PRIVACY PROGRAM MANAGEMENT

ONLINE TRAINING TRANSCRIPT

MODULE 2: PRIVACY PROGRAM FRAMEWORK:
PRIVACY GOVERNANCE

Introduction

Module introduction

For most major organizational initiatives to be successful, there must be structure, consistency and buy-in
at the highest levels. Privacy governance is no different. Successful privacy program management
requires a structured team, thoughtful strategy and supporting stakeholders who remain committed
throughout the program’s life cycle.

This module will help you understand the key components of privacy governance within the organization,
as well as how to position them for success.

Defining a privacy program and strategy

Learning objectives

• Define privacy governance and identify its components

• Analyze the components of a privacy vision/privacy mission statement

• Summarize considerations for defining the scope and charter of a privacy program

• Explain the purpose of a privacy strategy

Privacy governance

Building a strong privacy program starts with establishing the appropriate governance of the program.
Privacy governance refers to the components guiding a privacy function toward compliance with privacy
laws and regulations and enabling them to support the organization’s broader business goals.

These components include:

• Creating the organizational privacy vision and mission statement
• Defining the scope of the privacy program
• Selecting an appropriate privacy framework
• Developing the organizational privacy strategy
• Structuring the privacy team

Where does the privacy program fit within your organization?

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 2

When positioning privacy within an organization, you may wish to consider:

• Which department has the most influence with the business?

• Which has global scope?
• Which is the best funded?
• Which executes enterprise projects the best?
• Which is the strongest supporter of privacy?

There is no standard organizational structure for privacy across organizations. As these survey results
from the Annual Privacy Governance Report show, the privacy function may live within legal, regulatory
compliance, privacy and data protection, information security, corporate ethics, information technology or
elsewhere.

What is your organization’s privacy vision and mission?

The privacy vision or privacy mission statement of an organization concisely communicates its privacy
stance to all stakeholders.

A mission statement should define what you do to protect individuals’ privacy in a tangible way. It should
be easy to understand and actionable by the organization.

A vision statement is a values statement regarding what the organization hopes to achieve.

This requires:

• Acquiring knowledge on privacy approaches

• Evaluating the intended objective
• Gaining executive sponsor approval

Do you know the privacy vision or privacy mission statement of your organization?

Examples:

https://www.apple.com/privacy/

https://www.omeda.com/aboutus/privacy-mission-vision/

Common elements of a privacy vision and mission

Mission: what we do, who we do it for, and how we do it different or better

Vision: description of what we believe or want to achieve

Click on the highlighted phrases in the text below to see elements of a company privacy vision or privacy
mission statement.

“The Australian Banking Association (‘ABA’) and its member banks believe that an individual's right to
privacy of their personal information is very important, and are committed to protecting and maintaining
the privacy, accuracy and security of an individual’s personal and financial information. Every ABA
member bank has a Privacy Policy, which generally can be found on their website home pages.”
- Australian Banking Association (https://www.ausbanking.org.au/privacy-policy/)

Value of privacy to the organization

Organizational objectives

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 3

“We respect your privacy and we promise:

• to implement computer, physical and procedural safeguards to protect the security and
confidentiality of the personal data we collect
• to limit the personal data collected to the minimum required to provide services requested by you
• to permit only our properly trained, authorized employees to access personal data
• not to disclose your personal data to external parties unless you have agreed, we are required by
law or we have previously informed you.”
- Hong Kong Trade Development Council (HKTDC) (https://home.hktdc.com/en/s/privacy-policy-
statement)

Strategies to achieve intended outcomes

Roles and responsibilities

Defining program scope and charter

Mary is in the process of defining her privacy program’s scope and charter. What are some of the high-
level elements she should consider? Brainstorm your ideas, then click “Submit” to reveal the items on her
list.

Mary’s list:

• Global and local laws, regulations and standards

• Cultural expectations and perspectives, including risk acceptance
• Business-sector requirements
• Types of personal information the organization collects/stores and how it is used
• Regulatory challenges

Basics of a privacy strategy

Once Mary knows what she will need to consider in defining her program’s scope and charter, she can
start thinking about the basics of her organization’s privacy strategy.

A privacy strategy should lay out the goals of an organization’s privacy program. Development of this
strategy may be complex and challenging, as the process may involve several stakeholders with
potentially disparate objectives. Key considerations for developing a privacy strategy include business
alignment, data governance of personal information and procedures for handling inquiries or complaints.

Read the task lists below and determine whether they relate to business alignment, data governance or
inquiry- and complaint-handling procedures. (Note that these are not exhaustive lists.)

