How to choose the right Privacy Governance Model

There are many aspects of the compliance process, however, this article will focus closely on choosing the right Privacy Governance Model. We will answer the most pressing questions like:

1. How to divide responsibilities between different roles and different departments?
2. How to start your privacy program?
3. How to structure a privacy team?
4. Identifying key stakeholders
5. Types of privacy governance model
6. What is the role of a Data Protection Officer in this process (it is not what you think)?
7. How to implement a privacy program?

1.Defining responsibilities

When organizations face regulatory changes, like the one imposed by the GDPR or the CCPA, it is always initially challenging to set expectations around responsibilities within the organization.

There can be a number of employees from multiple organizational roles included in the process of compliance maintenance which can complicate the process.

To anyone who has ever been a part of a complex initiative within the business, it is clear that the program can’t be successful if there is no clear segregation of duties. Even an average household needs a division of duties.

There are three key steps that need to be addressed in order to implement a proactive privacy program:

• Defining your organizations’ privacy vision and mission statement
• Defining your privacy strategy
• Structuring your privacy team

We will be focusing on step three because the program’s efficiency heavily depends on the efficiency and visibility of the core privacy team.

2.Starting with your privacy program

Privacy professionals understand that building a privacy strategy means changing the mindset and perspective of an entire organization.

Effectively protecting personal information within the organization requires every member of the organization to do their share.

Most organizations have done their due diligence and have thoroughly analyzed and even changed some of their business processes, by creating and documenting procedures or defining how to reconcile their daily operations with personal data protection.

These procedures include checklists for releasing a new product or a service, changing vendors or IT systems, or keeping existing data processing inventories up-to-date.

It should be clear that management needs to approve funding to resource and equip your privacy team, fund privacy software, support privacy training and awareness, and hold employees accountable for following privacy policies and procedures.

Marketing and sales must secure business contact data and respect the choices of these individuals.

IT must incorporate adequate security controls, build safe websites, and create solutions that require the collection or use of only that data necessary to accomplish the purpose.

In short, all employees have to understand and employ the fundamental practices required to protect personal data. Everyone in your organization has a role to play in protecting the personal information you collect, use, and disclose.

3.How to structure your privacy team?

To align with the defined privacy strategy, an organization needs to structure a privacy team. How the organization structures the privacy team usually determines the organization’s privacy governance model.

Your organization should also consider employing more people for privacy management if the privacy team is understaffed. When adding new members to the team, it is essential to know what their responsibilities will be.

Even if your organization does not grow in numbers, existing staff will eventually have to switch between roles and get new data protection responsibilities alongside their current responsibilities.

The privacy team can be structured in a number of ways:

• defining the role of each team member
• positioning within the organization (under legal, or IT, or other)
• through management support
• or even by geographical location for international organizations

Ideally, the privacy team should create helpful checklists, promote privacy awareness, and define tasks within their responsibility. Every product or service line within the company needs to have records of processing activities that need to be up-to-date.

For both large and small organizations, the team should be familiar with the operations and privacy needs of the following offices:

• Chief privacy officer
• Privacy manager
• Privacy analyst
• Business line privacy leaders
• First responders- incident response and security computer incident response team
• Data Protection Officers

4.Identifying Key Stakeholders

Key stakeholders are people upon whose engagement depends the success of the privacy program.

Data Protection Officers and privacy experts within the organization are usually very engaged by default. However, organizations typically fail when it comes to the involvement of business owners.

Business owners’ primary focus is not privacy, even when their business model depends on data processing. They care about their KPIs, later translated to income and profit. They can care more or less about privacy. 

It is the responsibility of the privacy team to make allies with business owners and build a business line privacy leader role within the organization.

Once key stakeholders are identified, they need to be educated about the importance of data protection and also about the organizations’ privacy strategy, policies, and procedures. 

5.Types of privacy governance model

Decentralized Privacy Model

The most common privacy governance model is the decentralized or local model. In the decentralized model, business owners within an organization bear responsibility for data protection matters within their scope of operations.

They need to be educated about general GDPR requirements and trust the organization’s privacy team to help them achieve their goals and stay compliant, by giving the right advice and being proactive when solving issues.

Centralized Privacy Model

Another privacy governance model is a Centralized model. It is a common model that fits well in organizations used to utilizing single-channel functions with planning and decision making completed by one team.

A centralized Privacy Governance model will leave one team or person responsible for privacy-related affairs, and this person is usually a DPO. This means that all GDPR related matters will flow through this single point.

6.What is the organizational position of the DPO?

Throughout this article, we wrote about privacy experts and privacy teams. Where does the DPO fit in?

Some organizations have the DPO as a part of the privacy team. In others, the DPO is the team, and sometimes the DPO role is more independent, having the privacy team to do the fieldwork while DPO monitors overall GDPR compliance.

The DPO can be an employee of the organization. However, the role can also be externalized.

The GDPR provides that DPOs “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks set out in the Regulation.”

There are no particular qualifications or certifications specified in the GDPR, but organizations should consider the necessary skills and expertise to include:

• expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR;
• the apprehension of the processing operations carried out;
• understanding of information technologies and data security;
• insight into the business sector and the organization; ability to promote a data protection culture within the organization.

The role of the DPO may be contracted out to an external service provider and a natural person or a legal person (e.g., a limited company). In the latter case, the WP29 recommends that for reasons of legal clarity and good organization, the contractor should designate a named person as the lead contact for the organization.

The DPOs’ primary concern should be enabling GDPR compliance, where DPO has other duties, these cannot be incompatible with the DPO functions.

Examples given by the European Data Protection Board Working Party 29 of roles that would conflict with the DPO’s responsibilities include:

• Chief Executive Officer
• Chief Operating Officer
• Chief Financial Officer
• Chief Medical Officer
• Head of Marketing
• Head of Human Resources
• Head of IT

You should position the DPO in line with the following criteria:

1. DPO reports directly to our highest level of management and is given the required independence to perform their tasks
2. DPO is involved in all issues relating to the protection of personal data
3. DPO is sufficiently well resourced to perform tasks
4. DPO is not penalized for performing their duties
5. Any other tasks or duties do not result in a conflict of interest with their role as a DPO

7.Recommendation for implementing the right privacy program

Centralized governance models are usually implemented in a way so the DPO is responsible for creating and maintaining the inventory, initiating and doing privacy impact assessments, managing privacy assets, etc.

We strongly discourage complex organizations from relying on a centralized model of privacy management and try to decentralize privacy management as much as possible.

The centralized model usually means a lot more fieldwork for the DPO, blurring DPOs’ vision of the overall compliance and disabling DPO from effectively building partnerships with business and promoting data protection in the organization.

The only way an Organization can achieve and maintain GDPR compliance is by implementing a holistic privacy program. Implementing a privacy program means identifying key stakeholders and usually forming a privacy team.

The DPO can be a part of this team but doesn’t have to. Once you build your privacy team and position it in the organizational structure, every member of the team must have clear responsibilities.

And it is not just the privacy team that should be aware and actively work on GDPR compliance. It is also the business owners and upper management.

The business owners should be or should appoint, business line privacy leaders. They should make sure that the privacy policies and procedures are followed in every step of the business process.