Privacy Program Manager

5 Responsibilities of a Privacy Program Manager

A Privacy Program Manager is responsible for managing and operationalizing a corporate privacy program across the company. Their most important responsibility is to be ACCOUNTABLE for the safekeeping and responsible use of personal information - not just to investors and regulators, but also to everyday consumers, vendors, partners and employees.

The 5 key responsibilities are:

  1. Identify privacy obligations for the company

  2. Identify business, employee and customer privacy risks

  3. Identify existing documentation, policies and procedures.

  4. Create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program aligned with corporate strategy. Don't forget that corporate policies have a lifecycle:

    • Draft - inward-facing policies, aligned and consistent across the organization

    • Approve - obtain sign-off from decision makers and stakeholders

    • Disseminate - publish the policy and train all employees

    • Review - revise policies regularly. Across our clients this is done on a quarterly basis, or immediately after a breach or a business change such as a merger or acquisition.

  5. Continuously maintain and improve the privacy program

5 Goals of a Privacy Program

A successful privacy program integrates privacy requirements and procedures into the functional areas across an organization.

  1. Demonstrate compliance with applicable laws and regulations

  2. Promote customer trust and confidence

  3. Enhance an organization’s reputation

  4. Facilitate privacy program awareness with employees, customers, partners and service providers.

  5. Respond to privacy breaches

Do you have a privacy governance model?

To manage privacy in your company you need a team. Its size obviously varies with the size of the organization, and its structure can flex to match your organizational structure and goals. Regardless of size, an organization MUST have a named privacy contact and designated “first responders” for privacy incidents.

While there is no perfect privacy governance model, these are the three most popular ways to organize such a team:

1) Hybrid

This model combines a centralized team with decentralized (local) teams, and we have seen it work well. Generally one organization is responsible for privacy: a Data Protection and Privacy Office [DPPO] owns all the privacy processes in the company, heavily supported by the legal team. Each functional organization then has a person or sub-team responsible for privacy within that function, with a dotted reporting line into the DPPO. In our experience this is the best way for a large organization to structure its teams for compliance and communication, as long as those employees are empowered to make decisions. We have also seen this model work well in smaller organizations where one person leads privacy in addition to their other responsibilities.

2) Localized/Decentralized

Privacy decision-making is delegated to the individual functions or lower levels of the organization, with no single owning office.

3) Centralized

A single team is responsible for all privacy-related actions. In our experience this model comes with significant issues. In the large organizations where we saw it in practice, many functions felt isolated and unaware of what contribution they were expected to make to the privacy program, and when; this caused significant confusion and made planning difficult.

The DPO Role

EU-GDPR (Article 37) requires all public authorities in the EU, and many private organizations, to appoint a Data Protection Officer. Private organizations that must appoint a DPO are those whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (or data relating to criminal convictions). The Article 29 Working Party (now the European Data Protection Board) advised that organizations should err on the side of caution when deciding whether they need one.

We previously wrote a blog post on the DPO role, and you can read more here.

6 elements to include in your Privacy Program Scope and Charter

  1. Business teams and their requirements

  2. Global and local laws, regulations and standards driving compliance

  3. Risk tolerance levels, cultural expectations and perspectives - values regarding privacy

  4. Types of personal information collected, stored and processed

  5. Regulatory changes that need to be observed (for example in USA, this would be state law changes)

  6. Privacy challenges

Now you have a Privacy Program Scope, next create a Privacy Strategy

A privacy strategy lays out your organization’s privacy program. It explains WHY privacy is important to your organization.

Generally this strategy crosses multiple functions in your company, so it is important to consider:

  1. Business alignment of goals

  2. Data governance of personal information

Often missed but CRITICAL - procedures for handling inquiries, complaints and data subject requests. ** We recommend you review our DSR App to help automate, track and simplify this process for you **

Now you have a Privacy Strategy, next create a Privacy Framework

A Privacy Framework is the structure that the privacy program will take. It provides a series of implementation road-maps that guide the privacy teams through privacy management, and it prompts them for the details required for each privacy-relevant decision.

The 4 elements of a privacy framework are:

  1. Laws, legal policies, regulations and programs. Laws you need to be aware of include:

    • PIPEDA - Canada’s Personal Information Protection and Electronic Documents Act.

    • APPs - Australian Privacy Principles

    • EU-GDPR - European General Data Protection Regulation

    • EU-U.S. Privacy Shield - a data transfer mechanism that replaced the Safe Harbor framework. Note that the Court of Justice of the EU invalidated Privacy Shield in the Schrems II judgment (July 2020); transfers to the U.S. now rely on the EU-U.S. Data Privacy Framework (adequacy decision of July 2023) or on standard contractual clauses with a transfer impact assessment.

    • HIPAA - Health Insurance Portability and Accountability Act.

    • An example of a national supervisory authority is CNIL, France’s Commission Nationale de l’Informatique et des Libertés, which enforces GDPR and local law in France.

  2. Principles, standards and guidelines. Examples of principles and standards you need to know about are:

    • Fair Information Practice Principles [FIPPs] (not to be confused with NIST FIPS) - basic privacy principles that underpin several modern frameworks such as EU-GDPR, e.g. rights of individuals, controls on information, and information lifecycle management.

    • The Organisation for Economic Co-operation and Development [OECD] Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

    • The American Institute of Certified Public Accountants [AICPA], whose privacy task force created the GAPP - Generally Accepted Privacy Principles.

    • The Canadian Standards Association [CSA] Model Code for the Protection of Personal Information, the basis of PIPEDA’s principles.

    • The APEC Privacy Framework, which enables Asia-Pacific data transfers and underpins the APEC Cross-Border Privacy Rules system.

    • Finally, a topic we have covered previously in our blog - BINDING CORPORATE RULES.

  3. Privacy program activities - program plans (and sub-plans and tasks). Examples of solutions you need to be aware of are:

    • Privacy by Design - builds privacy protection into every stage of product development

    • The National Institute of Standards and Technology [NIST] - provides guidance on privacy engineering and risk management in federal systems (NISTIR 8062).

    • AICPA and CICA created WebTrust; once certified, an accountant can conduct privacy evaluations.

    • Natuvion has a set of processes and templates spanning GDPR’s 99 articles to help with rapid program management and implementation of compliance, both in your core SAP systems and through a transformation program to S/4HANA.

  4. Organizational communication plan to ensure continuous alignment with laws and regulations

The benefits of a privacy framework are:

  1. Risk reduction - avoid or plan for the risk of data loss, and be prepared for an audit.

  2. Helps to sustain market value and reputation of your company

  3. Provides measurements/metrics for compliance with laws, regulations and standards.