4 Responsibilities of a Privacy Program Manager

A Privacy Program Manager is responsible for managing and operationalizing a corporate privacy program across the company. Their most important responsibility is to be ACCOUNTABLE for the safekeeping and responsible use of personal information - not just to investors and regulators but to the everyday consumer, vendors, partners and employees.

4 key responsibilities include;

  1. Identify privacy obligations for the company

  2. Identify business, employee and customer privacy risks

  3. Identify existing documentation, policies and procedures.

  4. Create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program that is aligned with corporate strategy. Dont forget that your corporate policies have a lifecycle -

    • Draft - inward facing policies, aligned and consistent across the organization

    • Approved - from decision makers and stakeholders

    • Disseminate and train all employees

    • Review and revise policies regularly. In all our clients this process is done in a quarterly basis or immediately after a breach or the business changes for example a merger or acquisition.

  5. Continuously maintain and improve the privacy program

5 Goals of a Privacy Program

A successful privacy program will integrate privacy requirements and procedures into the functional areas across and organization.

  1. Demonstrate compliance with applicable laws and regulations

  2. Promote customer trust and confidence

  3. Enhance an organization’s reputation

  4. Facilitate privacy program awareness with employees, customers, partners and service providers.

  5. Respond to privacy breaches

6 elements to include in your Privacy Program Scope and Charter

  1. Business teams and their requirements

  2. Global and local laws, regulations and standards driving compliance

  3. Risk tolerance levels, cultural expectations and perspectives - values regarding privacy

  4. Types of personal information collected, stored and processed

  5. Regulatory changes that need to be observed (for example in USA, this would be state law changes)

  6. Privacy challenges

Now you have a Privacy Program Scope, next create a Privacy Strategy

A privacy strategy lays out your organization’s privacy program. The privacy strategy explains WHY is privacy important to your organization.

Generally this strategy crossed multiple functions in your company therefore it is important to consider;

  1. Business alignment of goals

  2. Data governance of personal information

Often missed but CRITICAL - procedures for handling inquiries or complaints. ** We recommend you review our DSR App to help automate, track and simplify this process for you **

Now you have a Privacy Strategy, next create a Privacy Framework

A Privacy Framework is the structure that the privacy program will take. The framework provides a series of implementation road-maps that guide the privacy teams through privacy management. This framework also prompts and reminds them for all the details required for each privacy relevant decision.

3 elements of a privacy framework are;

  1. Laws, legal policies, regulations and programs. Laws you need to be aware of are;

    • PIPEDA - Candadian Personal Information Protection and Electronics Documents Act.

    • APPs - Australian Privacy Principles

    • EU-GDPR - European General Data Protection Regulation

    • EU-U.S. - Privacy Shield (a data transfer mechanism that replaced the safe harbor framework).

    • HIPAA - Health Insurance Portability and Accountability Act.

    • Example of a local legal framework is CNIL, France’s Commission.

  2. Principles, standards and guidelines. Examples of principles and standards you need to know about are;

    • Fair Information Practice [FIPS] - these provide basic privacy principles that cross several modern frameworks such as EU-GDPR e.g. Rights of individuals, Controls on Information, Information Lifecycle and Management.

    • The organization for economic cooperation and development [OECD], protection of privacy and transborder flows of personal data.

    • The American Institute of Certified Public Accountants [AICPA], have a privacy task force and created the GAPP - Generally Accepted Privacy Principles.

    • The Canadian Standards Association [CSA].

    • The APEC Privacy Framework, enables Asia-Pacific data transfers.

    • Finally a topic we have focused on previously in our blog - BINDING CORPORATE RULES.

  3. Privacy Program activities - program plans (and sub-plans and tasks). Examples of solutions you need to be aware of are;

    • Privacy By Design - ensures privacy protection at every stage of product development

    • The National Institute of Standards and Technologies [NIST] - provides the concept of privacy in engineering and risk management in federal systems.

    • AICPA and CICA created WebTrust, once an accountant is certified they can conduct privacy evaluations.

    • Natuvion has a set of processes and templates that span the 99 articles to help with rapid program management and implementation of compliance both in your core SAP systems but also through a transformation program to S/4HANA.

  4. Organization communication plan to ensure continuous alignment to laws and regulations

The benefits of a privacy framework are;

  1. Risk Reduction - Avoid or plan for the risk of data loss, plan for an audit.

  2. Helps to sustain market value and reputation of your company

  3. Provides measurements/metrics for compliance to the law, regulation and standards.

How does your organization title its privacy leaders?

iAPP.org states that the title an organization used to denote its privacy leaders may tell a lot about its approach to privacy. They state the most popular 5 terms are;

1) Privacy Officer

2) Chief of Privacy, or Chief Privacy Officer

3) Counsel

4) Security Director

5) Vice President of Privacy

So you have a privacy leader, where do they fit within your organization?

While iAPP states there is no standard organization structure for privacy across organizations, Natuvion’s GDPR or transformation projects have consistently worked with 3 business functions; a legal or DPPO team, business analyst team and technical team (IT). The GDPR project itself was driven by Legal or a DPPO [Data Protection and Privacy Office], with each function running a sub-project for their related actions.

So you have a privacy leader, do you have privacy vision?

A privacy mission statement or vision document has the goal of communicating your company’s privacy position to all stakeholders and is always used in company wide education too.

Elements of a privacy vision

1) Value or privacy to the organization

2) Organizational objectives

3) Strategies to achieve intended outcomes

4) Roles and responsibilities - for example, only trained and authorized employees will have permission to work with personal data.