
This article was first published on PDP Journals (subscription required)


Though perhaps falling short of being a universally accepted one, it is a truth that any organisation processing personal data needs a privacy programme. But how best should an internal compliance framework be structured in order to keep pace with the rapid rate of change and remain relevant (if not necessarily interesting)?

As more countries enact comprehensive data protection laws for the first time, the question becomes increasingly relevant. Even the US appeared close to passing a federal data protection law earlier in 2022, whilst other countries (for example, Australia, the UK and Switzerland) are in the process of updating existing legislation and/or introducing complementary legislation. The EU also continues to generate new laws, good examples being the Digital Services Act and the proposed Artificial Intelligence Act.

So is it realistic for organisations with operations in multiple jurisdictions to attempt to construct global programmes which serve their current requirements consistently, avoid jurisdictional silos and yet allow sufficient flexibility to remain ‘vital’? This article discusses some of the features and approaches which organisations may be able to deploy in service of such an aim.

Where to start

The main components of an evergreen programme are likely to be the same as for any organisation-wide privacy programme, with some additional areas of focus.

The Information Commissioner’s Office’s (‘ICO’s’) Accountability Framework (‘the Framework’) serves as a helpful starting place for potential components. Indeed, the Framework itself explicitly notes that it can be used for a number of purposes, including creating a comprehensive privacy management programme, checking existing practices against the ICO’s expectations, considering whether existing practices can be improved, understanding ways to demonstrate compliance, recording, tracking and reporting on progress, or increasing senior management engagement and privacy awareness across an organisation. It breaks compliance programmes down into distinct areas (consolidated into six pillars in the table below). These are not independent areas and, in order to maximise effectiveness, there needs to be a degree of inter-connectivity between them, for example between governance and risk assessment/monitoring.

A dynamic approach to internal compliance will likely necessitate a larger budget. As with any compliance programme, there also needs to be a continuous, consistent investment of resources in order for it to remain effective and relevant. Although it is relatively inexpensive to purchase a set of template policies, write privacy policies and adopt standard processing contracts for suppliers, such efforts alone do not make for an effective privacy programme. Given that the support of the senior leadership is key to success, some attention also needs to be given to how to secure that support.

How to win (management) friends and influence people

Many readers will recall the intense lead-up to the GDPR’s entry into force on 25th May 2018. The imminent introduction of sanctions and potential fines on such an unprecedented scale provided a large boost to data protection professionals pitching global data privacy compliance programmes to corporate leadership. However, although the sanctions ‘stick’ was undeniably a good incentive, an alarm-based approach tends to fatigue after a while, with data privacy ‘fires’ being overshadowed by the next big regulatory inferno.

An antidote to this is for internal privacy teams to position themselves as harbingers of good news rather than doom. Being able to recount a positive story about the virtues of an embedded and functional privacy culture inspires rather than alarms. Such an approach tends to be characteristic of the most successful data privacy functions within organisations, where privacy professionals have forged a ‘trusted advisor’ role that has helped engender a culture of respect towards personal data usage, as well as the empowerment of colleagues outside of privacy teams.

Main programme pillars, their components and evergreen factors

Leadership, oversight and resources

Components: DPOs/Data Protection Managers with an appropriate internal reporting line to the C-suite; designation of responsibility for data privacy within the leadership team; and group/committee oversight and direction.

Evergreen factors:
  • Make your privacy function wider than the privacy team. Develop champions at the grass-roots level as well as at leadership level.
  • Ensure there are data privacy sub-specialists, if needed, within the field, for example in digital marketing.
  • Set up a process to stay on top of relevant legal developments, especially multijurisdictional ones (an internal team responsibility, supported by external resource).
  • Update management stakeholders and other business units as relevant, for example on proposals for data localisation in relevant jurisdictions. Some people are interested in data privacy news even if it is not their job; they can become sleeper agents for data privacy.

Accountability

Components: Inventory (Record of Processing Activities, ‘ROPA’); data mapping; written policies and procedures; and records of lawful processing grounds (being able to prove processes are in place).

Evergreen factors:
  • Privacy by design: can you introduce a workflow process, supported by digital tools?
  • Link policy updates to significant organisational changes, not just to an annual cycle, for example Bring Your Own Device and system authentication changes.

Transparency and awareness

Components: Notices to data subjects; consent; training staff; ROPAs; Legitimate Interests Assessments (LIAs); documenting other lawful grounds for processing; and age verification.

Evergreen factors:
  • Consider whether you need a customer consent refresh process.
  • Refresh training and awareness.
  • Link projects to Data Protection Impact Assessments (DPIAs) and empower the relevant project teams (the data privacy function risks becoming an obstruction if it becomes responsible for all DPIAs). Use a triage process so that only the most risky/significant projects are escalated for sign-off by the data privacy function.
  • Link privacy notice updates to process/product updates. Build prompts into DPIAs.

Data sharing, transfers and contracts

Components: Restricted international transfers; policies and procedures for data sharing and the relevant agreements; processor due diligence; and GDPR Article 28 provisions.