Business alignment

Make an operational business case for privacy

Obtain budget for privacy and the privacy team
Identify stakeholders and internal partnerships
Make connections and foster relationships
Create a privacy committee for interfacing within the organization
Align organizational culture and privacy objectives

Data governance of personal information

List applicable privacy laws, regulations and standards
Design an approach to handling and protecting personal information
Consider the entire data life cycle: collection, use, access, sharing, transferring, security and
destruction

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 4

Inquiry/complaint-handling procedures
Consider processes for regulators, customers and employees
Train individuals handling requests
Explore the use of technology to increase efficiency of responses

From an expert: Creating a privacy strategy

Liisa Thomas, Partner and Lead, Privacy and Cybersecurity Practice, Sheppard Mullin

One the of things people often worry about is creating a privacy strategy, and how do we create a privacy
strategy, and really what does that mean, and do we all have the same impression about privacy strategy.
So, if we think about Mary, who’s sitting in the privacy office trying to put together her company’s
approach for privacy, one of the first things that I want Mary to think about, but may not be something
that people think about, are: What is our company’s underlying strategy? What are the goals of the
organization? Because Mary’s got to convince all these people within the organization—different
stakeholders, different groups, people who may feel threatened by the things that Mary wants to do—
she’s going to have to convince them to implement the compliance perspective, the policies, the
procedures, that she wants them to do in order to address privacy laws.

So, I like to think about what is it that the company is trying to achieve? So, let’s take—I’m sitting here
with furniture that some people may recognize from a store that you may recognize, and so my fictitious
store, this is not really this store—might have as its underlying mission that it wants to provide affordable
furniture to the masses. Style-y, design-y, affordable furniture. So, if that’s the company’s underlying goal
and underlying mission, if we think about privacy from a value-add approach, and privacy from a strategic
approach, our question is, how can privacy compliance help that goal?

And we can sort of brainstorm about this in this virtual world where you’re hearing me, but I don’t see
you, and you might come up with a bunch of different things that might make sense. But if you’re Mary
and you’re sitting there in the privacy office, you’re probably going to want to go out and talk to people
about, “How could we help you? What are you looking for? How would you like to use consumer
information?” And kind of take off your compliance hat and just have conversations with people about
what are they trying to achieve. Maybe if they knew more about consumers and the way they use their
furniture, the different things that furniture did during the day—it’s the dining table at one point, it’s the
office at another table, some people work in really small spaces, some people need to spread out into
larger spaces—understanding that information, understanding who’s in the house, all those kinds of
things, those are, that’s personal information and it might be a lot of personal information. But, knowing
that and collecting that information in a way that that information can be used and in a way that’s
compliant with the law can really align your privacy office and align your privacy function in a way that
you can support the mission of the organization.

So, to me, that’s that missing piece and it’s the part that is really misunderstood about how we put
together a strategy. We in the privacy office or privacy compliance lawyers, compliance function, we can’t
do that without really thinking about who we are in our organization. So, let’s say Mary used to be at a
healthcare company and she had a really clear approach about how she wanted to deal with privacy
strategy at that company. That’s not going to work at our affordable furniture company. Cause they’re
very different organizations. There are things in her toolkit that she may be able to use in this new
organization, but we want her to take a step back and think about what does this company need, and
what is this company trying to accomplish?

So, we’re working on putting together a privacy compliance approach for our organization. We’re sitting
down and we’ve got policies that maybe we’ve inherited, policies that need to be updated, procedures.
We’ve got business teams that are, frankly, feeling a little bit threatened by the things that we’re trying to
do and not sure what this change is going to mean for them. Does that mean that they can’t use the
consumers’ information anymore?

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 5

You may not have experienced this yet, or you may be an old hat at sitting down with the business team
asking a question and everybody getting really defensive. And, so, I will share you with my tip, which is,
for those of you have sat in a room with me before, you know I will say, “This is just a question. I’m just
trying to get background. I don’t mean to imply that anything you’re doing is wrong. That is not where
we’re going. I just want to understand what it is that you’re doing and what you’re trying to accomplish.”
People feel really threatened by these things and so we have to remember that.

So, we’ve got all of those different pieces that are happening, and we want to think about ourselves in
listen mode. And it is so hard, because our job is to solve things, is to fix things and is to get things done.
But, when we’re trying to bring these pieces together, it’s so important to put ourselves into the mode of
hearing and listening—not just what people are saying, but what they might actually need. Ask as many
questions as you can. “How will this help?” In a positive way. Not in a negative way, like, “How will that
help you?” But, “How will that help you? What would you be able to accomplish? Tell me more about that.
That’s really interesting. I’m really interested in that.” Get all of that information and feel free to take a
step, take a step back, whatever you need to do to take a breath. Think through, and maybe you don’t do
it in that same meeting, but, “You know, these are really important things that you’re raising. I hear you
and I hear your needs. Let me think about ways that we can achieve this.”

Once you get to that point, you want to work with your business team to ask questions about, “I’ve been
thinking more about that need that you identified, and I would love to know, what do you think about this
approach for collecting information? Do you think this would work? Do you think this mechanism for
getting consent would work? Wow, it sounds like providing rights and responding to rights the way you
have data structured right now could be really complicated. These are five different ways that I’ve seen
other organizations approach this. Does that make sense for you? Do any of these make sense? Let’s
iterate together.”

