Privacy PowerUp Series #10
It’s been said by people far wiser than I that “No one person is an island unto themselves,” and nowhere is this truer than in data privacy. As a privacy professional, it can sometimes feel like you are the lone crusader in the quest for a maturing program—but being a privacy Batman is exhausting!
Developing privacy partnerships is the secret ingredient for ensuring privacy has a seat at the table within each department and decision-making process in your organization.
Here are the top five tips for fostering a privacy-forward approach across your organization.
Tip one: Build a privacy culture
Line your privacy program and priorities up for success by setting a strong privacy narrative. Often, there is an untrue assumption that privacy is a time-consuming roadblock and that the privacy team is just there to say “no” to getting things done—but this does not have to be true!
To overcome this assumption, you may need to market privacy internally. How can you demonstrate the many ways privacy can be a lift reducer, a problem solver, and a way to reduce risk and other general unpleasantness (since nobody likes a regulator knocking on the door of the Batcave)?
Aligning data protection with each team’s goals
Consider how privacy impacts departments and how they can benefit from greater data protection.
- For example, what role does privacy play in human resources? It might be respecting employee privacy, consent, and data subject rights in benefits administration, tax considerations, and disability leave.
- For Legal, this could be risk reduction, interactions with regulators and other authorities, or figuring out how to legally transfer data internationally.
- For information security, this may involve determining which technical controls can best protect personal data and allow the organization to respond to security incidents.
Each department’s priorities will be different, and some good ways to identify these are:
- Educate yourself on organization structure and department function.
- Have conversations with departments and decision-makers to hear the details straight from the source.
Next, think about ways the privacy team can support those priorities.
- From our above example, creating the Employee Privacy Notice can help guide HR.
- In the Legal example, you could identify adequacy decisions, certification frameworks, or Binding Corporate Rules as good options for transfers.
- For information security, you could provide support where incidents involve personal information. And so on.
Part of selling folks on privacy hinges on showing them how it can help, and not hinder, accomplishing their goals, which in turn can encourage them to bake privacy features into their operations from day one.
Tip two: Grow privacy partnerships
Most privacy pros—even those on larger privacy teams—would agree: everyone could use an extra set of hands. Privacy success requires the participation of many different parts of an organization. But it’s easy to forget that any and every department or employee can be a part of your network of privacy champions.
Identify core data roles
You can start by identifying which departments in your organization play core data roles (like Data Governance) or handle large amounts of personal data (like Sales), as well as ‘why’ and ‘how’ they interact with personal information.
- Ask yourself: Are these departments already part of the ‘privacy conversation’, or will you need to bring them on board?
- Consider how to support these groups by providing tailored education, guidance, and support, taking into account the special or unique ways they may be using, collecting, or protecting personal information.
Find current privacy acolytes
Next, identify individuals across the organization who are already privacy acolytes or who have an interest in how privacy can help them succeed in their roles. Keep an eye out for opportunities to foster privacy interest and passion, regardless of where in the organization it may come from (more on how you can get people engaged in tip three).
Be aware of privacy pitfalls
Finally, be aware of pain points and privacy pitfalls, such as information siloing, and encourage open lines of communication.
A top-down approach can unite the organization in a common goal for privacy maturity. An executive sponsor or two and the inclusion of privacy in the organization’s mission statement can encourage a privacy trickle-down effect.
In the other direction, regular reporting to the executive team ensures that privacy considerations (and the budget needed for the privacy program) stay on their radar.
Privacy steering committees
Privacy steering committees are another great way to set the organization’s overall privacy tone and to bring together a variety of perspectives and subject matter expertise.
- Carefully consider who should be included in this group. You will want to ensure representation from core departments that interact with personal data and ideally have a few privacy champions present to energize the group.
- Details like membership, meeting frequency, reporting, authority, and the dissemination of high-level findings will help you assemble a committee of privacy superheroes.
