What is Privacy Program Management?

Posted on July 14, 2021 - by Kyle Hankins - in Building Your InfoSec Program

Privacy Program Management

Privacy Program Management is a growing field that covers how privacy concepts, policies, procedures, and programs are managed at the organizational level. It begins with establishing a privacy program framework and extends to the wide range of responsibilities carried by the Privacy Program Manager. 

A Privacy Program Manager’s primary function is to manage a privacy program that adheres to data protection regulations relevant to the organization. Today Securicy looks at what Privacy Program Management is and gives you insight into the role of the Privacy Program Manager. 

Why does an organization need a privacy program?

A privacy program is about more than legal compliance and adherence to a well-written privacy policy. A well-managed privacy program embeds privacy into the organization's everyday business practices and serves many functions: maintaining the quality and value of data, enhancing brand reputation, meeting consumer expectations, safeguarding data against attacks and other threats, meeting the expectations of business partners and clients, and demonstrating regulatory compliance. 

Most importantly, a privacy program gives the Privacy Program Manager a framework for data protection, and with it the means to exercise due diligence in protecting the privacy of consumers and clients. 

What does a Privacy Program Manager do?

A privacy program manager is tasked with establishing a privacy team that is in charge not only of ensuring data privacy and upholding the rights of data subjects, but also of creating and maintaining policies, enforcing legal compliance, and developing organizational strategies for governing the program.

In some organizations, privacy management is instead handled by the information security team, which takes on these additional responsibilities alongside its security work.

Who can maintain the role of Privacy Program Manager?

So does your company need to designate, or even hire, someone as a Privacy Program Manager? In practice, anyone can take up the role. The person who fills it doesn't necessarily need to have "privacy" in their official job title. 

Some professional roles that often serve as Privacy Program Managers include:

  • Security Officer
  • Data Protection Officer
  • Chief Privacy Officer
  • Compliance Officer
  • Data Privacy Specialist
  • Privacy Analyst
  • Global Privacy Officer
  • Business-line Privacy Leader

What are some of the key responsibilities of the Privacy Program Manager?

The duties of a privacy program manager vary with the size and complexity of the organization. They start with creating the privacy program and defining how it will be implemented. 

Key responsibilities include developing privacy policies and procedures, running privacy awareness training, building the privacy staff mentioned above, and conducting investigations. (For many of these responsibilities we've built tools in Securicy that simplify the tasks and save time.) A privacy program manager may also own the assessment and audit schedule, as well as incident response in the event of a data breach.

The most important of a privacy program manager's responsibilities is accountability. Privacy accountability is about evidence and responsibility: when we collect data or personal information, we are responsible for its proper use, and accountability means being able to show, with evidence such as policies, records, and assessments, how the organization meets its privacy obligations. Privacy program managers are accountable not only to regulators but also to their workforce, their consumers, and the general public.

How to Establish a Privacy Program?

Scope: Beyond settling on the mission and vision of your program, you need to understand its scope, which means identifying the data protection laws and regulations your organization's privacy program and policies will align with. Look at the local and international laws that apply to your organization and how they affect the data you process. Don't forget contracts that may carry their own data privacy and security requirements. Keep in mind the types of data your organization collects and stores and the regulatory challenges you might encounter. This may require consulting your legal counsel. 

Data Inventory: A data inventory helps you determine what personal information your organization holds, where it is stored, and how it is processed. It also lets you map the flow of that data within the organization and to outside parties, such as vendors and service providers. 

Privacy Strategy: Once the data inventory is underway, you can plot a privacy strategy that sets out the goals of your organization's privacy program. According to the IAPP, a leading body in Privacy Program Management, this process involves various stakeholders and considers business alignment, governance of personal information, and procedures for handling inquiries. 

Privacy and Policy Framework: With an understanding of the laws and regulations that apply to your organization's data protection goals, establish a framework of controls under which personal information is protected. The framework is the roadmap that guides the organization's policies, standards, and program activities within the privacy program. 

Governance: This is about creating the leadership structure of your privacy program team, which depends on the size and complexity of your organization. Privacy program governance usually mirrors the existing organizational structure and takes one of three forms. In a centralized structure, a single team or leader directs the program from above in a top-down, single-channel approach. In a decentralized or localized structure, leadership is bottom-up and decisions are made at the lower levels of the organization. The third option is a hybrid that combines the two. 

Structure of the Privacy Team: In larger organizations the team may have many members, including incident responders, while a smaller organization may have a single privacy officer who manages the privacy program alongside other duties (such as security or HR). 

Stakeholder Buy-in: One of the most important parts of establishing your privacy program is ensuring that there is sufficient stakeholder buy-in. This means building awareness and pitching your privacy interests within the organization in order to gain traction. 

Consider answering the question: How can protecting personal information save the organization money? Find ways to pitch these ideas both formally and informally. A formal pitch might be a presentation of the privacy program design to upper management, while informal discussions might happen in the break room.

Whether you are trying to win over executives or employees to establish your privacy program, you’ll need all the key stakeholders on board to make your privacy program effective.

These are just a few of the components necessary to build your organization’s privacy program. If you are looking at designating a privacy program manager or building a program for your company, consider contacting Securicy for all of your privacy program needs.