Do you have a privacy governance model?

To manage privacy in your company you need a team. Obviously this varies with organizational size, and there is flexibility in how the team is structured depending on your organization's structure and goals. Regardless of size, an organization MUST have a contact for privacy and designated “first responders” for privacy incidents.

While there is no perfect privacy governance model, these are the three most popular ways to organize such a team:

1) Hybrid

This model combines a centralized team with decentralized (local) teams. We have seen this work well. Generally there is one organization responsible for privacy, usually a Data Protection and Privacy Office [DPPO], which owns all the privacy processes in the company (heavily supported by a legal team). Each functional organization then has a person or sub-team responsible for privacy within that function, with a dotted reporting line into the DPPO. In our experience, for a large organization this is the best way to structure your teams for optimal compliance and communication, as long as your employees are empowered to make decisions. Even in a smaller organization, where one person is assigned to lead privacy in addition to their other responsibilities, we have seen this scenario work well.

2) Localized/Decentralized

Privacy decision making is delegated to the lower levels of an organization.

3) Centralized

Just one team is responsible for all privacy-related actions. In our experience this one comes with significant issues. In the large organizations where we saw it in practice, many of the functions felt isolated and were unaware of what contribution they were supposed to make to the privacy program, and when; this caused a significant amount of confusion and an inability to plan.

The DPO Role

The EU GDPR requires all public authorities in the EU, and many private organizations, to appoint a Data Protection Officer. The private organizations that must appoint a DPO are those that process personal data in high volumes or consistently process highly sensitive data. The Article 29 Working Party states that companies should err on the side of caution.

We previously wrote a blog on the topic of the DPO and you can read more here.