Six Steps to Sustainable Privacy Maturity
Co-authored with Graham Thomas, Cognizant Global Head of Data Privacy.
Is privacy dropping off the corporate agenda? Even as regulations and legislation for data protection march on, an alarming number of privacy programs are being quietly pushed to the back burner.
A global assessment conducted by Informatica and Cognizant reveals that organizations are shrugging off privacy risks at the worst possible time – just as consumers are actively prioritizing trust and confidence.
From huge fines to the reputational damage inflicted by a major breach, the downside of getting privacy wrong is massive.
But there’s also huge upside for businesses that get it right.
A recent report from Cisco [1] found that more than 40 percent of companies are seeing benefits of at least twice their privacy spend. That ROI comes from increased operational efficiency, greater business agility, and the ability to innovate more quickly.
Establishing yourself as a reliable custodian of customer data has a vital reputational benefit. Consumers are five times more willing to permit use of their personal information — and will hand over more of it — to companies they trust [2].
With the need to sustain customer loyalty and compliance both bearing down, businesses need to treat privacy protection as a core requirement rather than a single initiative or series of projects.
But making the journey isn’t straightforward. Regulatory regimes have complex requirements that aren’t addressable with simple checklists. And at the moment, there is no formal certification for wide-ranging regulations like the General Data Protection Regulation (GDPR).
Organizations have to self-determine their level of adherence with a clear understanding of their data exposure risk — alongside the value that personal data can unleash when used appropriately and transparently.
Informatica recommends this framework to help you operationalize data privacy controls:
- Define and Manage Governance Policies – While GDPR means most European companies have this well in hand, organizations looking at the California Consumer Privacy Act (CCPA), LGPD, and other regulations may still need to map critical business users and stakeholders, then align them with the data and privacy processes they need to own.
- Discover, Classify, and Understand Personal and Sensitive Data – The next step is to know exactly what data you hold, and exactly where it sits. Look across every IT environment: multi-cloud and on-premises, Hadoop and relational databases, structured data and unstructured file systems.
- Map Identities to Personal and Sensitive Data – Knowing exactly what personal and sensitive data you hold under different regulatory definitions will enable faster access to data that belongs to customers, employees, and partners. Building a data subject registry will strengthen your ability to respond to data deletion orders under the Right to be Forgotten and to Data Subject Access Requests (DSARs).
- Analyse Data Risk and Establish Protection Plans – Continuously measure privacy risks and record them to provide Key Risk Indicators (KRIs) for your privacy program.
- Protect Data and Manage Subject Rights and Consent – Use data masking and encryption to ensure reliable control over the exposure, access, and use of personal information. Document the location, lineage, history, and retention periods for all the Personally Identifiable Information (PII) you hold.
- Measure and Communicate Audit Readiness – Track and record what has been achieved on your privacy journey so that auditors can see it, letting you demonstrate success or quickly remediate privacy gaps with the controls you have put in place.
The end goal is a mature privacy footing that’s sustainable and repeatable — which will be vital when new data protection regimes like CCPA start to be enforced.
By establishing governance best practices that deliver data trust and quality, organisations can move beyond reductive objectives like fine avoidance and treat compliance as a target state to be maintained: a continuous journey rather than a single destination.
That will help put compliance risk in the rear-view mirror, accelerate value creation, and help businesses at the head of the curve leapfrog the competition.
[1] Cisco: 2020 Data Privacy Benchmark Study
[2] Boston Consulting Group: Bridging the Trust Gap in Personal Data