
Why Your Company Needs A Privacy Culture & Where To Start


Data privacy is so much more than legal compliance! We believe legal compliance should be the result of a successful privacy program, not the goal. Moreover, companies should use personal data to support broader strategic objectives.

How do you build an understanding of privacy at your company’s cultural level? How do you get the necessary resources for your privacy program?

In this webinar, we explore how creating a culture of privacy within your organization can make privacy a top priority and help build an efficient privacy program.


  1. Why Your Company Needs A Privacy Culture & Where To Start
     © 2022 TrustArc Inc. Proprietary and Confidential Information.
  2. Agenda
     ● TrustArc’s views on a Culture of Privacy
     ● Create a Privacy Mission Statement and Vision
     ● The Effects of a Culture of Privacy are seen in a Strong Privacy Program
     ● What Privacy Programs Say About Culture
     ● From a Privacy Program to a Privacy Culture
     ● Create a Privacy Team
     ● Privacy Tech Solutions
     ● How Personal Data Supports Other Business Objectives
     ● Privacy Culture Metrics
     ● Q&A
  3. Speakers
     ● Fernando Barreiro, CIPP/E, CIPM, Global Privacy Principal, TrustArc
     ● Andrew Scott, Privacy Counsel, TrustArc
  4. TrustArc’s Leaders on Culture of Privacy Means….
     ● “Shared understanding of how data may be used to support business objectives but enable individuals to access their rights.” - Meaghan McCluskey, Associate General Counsel, TrustArc
     ● “Treat the privacy of others like it's your own.” - Chris Babel, CEO, TrustArc
     ● “Pushing privacy throughout the organization (Engineering, Legal, Marketing) so everyone knows what they need to do to protect the data and what they need to do as their job as part of that” - Michael Lin, Chief Product Officer, TrustArc
     ● “Changing the way management looks at the way they manage data, moving the perspective from trying to comply with the law to that of how privacy adds value to the business rather than taking it away” - Ralph O’Brien, Principal Consultant, Europe, TrustArc
  5. Create a Privacy Mission Statement and Vision
     Our Data Values
     At TrustArc, Privacy is our Business.
       ○ Embedding privacy. We strive to help businesses embed privacy into their strategy and operations by providing simple, scalable, and intelligent solutions that help our customers continually manage privacy compliance and risk.
       ○ Responsible use. We help to promote responsible data use and stewardship among businesses and suppliers around the world.
       ○ Purpose driven. We only collect, use, and share the information needed to provide and operate our solutions and to help our customers meet their accountability and regulatory compliance needs.
       ○ Always improving. We process data about the use of our solutions and the way we operate our own business in order to help us better understand the needs of our customers, prospects, and other stakeholders, and to continue to improve user experience, features, and functionality of our solutions.
     Other Companies’ Statements
       ○ “Privacy is a fundamental human right. It’s also one of our core values. Which is why we design our products and services to protect it. That’s the kind of innovation we believe in.” - Apple
       ○ “At Salesforce, trust is our #1 value. This Privacy Statement describes how Salesforce collects, uses, shares or otherwise processes information relating to individuals (“Personal Data”) and the rights associated with that processing.” - Salesforce
     ● A Mission Statement describes the purpose and ideas
  6. The Effects of a Culture of Privacy are seen in a Strong Privacy Program
     ● Helps Meet Regulatory Compliance Obligations
       ○ Fines for non-compliance; compliance with one framework will not always satisfy for others
     ● Improves Optics
       ○ More opportunities to build or lose trust with brand (data can be traded for trust)
     ● Increases Employee Confidence / Reduces Risk
       ○ Providing employees with confidence to raise complaints without retaliation; reduce suits
       ○ Making employees aware of their rights and security of their data
     ● Increases Cross-Functional Collaboration
       ○ Communication has increased between Legal, HR, and Technology Departments regarding privacy matters (e.g., understanding automated employment decisions, increased training with responding to complaints/requests)
     ● Improves Allocation of In-House Resources
       ○ Need to reassess data flows, consult outside counsel, seek new technical solutions, implement new controls, regularly assess the effectiveness of the controls, and create new roles; improve data quality, reduces
     ● Improves Business Strategy (Corporate Governance)
       ○ Increased need to establish a privacy stakeholder and consider privacy not as a cost but as core business strategy
     ● Global Regulatory Environment (Interoperability)
  7. What Privacy Programs Say About Privacy Culture
     ● Compliance Should Not be the End Goal of the Program
       ○ With the sole goal of regulatory compliance, privacy will be an inhibiting factor in the organization’s to drive strategic decisions; privacy does not have to affect the bottom-line
       ○ Consider creating a program with a true “floor” rather than a privacy patchwork
       ○ If resources are thin, consider a base framework and evaluate the organization’s appetite for risk
       ○ Does your privacy notice tell your organization’s story?
     ● What Personal Information is Collected and Processed throughout the organization?
       ○ How is PI Collected?
       ○ How is PI Retained?
       ○ Where is PI Transferred?
       ○ How is PI Accessed?
     ● Considerations
       ○ The strength of the administrative, technical, and physical safeguards to protect against collection, use, and disclosure throughout the organization
  8. From a Privacy Program to a Privacy Culture
     ● Embed a Privacy Program into all aspects of the organization (default is a Privacy Culture)
     ● Make the Privacy Program resilient (protect proprietary information via compliance)
     ● Make the Program a group effort beyond the Privacy Team (talk about it)
     ● Don’t Impose, ask for help/feedback: be a resource for the organization, don’t be afraid to adapt the program based on received feed (frame it as trying to achieve strategic goals)
     ● Build a Privacy team or Privacy Office full of privacy advocates and good communicators
     ● Find Privacy Champions across the organization. Recognise their inputs and work.
     ● Be creative in your communication strategy: trainings should be useful and interesting, organize privacy events, engage the audience, create friendly materials.
  9. Create a Privacy Team
     ● The team should be aligned with the organization’s objectives and goals
     ● Identify a sponsor / champion to liaise with other teams
     ● Consider cadence of meetings and who else should be invited
     ● Funding will not be hard if there is a culture of privacy
  10. Privacy Tech Solutions
     ● Consent Tools
     ● Privacy Enhancing Technologies
     ● Data Inventories
     ● Risk Assessments
     ● Assurance: Certifications, validations, and seals communicate trust to customers and consumers but also allow for increased business (trade)
     Wide Range of Solutions to incorporate
  11. How Personal Data Supports Other Business Objectives
     ● Privacy is not only a compliance/risk issue.
     ● Innovate with Privacy!
       ○ We don’t want Privacy to be the “No” in moving the organization’s strategic goals
     ● Trust! Privacy as a business driver and competitive differentiator. Privacy as a core element of companies/brands.
     ● Consider the effects of losing proprietary information (FTC - algorithm disgorgement)
     ● Human error is the number one reason for security breaches. Mature and well implemented privacy program + well established privacy culture reduces this risk preventing reputational, operational and financial losses.
  12. Privacy Culture Metrics
     ● How many legal frameworks is the organization compliant with vs. jurisdictions they are doing business in?
     ● How many dedicated privacy professionals are there?
     ● How many privacy incidents have there been?
     ● How many privacy trainings have been conducted?
     ● How many certifications and validations have been completed?
     ● How many risk assessments (DPIAs or PIAs) have been completed or are in-progress?
     ● How many access requests have been made - and how long does it take to respond?
     ● How many enforcement notices have been received?
     ● How many updates to the privacy notice have there been? (How many notices are there?)
     ● How many employee notices do you have?
     ● How many privacy enhancing technologies exist?
     ● How many data inventories have been conducted?
     ● How many privacy vendors are being used?
     ● How often is the organization using its outside counsel for privacy concerns?
     How it Reflects on Your Privacy Culture
  13. Why Does Your Company Need a Culture of Privacy?
     ● External vs. Internal
     ● How do define privacy - right / obligation?
     ● Global Culture (opt-in vs opt-out)
     ● Reactive (as a society) vs. Proactive
       ○ Governance -
       ○ Fines
       ○ Roles
       ○ Meetings
       ○ DSARs…. In CA - Wholistic - BYOD - money -
       ○ Automate it -
       ○ Political - National vs US
  14. Q&A
  15. Thank You!
     See http://www.trustarc.com/insightseries for the 2023 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.