CIPM

4 Responsibilities of a Privacy Program Manager

A Privacy Program Manager is responsible for managing and operationalizing a corporate privacy program across the company. Their most important responsibility is to be ACCOUNTABLE for the safekeeping and responsible use of personal information - not just to investors and regulators but to the everyday consumer, vendors, partners and employees.

4 key responsibilities include:

  1. Identify privacy obligations for the company

  2. Identify business, employee and customer privacy risks

  3. Identify existing documentation, policies and procedures.

  4. Create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program that is aligned with corporate strategy. Don't forget that your corporate policies have a lifecycle:

    • Draft: inward-facing policies, aligned and consistent across the organization

    • Approved: by decision makers and stakeholders

    • Disseminate: publish the policies and train all employees

    • Review and revise policies regularly. With all our clients this process is done on a quarterly basis, or immediately after a breach or a business change such as a merger or acquisition.

  5. Continuously maintain and improve the privacy program

5 Goals of a Privacy Program

A successful privacy program integrates privacy requirements and procedures into the functional areas across an organization.

  1. Demonstrate compliance with applicable laws and regulations

  2. Promote customer trust and confidence

  3. Enhance an organization’s reputation

  4. Facilitate privacy program awareness with employees, customers, partners and service providers.

  5. Respond to privacy breaches

Do you have a privacy governance model?

To manage privacy in your company you need a team. The team's size varies with the size of the organization, and its structure can be adapted to your organization's structure and goals. Regardless of size, an organization MUST have a designated contact for privacy and designated “first responders” to privacy incidents.

While there is no perfect privacy governance model, these are the three most popular ways to organize such a team:

1) Hybrid

This model combines a centralized and a decentralized (local) team. We have seen this work well. Generally one organization is responsible for privacy: usually a Data Protection and Privacy Office [DPPO] owns all the privacy processes in a company (heavily supported by a legal team). Each functional organization then has a person or sub-team responsible for privacy within that function, with a dotted reporting line into the DPPO. In our experience, for a large organization this is the best way to structure your teams for optimal compliance and communication, as long as your employees are empowered to make decisions. Even in a smaller organization, where one person is assigned to lead privacy in addition to their other responsibilities, we have seen this scenario work well.

2) Localized/Decentralized

Privacy decision making is delegated to the lower levels of an organization.

3) Centralized

Just one team is responsible for all privacy-related actions. In our experience this one comes with significant issues. In large organizations where we saw this in practice, many of the functions felt isolated and unaware of what contribution they were supposed to make to the privacy program, and when; this caused a significant amount of confusion and an inability to plan.

The DPO Role

The EU GDPR requires all public authorities in the EU, and many private organizations, to appoint a Data Protection Officer. Private organizations that must appoint a DPO are those that process personal data in high volumes or consistently process highly sensitive data. The Article 29 Working Party states that companies should err on the side of caution.

We previously wrote a blog on the topic of the DPO and you can read more here.

How does your organization title its privacy leaders?

iAPP.org states that the title an organization uses to denote its privacy leaders may tell a lot about its approach to privacy. They state the five most popular titles are:

1) Privacy Officer

2) Chief of Privacy, or Chief Privacy Officer

3) Counsel

4) Security Director

5) Vice President of Privacy

So you have a privacy leader, where do they fit within your organization?

While iAPP states there is no standard organization structure for privacy across organizations, Natuvion’s GDPR or transformation projects have consistently worked with 3 business functions: a legal or DPPO team, a business analyst team and a technical team (IT). The GDPR project itself was driven by Legal or a DPPO [Data Protection and Privacy Office], with each function running a sub-project for its related actions.

So you have a privacy leader, but do you have a privacy vision?

A privacy mission statement or vision document has the goal of communicating your company’s privacy position to all stakeholders, and it is also used in company-wide privacy education.

Elements of a privacy vision

1) Value of privacy to the organization

2) Organizational objectives

3) Strategies to achieve intended outcomes

4) Roles and responsibilities: for example, only trained and authorized employees will have permission to work with personal data.