Design a Privacy Culture Within Your Association in 9 Steps

If your organization collects or uses personal information of any kind, then it’s time to get compliant with the regulatory powerhouses across multiple jurisdictions. Whether you use web forms or tracking cookies on any website, application, or software system, new privacy rights and regulations should be on your radar.

And let’s face it, that includes pretty much every organization.

However, compliance doesn’t need to be an operational obstacle. Instead, you can tame the “data swamps” and cut through the red tape to deliver higher quality data as well as a higher level of trust for your constituents.

In this article, we’ll discuss how moving beyond mere compliance with data privacy rules and instead embracing an “open-door” policy can lead to better outcomes and help your organization establish trust and transparency in its data operations.

Get the ins and outs of how to establish and embrace a “privacy culture” in your association or non-profit to encourage more data sharing and better organizational outcomes.

What is a privacy culture?

A strong privacy culture aligns people, processes, and technology capabilities behind a formal data security and privacy program that supports the overall mission of your organization. The privacy program, including all IT infrastructure, human processes, and technology software, is driven by a mature data governance plan.

In a “best practice” cybersecurity program operating within a culture of privacy, all data users, stakeholders, and end customers are involved in the governance processes and procedures. Transparency is the central pillar that moves your privacy posture forward. The outcome is ‘data trust’ and ultimately, better stakeholder satisfaction and business results.

In other words, decision makers are empowered with reliable information, and all data processes are ethical, safe, and trustworthy. A mature organization focused on a privacy culture could even be called a ‘data trust’, where the control of data is held by members and customers and protected by the organization’s critical infrastructure.

Legal compliance within the multidimensional regulatory landscape is one result of a successful privacy culture program, not the goal. What’s more important is how your data governance practices and privacy programs uplift your business objectives. It’s about moving beyond cybersecurity and into an organizational resilience framework.

Defining this new privacy culture and your resilience objectives can open the door to more reliable and trusted data. This puts you in the sweet spot to drive personalized digital experiences and your strategic initiatives forward.

Why create a culture of privacy?

Expanded transparency obligations and the era of privacy have heightened the need for data innovation and a proactive approach to compliance. Data privacy threats and public concerns aren’t going anywhere, so why not flip the narrative?

Here are the main benefits of adopting a “culture of privacy.”

1. Turn trust and transparency into a competitive differentiator.

A privacy culture is meaningful in the digital context. As we usher in the data economy and dive further into digital transformation, organizations are beginning to view data privacy as an opportunity, rather than a threat. Truth is, your organization’s future depends on your data ambitions, and your data ambitions depend on trust.

Aligning privacy with your strategic goals helps you break through the noise and position your organization as a trusted brand. It’s this proactive, future-gazing approach to individual privacy that will help you sustain growing membership and participation in the new data economy.

2. Store and gather more valuable data.

In a world drowning in so much data, you need to go the distance to gather and store more valuable data. Beyond just consent and opt-ins, organizations are beginning to give users full access and control over their personal data and privacy preferences.

By allowing users to have more “say” over their digital experiences and insight into how personal information is used to tailor communications, you’re able to gain their trust and encourage the free disclosure of personal information (and sometimes even more complete information as well).

“Data sharing is the way to optimize higher-relevant data, generating more robust data and analytics to solve business challenges and meet enterprise goals…[data-sharing cultures] have more stakeholder engagement and influence than those who do not.”

Lydia Clougherty Jones, Senior Director Analyst, Gartner

And in turn, you’re able to maximize data’s ability to create value while simultaneously minimizing data’s capacity to destroy it (e.g. the risk of wrongful access, compliance errors, and missed opportunities).

3. Drive better decisions.

With open access to clean data and formal data governance processes, stakeholders, decision makers, and even data end-users can make smarter, bolder, and quicker decisions with confidence to support your organizational strategy and business goals.

