Privacy considerations are present throughout many different areas of an organization. What many don’t realize is that privacy isn’t just a human right or adhering to set legislation. Privacy is all about how organizations value the information and data they collect and how they work to protect the subjects of the records they have.
These types of privacy requirements create a sense of urgency for any cross-functional privacy team. In the digital realm, there are a large number of risk vectors that exist for a single department that manages the privacy of an organization. This type of approach is a risk in itself.
One Size Doesn’t Fit All
Each organization has its own, unique nuances. These requirements and nuances dictate the best structure for any company’s privacy team. To determine who your key team members or your biggest privacy champions are, it’s wise to begin with the key processes and activities that are included in the privacy program’s purview. These include:
Those that are in the data identification date protection domain
Those that are creating and owning privacy by the design processes
Those that are involved with the risk management, identification, and assessment
Compliance and regulatory management
Those who are involved with the process of strategically implementing the actual risk findings and the mitigations
Your Organization and Privacy: A Helpful Scenario
The main point of the information found here is actually pretty simple. Even though there is an “I” in the word privacy, there is no “I” in team (chances are you have heard that before!). Every one of the aspects of any well-designed privacy program requires the proper collaboration and coordination. To help and further emphasize the need, consider this scenario:
A large SaaS company is actively looking to expand their product offering into the EU (European Union). The organization in question has plenty of experience and fully understands what is needed to introduce, to scale, to grow and to maintain the product; however, there are some concerns with the new marketplace being targeted, as well as the new regulation – the GDPR.
To help calm fears and to approach the new operating region with a sense of confidence and strength, the company’s leadership will decide to run through an analysis of the current infrastructure that will then be repeated in the EU.
First, they make the decision to better understand the data in the environment, along with the dependencies. This specific data identification process on its own requires the use and engagement of several teams:
Subject matter experts
Technical and business operations
During the next discovery phase, all possible risk exposures are evaluated. Each of the privacy risks contains several elements that contribute to the risk score, as well as the mitigation. Several teams are necessary to both support and to complete this effort, which includes:
Privacy, legal, and compliance
When the evaluation ends, the stewards of the privacy assessment will compile all of the findings and then work to create a strategy to help operationalize what’s been identified.
The process of operationalizing will involve decisions on whether or not data is going to remain, or if it is going to be anonymized, purged or migrated to another database or region. The information and infrastructure security team will weigh all performance, security, and feasibility options before they begin to implement any solutions.
It is clear that any privacy team is made up of diverse entities. In the very best scenario, this team has a day-to-day manager that will be responsible for guiding and initiating the requirements, but they aren’t doing this alone. There is a committee of privacy champions. These are people who come from all different parts of the business and provide the committee with a more comprehensive view of what’s going on in the organization, what type of data is collected, and how issues related to privacy may arise.
In most cases, the natural inclination is to actually place the privacy responsibility on the legal department; however, in the connected world, this is no longer a feasible option.
Hire with Diversity in Mind
You're going to need a diverse team to conquer your privacy situation, and we know just where to find them. Contact ICS below to get in touch with our staffing experts. We know how to look for the people you need and deliver on exactly what you want in a team. Just click below to make the first move towards success.