Listen here to Teresa Troester-Falk’s interview with Dale Skivington, former Chief Privacy Officer at Kodak and at Dell.
Teresa Troester-Falk

Audit – Chief Privacy Officer’s Best Friend – Hi, everyone, and welcome to #PrivacySnapshot, where we discuss trending privacy news and practical privacy tips. And today is a practical privacy tip. Back with us is Dale Skivington, who did a recent #PrivacySnapshot with us on the value of integrating privacy into your broader compliance framework. But today, she’s here to talk to us about how audit can be your best friend, as chief privacy officer or anyone leading privacy. So Dale, how can audit be your best friend?

Dale Skivington

Thanks, Teresa. So one of the things I noticed in coming to Dell, and the same thing was true when I was chief Privacy Officer at Kodak was the relationship between audit and the chief privacy officer was that the audit department spent a lot of time auditing my program, making sure that what my privacy team or me as the CPO was doing was a best practice, whether it was from a policy perspective, or a controls perspective. But what I really needed from audit was, I needed their support. To help me enforce what I saw were the top risks at Kodak and at Dell, for example, one of those risks would be third-party management.

And as you know, for those of you who have third parties who have access to personal data, there are clauses in your contracts, or there should be if there aren’t, which suggests to the third parties, what your expectations are around how they manage data. And whether you use standard contract clauses under, you know, the International data transfer frameworks, or they’re your own clauses that you’ve developed with your counsel. They’re not self-effectuating. You know, you’ve got these clauses in these contracts. And yes, you might have good indemnification. But that’s not going to help your brand. If that third party does something with that data, that is inappropriate. So what we did at Dell was we made sure through this global compliance forum, as I mentioned at the last session, that the audit department really had a good understanding; they sat at the table and heard us describe the risks that we felt were attended to the you know, channel and the third party relationships.

So they were better, they better understood where the risks were. We also helped them understand where those risks fit with the broader risks of the company. And once they understood what those risks really were, then we got them to sign on to doing some third party audits. We had it in our clauses that we had the right to do it, and rarely do companies utilize that tool. But we did an assessment with audit as to which are our highest risk vendors.

When we set up a time, we notified one or two of our vendors that we were going to actually exercise our right to do an audit. And you know, you only have to do a couple before the channel understands that the company was serious about its expectations in its contract clauses. And you know, the word gets out. There are lots of benefits to having audit, understanding your risks, and then assisting you in your oversight and monitoring function.

Teresa Troester-Falk

I think that’s an excellent tip and point. And I like what you said that you only have to do one because it’s true; we often put in those contractual provisions everyone does or should, but very few practically do follow up with because it is so resource intensive. But as you say, doing just one or two, the word gets out and can move through the channel, and that might be all you need to kind of add the weight and leverage to those provisions that you need. So, thank you for that tip. For those of you listening, audit can be your best friend in the privacy department.

Let’s talk about leveraging your internal resources, like Audit.

Ask us how we can help you feel confident and at ease with your privacy compliance efforts.

Follow us on LinkedIn: https://www.linkedin.com/company/blueskyprivacy/mycompany/