4 Considerations for Privacy Governance
In our previous article, we shared our thoughts on the importance of baseline training and why it should be the first step in data privacy compliance. Along the same line, this week we look at the significance of establishing a governance framework for your privacy compliance program.
Why privacy governance?
Crafting an appropriate governance framework for your privacy program is essential to safeguarding personal data in your organisation. Some benefits of having a sound privacy governance framework are:
a. Facilitating data protection compliance
An efficient governance framework guarantees that your organisation meets all its legal obligations under the current data protection laws. Through this framework your organisation can outline its compliance obligations and map out a path to compliance. Furthermore, you can set out a privacy accountability framework to ingrain a culture of data protection within the organisation.
b. Promoting brand reputation
An efficient privacy program also enhances your organisation’s reputation. If you misuse customer data you run the risk of severe backlash from your clients which in turn dents your corporate image. A case example is the 2016 data breach and subsequent cover-up at Uber Technologies Inc. which saw its customer perception rating drop by 141.3%. A large part of this market share was lost to rival company Lyft Inc. An elaborate privacy governance framework would shield your organisation against such risks.
c. Adopting a proactive approach to data protection
Merely adhering to the mandated data protection laws and regulations is a simplistic approach to privacy. Where an efficient governance framework is in place, the organisation advances from simply reacting to the laws to actively embracing data privacy and using it to your advantage. A proactive approach to data protection tailors your compliance strategy to the realities of your business. In addition, it allows you to foresee potential data risks and employ relevant mitigation strategies.
d. Improving operational efficiency
Another benefit of good privacy governance is improved operational efficiency in all functions that process data in the business. A privacy team is perfectly placed to identify and minimise unnecessary costs that arise from inefficient data processing. They can do this by minimising the duplication of roles, eliminating duplicated data that drives up storage costs etc. In doing so, the team would not only save your business money, but also optimise work flow.
Key Considerations for your Privacy governance structure
1. The privacy vision and mission
A privacy vision statement is an aspirational statement that articulates what the organisation would like to achieve regarding data protection. Through the vision statement, the company’s leadership communicates core privacy values to other stakeholders in the organisation.
A mission statement is a succinct statement describing why a data privacy framework exists and the overall goals of the framework. ,Moreover, it describes some of the core principles embodied in the framework.
Both these statements embed a culture of privacy within the organisation that enables compliance. When stated in outward-facing communications like privacy policies, they demonstrate to the public a care for their personal information thus reaping the benefits of trust and loyalty.
A perfect example of this is Apple’s privacy mission statement which reads as follows:
“Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.”
2. Data governance
When crafting your privacy governance framework, you should deeply consider your organisation’s data governance system. Data governance is a system which defines what type of data is handled in your business, how it is handled, by whom, how it flows throughout the organisation etc. Personal data is the central focus of privacy compliance therefore your privacy governance framework should demonstrate a keen understanding of the data processing operations of your business. Using data maps and similar data tracking tools you can document the footprint of data from when it is collected and recorded to when it is erased and disposed. As a result, you paint a holistic picture of your organisation’s interaction with personal data which guides your privacy governance program.
3. Positioning the privacy governance function
In addition, consider how your privacy function will fit within your current internal and external reporting structures. Privacy governance needs to be strategically domiciled in the business to oversee crucial data processing operations. To illustrate, complex organisations with several department heads may need decentralise privacy compliance so as to incorporate all the departments that process personal data in the organisation. Conversely, a small or mid-sized enterprise might centralise the function by assigning it one person such as the CEO. In so doing, any policies, protocols or orders that are issued can be easily tracked and implemented throughout the enterprise.
Moreover, organisations with stringent statutory requirements like government agencies and multinational corporations will need to align their privacy framework to their legal reporting obligations.
Basically, establishing a privacy governance framework requires a broad understanding of the upstream and downstream interaction of stakeholders and the process of decision-making and issue resolution within your organisation.
4. Resourcing your privacy governance function
a) Appointment of a Privacy Team
Once you have conceptualised the privacy governance framework and defined its objectives, the next step is to appoint a team. Depending on the organisation’s needs, a single individual may manage the entire function or an all-inclusive team may take it up. The team may comprise of individuals skilled in data protection or of data privacy champions from different departments.
The Data Protection Act recommends the appointment of a data protection officer(DPO) for organisations that regularly or systematically process personal data or for those that handle sensitive personal data. However, any organisation may appoint a DPO to facilitate the privacy compliance process. The DPO must have relevant academic or professional qualifications in matters relating to data protection. This individual may be a staff member who handles other duties but they must not directly interact with personal data. This prevents any blatant conflicts of interest. Further, group entities can appoint a single DPO depending on their organisational structure.
b) Prescribing roles and responsibilities to the privacy governance team
Another key consideration is the roles and responsibilities of your privacy team. It is important to describe the roles and responsibilities of the data privacy team to avoid any oversights or mix-ups moving forward, the cost of which can be ruinous to the business. Like the structure, the roles and responsibilities of the privacy team are unique to every business. Some basic responsibilities include:
- Legal scoping assessments – fact-finding exercise on the extent of data processing within the organisation
- Data-mapping – showing how data flows within the organisation, including data storage, disposal, transfer, and sharing procedures
- Gaps assessment – identifying any compliance gaps identified from the data map and making recommendations
- Implementation of the data compliance roadmap – including registration with the Data Commissioner, Ensuring ICT security measures, instituting data protection policies and procedures etc.
- Advising the organisation on existing and arising data processing requirements
- Governance and strategy – Establishing and maintaining a data privacy governance model and strategy to respond to the changing landscape
- Facilitate capacity-building of staff involved in data processing through training and sensitisation
- Act as a liaison between the organisation and the Office of the Data Commissioner – for breach reporting, registration renewal, complaint handling etc.
- Liaise with data subjects – to facilitate their rights, receive requests, handle complaints etc.
c) Budget considerations
You also need to consider the financing of your privacy program. Management needs to approve funding to resource and equip the privacy governance framework. Some budget items may include funding privacy software, supporting privacy training and awareness, incorporating accountability measures for privacy policies and procedures etc. An assessment of the threat landscape of your organisation’s data processing activities would guide the budget allocation for the privacy team (i.e. more finances would go to a privacy team that manages high risk data processing).
Data protection compliance is not a one-off expense therefore budget allocations need to be regular and flexible to cater to emerging needs.
Embarking on a privacy compliance journey without a governance plan in place is futile, however, the governance framework adopted must be well structured and properly tailored to your organisation for the best compliance results.
Next week’s article will give more insight to organisations looking to comply with data protection laws in Kenya by exploring the process of data mapping.Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.