How to Structure Your Privacy Team
We revealed in our December 2021 Privacy Jobs Report that larger organisations are increasingly implementing privacy teams (as opposed to the individual privacy professionals we’ve seen in the past). We also highlighted that more businesses appear to be turning to privacy consultancies for help. As a result, it seemed timely to share our insights into how organisations can structure privacy teams to meet today’s changing privacy demands.
Implement an Agile Privacy Team Structure
With privacy and security requirements consistently growing, both fields are becoming more specialised. As a result, we’re seeing organisations looking to hire privacy professionals with broad privacy knowledge, skills and experience to cover more bases, so to speak. The work requiring more specialised knowledge is then typically outsourced.
This is similar to how we’ve seen in-house legal departments develop. General counsel are broadly aware of relevant legal obligations and risk. However, they outsource more specialised work as required until it becomes more cost efficient to bring that specialist in-house too.
For smaller businesses it most likely will be more cost effective to outsource the privacy function entirely until they have grown to a point where privacy can be brought in-house either as a stand-alone role or in conjunction with other compliance or legal functions. This strategy can ensure businesses in early growth phases maintain compliance and begin the important process of embedding privacy into the company culture early in their evolution.
Finding suitably qualified privacy staff to fill your team can also be a challenge. From our regular job surveys, we have seen a marked increase in the number of ads for privacy professionals this year. We have also noted that some professional consulting firms are advertising almost continuously, indicating that the number of organisations in Australia outsourcing privacy work is growing and perhaps that business, in general, is becoming more aware of the importance of managing privacy well. It might also indicate that there is a skills shortage when it comes to privacy professionals in Australia, especially at the senior level. Adding weight to this conclusion is the fact that 36% of all privacy jobs are being re-advertised, with some senior roles being advertised multiple times, one up to 6 times.
Align Accountabilities with Your Legal and Organisational Risks
As your organisation grows, so will the legal, financial, and reputational risks it faces related to privacy and security. It’s essential that your privacy team is structured in a way that assigns accountabilities to relevant team members as this risk grows.
In large organisations, oversight of this would typically be assigned to a Chief Data Officer. They would then allocate specific responsibilities to department managers.
Smaller organisations will need to develop processes to ensure accountabilities are effectively allocated across their teams. This may look like compliance being assigned to a particular in-house counsel and security being assigned to an IT manager.
Adding to the difficulties in aligning your privacy team is the lack of consistency around job titles, skills and experience requirements, and salary expectations. Many organisations take the view that privacy is essentially a legal function, others that it belongs in risk and compliance, and some see it as being more closely aligned to cyber security or IT. This can lead to quite disparate lists of skills, knowledge and experience requirements, even for roles with the same or similar titles. It also makes it difficult for the profession to attract and retain staff, as there is no clear pathway to becoming a privacy professional. It may be necessary to think laterally about potential candidates, recognising that privacy is a multi-disciplinary area and that candidates from different backgrounds might be suitable to fill roles, especially with the support of an external or internal mentor.
Embed Privacy Champions Across Your Organisation
Cross-department cooperation is key to developing a strong privacy framework. Consider how much more information and insight would come from the inter-departmental cooperation between your marketing, IT, product development, customer service, and legal teams compared to a privacy professional (or even a team of privacy professionals) working in a silo.
Privacy champions are individuals who are tasked with promoting awareness of privacy and security within their department. These workers do not need to have a deep understanding of the intricacies of privacy. Instead, they are trained on relevant aspects of privacy. They then commit to liaising with management and key privacy professionals to promote organisational privacy.
By embedding privacy champions in strategic positions across your organisation, you can promote inter-departmental collaboration on achieving better privacy outcomes.
Outsourcing Privacy & Security Remains a Key Strategy
It’s unrealistic for a single privacy professional, or even a small team, to be familiar with all elements of privacy and security as the number of jurisdictions enacting and enforcing privacy laws increases. Given the dynamic and increasingly specialised nature of privacy and data security, outsourcing certain privacy and security tasks is a key risk management strategy.
More than merely meeting your compliance obligations, outsourcing elements of implementing privacy programs or training team members gives your organisation access to greater expertise and diverse perspectives and experiences.
If your organisation needs assistance meeting its privacy and security obligations, reach out.