4. Create more data-driven revenue streams.

Data is the fuel driving new business models. It’s at the center of system architecture and pretty much all revenue streams. A digitally-mature organization with a sophisticated privacy culture typically has a more advanced data trust strategy and mature data governance processes.

Trusted data helps you offer new and better value propositions, and makes your whole organization more nimble—while balancing and reducing that data’s risks and costs. Not surprisingly, an organization with a sophisticated privacy culture is naturally more equipped to monetize data assets and attain a state of data-driven process improvement.

Turning data into something of value takes several forms: personalizing products and services, improving member experience based on data intelligence, creating new products and services, and improving operational efficiency and productivity.

5. Minimize expensive cyber attacks.

Like you, cybercriminals are on their own digital transformation journey. Cyber attacks are escalating rapidly, becoming more organized, and racking up an ever-higher average total cost per breach each year.

No matter the nature of your organization’s “Achilles’ heel” regarding data security — whether it’s inadequate breach detection or unauthorized access points — hackers and malicious attackers will use an array of ultra-sophisticated schemes to exploit these vulnerabilities.

However, most data breaches and cyber threats are preventable. By creating and instilling a culture of privacy and cybersecurity, your organization can get ahead of the ever-evolving risk landscape, respond with agility when the inevitable breach happens, and keep your organization’s sensitive personal information and “asset-centric cyber-physical systems” secure.

6. Avoid negative reputational backlash.

Studies on privacy trust link transparency with improved confidence, goodwill, and loyalty. Disclosure of privacy and security practices, in particular, is a top trust factor. A lack of transparency, on the other hand, exacerbates backlash.

For example, revealing unexpected data practices can most certainly cause public outcry, as we’ve seen in bombshell headlines over the past few years.

With this heightened public awareness over privacy rights, organizations today are increasingly viewed as having a fiduciary duty to maintain the integrity of personal data. This in turn has underscored the importance of privacy leadership and data ethics.

7. Ensure data privacy compliance as a legal mandate.

Privacy regulations are like a messy bowl of alphabet soup. The web of legislation includes numerous, dynamic privacy laws, including the EU’s GDPR, California’s CPRA/CCPA, and China's new Personal Information Protection Law (PIPL).

Most of these local and international regulatory frameworks have extraterritorial reach, a broad scope of application, and a growing list of privacy and security violations. To put this into perspective, modern privacy laws are on track to cover the personal information of 75% of the world’s population by the end of 2023, according to Gartner analysts.

Plus, regulatory bulldogs are also more active today than ever before, pledging to bite back hard against noncompliant data handling and management practices in the years ahead.

A sophisticated privacy culture centered around data transparency can help you avoid catastrophic legal, financial, reputational, and operational backlash from an unfortunate event.

8. Empower a proactive regulatory and transformational stance.

Organizations have largely relied on reactive data protection plans with back-up processes for “worst-case” scenarios. A digitally-enabled, privacy-centric organization, on the other hand, is future-facing and cyber-ready.

Organizations with proactive privacy cultures are able to anticipate new data privacy regulation and technological developments, and secure the infrastructure and processes for sustainable growth.

How do you build a privacy culture?

1. Prioritize transparency

To build a privacy culture within your organization, you need to create a completely transparent and publicly visible system where your technology, people, and processes are all working together across the entire data landscape and information life cycle.

Such holistic, tightly integrated data trust and transparency practices not only protect the privacy of your members and other stakeholders, but also fuel a data-centric culture – one that works in concert with your digital transformation efforts.

So, we should turn transparency into a value proposition and top organizational priority.

Position your organization as an open book and create a brand strategy around digital citizenship, privacy leadership, and reaffirming the digital world as a force for good and human connection.

You may advocate for a digital world in which trustworthy people can actually be trusted, by upholding better, safer digital experiences. Whatever your approach, being clear, upfront, and honest is key here.

That human-to-human, ‘real talk’ is what’s needed to gain the buy-in you need from the public and your internal staff to reinforce your privacy culture and take your organizational capabilities to new heights in the digital age.

