
Privacy Program Management: Buy-In, Governance, and Hierarchy

Privacy PowerUp Series #9

Storytelling is a key skill in building and managing a privacy program. Stories allow us to take the reader on a journey, tugging on their emotions while conveying a specific message in the end. As with any story, you need to “hook” the reader early, keep them engaged, and deliver a memorable ending.

Before you start rattling off about changing data privacy laws, the growth in regulations, increasing fines, and customer expectations, STOP and take time to build your story around data privacy within your organization. Remember, we are also consumers in the global economy.

Below are the steps to getting senior management buy-in for a data privacy program and the ongoing need to manage it effectively within the community.

Know your audience

Senior management today is rewarded based on revenue growth. Mere compliance as the primary focus doesn’t work for most organizations.

  • Know the organization’s current strategic goals. Are there opportunities for privacy to drive, participate in, or support these goals?
  • Remove ambiguities and unknowns. Refrain from using data privacy jargon, especially acronyms.
  • Benchmark against competitors. You’ll be asked what your competitors are doing or not doing. Use benchmark reports to show privacy investment by verticals.
  • Focus on engagement, not overwhelm. Instead of bombarding them with privacy facts, news, and details, aim to hook them with your story. Focus on the next immediate step and the needed support to test or prove the demand to formalize a privacy program.

Identify key evangelists

Typically, the most likely evangelists in your organization will be the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Human Resources (HR) lead, and General Counsel. Additionally, there may be influential voices who command respect when they speak, even without C-Suite titles.

  • Determine their script. Decide whether they all evangelize from a common script or have specific aspects of the story they’ll need to convey.
  • Engage with them. Meet with these key people, tell them the story (keep it very simple), and be clear on the ask.
  • Incorporate feedback. Listen to their feedback and incorporate it into your story. Collaboration strengthens the narrative.
  • Get their support. Your primary objective at this time is to have them say, “Yes, I can help tell your story.”

Define your approach

Be prepared to address strategy, structure, process, and people.

  • Collaborate for strategic goals. Highlight areas where privacy can help achieve organizational strategic goals. For example, privacy teams can help InfoSec focus resources where personal data exists, saving time and unnecessary security expense.
  • Use a risk-based model. Build your program based on actual risks categorized as high, medium, or low. Data should define your future.

Identify personal data processing activities and collection requirements

Think of this step as a “proof of concept.” Identify areas where personal data processing likely occurs and conduct a data discovery.

  • Select activities. Look across the enterprise in areas like talent recruitment, digital marketing, customer service, sales teams, and others.
  • Conduct data discovery. Gather at least the minimum requirements to comply with data privacy regulations.
  • Be transparent. Empathetically address pushback and set clear expectations. Your objective is to obtain a statistical data sample.

Analyze data as a story

Using privacy software or spreadsheets, categorize processing activities as high, medium, or low risk to the organization.

  • Add details to the storyline. What does the data reveal? What are the initial inherent risks? Are there glaring compliance issues? Are we aligning with best practices and data privacy principles?
  • Show data-defined stories. Use the data inventory exercise to define and illustrate the story.

PowerUp evangelist network

Refine your initial storyline as needed.

  • Share findings with evangelists. Again, ensure they have a simple script to follow.
  • Leverage meetings. Plot specific functions processing personal data and get on established team meeting agendas to tell the story.

Gain senior management buy-in

Work with your evangelists, especially those in the C-Suite, to get time with senior leadership.

  • Refine the story. Ensure you have enough information (about four PowerPoint slides) to accomplish your objective.
  • Present the story. When ready, present the story to senior management.

Implement governance structure

Now that you have some level of senior management buy-in, put in place a broader governance structure.

  • Build a cross-functional coalition. Privacy is a team sport; you cannot (and you shouldn’t) do this alone.
  • Choose the right governance model. There are typically three structures in data privacy:
    • Central-out model: A global privacy office is accountable for strategy, operations, insights, and training.
    • Decentralized model: Local privacy functions handle strategy, operations, and training for specific jurisdictions.
    • Hybrid model: A central function provides the global strategy and training, while local teams manage operations.

Focusing on the hybrid model, there are typically two tiers:

  1. Working Committee: Data stewards who provide practical advice and experience.
  2. Executive Committee: Executives who oversee the functions and provide strategic advice and budget authority.

Crafting a strategic privacy program: Align, engage, and govern for lasting success

By following these steps, you’ll be well on your way to creating a robust privacy program that aligns with your organization’s strategic goals.

At the end of the day, building a privacy program is about crafting a compelling story that resonates with your audience, gaining buy-in from key stakeholders, and implementing a governance structure that supports ongoing management and compliance.

With PrivacyCentral, you can easily build out and manage your privacy and compliance governance program. Easily identify gaps, manage tasks, and streamline evidence tracking and reporting to save you time and help ensure compliance.

PrivacyCentral’s library includes over 130 global privacy and security laws and standards – continuously updated by a team of privacy and legal experts.

Continue mastering the privacy essentials by reviewing all the resources in the Privacy PowerUp series.

Eight Steps to Privacy Program Management

Follow these eight steps to establish a privacy program and gain buy-in from senior executives.


PowerUp Your Privacy

Watch all ten videos in the Privacy PowerUp series – designed to help professionals master the privacy essentials.


Read the last article in this series: #10 Managing Privacy Across the Organization.

Read more from the Privacy PowerUp Series:

  1. Getting Started in Privacy
  2. Data Collection, Minimization, Retention, Deletion, and Necessity
  3. Data Inventories, Mapping, and Records of Process
  4. Understanding Data Subject Rights (Individual Rights) and Their Importance
  5. The Foundation of Privacy Contracting
  6. Choice and Consent: Key Strategies for Data Privacy
  7. Managing the Complexities of International Data Transfers and Onward Transfers
  8. Emerging Technologies in Privacy: AI and Machine Learning
  9. Privacy Program Management: Buy-in, Governance, and Hierarchy
  10. Managing Privacy Across the Organization