Tip three: Foster privacy education
Providing privacy education and awareness is key to continuing to grow your privacy culture and partnerships. Of course, onboarding and annual training are vital, but the good news is that you can augment these with additional creative approaches to increase engagement, such as newsletters, presentations, privacy bulletins and updates, and events like Data Privacy Day.
Don’t forget to account for different training needs within different roles and job functions based on when, where, how, and why they touch personal information. These efforts can help departments and employees understand how data privacy impacts their day-to-day and why their role matters for a healthy privacy program.
These activities are great because they can also spark interest in data privacy, encourage curiosity, and create the next batch of ‘privacy champions’ who can help inject privacy into their day-to-day and departmental operations. As we talked about in tip two, these partnerships are essential for spreading the word and encouraging a privacy-by-design approach across relevant departments.
Tip four: Focus on getting from point A to point B with concrete goal setting and coordination
As you’ve seen in our previous tips, privacy philosophy and priorities are vital. But don’t forget about taking the next step—turning those principles into concrete actions.
As anyone who does privacy assessments can tell you, identifying gaps is the easy(ish) part. Determining how to take that information and find solutions is the challenging part—you can’t just stop at step one!
Some goals can be categorized by department or job function, but many will have a multidisciplinary focus, needing the cooperation of subject matter experts across different parts of the organization.
All goals should tie the merits of privacy to the organization’s high-level values—customer service, time-saving, risk reduction, consumer trust, product improvement, and business differentiation.
Some goals may be as simple as “Customer service will be trained on the data subject request playbook once a year,” or “Compliance will cc Legal on privacy complaints.” Some goals may be as complex and involve as many stakeholders as obtaining an ISO 27001 certification to measure control effectiveness.
Regardless of complexity, goals that are documented, tracked, and specific enough to be actionable ensure that stakeholders across the organization are aware of their role in achieving these ends.
Tip five: It’s all about perspective
Every individual member of your privacy partnerships has different values, skills, and understandings of data privacy—but all have something to contribute!
Seek to understand these different perspectives and provide them with a seat at the table; you may be surprised at the vital contributions from teams not typically associated with privacy.
For example, the marketing team may have some clever ideas for privacy events or social media campaigns. Web developers can offer input on the best way to implement cookie consent tools and links to the privacy notice or trust center. And IT can monitor the latest and greatest tools to protect company servers and workstations.
Where possible, aim to foster some level of privacy awareness and education throughout the entire organization—encourage privacy enthusiasm! And don’t forget to embrace your own curiosity for problem-solving, creative solutions, and—hopefully—flexibility and a sense of humor.
Enhance your organization’s privacy maturity
I hope these tips will help you on your organization’s journey to privacy maturity by recognizing and celebrating the vital role of cross-departmental collaboration and an interdisciplinary approach. Every department and individual contributor can have a role in your overall privacy program.
With a little creativity and planning, you can bring together subject matter experts from across your organization and work together to elevate privacy principles, tear down information silos, and work towards a shared privacy vision. Best of luck in assembling your all-star privacy Avengers!
Need a privacy program to manage multiple regulations?
Complying with the many (ever-changing) data privacy laws and regulations can require extensive manual effort and high compliance costs.
It’s no surprise that complying with each new data privacy law in the U.S. alone costs a company an average of $15-60k or more. To quickly achieve compliance and maximize auditing efficacy, move away from manual tracking and use specialized privacy and governance software.
Continue mastering the privacy essentials by reviewing all the resources in the Privacy PowerUp series.
Read more from the Privacy PowerUp Series:
- Getting Started in Privacy
- Data Collection, Minimization, Retention, Deletion, and Necessity
- Data Inventories, Mapping, and Records of Process
- Understanding Data Subject Rights (Individual Rights) and Their Importance
- The Foundation of Privacy Contracting
- Choice and Consent: Key Strategies for Data Privacy
- Managing the Complexities of International Data Transfers and Onward Transfers
- Emerging Technologies in Privacy: AI and Machine Learning
- Privacy Program Management: Buy-In, Governance, and Hierarchy