2. Champion education and awareness

This step is largely about human factors in cybersecurity. In order to move or leapfrog towards better business outcomes, you need to get everyone on the same page. This goes for all stakeholders and end users across your organization, as well as your members, online audience, and potentially relevant third parties.

Your education programs should clearly support the mission and goals of your organization. Raise awareness about the cybersecurity landscape and the ‘why’ behind your data processing decisions and bold UX messaging. Again, transparency is the secret sauce here.

Staff Education

All employees and staff in your organization—especially those who process, store, and access personal data—need to be trained on your IT governance processes to foster a sense of ownership, coordination, and coherence.

This requires continuous training and capacity building within your organization, as well as the resources to support this training curriculum. You may want to analyze different training methods, frequencies, and hours required for different roles to see what the best program is for your association.

The goal is to get everyone up to speed and in agreement on your privacy programs and best practices from the first touchpoint through the post-purchase personalization journey.

Public Education

In your public education campaigns and awareness programs, be upfront about what your organization is getting out of it and how the user is benefiting as well (e.g. personalization, more meaningful digital experiences, etc.). Stay light, friendly, and communicate directly to the individual on the other side of the screen.

For example, thoroughly and clearly explain how you collect, process, and anonymize information in your cookie consent, disclaimers, and privacy policy to customize and enhance the browsing experience. The goal is to improve data literacy and data trust experimentation. So be creative and amusing.

3. Take a holistic approach

All too often, privacy programs and organizational cultures are designed and operated with a focus on technology systems, without adequately addressing people and process layers. A forward-looking, privacy-enabling organization requires a more balanced approach.

Like the three legs of the “digital transformation stool” and any organizational change initiative, the three legs of a mature data privacy culture include:

  1. People
  2. Processes (governance)
  3. Technology

In order to usher in secure data environments, your organization’s privacy culture must encompass internal systems, structures, human processes, data management, cyber, privacy, record retention functions, and beyond.

In other words, your entire organization ecosystem and resilience strategy needs to support your privacy culture.

4. Complement the larger organizational culture

Ensure your privacy culture and cyber strategies align with your larger organizational culture and overarching strategic direction.

It should support your core objectives and even advance or inspire your organization goals and innovation culture.

So, lay out the roadmap between your privacy initiatives and performance results (e.g. quality data, improving operational efficiency, removing bottlenecks, building trust, and locking down recurring members and supporters).

5. Engage stakeholders

When developing and revisiting your privacy culture and data governance plan, encourage ongoing collaboration and participation of cross-functional stakeholders across your organization.

Regularly measuring stakeholder confidence and identifying areas of strength vs. friction can help you increase organizational buy-in, without slowing things down.

Collaborate regularly on questions like: Where is the industry headed? How can we strengthen our privacy leadership and data transparency practices? Where might new technologies lead? And how would our privacy culture need to adapt to remain competitive?

Regardless of the maturity of your organization’s privacy posture, your C-suite leaders and stakeholders should continually assess your data processes against the current vulnerability and opportunity landscape.

Coordinating your privacy plan accordingly will allow you to stay abreast of evolving situations (e.g. new data processing needs, vendors, and legislation), safely engage in change initiatives, and strengthen data’s value for your organization.

6. Give users more access and control

Increase access to critical data for your users and give them more control over how their personal information is used and shared.

Allow your members and website visitors to correct, delete, and complete their individual data and manage tracking and personalization preferences.

You may also consider allowing users to submit recommendations publicly via your privacy rights request channel and make your responses publicly visible as well. This encourages a more equitable distribution of data and demonstrates your commitment to data trust.

Foster a data-sharing culture — not a data “ownership” culture — by identifying the emotional impacts and inherent biases that hamper data sharing.