Another thing we like to use, and one of my favorite catch phrases, is design thinking. Pilots, testing, let’s
just give it a try. It’s interesting in the legal world that we feel very uncomfortable launching anything—
privacy compliance—unless it’s perfect. It’s got to be the best, and the best ever. I don’t know why! No
other part of the organization does that. They say, “Oh, we’re launching this test, we’re going to do this
trial…” Why don’t we do that? Now, I’m not saying that it should be something that doesn’t comply with
the law. Yes. And that doesn’t match our current policies and procedures, but there’s lots of ways that we
can accomplish things and trying things, trialing things, we should feel comfortable doing that. So, just
give it a try and work collaboratively with your business team.

Summary

• Privacy governance refers to components guiding a privacy function toward compliance with
privacy laws and regulations and enabling them to support the organization’s broader
business goals, which are:
o Creating a privacy vision and mission statement
o Defining program scope
o Selecting a privacy framework
o Developing a privacy strategy
o Structuring the privacy team
• There is no standard organizational structure for privacy across organizations. When determining
where privacy will sit in the organization, you may wish to consider which department has the most
influence; has global scope; is the best-funded; best executes enterprise projects; and/or is the
strongest supporter of privacy.

Program and policy frameworks

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 6

Learning objectives

• Define privacy program frameworks

• Discuss common privacy program frameworks

• Outline the phases of the privacy policy life cycle

Privacy program framework: Definition

Once a privacy strategy is confirmed, an organization can move on to determine a privacy framework.
What distinguishes a privacy strategy from a privacy framework?

A privacy strategy can be thought of as the “why”: Why is privacy important to our organization?

A privacy framework can be considered the “what”: What form or structure will our privacy program take?

Privacy program frameworks provide implementation roadmaps that guide the privacy team through
privacy management and prompt them for the details to determine all privacy-relevant decisions for the
organization.

Privacy program frameworks:

• Provide a benchmark to measure your program.

• Generally include policies, procedures and processes to ensure the organization knows how to be
compliant with the framework.

• Offer structure or checklists to guide the privacy team through privacy management, including
controls or statements which need to be operationalized.

• Can be either a standard, a law/regulation, or an industry standard framework. There is no one-

size-fits-all framework. Usually, an organization combines components from multiple sources (for
example, ISO 27001, ISO 27701, GDPR and U.S. state privacy laws) to create their framework.

Connect the statements below to determine some of the benefits of privacy program frameworks.

Reduce… risk

Avoid/plan for… incidents of data loss

Sustain… market value and reputation

Provide… measurements in compliance with laws, regulations and standards

Develop and implement the privacy program/policy framework

Take the time to thoroughly develop your privacy program or policy framework so that it rests on a strong
foundation.

A program framework includes organizational policies, standards and guidelines, as well as clearly defined
program activities.

To implement the developed framework, you must communicate it to internal and external stakeholders
and ensure continuous alignment to applicable laws and regulations.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 7

Current privacy frameworks

The term framework is used broadly for the various processes, templates, tools, laws and standards that
may guide the privacy professional in privacy program management.

Privacy frameworks began emerging in the 1970s. They can be broadly grouped into three categories:
principles and standards; laws, regulations and programs; and privacy program management solutions.

Click on the tabs to learn more about example frameworks listed within each category.

Principles and standards

Fair Information Practices (FIPs), sometimes referred to as Fair Information Practice Principles
(FIPPS), provide basic privacy principles central to several modern frameworks, laws and regulations.
Practices and definitions vary: rights of individuals (notice, choice and consent, data subject access);
controls on information (information security, information quality); information life cycle (collection,
use and retention, disclosure); and management (management and administration, monitoring and
enforcement).

The Organisation for Economic Co-operation and Development (OECD) Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data are the most widely accepted
privacy principles; together with the Council of Europe’s Convention 108, they are the basis for the
EU’s General Data Protection Regulation (GDPR).

The American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered
Accountants (CICA), which have formed the AIPCA/CICA Privacy Task Force, developed the
Generally Accepted Privacy Principles (GAPP) to guide organizations in developing,
implementing and managing privacy programs in line with significant privacy laws and best practices.

The Canadian Standards Association (CSA) Privacy Code became a national standard in 1996
and formed the basis for PIPEDA.

The APEC Privacy Framework enables Asia-Pacific data transfers to benefit consumers, businesses
and governments.

ETSI is a nonprofit organization that provides standards related to information and communication
technology, especially in Europe.

ISO is an international standard setting body. Standards 27701, the 8000 series, 15489, the 2700
series and 22301 are particularly relevant to the privacy professional.

Laws, regulations and programs

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and
Australian Privacy Principles (APPs) provide well-developed and current examples of generic privacy
principles implemented through national laws.

EU data protection legislation includes the General Data Protection Regulation (GDPR), which
offers a framework for data protection with increased obligations for organizations and far-reaching
effects.

Brazil’s Lei Geral de Proteção de Dados (LGPD), inspired by the GDPR, creates a new legal
framework for the use of online and offline personal data in Brazil in the private and public sectors.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 8

China’s new law, the Personal Information Protection Law (PIPL), forms an overarching
framework along with the Cybersecurity Law and the Data Security Law to govern data protection,
cybersecurity and data security in China.

