Privacy Governance Model

GDPR compliance

There are many aspects to the compliance process, and the GDPR (like any other piece of legislation) is a complex and perplexing subject. In this article, we will focus closely on one important part of your compliance journey: the Privacy Governance Model.

• How to divide responsibilities between different roles and different departments?
• What is the role of the DPO in this process (it is not what you think)?
• Where does the DPO fit in? How to implement a privacy program?


What are the organization’s GDPR responsibilities?

When organizations face a big regulatory change like the GDPR, it is always initially challenging to set expectations around responsibilities within the organization.

As with any compliance effort, employees in many organizational roles are involved in maintaining compliance. This is especially true of the GDPR, because many departments base their business models on the processing of personal data.

Anyone who has ever been part of a complex business initiative knows that no program can succeed within an organization without a clear segregation of duties.

For example, even an average household with a family of four needs division of duties.

Typically, one of the adults needs to be in charge of paying the bills, servicing the car, feeding the cat, talking to teachers at school, etc.

Some families like to be flexible and agree on responsibilities every morning, depending on individuals’ obligations for the day.

Some families prefer a clear division, where the father takes the kids to school every day and services the car, the mother pays the bills and feeds the cat, and the kids take out the trash, clean the garage, etc.

Comparing the household example to GDPR compliance for a big organization should paint a clear picture of why a clear division of responsibilities within the organization is necessary.

Just swap cleaning for data minimization, taking out the trash for data removal, servicing the car for keeping records of processing up to date, etc. Also, swap a family of four for an organization of 50, 100, 500, 1,000, or more employees, and that’s it. Well, not quite…


How to implement the right GDPR privacy program?

There are three key steps necessary to implement a proactive privacy program:

• defining your organization’s privacy vision and mission statement
• defining your privacy strategy
• structuring your privacy team

Step three is the most important when talking about GDPR responsibilities, because the efficiency of the program depends heavily on the efficiency and visibility of the core privacy team.

Privacy vision and mission statements are out of scope for this article, as is privacy strategy. However, let’s briefly consider how much the structure of the privacy team, and the definition of privacy responsibilities, depend on the organization’s privacy strategy.

Most privacy professionals understand that building a privacy strategy may mean changing the mindset and perspective of an entire organization.

Effectively protecting personal information within an organization requires every member of the organization to do his or her share.


Most organizations have done their due diligence and have thoroughly analyzed and even changed some of their business processes.

They have created and documented procedures defining how to reconcile their daily operations with personal data protection. These procedures include checklists for releasing a new product or a service, changing vendors or IT systems, or even keeping existing data processing inventories up-to-date.

It should be clear that management needs to approve funding to resource and equip your privacy team, fund privacy software, support privacy training and awareness, and hold employees accountable for following privacy policies and procedures.

Marketing and sales must secure business contact data and respect the choices of the individuals concerned.

IT must incorporate adequate security controls, build secure websites, and create solutions that collect and use only the data necessary to accomplish the stated purpose.

In short, all employees must understand and employ the fundamental practices required to protect personal data—from secure methods to collect, store and transmit personal data through to secure methods of data retention and data removal.

Everyone in your organization has a role to play in protecting the personal information it collects, uses, and discloses.

When talking about GDPR compliance, there is one common problem with new procedures: they are still not integrated into daily business. The most important reason is that privacy responsibilities are not defined correctly or are not put into practice.

This may be because your organization is in the early stages of implementing a holistic privacy program, and your privacy team is still under-staffed or lacks visibility to core business owners.

How to structure your privacy team?

To align with the defined privacy strategy, an organization needs to structure a privacy team. How the organization structures the privacy team usually determines an organization’s privacy governance model.

Unlike a typical family of four, which cannot increase its numbers to comply with a new law, your organization will have to employ more people for privacy management if the privacy team is understaffed.

When adding new members to the team, it is essential to know what their responsibilities will be.

Even if your organization does not grow in numbers, existing staff will eventually switch between roles and get new data protection responsibilities alongside their current responsibilities.

Structuring the privacy team involves a number of decisions:

• defining the role of each team member,
• positioning within the organization (under legal, or IT, or other),
• management support,
• or even geographical location for international organizations.

One of the best ways to start is for the privacy team to identify key stakeholders. Key stakeholders are the people upon whose engagement the success of the privacy program depends. Data Protection Officers and privacy experts within the organization are usually very engaged by default.

However, organizations typically fail when it comes to the involvement of business owners.

Business owners’ primary focus is not privacy, even when their business model depends on processing personal data. They care about their KPIs, which later translate into income and profit. Privacy may or may not be a priority for them.