Lydia Clougherty Jones, Senior Director Analyst, Gartner

Going along with this, be sure to carefully identify new data needs and manage user expectations. Balance risk and value for new data uses, while handling each request with care and 100% transparency.

7. Make it formal

The vast majority of organizations have traditionally approached personal data privacy and security from the ground-up, training users as the first line of defense against cyber threats and vulnerabilities.

Becoming cyber smart in 2022 and beyond requires an organization-wide approach with a written IT security policy and a formal, end-to-end privacy culture. Becoming a privacy champion isn’t about working hard, but rather it’s about “Thinking Big” and adapting to support your goals.

Consider the triad of projects related to data privacy and IT security as a whole to get things documented and formalized:

  1. Data-mapping: Inventory all personal information and any “sensitive personal information” collected and/or disclosed by your organization, third-party vendors, suppliers, and indirect parties. Then map out who has access to that data, where each dataset is located, where third-party tags are firing from, and the storage and disclosure processes of all third parties.
  2. Risk assessment: Analyze the different visitor profiling or tracking activities (e.g. pixels and cookies including Google Analytics or Google Tag Manager) on your sites and applications, including the purpose and method of data handling and processing. Then rank the data sensitivity levels and associated risks of each data activity.
  3. Development of a written IT security and risk management governance plan.

Tackling these three data protection demands together with fervor and with a broad, comprehensive approach will get you on the right path to sustainable growth without derailing innovation and competitiveness.

Really, though, depending on the maturity of #3 in that triad of project priorities, you may not need to worry about #1 and #2 separately, because those should ideally be incorporated into your governance framework.

8. Develop your IT governance plan

Creating, documenting, and rolling out a rock-solid IT governance program gives your organization’s data trust framework and privacy culture a firm footing.

The goal is to build a controlled environment capable of governing and managing data transparently. It should be defined at the strategic level across risk management and compliance areas, and turned into action at the practical level. The key to successfully following through on your governance plan is to gain continued acceptance and adherence organization-wide.

Every organization is unique in its purpose, goals, industry, and target audience. So while there’s no magic template to mirror, here are some highlights to keep in mind when developing your governance roadmap:

  • Include people, processes, and technology elements within your organization and relevant third parties.
  • Define the roles of each actor and establish clear lines of authority, without disempowering your frontline staff.
  • Make all processes and procedures repeatable, flexible, and scalable.
  • Include adequate guidance to continuously adapt to evolving compliance challenges.
  • Include all data processing structures, mechanisms, and decision-making processes.
  • The ‘techie’ stuff should detail an efficient, risk-oriented internal control environment with automated alerts and structured safeguards.
  • Detail your training processes and cybersecurity awareness programs.

As the focal point of your privacy culture, a fully implemented IT governance can turbocharge your organization’s full potential. The main benefits include the ability to:

  • Earn user confidence and monetize trusted data.
  • Bridge information and communication gaps for “real time” collaboration.
  • Remove data silos, reporting inefficiencies, and clunky IT infrastructure.
  • Improve budget performance, reduce overhead, and meet compliance demands.
  • Enhance accountability, productivity, and preparation for a digitally-enabled future.
  • Improve organization-wide synergy and commitment to shared initiatives.

Many organizations have even put together a dedicated, cross-functional data privacy team to oversee the implementation and continuous improvement of their governance plan. You can also outsource to an association IT consultancy like Cimatri to keep things streamlined and moving forward.

9. Continue adapting and iterating

Never stop learning, monitoring, and adjusting. Not only should you have structures in place to regularly monitor compliance requirements, but you should also keep tabs on industry trends and benchmark operational changes to further cascade trust and crystallize the culture shift.

A more sophisticated understanding of the people involved in your governance roadmap, how they connect, and their specific contributions or overlapping inefficiencies will help you continually improve productivity and progress your privacy program.

Regularly test and experiment with your IT governance processes as your organization evolves. Then, assess the results and adjust accordingly to find better UX strategies and reinforce user control.