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law passed to create
national standards for electronic healthcare transactions, among other purposes. HIPAA required the
U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and
security of personal health information. The basic rule is that patients must opt in before their
information can be shared with other organizations—although there are important exceptions, such as
for treatment, payment and healthcare operations.

Local data protection authorities, such as France’s Commission nationale de l’informatique et des
libertés (CNIL), provide guidance on legal frameworks.

Binding corporate rules (BCRs) are legally binding internal corporate privacy rules for transferring
personal information within a corporate group. Article 47 of the GDPR lists minimum requirements of
BCRs (e.g., application of GDPR principles). Under the GDPR, BCRs must be approved by the
appropriate regulators.

Privacy program management solutions

Privacy-by-design (PbD) solutions are built by organizations to ensure consumers’ privacy

protections at every stage in developing their products. These include reasonable security for
consumer data, limited collection and retention of such data, and reasonable procedures to promote
data accuracy.

The National Institute of Standards and Technologies (NIST) has published “An Introduction to
Privacy Engineering and Risk Management in Federal Systems,” introducing concepts of privacy
engineering and risk management for federal systems: a common vocabulary to facilitate better
understanding and communication of privacy risk within federal systems and effective
implementation of privacy principles. Two key components support the application of privacy
engineering and risk management: privacy engineering objectives and a privacy risk model.

NIST also published the “Framework for Improving Critical Infrastructure Cybersecurity,” (April
2018), which enables all types of organizations to apply the principles and best practices of risk
management to improving security and resilience. The framework provides a common organizing
structure for multiple approaches to cybersecurity by assembling effective standards, guidelines and
practices.

The American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered
Accountants (CICA) created WebTrust, now managed by the Chartered Professional Accountants of
Canada (CPA Canada), through which accountants can become certified to conduct privacy
evaluations.

Vendors may provide tools and frameworks for privacy compliance and management.

The policy life cycle

Within an organization, the people involved in privacy governance must understand the privacy policy life
cycle. Doing so will help them keep their policies active, effective and known throughout the organization.

Privacy policies are discussed in more depth in module 6.

Click on each phase of the policy life cycle to learn what is involved.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 9

• Draft inward-facing policies that are practical, simple and easy to understand. Work with legal to
ensure compliance with legal requirements. Make sure policies are aligned and consistent.
• Get approval from decision-makers and stakeholders.
• Disseminate and socialize policies to all employees. Look for formal and informal opportunities to
spread the word.
• Train employees and enforce policies. Consequences of noncompliance should be clear and
consistent.
• Review and revise policies regularly: at least annually, after a breach or another major incident, or
when business circumstances change, such as via an acquisition or merger.

Summary

• Privacy program frameworks provide implementation roadmaps that guide the privacy team
through privacy management and prompt for the details to determine privacy-relevant decisions for
the organization. While strategies provide the why (why privacy is important), frameworks provide
the what (what form the program will take).
• Common privacy program frameworks include principles and standards such as FIPs, OECD
guidelines, GAPP, CSA, the APEC Privacy Framework, ETSI, and ISO; laws, regulations and
programs such as PIPEDA and APPs, the GDPR, HIPAA, CNIL, and BCRs; and privacy program
management solutions such as PbD, NIST, and WebTrust.
• The privacy policy life cycle phases involve:
o Drafting inward-facing policies that are practical, simple and easy to understand
o Getting approval from decision-makers and stakeholders
o Disseminating and socializing policies to all employees
o Training employees and enforcing policies
o Reviewing and revising policies regularly

Governance: Team structure and roles

Learning objectives

• Compare and contrast privacy governance models

• Describe a data protection officer’s (DPO) required skill set and typical responsibilities

• Discover ways to receive buy-in for a privacy program

Privacy governance models (1)

Within an organization, privacy governance may be centralized, localized or a combination of both.

When creating your privacy office governance model, consider the existing organizational structure, any
existing governance models, the position and authority of the privacy team, the maturity of the program,
the involvement level of senior leadership and internal stakeholders and the development of internal
partnerships.

The governance model utilized may change over time.

Click on each governance model to learn more.

Centralized

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 10

In a centralized approach, one team or person is responsible for privacy-related affairs. This model
works best in organizations that use single-channel functions with planning and decision-making
completed by one group.

Localized/decentralized

In a local or decentralized approach, decision-making is delegated to lower levels of the

organization. This model widens the span of control and allows decisions and information to flow
from bottom to top.

Hybrid

The hybrid model combines centralized and local or decentralized governance. It is most common
when a large organization assigns an individual or team responsibility for privacy-related affairs for
the rest of the organization. Local entities support the central governing body.

Privacy governance models (2)

There is no perfect privacy governance model. Review the lists of advantages and disadvantages below,
then match them to the relevant model.

