A few years ago, I quietly sat at a networking dinner where a colleague complained that her compliance department said “No” to every idea she proposed for improving communication in her organization. I was sympathetic to her plight, but I also understood why her compliance department wasn’t equally enthusiastic about her ideas.
As a communicator, I’m the first person to geek out over the latest and greatest tools available to communicators. As a privacy officer, I’ve had to say “No” to some very cool integrated technologies and ideas from our workforce.
A peek under the privacy and security hood
While healthcare organizations worry about the Healthcare Insurance Portability and Accountability Act of 1996, educational institutions are concerned with the Family Educational Rights and Privacy Act, and financial groups must adhere to the Gramm-Leach-Bliley Act. In addition, privacy laws also apply depending on geographic region. For example, California has the California Consumer Privacy Act, while the European Union is governed by the General Data Protection Regulation.
Keep in mind that your privacy and security officer is charged with ensuring compliance with ever-changing state and federal regulations. Sometimes, these regulations are in conflict with each other, and depending on the industry, your organization may incur penalties and fines because of unprotected Protected Health Information, electronic Protected Health Information, Personally Identifiable Information or Protected Personally Identifiable Information in the event of a data breach.
Here are some of the reasons why I’ve said “No.”
- I’ve conducted due diligence, and the new software that was requested exposes the organization to higher risk than can be justified. Often, it’s because there are vulnerabilities inherent in the design of the software, and the weakness leaves an organization more vulnerable to a cyberattack. If you are working with employee, donor or client/customer data, I run through a number of scenarios to evaluate the level of risk that will be incurred by the organization. Sometimes the risk to the organization is greater than the benefit. For communicators, this might apply to internal communication software or software used to track donor information.
- The next iteration of privacy regulations mandates that we handle certain types of data in a different way, and I know that we would have to change our current policies and processes to meet the new standards.
- Many people have learned to write code in school. As impressed as I am with the skill and ingenuity, introducing a homegrown script to an organization’s IT infrastructure may create a new conduit for unintended and unwanted malware or ransomware.
- Your idea requires resources beyond our current budget, so our financial and staffing resources are not enough to make it successful.
Setting yourself up for “Yes”
The best approach to getting your privacy and security officer to say “Yes” to your idea is to understand what types of data your organization handles and what regulations apply to your organization. Do some preliminary due diligence on the company. Check with your vendor of choice and gather information about its privacy policies. Find out if your organization is a fit with the vendor’s preferred clientele and if it would be willing to fulfill the regulatory requirements for your industry. Finally, ask your friendly compliance officer to review your findings before you submit your proposal for approval.
If your vendor of choice doesn’t meet the requirements and you still want to use them, start a dialogue with them about how they might fulfill the requirements in the future. The world of privacy and cybersecurity is fast-paced and evolving, creating more opportunities for software vendors to meet regulatory demands. Today’s “No” might be tomorrow’s “Yes.”
Carolyn Price is excited to contribute to the success of SF IABC as a content writer. She has a wealth of experience in Executive and Organizational Communications and leads the evolving compliance program at CocoKids.