Privacy laws such as the CCPA are being enacted all over the country at a rapid pace. Some firms are still struggling with how to get executives on board. Successful data governance plans need a C-level sponsor who understands the business value of adopting a thorough data governance strategy as well as the risks of kicking the can down the road. It may be up to you to convince them why.
Four Steps to Data Governance C-level Sponsorship
Getting executive support starts with educating your internal team on data privacy laws. You’ll need to be able to communicate the benefits to the bottom line while illustrating the urgency of preparing for the rapidly developing regulatory environment.
Nothing speaks truth to power as quickly as fact. The implementation of the GDPR in May of 2018 caught many companies unprepared. Your proposal should give your internal team a glimpse of what happened to those firms who were not GDPR ready and highlight critical data risks firms are experiencing. The goal is to align data privacy with leadership’s priorities and be able to respond to their questions.
Here are four steps you can take to prepare your proposal to educate your internal team on data privacy law.
1 – Point out the effect of data privacy law compliance on revenue
As the California Consumer Privacy Act (CCPA) begins in 2020, we can look back at the implementation of the GDPR in 2018 and how those companies that set up a data governance plan immediately had a competitive edge over those that didn’t.
The consumer climate is data privacy-aware. Customers and business associations are starting to insist that firms answer questions about data privacy. As a result, compliant companies experienced less of a sales delay due to customer privacy concerns.
A January 2019 report by Cisco Cybersecurity mentioned that 87% of the companies reported having delays in sales because they hadn’t yet created a data governance plan or were struggling to implement one and could not respond to the client’s data privacy requests or concerns.
Cisco also reported that GDPR-prepared companies experienced roughly one week less of a sales delay than those that weren’t yet compliant, and two weeks less of an impediment than those who knew they wouldn’t be able to reach compliance in one year.
There are both benefits of being compliant and detriments to not being compliant, and becoming compliant is not something you can do overnight. The sooner C-level and internal teams understand the potential damage to the bottom line by ignoring data privacy laws, the closer you are to being ahead of data privacy laws.
The goal is to present the importance of a data governance plan, team, and execution as inseparable from your firm’s vision for growth and scalability. Being GDPR and CCPA compliant is becoming a public marker of personal data safety. The more consumers demand data transparency, the more your level of competitiveness will hinge on your level of compliance.
2 – Highlight key data risk issues firms are currently experiencing
Data graveyards — Many businesses have masses of latent data stored in disparate locations, which interferes with database efficiency by impeding migration, increases risk, and bleeds finances. Data assessment, data mapping, and data pruning as a part of a data governance plan are first steps in tackling data graveyards.
To comply with data privacy laws, firms will have to be able to retrieve and delete data in a timely fashion or face the possibility of fines and lawsuits. House cleaning and streamlining data storage will enhance a firm’s ability to scale and remain agile amid rapidly evolving technology and an accelerated data privacy-focused business climate.
Fines and lawsuits — The lack of a thorough and compliant data governance program is a liability that leaves a firm’s bottom line exposed. Fines, lawsuits, and reputational damage are definitely something that C-suite management can understand. Bring in the statistics, resources, and projected outlook to build a sense of urgency. Data privacy penalties are real, and they are becoming more and more prevalent in all markets and countries. Here are some recent examples:
- British Airways £183.39M
- Uber £385,000
- Equifax £500,000
- Marriott International £99M
- Facebook Ireland £500,000
- Google $50M
- YouTube $150M
Information security — Data breaches are a genuine threat. Without a robust and scalable data governance plan in place, companies will be less able to defend against the increasingly evolving technology used by malicious agents. Not only will data breaches harm your reputation and your brand, new data privacy laws such as the CCPA will also slap you with fines and open you up to civil action. Some of the data breach headlines of 2019 include:
- Capital One — One of the most significant data breaches in history. 106M private records were hacked, including customers’ personal information, Social Security, and credit card numbers.
- Adobe Creative Cloud — 7.5M users’ emails and other details that could be used in phishing attacks against users.
- Canva — 140M users’ login credentials hacked.
- American Medical Collection Agency — 7.7M private records, including Social Security numbers and medical records, resulting in the medical billing vendor filing for bankruptcy.
Third-party vendors — The GDPR requires mutual B2B compliance. This means if your vendors are not in compliance, neither are you. The CCPA requires a written contract in place with all vendors that has specific language. Privacy laws make it compulsory for companies to audit the third-party vendors in their supply chain as soon as possible. This also means that you can expect inquiries about your level of data governance from your business associates as they prepare for compliance with data privacy laws.
3 – Align data privacy with leadership priorities
What execs need to understand is that data privacy is here to stay and will only continue to develop in a future that is inextricable from the dependence on data collection for business processes. In short, tabling this issue will only make things more complicated and more expensive down the road.
After the passage of GDPR, many US media sites had no choice but to block EU customers because they didn’t prepare soon enough. The California privacy law has a more extended reach. As the 5th largest market in the world, expect the CCPA to become a national standard. Any company doing business with any person or service provider from California will be directly affected.
Overhauling or implementing a data governance program will be an investment challenge. It will require embedding data protection throughout all processing operations and communication through all lines of business in an organization. It may even require firms to rethink their business models. Your internal team needs to understand that the quality of this investment will have a direct effect on scalability in the future.
4 – Be prepared to respond to C-level questions
1 – Study GDPR and CCPA laws with legal to grasp a full understanding of the bar set for current data privacy laws.
2 – Review your ongoing master data management and data governance programs with IT to isolate primary weaknesses and brainstorm solutions.
3 – Research data governance plan and data governance team options considering the structure currently in place. You have choices here depending upon your current data management structure but keep agility and scalability in mind. You’ll want to be able to illustrate the benefits of the future adaptability of any data governance investment.
4 – Beyond regulatory obligations, prepare to speak to risk mitigation, customer expectations, and ROI considerations to leverage leadership priorities.
Depending on your organization, you may only get one shot at getting your internal team on board. Take the time to prepare thoroughly to maximize your chances of getting funding and support from senior leadership. Identifying the key decision-makers, their priorities, and what angles have persuaded them in the past will go a long way towards a smooth sale.