Many privacy and data protection regulators around the world, including regulators in Canada, France, Australia, Hong Kong and Colombia, have written guideline papers about accountability that promote the building of a privacy-management program. These guideline papers provide the building blocks for a privacy program but do not address how to resource the building and maintenance of a privacy-management program.
Privacy offices grapple with the challenge of finding enough resources to allocate to privacy management. The challenges include communicating a definitive privacy-management program, leveraging and motivating individuals throughout the organization and justifying the business case to obtain the necessary resources. Even then, how best to allocate the available resources to maximize privacy management has historically been more of an art than a systematic approach.
We know that privacy officers can only implement and maintain privacy-management activities based on the resources provided, and as such, we believe a resource-based approach is best. Our research has led to an accountability approach that is based on building an effective privacy-management program by maximizing available resources.
A resource-based approach enables privacy officers to scope the privacy-management program to encompass all organizational activities that involve or affect the processing of personal data. Such activities include not only those maintained by the privacy office but also those maintained by operational and business units outside the privacy office that control or influence the processing of personal data, for example HR, IT, legal and marketing.
To maximize resources, the privacy office first determines the current status of privacy management by identifying maintained privacy-management activities throughout the organization. Doing so with a systematic approach will also enable a privacy officer to identify available resources in the form of people, processes, technology and tools. The good news is that privacy officers at responsible organizations will find that there are many privacy-management activities implemented in other areas of the organization, for example, in human resources and marketing. Plus, additional resources will be found throughout the organization.
The privacy office then needs to determine an appropriate privacy-management strategy by considering external influencing factors, such as legal and compliance requirements and privacy risk, and aligning with overall organizational objectives. A strategy, made up of a definitive set of privacy-management activities, then allows activity implementation to be prioritized based on available resources. Our research, available in our accountability paper, has found that there are three common strategies:
- The Managed Privacy Strategy: The minimum number of privacy-management activities to manage risk and enable ongoing compliance
- The Advanced Privacy Strategy: Going beyond the minimum by implementing privacy-management activities that further embed privacy and data protection throughout the organization
- The Demonstrate Accountability and Compliance Strategy: A privacy-management program strategy for organizations with the business case to stand ready to demonstrate accountability and/or compliance on demand
To prioritize the resources, no matter which strategy is selected, our research has found three ways to get started based on available resources:
- Low resources, privacy policy first: Start with an organization-wide privacy policy; train employees on their obligations under the policy. Communicate the practices to data subjects via a privacy notice and ongoing management reporting. A privacy policy-first approach is best suited for organizations with low resources available.
- Medium resources, governance first: Start with governance-based privacy management activities including formal assignment of responsibility, processes for interacting with data subjects and third-party data processors and sign-off procedures that involve the privacy office. A governance-first approach is best suited for organizations with moderate resources available.
- High resources, inventory first: Start with more resource-intensive privacy-management activities such as an inventory of all personal data, policies and procedures embedded throughout the organization, an enterprise privacy-risk assessment, integration of data privacy into business-risk assessments, and PIAs for new programs, systems and processes. This approach is most often favoured in textbooks and training materials because it does not take resource constraints into consideration.
Allocation of resources can be a challenge, but in most cases the justification of resources for privacy management is even harder. As such, Nymity has launched a series of free global privacy-management workshops to be held later this year. These workshops and our accountability paper help privacy officers create a definitive privacy-management program, justify additional resources and best allocate those resources to achieve the privacy-management strategy established by the privacy office.