Centralized
Advantages: Streamlined processes and procedures
Disadvantages: Individual employees cannot make decisions

Local
Advantages: Bottom-to-top flow of information
Disadvantages: Lack of centralized process can create duplication of efforts

Hybrid
Advantages: Offers the resources of a larger, centralized organization
Disadvantages: Decentralized decision-making provides less big-picture vision

Structure the privacy team

The structure of the privacy team will also vary by organization size. In a large organization, the team
may include a chief privacy officer, global privacy officer, privacy manager and analysts, business line
privacy leaders and designated “first responders” to a privacy incident.

Small organizations may designate a single privacy officer who manages privacy in addition to his or her
other duties. Regardless of size, it is important that an organization has a point of contact for privacy
issues. The organization should consider using project or program management resources to orchestrate
the program, especially during program initiation.

Some legislation requires organizations to appoint a data protection officer under certain circumstances.
Even if an organization does not need to appoint a DPO, it is good practice to review this requirement
periodically.

Privacy champions, executives who serve as privacy program sponsors and act as advocates to further
foster privacy as a core organizational concept, are also crucial to an organization’s privacy team.

The DPO role

The European Union’s General Data Protection Regulation, or GDPR, requires all public authorities in the
EU, and many private organizations within and outside the EU, to appoint a data protection officer.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 11

Organizations that fall under the scope of the GDPR, whose core activities involve processing personal
data on a large scale, or who consistently process highly sensitive data, must appoint a DPO. Further, the
Article 29 Working Party recommended that most organizations err on the side of caution by appointing a
DPO, whether or not strictly obligated to by law. Voluntarily appointed DPOs will also be subject to GDPR
compliance.

The DPO position is a professional role with many responsibilities. According to Article 37(5) of the GDPR,
it must be filled with someone “designated on the basis of professional qualities” with “expert knowledge
of data protection law and practices.”

Click on the “Continue” buttons to reveal the tasks and skills required of a DPO.

DPO Job Description

Tasks

• Work closely with regulators and advise stakeholders to work toward compliance
• Ensure organizations are aware of their training and awareness obligations
• Keep up with changes in law and technology
• Build, implement and manage privacy programs

Skills

• Risk/IT: Experience assessing risk and best practice mitigation

• Legal expertise/independence: Knowledge of relevant laws and regulations (including
outsourcing activities)
• Communication: Interpersonal flexibility and ability to effectively communicate with
business functions (legal, IT, etc.)
• Leadership/broad exposure: Project management and ability to manage own professional
development
• Self-starter/board level: Able to fulfill the role autonomously
• Common touch/teaching: Able to speak to citizens, handle requests/complaints and train
others to assist data subjects
• Credible/no conflicts of interest

Operationalizing the DPO role (1)

One Earth Medical has placed Mary in charge of hiring its first DPO. She must review the following
responsibilities of the DPO, and those of the organization as well, which are set out by the GDPR and
further explained by the Article 29 Working Party’s* “Guidelines on Data Protection Officers.”

Click “Continue” to review these responsibilities.

*Upon enactment of the GDPR, May 25, 2018, the Article 29 Working Party was replaced by the European
Data Protection Board. However, the opinions from the Working Party are still valid.

DPO Job Description

DPO’s responsibilities

• Working with regulators: The DPO should be acquainted with relevant regulators (in
jurisdictions where the organization does business) and have a positive working relationship
with them
• Accessibility to data subjects: The Article 29 Working Party stressed the importance of DPOs
being available to answer data subjects’ questions

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 12

• Assessing privacy risk: Privacy impact assessments or data protection impact assessments
should be conducted to understand and mitigate privacy and data protection risks to
individuals whose personal data is being collected. It is also a requirement under GDPR and
other privacy regulations. The DPO should provide advice regarding when and how these
are conducted.

Organization’s responsibilities

• DPO independence: The DPO may hold another position within the organization as long as
that position’s functions do not conflict with that of the DPO and is not a position, such as
the CEO, that makes decisions about the means of processing personal data
• DPO involvement: The organization must ensure open communication with the DPO and
involvement of the DPO in all issues related to personal data protection
• DPO resources: The DPO must be provided with all necessary resources to carry out the
tasks required of the role, including:
o Access to personal data and processing operations
o Sufficient time to fulfill duties
o Financial resources
o Continuous training
• DPO reporting structure: The DPO should report to the highest levels of management
• DPO dismissal and penalties: A DPO may not be dismissed or penalized for performing DPO-
related duties

Operationalizing the DPO role (2)

Mary’s supervisor approaches her with some concerns about the DPO role.

Click on the speech bubbles to follow Mary’s conversation with her supervisor. But before revealing Mary’s
answers, consider each question using your own existing knowledge.

Does the individual in this position need to be located in Europe?

The Article 29 Working Party’s “Guidelines on DPOs” recommended the DPO be located in Europe.
Logistics, such as ability to communicate with data subjects and regulators, should be of top
importance. In addition, we must keep in mind that this individual should be involved in all issues
related to the protection of personal data and be in a position to communicate important issues to
the highest level of management.

How can we ensure the DPO is not in a position that poses a conflict of interest?

