Privacy Governance

I must admit that, sometimes I have exactly the same feelings described in the image published below (once again, thank you for the sticker IAPP).

CIPM Real Life

Privacy Pro real-life experience

Let’s imagine the situation:

  • I’ve been assigned the task of leading the privacy program for a company;
  • I meet the Boarding Members for the first time, explaining them how I will accomplish my task;
  • I start asking which are the core values of the entity, regarding to the privacy.

This is the moment when, normally, the stakeholders look each others dazed and confused: it seems that I’ve been speaking in Greek (I should I could).

Vision and Mission

«Ok, my bad. Let’s start from scratch«. During my long experience in the data protection and data privacy domains, I have learned that ethereal concepts (like «core values«) can be misinterpreted by your stakeholders. Generally speaking, they prefer to have a solid reference, in order to provide you a clear answer.

This is the reason why I rephrase my question in something more digestible like:

«Why is privacy important for your business? And, please, don’t tell me

that you invest your money in security and the privacy compliance areas because you’re afraid of the fines«.

Statistically, it is unlikable that your company will be fined because of the GDPR. There are literally millions of companies out there and the Data Protection Authorities (aka DPAs) have limited resources. So, unless you do something very bad, you will avoid monetary sanctions that, on the other hand, shouldn’t be the trigger for your privacy program.

Essentially, what I am looking for is the real reason why a company decides to invest in a privacy program. That leads me to understand the famous Vision and Mission statement. Those words should be represented by a short sentence, answering the previous question, in an honest way. If you run out of ideas, you should call us and we will find the right way to rethink about your values and align them with the privacy strategy.

The Scope

Basically, defining the scope means:

  • To inventory the personal data processed;
  • To identify the laws, regulations, contract obligations and sector best practices and standards (if any) applicable.

Of course, I have my personal view about the inventory of personal data processed. There are several tools that (they say) can scan all your repositories and found all the personal data stored in them. It’s ok to have those (expensive? maybe) tools. But the point, in my opinion, is: if you need a software to scan and understand what you should have understood by default, you might have a serious privacy problem. Using tool like the mentioned above is admitting that your organization doesn’t even know what kind of personal information it has.

Franckly, it doesn’t look like a promising starting point. But, still, it is a start…

 

The Framework

For instance, if you are a company based in Europe, you may use, the ISO 27701 standard, from the ISO 27001 family (I know, I know, frameworks and standards are different…).

On the other hand, if you are an American company you may be interested in the NIST Privacy framework. But, if you really want to play the big game, take a close to the COBIT framework. Which one is my favourite? Although all of them are well accepted guides, I have my own way of work; but I’m always keen on listening to your needs and see what suits your company best. Fancy a virtual cup of tea/coffee?

 

A Governance model

Traditionally, you can opt for one of the following models:

  • Centralized: it works good if you have a hierarchical structure and you are lucky enough to have a direct line of reporting only to the Chief Privacy Officer;
  • Decentralized: very useful if you have different decision-makers for different areas. You can tailor your privacy solutions, according to the specific needs of the final stakeholder. But, be careful: you can easily lose the track of your privacy program and have contradictory solutions;
  • Hybrid: a Frankenstein combination of the previous one.

 

Subsequently, you can choose whatever Governance model you want, as long as:

  • it suits the company you work for;
  • stakeholders have accepted and supported them
  • the model is known by anyone.

If you are not sure about which one suits you better, call us: we’re here to help you.