What is a good privacy strategy? | Privacy | Deloitte Netherlands

Opinion

What is a good privacy strategy?

A holistic view on personal data, the ability to be honest about what drives your business, and a clear understanding of the pros and cons of taking one direction over the other: these are the key ingredients to building a good privacy strategy.

By Bart Witteman & Rodney Mhungu | March 11, 2019

Your organization is almost certainly sitting on a growing pile of personal data with a lot of potential value. An important goal should be that this personal data presents a net positive (‘value’), rather than a net negative (‘risk’). But having the objective to either reduce your personal data risks or create value from your data does not mean you will reach it. Or perhaps you will, but your efforts may come at great cost to other activities in your organization.

Organizations should look at opportunities as well as risks, from perspectives that are relevant to the organization as a whole, as well as its customers. The law sets boundaries, but does not provide a direction to move in. Setting the strategic direction enables you to make swift, justified and consistent decisions on how your organization uses personal data. This is why strategy is important.

Organizations in practice

In practice, most organizations do not start with a personal data strategy. They usually go through three stages. Stage 1 is a reactive response to regulation; stage 2 is improving operational efficiency, based on lessons learned from internal results, regulatory action, and the effort of other organizations; and stage 3 is developing a more holistic view on personal data.

Pursuing the goals of both stage 1 (compliance) and stage 2 (operational efficiency) is necessary, but not sufficient. If you aim to create and maintain the value of personal data in your organization, then you need to be at stage 3 and have a holistic view of personal data.

Developing a holistic view and making trade-offs

Setting your direction to generate value from one business driver entails trade-offs in your organization’s ability to meet other interests. This is why developing a holistic view is necessary before you start to set your direction with personal data. We can illustrate this by highlighting three fundamental drivers.

1. Connecting with your customers:
Your primary goal could be to use data to connect more effectively or intimately with your customers, consumers or users. In this case your strategy may be driven by the need to grow or create value by drawing insights from personal data.

For example, if your organization is highly focused on insights and delivering high-quality service through mostly digital connections, would beefing up the compliance department make sense if a new cohort of in-house lawyers cannot speak the language of your growing workforce of data scientists? Perhaps a more technical approach, like building in privacy by design, would make more sense than adding compliance measures which would do more to introduce bureaucracy than to mitigate privacy risk. After all, your users or consumers may ultimately lose out if you cannot deliver the digital experience they expect at the right pace and quality.

2. Demonstrating commitment to an industry or societal standard:
On the other hand, your primary goal could be to demonstrate your commitment to standards set by regulations, best practices, or an internal code of ethics. In this case your strategy may be driven by the need to ensure effective governance for your organization to work in line with the rules you set for yourself.

For example, is your organization in a highly regulated or consumer-oriented industry, where the use of personal data, such as health data or financial information, can have clearly significant consequences for individuals in your user or customer base? Perhaps regular risk assessments and highly defined governance structures are exactly what you need to ensure you meet the standards your industry and customers expect. After all, individuals may have entrusted you with some of their most intimate and confidential information.

3. Beating your competitors:
Perhaps you still need to align the organization towards a primary goal for leveraging personal data, so you would like to understand how your peers are dealing with the same challenges. Depending on industry trends, you may lean more towards one of two main objectives: either mobilizing your organization towards a particular ethical, regulatory, or technical standard, or mobilizing your organization towards fostering insights and data-driven connections with your customers, consumers or users.

As an example, what if your customer or user base is changing drastically in their needs and preferences, and the industry is changing along with it? In this case you may need to consider what the consequences of these changes are to your existing business model. To acknowledge that your strategic drivers are unclear is the best step towards finding out what those drivers are, before you set your organization on a direction towards success.


More information

Feel free to contact Annika Sponselee or Bart Witteman via their contact details below.