While the DPO may hold another position within the company, the Article 29 Working Party
recommended against appointing someone with a role that requires determining the “the means of
the processing of personal data.” This includes most senior management roles, as well as others.

Would it be possible for us to contract with an external service provider to fulfill this role?

Yes. According to the Article 29 Working Party, a DPO may be an internal staff member or external
provider. If external, there should be a lead designated contact, and tasks of the DPO’s team
should be clearly allocated.

Can we appoint the same DPO to serve all divisions of One Earth Medical?

The Article 29 Working Party stated, “A group of undertakings may designate a single DPO.” Yet we
need to ensure the DPO is accessible to the data subjects, supervisory authorities and One Earth
Medical employees. This includes the ability to communicate in appropriate languages. A team may
be required to help the DPO with these responsibilities.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 13

Could the DPO be held personally responsible for noncompliance with the GDPR?

No. The Article 29 Working Party clearly stated that it would be the organization, acting as the data
controller or processor, that would be held responsible for noncompliance with the GDPR.

Receiving buy-in for a privacy program

Building a privacy strategy may mean changing the mindset and perspective of an entire organization.

Get buy-in by building relationships and finding a champion outside the privacy office. Pitch privacy both
formally and informally. For example, you will need to demonstrate where and how privacy can both
generate revenue and cut costs. Stakeholders should be mobilized across functions by creating steering
groups, designating responsibilities and following up on discussions and decisions.

View the IAPP series, “The Privacy Imperative,” for more on developing a culture of privacy in your
organization and explicating the need to elevate privacy as a business asset:
https://iapp.org/train/imperative/.

Communication and awareness

Once your privacy program has been established, you must create awareness of the program both
internally and externally.

Building privacy awareness and generating support for the organization’s privacy program involves
communicating that privacy success can only happen with organization-wide effort. Each department
needs to know that its activities have actual, lasting impacts on data protection.

In an era of increasing regulation, advanced privacy programs can help protect consumer data and create
the trusting and intimate customer relationships that marketers want. Communicating your privacy
program externally can help build customer confidence in your organization and deliver measurable
returns.

From an expert: Collaborating across the organization

Kulwinder Johal, Group Data Protection Officer, Severn Trent PLC

The “ivory tower.” I think a lot of DPOs are lawyers. Not all, but a lot are. And I think that feels a lot
trickier to navigate to a lot of individuals and companies because they don’t always feel like they’re able to
approach someone in the legal team.

I think the other aspect is that the ivory tower syndrome comes from, as a DPO or as a privacy manager,
you don’t have that proper engagement, don’t take time out to listen to other individuals, you don’t go
and sit face-to-face with people, I think. If you just send emails, if you don’t pick up the phone when
people call you, I think they’re the symptoms of being “ivory tower/unapproachable,” always saying no. I
have people who joke with me about, “Well, I’m going to ask you something and I’m pretty sure you’re
going to say no.”

And that’s how they start the conversation. And halfway through when they realize—actually, either I’ve
given them a more practical solution or actually agreed that in this instance they actually needed all of
that data for that purpose and it’s absolutely fine. But we need to put in some actions to make sure that
we remove the risk as far as possible. I think once people have gone through that, they feel that, actually,
it is ok. There isn’t always going to be a no. It’s always about helping them to think more clearly about
what they really need and why. And then asking for the support on the data protection elements; of
actions and approach and practicality, really. So, I think, that’s what I like to think I’ve been able to
provide, is that, sort of. I’ve been the conscience of the organization. And people have actually said that

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 14

to me now. Because I have challenged. I haven’t always said no. And I do always make sure that people
can approach me, whether it’s walking down the corridor, or whether it’s calling or messaging. And
actually, tend not to use email a lot because I find it quite formal. And I think other people find it formal.
And they have a different perception of you. I think you just have to be a real person who is contactable.

Certainly, from the perspective of working in a company with 7,000 employees, it’s difficult sometimes
when people call you, but it’s also making time to answer those calls. And a lot of people tend to be quite
shocked when you answer, because they don’t think you’re going to. And even when it’s 8 o’clock on a
Friday night, which is generally when most breaches happen. So, I’m not saying that it’s a 24-hour hotline
but, I think on the odd occasions when people call at those sort of times, I think if you don’t answer, they
stop trying to reach out to you. And the minute they stop trying to reach out to you there’s a real chance
that they’re either not doing the right thing, or they found an easier way to do it, which is probably not
compliant. So, building that rapport, having those relationships makes it far easier for you. Either as DPO
or even as privacy manager to make sure that things continue to run compliantly. And that when
something is wrong, that you are told about it sooner rather than later. And I think by not being
approachable the real issue that you’ll have is that you don’t find out about a breach until it’s too late. And
with only 72 hours to report the breach, it makes it very, very difficult when you’ve just found out about it
in the 71st hour. So, I think certainly my experience has been I tend to find out about any sort of incident
usually within half an hour of it happening, rather than at the end of the time frame. And it gives you a lot
more options about what you need to do. It gives you time to do assessments. It gives you a good feeling
really about people trusting the process and reporting as soon as possible to help mitigate any risks that
may make either for them individually, for you as a DPO, or even for the organization. And I think that
shows the seriousness with which people take data protection.

