How to build a successful privacy program
When you think about the activities of your Organization and try to build a privacy-compliant program from scratch, you first look at the countries where you operate to identify the legal framework that applies to you; but it’s not until you organize and structure your intentions within the program that you can start to make progress.
For me, there are three important areas of every privacy program: (I) awareness and training, (II) accountability and governance and (III) monitoring and support.
Without proper awareness and training initiatives, it’s impossible to implement a compliant privacy program, as you cannot do it alone. In order for your program to be successful, you need to explain why privacy is relevant, why the Organization needs to be compliant and why every single employee has a role to play. I usually say that people only support what they understand, and with Privacy that couldn’t be truer.
In addition to this, another area that is very important to the success of a privacy program is the set of tasks related to accountability and governance. GDPR imposes specific accountability obligations, but independently of any legal obligation, accountability and governance provide structure to the privacy program and allow privacy managers to track the evolution and maturity level of the program. It’s like a map of intentions and a map of results. It’s where the SOPs and business guidelines sit. Nothing is complete until it is written down.
Last is monitoring and support. Every Organization needs to be monitored and its practices need to be improved regularly. Privacy laws and regulators’ guidelines are constantly being reviewed and discussed, so it’s necessary to keep the privacy program alive and improve procedures and practices over time. It’s also important to provide support to a business that is growing fast and is evolving into a more virtual space. Digital solutions are there for the taking, but the privacy challenges they bring are many. To be supportive of your Organization you must not only reply when you are asked, but also anticipate and bring to the table topics that you identify as future requests from your customers.
Now that you have structured the privacy program, you can build a plan. If you’re a global Organization subject to multiple laws from different regions, it’s important to identify all of them and their differences compared to a chosen reference framework. It’s common to use the GDPR as the legal framework on which to base a global privacy program, but the other applicable laws require deviations from the standard program: in certain jurisdictions, being compliant with GDPR means going beyond what is required, while in others it may mean falling below the required compliance level.
Lastly, once you have a plan and have identified the road you want to walk to pass from intentions to reality, you need a resourceful team to support your program. The size of the Organization is not always a reflection of the size of the privacy team; what is more relevant here is the type of activities your Organization performs. If they are heavily impacted by privacy obligations, the privacy team naturally needs to be bigger and have more resources.
To conclude, privacy is here and it’s only growing in importance and in regulation. Nowadays, companies that don’t take privacy seriously are not seen as trustworthy, not because they aren’t great at what they do, but because they didn’t recognise and anticipate an important change in the industry and didn’t adapt to and embrace the new challenges and developments that are here to last. If you are a DPO or the leader of a privacy team, make sure your Organization hears you; be collaborative and supportive, but don’t be afraid of sharing what you know and what you believe is the right path to compliance. Only then do you fulfil your purpose and your Organization evolves and matures.
DCA