The aim of this post is to discuss whether and how the concept of agile can help privacy functions increase organisational buy-in, while freeing up time to do more impactful work and at the same time strengthening the ability to demonstrate accountability.
2. Agile + privacy work = strengthened accountability?
To stay competitive and innovative, many executives have recently turned their attention to agile. The high degree of delegation, more independence and less bureaucracy are some of the advantages that executives are striving to attain. All lead to faster development cycles and shorter time to market.
With its heritage in the software development environment, the agile approach to managing work and solving business needs has provided a new and more responsive way to manage work. Take the agile manifesto and replace "software" with "privacy" and you will have a first good idea of what agile privacy requires.
From the perspective of the privacy professional it raises the question: how can my company, and how can I, work with privacy in the agile environment? Below I share my thoughts on how, if managed well, “going agile” can significantly strengthen privacy work. I will briefly look at some of the challenges of ensuring accountability and share my thoughts on how an agile approach and sound organisational thinking can put organisations in a better position to tackle this challenge.
The answer to the question posed in the headline? Yes, if done right.
3. Is it time to change how you have organised your privacy work?
The first question to be answered is: why should the privacy function consider agile at all? For decades compliance work has been done by:
- defining organisational requirements,
- training the organisation, then
- monitoring the work and if necessary
- enforcing against non-compliance.
For some, this has delivered satisfactory results and allowed for an acceptable overall level of maturity in the implementation of governance. So why the need for change?
GDPR introduced changes to both the extent and quality of the documentation that organisations need to produce to commence data processing activities. The accountability principle requires organisations to assess and document data processing activities ex ante and keep records of their considerations. Many organisations have been taken aback by the extent of this work. They have realised that the historic organisation of work is not producing the amount, nor the quality of documentation that is required to demonstrate accountability.
One of the common issues that organisations are facing, is the lack of organisational ownership of data protection responsibilities.
Introducing new processes – which many organisations did as part of their GDPR projects – without defining the roles required to maintain these processes, and without assigning clear responsibilities to these roles, has resulted in organisations having merely defined their good intentions, without building the organisational foundation needed to carry them out.
4. The agile organisation seen through the privacy binocular
The taxonomy of agile may vary from organisation to organisation, but the most commonly used labelling (the Spotify naming convention) of the cogs of the agile organisation is the separation into tribes, chapters, and squads. The idea is that the tribe will cover a specific business domain, that chapters will consist of certain employee groups/roles within the tribe, and that a composition of various chapter members will make up the individual squads (Scrum teams) within the tribe. The idea is that every squad – through the composition of individual members from relevant chapters – will have the skills and tools needed to independently design, develop, test and release new services or products. You may also find cross-functional guilds that, across tribes, will manage certain common objectives, e.g. performance, security, or privacy for that matter.
Few organisations will, however, be able to have dedicated privacy chapters – limiting direct participation of privacy resources in day-to-day operational work. In some organisations, you may find privacy and security guilds. The guild's role will, however, be more tactical and advisory in nature, and involvement will typically happen on request from squads. At the same time, the intrinsic nature of agile, with its increased focus on delegation of responsibility, reduction of bureaucracy and decentralised decision-making, clashes with the idea of a centralised privacy function with a mandate to stop initiatives in the early stages of development.
5. The three lines of defence and the three layers of organization
Agile does not mean the absence of structure or a casual ad hoc approach to development. On the contrary, agile requires structure and clearly understood roles and responsibilities. So, one of the questions to ask is: from what and where can one take inspiration for the set of roles and responsibilities that have to be implemented?
One place to consider is risk management and the idea of three lines of defence. Another is to understand that privacy tasks vary between those of a strategic and tactical nature and those operational tasks that must be maintained to remain compliant over time.
It is my view that to effectively implement any type of governance, both of those dimensions of organizational design-thinking need to be considered. I describe their interplay below.
5.1. The three lines of defence
The notion behind the three lines of defence is that the 1st line is responsible for the operational implementation of the organizational requirements defined by internal governance and external legislation. The 2nd line of defence defines the requirements and monitors the overall operational compliance with the defined requirements. The 3rd line of defence acts as an independent oversight unit. It assesses gaps in the compliance framework and deliberate non-compliance with or circumvention of the defined requirements. In an effective organizational design this segregation of duties ensures effective checks and balances and allows the organization to identify risks and governance issues that must be mitigated.
5.2. The three layers of organization
The second critical component of organisational design is the structuring of the operational implementation. Here the various roles of strategic direction setting, tactical planning, and operational implementation need to be thoroughly considered. The strategic layer is aimed at setting direction for the operational work, defining the ambition level, and allocating resources to implement the activities required to achieve the strategic ambition. The tactical layer is aimed at planning the actual activities required to implement the strategy defined by the strategic layer. And lastly, the operational layer is responsible for the actual operationalisation of the activities planned as part of the tactical provisioning and the day-by-day fulfilment of those duties.
What this means for the design of an agile organisation is that the tasks related to each layer need to be defined, and the organisational ownership of these tasks needs to be clearly assigned to well-defined roles.
5.3. Conclusion of the two – and how they fit with agile
As with all other organisational planning – further accentuated in an agile setting – all resources required for the effective management of privacy-related tasks need to have a clear and aligned understanding of what they are required to do when involved in data processing activities.
In an agile setting, both dimensions, a) the three lines of defence and b) the three layers of operational implementation, need to be thoroughly considered, and the conclusions, with their subsequent organisational delineations, need to be clearly described and communicated to the organisation.
The pieces fall into place when you apply the three lines of defence and the three layers against the agile blueprint. No one person in a chapter or in a tribe will have the sole responsibility for ensuring all privacy-related tasks. Instead, through a well-crafted organisational design, the responsibility for data protection will be an organisational responsibility assigned to the various roles in the organisation’s 1st line that are best suited for the task.
The 2nd and 3rd lines of defence play an important role in ensuring the robustness and longevity of the implementation of privacy practices. But it is the clearly defined layers of the operational implementation of 1st-line privacy practices that lay the bedrock for successful organisational privacy management.
6. The privacy organisation v2.0
Prior to 25 May 2018, only a few organisations got to the stage where they reviewed existing non-privacy roles and defined new, clear responsibilities for these to ensure appropriate and effective management of privacy tasks.
The – agile – privacy organisation v2.0 will involve the entire organisation and require not only the definition of new roles, but first and foremost a more comprehensive account of roles and a clear assignment of responsibility. This requires a much more granular assessment of what it will take, from an organisational perspective, to deliver on the overall objectives of the organisation’s privacy management programme. Roles, tasks and responsibilities need to be broken down to a level that allows for a clear assignment and understanding of who does what by when. This will allow the privacy function to move away from time-consuming and not necessarily very impactful operational work to a more tactical role. In this role, the privacy function can focus on driving the organisation forward through effective planning of initiatives to drive change and meet the overall strategic objectives of the organisation.
Therefore, as a starting point, privacy functions that want to move towards agile need to define a target state for operational work and draw the organisational blueprint needed to reach this target.
If the organisational processes are designed effectively, individual squads will be able to navigate almost autonomously without having to wait for and involve central privacy resources for “sign-offs” or guidance. As services mature and move beyond the MVP stage, additional privacy features can be added without sacrificing the agility of the organisation.
The journey towards stronger privacy management starts by actively empowering your organisation to take responsibility for privacy work. This requires planning. Agile is a proven method to take you one step in the right direction, but it requires a very different approach compared to how compliance has been managed in organisations historically. But again – privacy should never be treated as mere compliance. It needs to be managed on an operational level.