Having been in the role of running a privacy program as privacy manager, it’s absolutely essential to work
with the DPO. And I think I’ve been really lucky to have that experience where I have worked together. I
think the key aspects of being able to work together have been around building that rapport. But also
having the transparency and making sure there’s clear governance around the deliverables, around the
program, and in terms of the transparency, to make it really clear, what has been done, what hasn’t been
done, the time frames but also that the obstacles and what support is required. I think the difficulty with
some elements with the privacy program are that it can be quite tricky to get everything delivered on time
because there are lots of parallels; work streams and timeframes are pretty much the same probably for
all of them. And you’re probably relying on very similar people to get things delivered. So, there will
always be some tension, there’ll always be some issues on timeframe or resources. And I think by making
it really clear what the priorities are, getting that stakeholder engagement, above and below actually, and
getting the DPO to help with that, I think that’s been a real key to delivering the priorities.

But I think you also have to look at what are the essential deliverables and focus on those. And sometimes
as a privacy manager there is so much to do that you try and juggle all those plates at once and try and
deliver it, but then you actually end up not doing any of those successfully. So, by carving out the top
three, working through those and then adding more in as you can. Because otherwise, as a privacy
manager, you’re also quite stretched and you won’t have the time to assess things properly, monitor,
intervene when you need to. And more importantly, the stakeholder engagement and communications,
which to me was one of the key pieces, it made it not only the biggest part of the role in terms of
deliverables. Because if you can get that bit right, the other bits come easy. But also, just making sure
that, again, that approachable nature sort of comes out and makes it easier for people to come up to you
when there is a problem; to tell you when they aren’t able to do something; to ask the “stupid questions”
and say, “I really don’t understand this,” or, “I need more help,” or, “I need you to define this more
clearly for me.” Whatever it is. I think if you don’t have that sort of engagement and communication skill,
it makes delivering any program far more difficult.

Summary

• The privacy governance models are centralized, localized/decentralized, or hybrid (a combination of

both).
• In the centralized model, one team or person is responsible for privacy-related affairs.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 15

• In the local/decentralized model, decision-making is delegated to lower levels of the organization,

allowing decisions and information to flow from bottom to top.
• The hybrid model combines the centralized and local models and is most common when a large
organization makes an individual or team responsible for privacy-related affairs for the rest of the
organization.
• The DPO position is a professional role with many responsibilities. Examples of the skills a DPO
needs include:
o Experience assessing risk and best practice mitigation
o Knowledge of relevant laws and regulations
o Interpersonal flexibility; effective communication with business functions
o Project management and ability to manage own professional development
o Ability to fulfill the role autonomously
o Ability to handle requests/complaints and train others to help data subjects
o Credibility/no conflicts of interest
• Getting buy-in for a privacy strategy may mean changing an organization’s mindset.
Recommendations include building relationships and finding a champion outside the privacy office;
pitching privacy; and creating steering groups of stakeholders.
• Once your privacy program has been established, you must create awareness of the program both
internally and externally.

Other program contributors and vendors

Learning objectives

• Review considerations for keeping a record of ownership

• Explore ways key functional areas are involved in creating and enforcing privacy policies

• Analyze considerations for choosing a privacy technology product

Keeping a record of ownership

Once the importance of the program has been established, key internal stakeholders may form a steering
committee to ensure clear ownership of assets and responsibilities. Keep a record of these discussions as
a tool for communication and to ensure stakeholders can refer to what was decided.

A RACI matrix can be a useful tool to embed responsibilities and to identify:

• Who is responsible
• Who is accountable
• Who needs to be consulted, and
• Who needs to be informed

A spreadsheet, such as the one shown here, can help document stakeholder ownership. With your own
organization in mind, check off which party is responsible for each task. There are no right or wrong
answers.

Legal DPO CPO Information Information

Technology Security

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 16

Manage the
data privacy
program

Classify data

Develop and
maintain
privacy policies

Monitor and
audit policy
compliance

Investigate
data breaches

Ongoing involvement of key functional areas

Key functional areas help create and enforce the privacy program on an ongoing basis. For example, a
marketing privacy manager should advise and sign off on new marketing initiatives and email campaigns
from a privacy perspective.

Match the following groups within an organization to roles they may play in creating and enforcing a
privacy program.

Learning and development

Translates policies and procedures into teachable content to help contextualize privacy principles
into tangible operations and processes

Communications

Publishes periodic intranet content, email, posters and other collateral that reinforce good privacy
practices

IT

Enhances the effectiveness of the privacy program by adding processes and controls that support
privacy principles

Procurement

Helps ensure contracts are in place with third-party service providers who process personal
information on behalf of the organization

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 17

Internal audit and risk management functions

Auditing and analyzing performance of a governance structure is essential to its success.

The internal audit (IA) and risk management functions review and analyze operations across all
departments within an organization and are responsible for communicating those results.