Once you’ve achieved this level of maturity as an organization, you’ll be able to promptly tweak your privacy initiatives to accommodate new knowledge and regulations without jeopardizing data security.

While working through your governance maturity checklist, strive to build a seamless system to convert raw information into trusted, business-critical information. It’s equally important to use succession planning to build a pipeline of leaders to take up the torch on your privacy culture.

What are some privacy and security practices?

  • Develop and regularly update formal cybersecurity and governance programs with the insight of stakeholders.
  • Engage and monitor all direct and indirect third parties about their privacy policies and data security practices, and update contractual agreements accordingly.
  • Allow users to manage personal data and consent preferences for personalized advertising and previously consented activities.
  • Integrate a strong cookie policy and customized banners on your site and applications.
  • Block profiling cookies until explicit opt-in consent has been obtained.
  • Maintain valid records of opt-ins and opt-outs.
  • Disclose how you store and use collected data.
  • Implement formal processes for data retention, minimization, and elimination.
  • Implement preventative measures (including automated and manual processes) for auditing, assessing, and resolving security issues.
  • Enable multi-factor authentication (MFA) and single sign-on (SSO).

Common data privacy and security pitfalls

The following bad practices can make your organization resistant to change. When you’re trying to shift to a privacy culture, be sure to avoid these ticking time-bombs.

  • Not developing and adhering to IT governance policies and procedures.
  • Using many technology systems and applications that don’t “talk” or work well together.
  • Inadequate third-party risk management and operational resilience (e.g. not completing or coordinating end-to-end mapping, scenario testing, annual cybersecurity audits, or regular risk assessments).
  • Inadequate stakeholder engagement or management (e.g. not coordinating governance processes and data processing practices based on stakeholder insights and needs).
  • Lack of organization-wide education around security and privacy risks, data collection and use, and the need for formal IT governance.
  • Stretching limited resources too thin and focusing on too many things at once instead of limiting capability “sprawl.” Take on additional change initiatives and continuous process improvements only when your resources and organizational maturity permit.

Current state of digital trust and privacy leadership

According to the 2021 U.S. Digital Trust Insights snapshot survey, only 54% of organizations have implemented formal processes to understand where sensitive and high-value data are stored and processed within their organization. Only about half of organizations know how data is sourced and moves through their organization, let alone have actual structures to protect data sharing within their ecosystems.

And out of the organizations that actually have a formal data governance process in place, only 37% have dedicated data privacy teams or a data protection champion. Yet these pacesetters are already more than twice as likely to report ROI from new data-driven revenue streams, improved value streams, and more efficient and wiser operations.

Simply put, organizations have a lot of work to do in order to better govern, discover, protect, and minimize the personal data they hold. Good news is, it does look like data protection and information security practices are heading towards greater visibility with boards, donors, investors, and the public in the year ahead.

Considering accelerated privacy regulations and cybersecurity threats are cited among the top emerging risks for U.S. organizations, this shift towards transparency only makes sense for short-term viability and long-term sustainability.

Point is, you need to start building an integrated culture of privacy leadership and data transparency into your organizational direction ASAP.

Summary: How do you develop a culture of privacy?

Wrap your privacy culture into your larger organization culture. It requires you to formalize your data governance plan and garner stakeholder support. And while you're responsible for data security, the control of that information should ideally be in the hands of the user.

A mature, well-integrated privacy culture is the necessary, future-ready solution to drive measurable outcomes with demonstrably higher reward in the digital age. A privacy-advocating culture is a brand image among your members, customers, and website users. It distinguishes your organization as stewards of your users’ critical data, helping to reinforce your brand and engender trust.

Unfortunately, many associations with limited resources are still treading on dangerous waters when it comes to compliance practices, let alone data privacy leadership.

Ready to accelerate your privacy culture (and drive better organizational results)? Take this first step: this short self-assessment diagnoses the maturity of your association IT in minutes.