Privacy considerations exist throughout many areas of an organization. Privacy is not just a natural human right or the adherence to set legislations. Privacy is about how organizations value the data they collect and how they treat and protect the subjects of those records.
These privacy requirements create urgency for a cross-functional privacy team. In the digital world, far too many risk vectors exist for one single department or in some cases, person, to manage privacy for an organization. This approach is a risk in and of itself.
One Size Does Not Fit All
Every organization has its own nuances. These nuances and requirements will dictate the best structure for your privacy team. To find your key team members or privacy champions, it is best to start with the key activities and processes included within the privacy program’s purview:
• Those within the data identification and data protection domain
• Those involved with risk assessment, management and identification
• Those involved with operationalizing and strategically implementing the risk findings and their mitigations
• Regulatory and compliance management
• Those creating and owning privacy by design processes
Privacy and the Organization: A Scenario
The driving point of this article is simple: while there is an “I” in privacy, there isn’t an “I” in team. Every aspect of a well-designed privacy program requires coordination and collaboration.
To further emphasize this need, let’s look at a scenario: a large SaaS company is looking into expanding a product offering into the European Union. The organization has enough experience and understands what is required to introduce, scale, grow and maintain the product, but there are concerns with the new marketplace and newly released regulation: GDPR.
To calm any fears and approach the new operating region with strength and confidence, the company’s leadership decides to run through an analysis of their current infrastructure that will then be replicated in the EU.
First, they decide to better understand the data within the environment and its dependencies.
This data identification process alone requires the engagement of multiple teams:
• Infrastructure teams
• Business and technical operations
• Product owners
• Subject matter experts
In the next discovery phase, potential risk exposures are evaluated. Each privacy risk contains multiple elements that contribute to its risk score and mitigation. Multiple teams are needed to support and complete this effort:
• Risk management
• Compliance, legal, and privacy
As the evaluation ends, the stewards of the privacy assessment compile the findings and work to define a strategy to operationalize what has been identified.
Operationalizing involves decisions as to whether data will remain, be purged, anonymized or migrated to alternative databases and regions. The infrastructure and information security teams will weigh performance, feasibility (budget, technical) and the security options before implementing.
In concert, the legal, compliance and risk management practitioners will evaluate how the final decision complies with GDPR and how to mitigate any potential risk with insurance or other hedging tactics.
As you can see, a privacy team is made up of diverse entities. In a best-case scenario, the privacy team has a day-to-day manager who guides and initiates these requirements, but they don’t do this alone. They have a committee of privacy champions. These champions come from all areas of the business; they provide the committee with a comprehensive view of what is occurring throughout the organization, what data is being collected and how privacy may be affected.
The natural inclination is to place the responsibility of privacy on the legal department, assign risk management to risk, security to security and so on, defining silos that may or may not collaborate. In our dynamic, connected world, this is not feasible.
Moving to a cross-functional team and committee is the best scenario and one that all organizations should look to employ. Privacy is truly a team sport.
About the Authors
Christina Whiting is the managing director of enterprise risk and compliance at Tevora.
David Grazer is the privacy practice lead for enterprise risk and compliance at Tevora.