IA typically reports to an audit committee, and its independence from management helps ensure unbiased
reporting. Its tasks include evaluating the organization’s risk management culture and identifying risk
factors within all systems, processes and procedures; evaluating control design and implementation; and
testing controls to ensure the proper operation.

Risk management ensures business and regulatory requirements are met through detailed market, credit,
trade and counterparty analysis. It then communicates risk and issues throughout the organization.

Considerations for choosing the right privacy tech vendor

Some organizations choose to use privacy tech vendors to help them achieve compliance. A privacy tech
vendor may offer a range of solutions, from assessment management to data mapping to deidentification
and incident response.

Note that a product itself cannot be compliant, but if it is used as part of a properly thought-out privacy
program, then it may help the organization achieve compliance.

Click on the images to reveal items an organization may want to consider when selecting a privacy tech
vendor.

“Privacy pain points”: The need for architectural, policy and technical controls
Organizational needs
Costs vs. savings, risks vs. benefits
Need to “vet” vendors (stability, reputation)
Usability and ability to customize
Contract negotiations
Implementation and training needs

Categories of privacy tech vendors

Privacy tech vendors in the category of privacy program management typically work directly with the
privacy office. They include:

• Privacy assessment management

• Consent management
• Data mapping
• Data subject request management
• Incident response
• Privacy information management
• Website scanning and cookie compliance tools

Enterprise program management services provide solutions designed to support the needs of the privacy
office alongside the overall business needs of an organization. They include:

• Data discovery
• Activity monitoring
• Deidentification or pseudonymization
• Enterprise communications

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 18

Why is privacy technology experiencing rapid growth?

Click to reveal

Countries are increasingly enacting comprehensive data protection laws and privacy regulations that
include strict requirements and significant fines for noncompliance. In addition to the GDPR, other laws,
such as CCPA, CPRA and HIPAA in the U.S., the EU’s ePrivacy Regulation, Canada’s PIPEDA, and China’s
PIPL, will continue to drive the market for privacy technologies.

Growing consumer awareness of data breaches and increasing demands that organizations protect their
information are also, in part, driving development, as is a rise in capital investments in privacy tech
vendors.

GRC tools

Governance, risk management, and compliance, or GRC, is an umbrella term whose scope touches the
privacy office as well as other departments, including HR, IT, compliance and the C-suite.

GRC tools aim to synchronize various internal functions toward “principled performance”—integrating the
governance, management and assurance of performance, risk and compliance activities.

Summary

• It is important to document the ownership of internal stakeholders’ assets and

responsibilities. Some organizations use a RACI matrix, a tool used to embed responsibilities and
identify:
o Who is responsible
o Who is accountable
o Who needs to be consulted
o Who needs to be informed
• Key functional areas help create and enforce the privacy program on an ongoing basis.
Examples of these areas include marketing, learning and development, communications, IT and
procurement.
• Auditing and analyzing a governance structure’s performance is essential to its success. The internal
audit (IA) and risk management functions review and analyze operations across all
departments and communicate their results. IA typically reports to an audit committee, helping to
ensure it remains unbiased. Risk management ensures business and regulatory requirements are met
through detailed analysis.
• Some organizations use privacy tech vendors to help achieve compliance. Solutions may relate
to areas such as assessment management, data mapping, deidentification and incident response.
• Privacy technology is experiencing rapid growth. Reasons for this include the emergence of
comprehensive data protection laws and privacy regulations along with strict requirements
and significant fines for noncompliance under many privacy laws, such as the GDPR. Another factor
is growing consumer awareness of data breaches and increasing demands that organizations
protect their information.

Quiz

1. The chief privacy officer for a telecommunications company wants to revise its privacy mission
statement. What steps would be involved in this process? Select all that apply.

Evaluating the intended objective

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 19

Acquiring knowledge on privacy approaches

Gaining executive sponsor approval

Communicating the organization’s privacy stance to all stakeholders

Monitoring compliance with the company’s privacy policies

2. In differentiating between a privacy strategy and a privacy framework, how can strategy be defined?

As the why

As the what

3. True or false? A law or regulation may constitute a privacy framework.

True

False

4. What type of privacy governance model is defined by a one-team or one-person approach?

Localized/decentralized

Centralized

Hybrid

5. True or false? The privacy team should always comprise more than one person.

True

False

6. Which business function ensures business and regulatory requirements are met through detailed
market, credit, trade and counterparty analysis?

Internal audit

Procurement

Learning and development

Risk management

Closing slide

You have completed Module 2: Privacy program framework: Privacy governance.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.
 20

Quiz answers

1. All responses are correct EXCEPT “Monitoring compliance with the company’s privacy policies”
2. As the “why.” Privacy strategies answer the question of why privacy is important to an organization.
3. True
4. Centralized
5. False
6. Risk management

*Quiz questions are intended to help reinforce key topics covered in the module. They are not meant to
represent actual certification exam questions.

©2023, International Association of Privacy Professionals, Inc. (IAPP). Not for reproduction, distribution or republication.