How should we staff our privacy function?
A question that regularly comes up when we are working with clients is, “how should we staff our privacy function?” It is normally the CFO that asks the question from the financial perspective, and often the CEO will ask “What do our competitors do?”
The answer is not as simple as one would imagine. And perhaps, it is not the right question to be asking. Looking at what your competitors are doing may give you an idea of the decisions that were taken in the past, but not necessarily what your organisation needs for the future.
The road to compliance with any data protection legislation will, because of the direct impact on employees, customers, IT-systems and well-established business processes, be long and winding. It will be an exceptional transformational exercise for most organisations.
Due to the nature of the origin of the project, i.e. new legal requirements, it is only natural that most data protection programmes historically have had a strong focus on legal compliance. And obviously, a data protection programme needs to deliver exactly that. It is however critical that we don’t allow the focus on legal compliance to make us forget about the other critical enablers for a successful privacy programme.
In addition to legal documentation, core components of any privacy programme are the efficiency of the programme, the longevity of the programme, and lastly the programme’s ability to deliver value in line with the business objective defining the direction of the privacy programme.
Longevity is achieved by a programme that seamlessly amalgamates privacy considerations into the relevant strategies and activities taking place within the organisation. In other words, a programme that makes sense from the perspective of the resources that are involved in the management of the programme.
Value is achieved when the data protection programme delivers on the business need of the company, and ultimately supports the overall strategy of the organisation. In other words, a privacy programme that creates tangible and demonstrable benefits for the organisation.
So, before asking the question “How should I staff my privacy function”, I encourage the CEO and CFO of any company to rather ask “How should we construct our privacy programme”.
Below, I will do my best to briefly introduce the pertinent considerations for each of the three pillars introduced above, “Efficiency”, “Longevity” and “Value”.
The efficient privacy programme
Historically, the combination of the limited availability of effective tools, a considerable focus on producing one-off sets of legal documentation, and limited focus on the design of new business processes has often resulted in high-level internal policies outlining the general requirements of the data protection regulation in question, e.g. GDPR, for the organisation. On the other hand, little attention was often given to the organisational structure that would be required to deliver on these legal requirements, and to what systems could best support the organisation in this.
For any comprehensive privacy programme to succeed, it requires the involvement of the entire organisation. It necessitates the assignment of several tasks within the organisation, in particular to the process, system, and contract owners. It entails assigning clear responsibilities to the roles in the organisation, providing clear guidance, and offering the best possible tools to make the management of the day-to-day responsibilities of these operational resources as uncomplicated and effective as possible.
Over the last couple of years, we have witnessed a clear trend towards implementing foundational technological capabilities to scale, automate, standardise and effectively manage and govern data in the organisation. We can see how organisations that are using state-of-the-art tools to manage their data protection programme are better equipped to demonstrate that they are in control, how it requires less effort to keep their documentation updated, and how it strengthens their monitoring and reporting capabilities. Due to the significant increase in data collection and in reasoning over personal data as an intentional business strategy, organisations need to embrace the best possible solutions that are available to effectively manage their data management processes.
The viable privacy programme
Another consequence of a predominantly legal-centric approach is the limited focus on how to ingrain privacy management into the business processes and culture of the organisation. The result of this will be that the privacy programme is seen as a compliance add-on by the rest of the organisation, rather than as a critical component to be incorporated into existing business processes.
It is very difficult to succeed without having had the strategic discussion with the executive management on the role of data protection for the organisation. This entails defining the target state for privacy for the organisation in question, considering the nature of the business, the risk tolerance level and the various risk implications (commercial, legal, reputational, financial) of various options.
Until the strategic direction has been agreed, and the role of privacy management is understood and aligned with the executive management, it will remain challenging to take the next step and define what this means in practice for the organisation. Without having achieved top-level buy-in, without having a clear direction, without having a commitment to an ambition level, and an understanding of what it will require in practice from an organisational and financial perspective, the intended privacy programme cannot attain the longevity needed to become a success.
The tone from the top is critical for the cultural change that is an essential component for any type of transformational exercise.
The valuable privacy programme
No two organisations are alike. And a one-size-fits-all approach rarely works for privacy programmes. This is one of the primary reasons why we see so many organisations having to redesign their privacy programmes in Europe with a GDPR 2.0 reassurance exercise. This causes lost momentum, the risk of organisational fatigue and added cost.
The objective of every privacy programme needs to represent the purpose and the business of the organisation. Whether you are a global B2B manufacturing company with thousands of employees, a global retailer with millions of customers, or a small national recruitment company, data privacy will have a role to play. But the role will vary – significantly.
It is critical, when designing the privacy programme, that the “architect” considers the nature of the business that the programme is going to support. If the privacy programme does not take into consideration the specific objectives of the organisation, but instead attempts to define new stand-alone privacy-centric objectives, the risk of organisational disengagement and possible pushback is significant.
Hence, the privacy programme needs to take its starting point in the overall business strategy of the organisation, and then define the key objectives that it must succeed with to support the business objectives.
For a global B2B organisation with thousands of employees, but limited processing of customers’ personal data, the focus could be on protection of employee data and the smooth onboarding of new business units. For a global retailer with millions of customers and growing online sales, the focus could be to support the online business with privacy-friendly processes to successfully grow the new sales channel.
What is important is that the “architect” understands the landscape on which the privacy programme will be built. By designing a programme that fits the organisation’s needs and supports the organisation in delivering on its strategic objectives, the privacy programme will immediately be perceived as value-creating rather than as a cumbersome compliance exercise that the organisation will do its best to circumvent.