It is the responsibility of the privacy team to build alliances with business owners and establish a business line privacy leader role within the organization.

Once key stakeholders are identified, they need to be educated about the importance of data protection and about the organization’s privacy strategy, policies, and procedures.

Ideally, the privacy team should create helpful checklists, promote privacy awareness, and define tasks within their responsibility. Every product or service line within the company needs to have records of processing activities that need to be up-to-date.

The privacy team should consider the organizational structure, as it relates to strategy, operations, and management, when assigning responsibilities and reporting lines.

For both large and small organizations, the team should be familiar with the operations and privacy needs of the following offices:

• Chief privacy officer
• Privacy manager
• Privacy analyst
• Business line privacy leaders
• “First responders,” incident response and computer security incident response team
• Data Protection Officers

Keeping the records of processing activities up to date is a responsibility of the business owners.

This arrangement is the most common privacy governance model, usually called the Decentralized or Local model. With this structure, business owners within your organization are aware of, and bear responsibility for, data protection matters within their scope of operations.

They need to be educated about general GDPR requirements. Moreover, they need to understand how to reconcile their business with the regulation.

They also need to trust the organization’s privacy team to help them run their business and stay GDPR compliant, by giving the right advice and being proactive when solving issues.

Another privacy governance model that we see is the Centralized model. It is a common model that fits organizations accustomed to centralized functions, where planning and decision making are done by one team.

A centralized privacy governance model leaves one team or person responsible for privacy-related affairs, and this person is usually the DPO. This means that all GDPR-related matters flow through this single point.


What is the organizational position of the DPO?

Throughout this article, we wrote about privacy experts and privacy teams. Where does the DPO fit in?

Some organizations have the DPO as part of the privacy team. In others, the DPO is the team, and sometimes the DPO role is more independent, with the privacy team doing the fieldwork and the DPO monitoring overall GDPR compliance.

The DPO can be an employee of the organization. However, the role can also be outsourced.

The GDPR (Article 37(5)) provides that DPOs “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks set out in the Regulation.”

There are no particular qualifications or certifications specified in the GDPR, but organizations should consider the necessary skills and expertise to include:

• expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR;
• understanding of the processing operations carried out;
• understanding of information technologies and data security;
• insight into the business sector and the organization;
• the ability to promote a data protection culture within the organization.


The role of the DPO may be contracted out to an external service provider, who may be a natural person or a legal person (e.g., a limited company). In the latter case, the WP29 recommends that, for reasons of legal clarity and good organization, the contractor should designate a named person as the lead contact for the organization.

The DPO’s primary concern should be enabling GDPR compliance, and having sufficient time to devote to DPO tasks is paramount. Where DPOs have other duties, these must not be incompatible with their DPO functions.

Examples given by the Article 29 Working Party (WP29, now succeeded by the European Data Protection Board) of roles that would conflict with the DPO’s responsibilities include:

• Chief Executive Officer;
• Chief Operating Officer;
• Chief Financial Officer;
• Chief Medical Officer;
• Head of Marketing;
• Head of Human Resources;
• Head of IT.

You should position the DPO in line with the following criteria:

• Our DPO reports directly to our highest level of management and is given the required independence to perform their tasks.
• We involve our DPO, promptly, in all issues relating to the protection of personal data.
• Our DPO is sufficiently well resourced to be able to perform their tasks.
• We do not penalize the DPO for performing their duties.
• We ensure that any other tasks or duties we assign our DPO do not result in a conflict of interest with their role as a DPO.


How to maintain the Records of processing activities in different privacy governance models?

A good indication of an organization’s privacy maturity and governance model is how it governs its processing inventory.

Centralized governance models are usually implemented in such a way that the DPO is responsible for creating and maintaining the inventory, initiating and carrying out privacy impact assessments, managing privacy assets, etc.


We strongly discourage complex organizations from using centralized models of privacy management, and recommend that they decentralize privacy management as much as possible.

The reason is that this amount of fieldwork usually overloads the DPO, blurring their view of overall compliance and preventing them from effectively building partnerships with the business and promoting data protection in the organization.

Recommendation for implementing privacy program

The only way an organization can achieve and maintain its GDPR compliance is by implementing a holistic privacy program. Implementing a privacy program means identifying key stakeholders and usually forming a privacy team.

The DPO can be a part of this team but does not have to be. Once you build your privacy team and position it within the organizational structure, every member of the team must have clear responsibilities for maintaining GDPR compliance.

And it is not just the privacy team who should be aware of and actively work on GDPR compliance. It is also the business owners and senior management. The business owners should be, or should appoint, business line privacy leaders.

Their responsibility is to make sure that the organization’s privacy policies and procedures are followed at every step of the business process.
