In our previous article, we shared our thoughts on the importance of baseline training and why it should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program. Why privacy governance? Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits of having a sound privacy governance framework are: a. Facilitating data protection compliance An efficient governance framework guarantees that your organisation meets all its legal obligations under the current data protection laws. Through this framework your organisation can outline its compliance obligations and map out a path to compliance. Furthermore, you can set out a privacy accountability framework to ingrain a culture of data protection within the organisation. b. Promoting brand reputation An efficient privacy program also enhances your organisation’s reputation. If you misuse customer data you run the risk of severe backlash from your clients which in turn dents your corporate image. A case example is the 2016 data breach and subsequent cover-up at Uber Technologies Inc. which saw its customer perception rating drop by 141.3%. A large part of this market share was lost to rival company Lyft Inc. An elaborate privacy governance framework would shield your organisation against such risks. c. Adopting a proactive approach to data protection Merely adhering to the mandated data protection laws and regulations is a simplistic approach to privacy. Where an efficient governance framework is in place, the organisation advances from simply reacting to the laws to actively embracing data privacy and using it to your advantage. A proactive approach to data protection tailors your compliance strategy to the realities of your business. In addition, it allows you to foresee potential data risks and employ relevant mitigation strategies. d. Improving operational efficiency Another benefit of good privacy governance is improved operational efficiency in all functions that process data in the business. A privacy team is perfectly placed to identify and minimise unnecessary costs that arise from inefficient data processing. They can do this by minimising the duplication of roles, eliminating duplicated data that drives up storage costs etc. In doing so, the team would not only save your business money, but also optimise work flow. Key Considerations for your Privacy governance structure 1. The privacy vision and mission A privacy vision statement is an aspirational statement that articulates what the organisation would like to achieve regarding data protection. Through the vision statement, the company’s leadership communicates core privacy values to other stakeholders in the organisation. A mission statement is a succinct statement describing why a data privacy framework exists and the overall goals of the framework. ,Moreover, it describes some of the core principles embodied in the framework. Both these statements embed a culture of privacy within the organisation that enables compliance. When stated in outward-facing communications like privacy policies, they demonstrate to the public a care for their personal information thus reaping the benefits of trust and loyalty. A perfect example of this is Apple’s privacy mission statement which reads as follows: “Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.” 2. Data governance When crafting your privacy governance framework, you should deeply consider your organisation’s data governance system. Data governance is a system which defines what type of data is handled in your business, how it is handled, by whom, how it flows throughout the organisation etc. Personal data is the central focus of privacy compliance therefore your privacy governance framework should demonstrate a keen understanding of the data processing operations of your business. Using data maps and similar data tracking tools you can document the footprint of data from when it is collected and recorded to when it is erased and disposed. As a result, you paint a holistic picture of your organisation’s interaction with personal data which guides your privacy governance program. 3. Positioning the privacy governance function In addition, consider how your privacy function will fit within your current internal and external reporting structures. Privacy governance needs to be strategically domiciled in the business to oversee crucial data processing operations. To illustrate, complex organisations with several department heads may need decentralise privacy compliance so as to incorporate all the departments that process personal data in the organisation. Conversely, a small or mid-sized enterprise might centralise the function by assigning it one person such as the CEO. In so doing, any policies, protocols or orders that are issued can be easily tracked and implemented throughout the enterprise. Moreover, organisations with stringent statutory requirements like government agencies and multinational corporations will need to align their privacy framework to their legal reporting obligations. Basically, establishing a privacy governance framework requires a broad understanding of the upstream and downstream interaction of stakeholders and the process of decision-making and issue resolution within your organisation. 4. Resourcing your privacy governance function a) Appointment of a Privacy Team Once you have conceptualised the privacy governance framework and defined its objectives, the next step is to appoint a team. Depending on the organisation’s needs, a single individual may manage the entire function or an all-inclusive team may take it up. The team may comprise of individuals skilled in data protection or of data privacy champions from different departments. The Data Protection Act recommends the appointment of a data protection officer(DPO) for organisations that regularly or systematically process personal data or for those that handle sensitive personal data. However, any organisation may appoint a DPO to facilitate the privacy compliance process. The DPO must have relevant academic or professional qualifications in matters relating..
