Listen here to Teresa Troester-Falk’s interview with Dale Skivington, former Chief Privacy Officer at Kodak and at Dell.
Hi everyone, and welcome to #PrivacySnapshot where we discuss trending privacy news and practical privacy tips. And today is a practical privacy tip. Back with us is Dale Skivington who did a recent #PrivacySnapshot with us on the value of integrating privacy into your broader compliance framework. But today, she’s here to talk to us about how audit can be your best friend, as chief privacy officer or anyone leading privacy. So Dale, how can audit be your best friend?
Thanks, Teresa. So one of the things I noticed in coming to Dell and the same thing was true when I was chief Privacy Officer at Kodak was the relationship between audit and the chief privacy officer was that the audit department spent a lot of time auditing my program, making sure that what my privacy team or me as the CPO was doing was a best practice, whether it was from a policy perspective, or a controls perspective. But what I really needed from audit was, I needed their support. To help me enforce what I saw was the top risks at Kodak and at Dell, for example, one of those risks would be third party management. And as you know, with, with the for those of you who have third parties who have access to personal data, there are clauses in your contracts or there should be if there aren’t, which suggests to the third parties, what your expectations are around how they manage data. And whether you use standard contract clauses under you know, the International data transfer frameworks, or they’re your own clauses that you’ve developed with your counsel. They’re not self effectuating. You know, you’ve got these clauses in these contracts. And yes, you might have good indemnification. But that’s not going to help your brand. If that third party does something with that data that is inappropriate. So what we did at Dell was we made sure through this global compliance forum, I mentioned at the last session, that the audit department really had a good understanding, they sat at the table and heard us describe the risks that we felt were attended to the you know, channel and the third party relationships. So they were better, they better understood where the risks were. And we also helped them understand where those risks fit with, with the broader risks of the company. And once they understood what those risks really were, then we got them to sign on to doing some third party audits. We had it in our clauses that we had the right to do it on, and rarely do companies utilize that tool. But we did an assessment with audit, as to which are our highest risk vendors. And we set up a time, we notified one of our or two of our vendors that we were going to actually exercise our right to do an audit. And you know, you only have to do a couple before the channel understands that the company was serious about its expectations in its in its contract clauses. And you know, the word gets out. And so lots of benefits for having audit, understand your risks, and then assist you in your oversight and monitoring function.
I think that’s an excellent tip and point. And I like what you said that you only have to do one because it’s true, we often we put in those contractual provisions, everyone does or they should , but very few practically do follow up with because it is so resource intensive. But as you say, doing just one or two, the word gets out can move through the channel and that that might be all you need to kind of add the weight and leverage to those provisions that you need. So, thank you for that tip. For those of you listening audit can be your best friend in the privacy department.
Let’s talk about leveraging your internal resources, like Audit.
Ask us how we can help you feel confident and at ease with your privacy compliance efforts.