Five Core Elements of a Successful Privacy Program

At Privacy 108, we’ve spent decades helping organisations grapple with the challenges that come with the ever-changing privacy landscape. We routinely help organisations manage data over-collection and retention, poor privacy hygiene, lack of transparency, ineffective security measures, and heightened customer and regulator scrutiny. Along the way, we’ve noticed some trends in organisations that more successfully embed privacy into the fabric of their operations. We’ve also had the chance to review and consider various guidance from Australian and international regulators, as well as standards organisations such as ISO and NIST.

We’re sharing those core elements of a successful organisational privacy program in this post. 

5 Core Elements of a Successful Privacy Program

Before we dig in, the underlying theme among these elements is that a privacy program must be comprehensive, cohesive and continually evolving, not just a set of disparate ‘activities’ or checkboxes. 

Keep that in mind as you read through the five elements we’ve identified based on various guidance documents, privacy frameworks and our own observations from organisations with successful privacy programs. 

Privacy Vision and Strategic Direction

Organisations do best when they have a clear vision and strategic direction for the privacy program. These need to be concise, well defined and documented, and (ideally) memorable to catch on among team members at every level in the organisation. 

A good privacy vision will explain (concisely) why your organisation cares about privacy – is it retaining and supporting customer trust, ethical use of data, brand reputation, market differentiation, risk mitigation, or some combination of these? 

Then, your strategic direction document will outline how your privacy vision aligns with the overall objectives in your organisation. This is generated from the top down, but should be relevant at every level. 

Senior Ownership of Privacy

This element of a successful privacy program means that someone in a leadership role owns the privacy program, with cross-business support. The senior organisational leader should be formally allocated accountability and responsibility for the organisation’s adoption, implementation and maintenance of its privacy program – and ultimately ensuring that the privacy program remains aligned to and achieves both its stated objectives and the organisation’s strategic direction. 

It’s an element that, in our experience, is overlooked – but when someone is accountable for organisational privacy, particularly someone senior, it tends to give momentum and teeth to the program and ensures that privacy is seen as an important strategic program. 

Beyond this senior owner, there should be a clear allocation of responsibilities across the organisation. Legal counsel, information security and IT should be involved, since these departments will play a pivotal role, but HR, marketing, and customer service may also need to be involved – depending on your operations. Compliance and Risk as well as Internal Audit may also have important roles in supporting the program. Clear lines of responsibility should cascade through the organisation. 

Internal Policies Covering Privacy Issues

Your internal policies are the operational blueprint that makes your privacy program scalable and memorable. Without these documented rules, privacy initiatives are not likely to be remembered – let alone implemented. 

From a practical standpoint, you’ll need your policies and processes to cover the data lifecycle. Here are some key areas for your internal policies:

  • Privacy Risk Assessment – who is responsible, how privacy risk is measured and reported, and who is responsible for overseeing privacy risk mitigation plans
  • Privacy Impact Assessments – when they are needed, who is responsible for doing them, what format the reports should take, and what happens to the results
  • Data subject requests and complaint handling – who should receive these requests, what the process for responding is, and how timelines are maintained

Those who work in your organisation should have a clear understanding of the data across its lifespan, and their role in protecting it and meeting the organisation’s privacy obligations. If your policies don’t achieve this, it’s likely time to review and update them! 

Implementing Privacy by Design

In our opinion, privacy by design is where the magic happens. It’s a privacy framework that centres on creating win-win scenarios for organisations when it comes to operationalising privacy. It also offers a structured methodology for organisations to tap into the value of personal information while complying with privacy obligations and building and maintaining community trust. In other words, PbD refers to a proactive approach of embedding privacy into systems, processes, and technologies from the outset. It ensures that privacy is a fundamental consideration throughout the lifecycle of a product or service, rather than an afterthought.

We recently published a downloadable guide, Implementing Privacy by Design. Check it out to learn some strategies for implementing privacy by design at key intervals in your organisation. 

Training and Awareness Programs 

The final element might be the most important of all – your training and privacy awareness programs. Your human resources are your organisation’s weakest link and biggest threat, and knowledge really is empowering when it comes to managing privacy. 

The organisations with the most successful privacy programs offer tailored, annual training, as well as continuous learning opportunities when it comes to privacy. They also track key metrics, such as trainings completed and test results, including the results of any phishing or social engineering tests they run. 

The privacy training should be tailored, since one-size-fits-all trainings aren’t likely to resonate across a really broad audience. Tailored trainings mean that customer service personnel know and understand how to manage customer information when dealing with requests or complaints, as well as during onboarding. Similarly, marketing teams should know and understand consent requirements, as well as the organisation’s processes for auditing websites, forms, and other digital assets where personal information is collected. At the same time, HR should know the legal requirements for handling employee personal information in a compliant manner. 

Tying Them Together

Ultimately, implementing any of these five core elements will result in a net improvement to your organisation’s privacy posture. But tying them together can give you a result that’s greater than the sum of its parts. 

Resources

If you want some guidance on designing your own privacy framework, the following may be of use: 

If you’d like assistance developing a more mature privacy program, reach out for an obligation-free consultation. Our team of privacy professionals is available to help. 

And for insights like this in your inbox, subscribe to our newsletter. 

Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.