Evergreen factors:
  • Ongoing processor compliance checks.
  • A process to revisit international transfers (are Transfer Risk Assessment updates needed?).

Risk assessment and monitoring

Components: Security, breach detection and monitoring; internal/external audit; business continuity; and DPIAs.

Evergreen factors:
  • Breach logs. What can they tell you? Are there upward or downward trends? Is there under-investment in technology or training?
  • What do completed DPIAs reveal? Number and types, quality/understanding? Do you need to refresh training?
  • Bring in a process for staying updated on data privacy legal developments. Can you team up with legal/compliance teams to do this?

Response and enforcement

Components: Breach reporting processes; individuals’ rights (managing and logging/tracking responses).

Evergreen factors:
  • Data subject request responses and KPIs. Is the number rising or falling? Is there a clear reason for this?


It is all too easy for data protection to suffer from image problems within organisations, particularly in the private sector. Avoiding being viewed as the internal ‘data police’, and becoming the ‘can do’ rather than the ‘can’t do’ advisors, is helpful on the path towards gaining allies and ultimately being involved in shaping corporate strategy. Further, by making friends at the grass-roots level, data protection teams can acquire advocates from across the organisation (for example, from information security, legal, compliance, product development, HR and marketing teams). Through taking a constructive approach, privacy professionals can aspire to influence and inspire the C-suite in a more sustainable way, and not just at the outset of programmes. Such a constructive approach includes celebrating the wins with the rest of the organisation, for example a reduction in customer complaints.

The evergreen paradigm

Like an evergreen tree which stays fresh from season to season, the defining feature of an evergreen privacy programme is its flexibility when it encounters change. A good, resilient programme also takes into account changes in the future direction of the organisation, including new product and service offerings, organic and inorganic growth (for example, acquiring new group companies or businesses) or a changed geographic footprint.

Most organisations will have some form of framework already established. However, established programmes can still be adapted and improved.

Key to the evergreen paradigm is building in ongoing monitoring of the performance of a programme. Often, monitoring is interpreted as meaning incident management, with the possible addition of data subject request response Key Performance Indicators. Although important, these activities fall far short of constituting a meaningful assessment of an organisation’s programme. Measuring the performance of the programme means being able to validate its success and vindicate its investment, both to date and prospectively. It should also allow a ‘course correct’ before things diverge too far, for example if no Data Protection Impact Assessments (‘DPIAs’) are being carried out. More fundamental questions, for example whether programmes designed to meet the requirements of the GDPR are still the correct benchmark, may also need to be revisited over time.

Performance monitoring needs to be done in a manner that guards against complacency. Paradoxically, if a programme is going ‘too well’ then the current economic environment may trigger pressure to reduce the resources allocated to privacy compliance. Where an internal privacy programme is concerned, savings should be achieved through increasing efficiencies (for example, digital tools to save employee time on repetitive tasks, supporting the DPIA, Legitimate Interests Assessment (‘LIA’) and data subject response processes) and not by reducing the scope of the programme.

The demand for experienced data privacy professionals is well documented. However, it is not just a question of finding individuals with the correct skillsets; organisations need to find the correct personality fit. Apocryphal accounts abound of conflict between Data Protection Officers (‘DPOs’) and their organisations due to poor cultural fits or a lack of understanding of the role (on both sides). Privacy teams need to be attuned to the product development process and help those teams to operationalise privacy by design for the organisation.

It should never be underestimated just how important the communication style and softer skills of the privacy team leadership can be. It is interesting to reflect on the increase in skills diversity in the privacy profession. An in-house privacy specialist may have a background in IT, risk and compliance, HR, marketing or law, to name a few. Like the programme itself, recruitment into the organisation’s privacy function should be flexible in order to attract and retain people from non-conventional backgrounds, especially those with good communication skills and a broader perspective.

Pulling it together

The table above aims to bring together the various pieces and high­light factors important for achieving an evergreen programme.

Even though establishing and running a flexible programme will need more investment than a comparatively static one, the evergreen approach will reap more benefits in the medium and longer term. In fact, such adaptability is likely to save money in the long run, as it avoids the need to replace a programme which has become irrelevant and no longer fit for purpose. By being more relevant, timely and effective, evergreen programmes offer greater protection for the organisation from the most significant risks associated with non-compliance (i.e. fines, litigation and brand/reputation damage).

Fundamentally, achieving an evergreen global privacy programme is not about big budgets, regular steering group meetings, cutting edge digital tools or even partnering with experienced external privacy counsel. It boils down to one thing: the internal privacy function. It is this which determines the success, flexibility and relevance of privacy programmes.

Reading the cultural runes of the internal corporate environment and external sectoral shifts, understanding management strategy and aligning with it where possible (and seeking to shape it where it throws up significant privacy risks), and communicating the value of data privacy with imagination and persistence will all reap benefits.


The author and Amy de La Lama, Chair, Global Data Privacy & Security group, led a panel on this topic in Brussels at the IAPP Congress in November 2022 with guest panellists Delphine Charlot, Senior Managing Counsel, Privacy and Data Protection at MasterCard and Anne-Cecile Colas, Group CPO of Sodexo.

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.