A successful privacy program is a complex undertaking. The privacy team needs to stay abreast of regulatory and statutory changes; watch for potential threats from both external and internal sources; assure compliance in existing or emerging business practices; respond to stakeholder inquiries, and provide privacy leadership to their organization to name just a few of their myriad responsibilities. With this many balls to keep in the air, how can you quickly explain the key attributes of a successful program?
This is the second article in a series suggesting there are three “A”s that answer this question: alignment, accountability and adaptability. This article focuses on alignment.
A privacy program needs to be aligned with the needs of multiple constituencies. There are various ways to categorize these groups, but for simplicity let’s divide them into external and internal groups.
External constituencies
External groups tend to provide requirements for your privacy program. The first that probably comes to your mind are regulators. Regulators' guidance may come in the form of written regulations, published interpretations of the regulations, or interpretation of enforcement actions.
There are other external stakeholders who should also influence your privacy program. Customers, investors, and industry watchdog groups, to name a few, all have perspectives on privacy that require consideration. Employees should also be included in this group since, as data subjects, they may be viewed similarly to customers for the purposes of your program.
These stakeholders provide their expectations of a privacy program through their actions. Purchasing, investment, staying with or leaving the organization, and statements to the media are all examples of how external stakeholders can express their satisfaction with your program.
In some cases, you may have some influence over the perspectives of these external constituencies, but ultimately they provide requirements for your program. Being unaligned with these groups may result in fines or oversight from regulators, lost revenue from customers, increased public relations and other operational costs, or higher costs for capital.
Internal constituencies
Achieving alignment with external groups provides the foundation for defining the alignment requirements for internal groups. A well-positioned privacy program has the opportunity to not only gather requirements from internal groups, but also has the ability to influence those groups.
Organizational alignment
Consider organizational alignment. During the IAPP’s Principles of Privacy Program Management course, organizational alignment is discussed in terms of the privacy program supporting business strategies, objectives, and goals. A successful privacy program’s policies and procedures will be crafted to support this organizational vision. However, a truly effective privacy program goes further.
A privacy officer can use the insight gathered from the external constituencies to influence an organization’s vision. For example, we are often faced with the use of new technologies that regulators have not yet addressed. A recent example of this is the use of drones.
A few years ago one of my clients was discussing the use of drones at the senior levels of their organization. The privacy team had their collective fingers on the pulse of their customers as well as reasonable regulatory prespective to have an understanding of what external privacy requirements may evolve for this technology. Using this knowledge, the privacy officer was able to influence the adoption and use of drones for their organization.
Operational alignment
Operational alignment goes one step deeper into the enterprise. When successfully aligned, all departments in an organization are aware of the responsibilities they have been delegated within the privacy program and are effectively executing the related activities.
There are three steps to consider to achieve operational alignment. The first is to identify the activities for which the privacy program is being held accountable. One approach to identifying activities is to start with one of the many privacy frameworks that are available. By using an industry accepted framework you get an independent view of what activities should be included in a comprehensive privacy program. If there are activities in the framework that are not part of your program, you now have a chance to decide if that activity is applicable and should be brought into the program at some future time.
The next step is to identify the responsible operational area within your organization for executing each activity you have selected. Often more than one operational area has responsibility albeit with a different scope.
For example, an activity such as “Define procedures for protecting personal information when transferring data outside your organization” may involve IT for electronic transfers, but may also involve individual business units for the transportation of hardcopy documents.
Of course the privacy team may also be involved in defining the minimum standards to be met by the operational groups when executing these activities. These standards should not be dictated to the groups by the privacy office, but the privacy office should engage with the operational areas to determine the impact the standards may have on an operation’s efficiency. You may not, for example, want to impact operational efficiency by adding a privacy control that takes two minutes to execute for an operation that only takes five minutes without the control.
Finally, with the activities identified and responsibilities assigned, a comprehensive list of activity responsibilities may be created and communicated for each operational area. I would recommend that the activities be presented in a meeting with each area so that any clarification of the activities may be provided to the operational team. A meeting will also provide an opportunity for the operational team to raise any concerns they have with some of the assigned responsibilities. Ultimately, you will want to get a formal acceptance of the assigned responsibilities from the operational team.
On-going alignment
Achieving alignment is not a one-time effort. The external requirements change as may some of the internal requirements. A privacy office should repeat an alignment exercise at least annually.
Additionally, monitoring of the privacy activities delegated to the operational areas need to be monitored. This is where the other two “A”s, Accountability and Adaptability, apply.
Look for part three of this series in next month's edition of The Privacy Advisor.