Blog by Divebell


Rock, Paper, Scissors: Whose Data Privacy Priority Comes First?

Mar 23, 2022
Jeremy Mailen

Nothing clarifies what’s important like limits. You know the feeling when several people approach you with something they urgently need “by the end of the day,” but there’s no way to fit it all in? In these situations, knowingly or unconsciously, you make decisions about which requests get most of your time, which get scaled down, and which get deferred. You triage.

People, teams, and companies can only do so much. Anyone tasked with data privacy knows this only too well. Sometimes, you have to prioritize one thing at the expense of another.

However, the rapid evolution of technology, data explosion, and expanding privacy laws mean that most data privacy teams stretch across multiple functional areas. For instance, Privacy Officers and Data Engineers may be part of a team working on privacy, even though they report into completely different departments.

Will those multiple departments have the same priorities?

Much like the players in a symphony, the data privacy team needs to work well together while focusing tightly on their own individual contribution. To deliver data privacy effectively as a team, it’s true that everyone needs to understand the common elements behind their different languages or terminology (a fact that I discussed in my blog ‘What I talk about when I talk about Data Privacy’). But that is just the starting point.

Everyone also needs to be aware of how each team prioritizes which data privacy measures to implement.

Data Privacy and Protection Priorities

Let’s consider three equally important aspects of protecting data: Access Control, Data Integrity, and Business Purpose, as defined below.

Access Control: Only the correct users have access to the data. Measures are in place to prevent the data from being exposed or leaked.
Data Integrity: The data is accurate and matches the people it claims to represent. It cannot be tampered with or lost.
Business Purpose: The data was collected for valid business reasons and is retained and used accordingly.

If you were asked to rank these priorities, in terms of where to expend your energies first, how would you order them? If members of a Privacy Team — a Privacy Officer, an Information Security (Infosec) Analyst, and a Data Engineer — were asked to rank these, what would be their order? To be clear, ranking something last doesn’t mean that it is unimportant to the team or that they don’t or shouldn’t care about it. It just implies that the Privacy Team needs to focus its energy moving down a list in ranked order, treating the higher priorities as foundations for ensuring that lower priorities are accomplished.

Would you be surprised to find that each of the three Privacy Team members ended up with a different order of priorities? Consider the rankings below:

Rank    Infosec Analyst    Data Engineer    Privacy Officer
1       Access             Integrity        Purpose
2       Integrity          Purpose          Access
3       Purpose            Access           Integrity

So what happened here? After all, these data privacy and protection professionals are well used to working as part of a cross-functional team. What explains three completely different priority rankings? If we look at it from their point of view, individually each makes sense. The Infosec Analyst needs to keep the perimeter secure to protect data from ransomware to give the business a safe place to operate for any need. The Data Engineer sees the data itself as being the core asset, which needs to be correct and useful for anything else to be accomplished. Finally, the Privacy Officer knows that the legal lifecycle of compliance hinges on the purpose for which the data was acquired in the first place.

How then should we decide on an overall ranking? A rousing game of Rock, Paper, Scissors? That’s probably a bit arbitrary.

One approach is to revisit the most urgent Privacy Team goal to clarify more specifically what’s most important to achieve right now. If the current project involves verifiable compliance with CPRA, we need to address the law’s requirement that data be collected and shared according to the customer’s rights. In this instance, the purpose for which the data is collected is our first priority along with data mapping to monitor how it is used.

If we are shoring up our defenses in response to a new Cyber Security threat, however, Access Control will then be a top priority to ensure data protection measures are in place.

When the team is clear on the specific outcome or goal, they will be better prepared to decide together which aspect of data privacy needs to be prioritized first. Clarifying priorities and outcomes therefore plays a big part in choosing solutions and how team members will use them.

In my next and final blog in this series, I’ll dive deeper into the patchwork quilt of data privacy and security solutions that your team faces and how to comb through them with a clear sense of priorities, goals, and a shared language of privacy. Stay tuned.

Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.
