Skip to Main Content
Main Menu
Article

Simply Irresistible: How to Build a Privacy Program That Actually Works

July 16, 2026

If you’ve ever found yourself buried under a 47-page audit remediation report, convinced that your privacy program is somehow uniquely broken, Ryan Boos has a message for you: you’re not alone. And more importantly, you’re probably overcomplicating it.

In a recent episode of the award-winning Serious Privacy podcast, TrustArc Field Privacy Strategist Ryan Boos joined hosts Dr. K Royal and Ralph O’Brien to talk about one of the most persistent challenges in privacy: building programs that are actually operational, sustainable, and right-sized for the organization they serve.

The GDPR Panic and Its Lasting Fallout

Cast your mind back to 2018. GDPR had just gone live, audit firms were in high demand, and organizations across every industry were scrambling to get compliant. The resulting reports were thorough, sometimes painfully so. Lengthy lists of remediations landed on the desks of privacy professionals who had neither the resources nor the time to tackle them all at once.

The instinct, understandably, was to treat those reports like checklists. Tick every box. Build every process. Document everything. The result, in many cases, was massive, unwieldy privacy programs that consumed enormous energy while delivering questionable returns.

“You can very easily have a huge, massive privacy program with very little privacy risk. You can’t let perfect be the enemy of good.”

Ryan Boos, TrustArc Field Privacy Strategist

That insight sits at the heart of what Boos calls the simplification of privacy programs, and it’s an argument that deserves a much wider audience than it typically gets.

Right-Sizing: The Most Important Concept You’re Not Talking About

During his six years building and running GE Aerospace’s privacy program, Boos noticed a pattern. A significant portion of his week was spent in software development lifecycle calls asking three questions: What data do you have? Why should I care? And what are we doing about it? The answer, 90% of the time, was first name, last name, email, and SSO credentials.

“I’m not changing my security schema based on that information,” he said. “We were B2B. We’re not really collecting consumer data. I’m spending a lot of time writing PIAs and doing assessments for information that we’re really not ever going to have a regulator look at.”

This is the crux of right-sizing. It’s not about cutting corners, it’s about doing the honest analytical work of asking: given our business model, our data flows, our regulatory exposure, and our actual risk, where should our limited resources go?

Boos and his team approached this by examining the TrustArc Privacy Management Accountability Framework, a structured approach to understanding what a privacy program actually needs to accomplish, and then making deliberate decisions about which components applied to their specific context. They blended some areas, cut others, added new ones, and arrived at six core pillars that reflected the actual risk profile of the organization.

The PMAF is the same structured blueprint Ryan’s team used to right-size their program, and it’s yours to use, too.

Request the PMAF

The Risk-to-the-Individual Question

Ralph O’Brien raised a point that often gets lost in compliance-focused conversations: what about the risk to the individual whose data you’re processing?

It’s a fair challenge. When privacy programs are built defensively, designed to generate documentation that will satisfy a regulator, the actual human beings whose data is at stake can become secondary. DPIAs get filed on shelves. Legitimate interests assessments get completed but not acted upon. The means becomes the end.

Boos’s response was practical. Individual rights were woven into the security posture from the start. Data minimization was applied at the design stage. Access controls were questioned at every turn. When HR wanted access to security footage, they had to justify it. They couldn’t.

“When did the means become the end?” O’Brien asked. It’s a question every privacy team should put to themselves periodically. Compliance documentation is necessary. But that is not the point.

Cross-Functionality Is Not Optional

One of the clearest themes throughout the conversation was the danger of siloing privacy within a single function, whether that’s legal, IT, or compliance.

Boos noted that legal professionals often excel at proportionality and minimization arguments but may not fully understand what it means for data to sit on a server in Ireland versus one in Tasmania. IT professionals understand the controls but may not think through individual rights implications. Neither perspective alone is sufficient.

Privacy programs that work are cross-functional by design. They bring together legal, IT, security, HR, and business functions as an integrated operating model.

Teaching People to Fish

Boos now sits in an advisory role at TrustArc, and the shift from practitioner to advisor has sharpened his perspective on what organizations actually need. More often than not, it isn’t more vendors or more contractors filling out forms. It’s a clearer view of their own risk profile, and a realistic plan for addressing it with the resources they have.

“Let’s get you in a place where your current resources are enough to satisfy what you need,” he said. “And if they’re not enough, let’s build a justification for how you get more resources.”

That framing, building the business case for privacy investment, is something many programs still struggle with. But it’s far more sustainable than quietly absorbing an impossible workload until something breaks.

Multi-year planning matters here too. Privacy ecosystems change. Laws evolve. Teams grow and shrink. A good program plan builds in the flexibility to shift priorities as the environment shifts, rather than locking into a rigid three-year roadmap that becomes obsolete within six months.

You Are Not Alone (Even When It Feels That Way)

Perhaps the most humanizing moment in the conversation came when Boos reflected on what he hears again and again from privacy professionals: a sense of isolation. The feeling that everyone else has figured it out, and you’re the only one struggling with resource constraints, competing priorities, and leadership that doesn’t quite understand why any of this matters.

“Every privacy program, no matter where you’re at on the maturity scale, has these similar issues,” he said.

Dr. K Royal offered her own version of this: years of running effective global privacy programs with essentially no budget beyond her own salary. Ralph O’Brien compared privacy professional gatherings to therapy sessions; a room full of people relieved to discover they’re not uniquely broken.

The simplification of privacy programs is an acknowledgment that most privacy professionals are working with imperfect resources in complex environments, and that good enough (thoughtfully defined, risk-calibrated, and consistently executed) is genuinely good.

Not sure if your program is right-sized or just overbuilt?

Talk to a TrustArc Privacy Advisor

Get the latest resources sent to your inbox

Subscribe
Back to Top