness within an organization creates the accountability needed to ensure that best privacy practices are actually implemented. In response to increasing FTC regulation[xxxii], companies should move beyond privacy washing and genuinely protect personal data in order to get ahead of enforcement. Getting in front of the regulations not only allows companies to continue operating smoothly by avoiding a disruptive FTC investigation[xxxiii], but also helps them avoid reputational harm[xxxiv], costly consent decrees[xxxv], and individual liability for CEOs and other C-suite members[xxxvi].
[i] Kaitlyn Jiminez is a J.D. and Privacy Law Certificate Candidate at Santa Clara University School of Law.
[xv] https://www.washingtonpost.com/technology/2020/01/08/ces-apple-facebook-amazon-are-preaching-privacy-dont-believe-hype/; https://hbr.org/2020/01/do-you-care-about-privacy-as-much-as-your-customers-do
[xxvi] https://www.mediapro.com/blog/9-topics-privacy-awareness-training-program/; https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions