Once upon a time, I had a client who asked me to help them bolster their practices regarding personally-identifiable information (PII), a very important exercise as they well knew. Because they were a large-ish organization, we decided to scope the effort in a cascading fashion, starting with departments of particular priority and then working down the list over time.
This is a smart and fairly common approach to take to almost anything regarding governance, so it was a very good at-bat so far. (For those who don’t know, I’m a big baseball guy, and I’m writing this on Opening Day. So bear with me!)
But then came the swing-and-miss:
“We don’t have to worry about the sales department because they use SalesForce,” they said. “In fact, they chose SalesForce because it doesn’t have any private information in it.”
Wait. What? Time out.
If your salespeople are doing their jobs correctly, then SalesForce and solutions like it should be FULL of PII! Maybe not datapoints like social security numbers, but certainly relationship-building personal information like customers’ birthdays, their interests, the names and ages of their children, etc.
That this wasn’t understood was a missed sign at a critical point of the game.
The reason for the cross-up was that the client was viewing the problem from the standpoint of documents rather than data, and believed, as many do, that because SalesForce is a database-y kind of thing, it doesn’t have to be part of the privacy conversation. But it most certainly does.
For a number of reasons that, for them, started with legal defense, I encouraged my client to tackle privacy in terms of answering the question, “Can I see all the information you have on me?” You will notice, as they did, that there’s no qualifier here regarding system, format, medium, or anything regarding that information, just merely its existence. So it’s critical that you hit to all fields when dealing with PII.
I am happy to report that this game was won in the end, but we did have to juggle the lineup a bit to adjust to the larger field we found ourselves playing in.
—
If you’ve got a privacy program in place or on the horizon that you’d like to discuss – or if you simply love baseball – then reach me TODAY and let’s start positioning you as your organization’s MVP.