
ENGAGEMENT

A large communication services provider engaged DayBlink Consulting to stand up a cross-functional organization-wide governance program in preparation for a major CPPA legislative update.
The effort focused on ensuring the company maintained privacy compliance in accordance with the new legislation. Various technical solutions and process updates were required to eliminate potential financial risks. The program included workstreams dedicated to each of the 7 compliance areas, as well as 5 cross-functional support pillars that provided dedicated subject matter expertise and supported the business in operationalizing the solutions.

PROBLEM

The client was notified by the government of upcoming CPPA legislative requirements. Once the legislation went into effect, the client would have 18 months to ensure compliance, at which point it would be vulnerable to legal and financial repercussions of up to 5% of gross global revenue for any incidents of non-compliance. The legislation was centered on enhanced privacy measures across seven key areas: (1) analytics and algorithmic transparency, (2) consent management, (3) data portability, (4) data inventory, mapping, and classification, (5) securing data, (6) vendor management and (7) privacy management operations.

The Chief Privacy Officer and IT leadership members recognized that the company needed an organization-wide governance model that would ensure all aspects of the business properly identified areas of non-compliance and then designed and implemented cost-effective solutions.

SOLUTION

DayBlink Consulting implemented a strategic governance model to help drive compliance. This project was spearheaded by the Chief Privacy Officer, but required organization-wide collaboration. We also provided educational materials to the organization to enhance the team’s overall privacy knowledge, better preparing the business for future compliance endeavors.

DayBlink Consulting supported the identification of both requirements and opportunities that the new legislation presented, including a risk-based and opportunistic assessment of how the organization could implement various process improvement efforts. The efforts involved several teams, including legal and regulatory, enterprise data governance, business process, solution delivery, and security & compliance.

To effectively implement the governance structure, we established recurring SteerCos at various leadership levels, program- and project-level domain standups, and regular review meetings with business vendors, finance and other key stakeholders. We established high-level program milestones to ensure full company compliance three months in advance of the regulatory deadline, allowing the enterprise the opportunity to pilot the new processes and adjust for any gaps or inefficiencies. We then documented roles & responsibilities for each workstream and held kickoff meetings with each business group. Next, we provided regular reports to the Chief Privacy Officer to ensure conflicts between workstreams were avoided.

RESULT

The client successfully complied with the new regulations faster than expected and in advance of the deadline. Other results included newly implemented end-to-end processes that improved organizational efficiencies.

Overall privacy knowledge across the organization increased substantially, as measured by a new annual compliance training. This initiative also unified organizational messaging between the security and privacy teams.