Staffing your Data Privacy and Protection Program

Welcome to a three-part series on establishing and maintaining a Data Privacy and Protection Program. This series will cover the People, Processes, and Technology considerations for your program. This article focuses on the People consideration.

Data Privacy and Protection has moved beyond being just a compliance requirement to being a business need that establishes trust among all stakeholders. Over ten (10) Caribbean islands have implemented data protection legislation, at various levels of enforcement, which shows their commitment to encouraging good data protection practices. Companies that collect, store, or process personal data must implement controls that meet these legal requirements on an ongoing basis. To accomplish that, consideration should be given to establishing a Data Privacy and Protection Program that will continuously mature data privacy and protection within the company.

What is a Data Privacy and Protection Program?

Like any other program within the company, a Data Privacy and Protection Program is the structure for managing Data Privacy and Protection throughout the company. It will govern how data is protected throughout its lifecycle and control processes for meeting legal requirements. A good program will have a mission, vision, defined scope, and framework to guide its operation.

Data Privacy and Protection Team

The Data Privacy and Protection Program will need a team dedicated to managing and improving the program. While data privacy and protection is everyone’s responsibility and not every organization will be able to dedicate personnel solely to this program, there is still a need to clearly define roles and responsibilities and assign them to individuals. This team will be separate from your Data Protection/Privacy Officer(s) (DPO) as the DPO will need to maintain independence from privacy and protection operations.

Let’s first consider the structure of the team. There are three general options/models:

  • Centralized – Decision-making and governance emanate from a single point in the organization.

  • Decentralized – Decision-making and governance are handled locally from multiple key points.

  • Hybrid – A combination of centralized and decentralized.

Each model has its advantages and disadvantages, which should be evaluated when choosing the right structure for you. The best fit will be determined by your organizational culture, your type of business, your strategic objectives, and the jurisdictions that you operate in. For example, if your organization operates in multiple jurisdictions and has strategic objectives customized to each jurisdiction, then a decentralized or hybrid team may be the right fit for you. Alternatively, if your organization operates in multiple jurisdictions and has a single strategy for all markets, then a centralized team may be more suitable. The IAPP-EY Annual Privacy Governance Report 2021 shows that 48% of firms (that responded to the annual survey) have a global privacy strategy. The remaining 52% were either unsure of their strategy or had some form of localized strategy based on their data subjects’ jurisdiction.

Number of personnel and responsibilities

The number of personnel needed for your program will be driven by the level of data privacy and protection risk associated with your organization and by company size. The IAPP-EY Annual Privacy Governance Report 2021 also shows that the average privacy staff complement is 18 (7 full-time and 11 part-time). This may sound like a lot of personnel for most Caribbean companies, as the average privacy budget in the same report was identified as US$873,000, with a major part of that being staff salaries. So, let’s look at some key responsibilities for the Data Privacy and Protection personnel that will manage your program:

  • Privacy policies, procedures, and governance

  • Awareness and Training

  • Breach/Incident Response

  • Legal compliance

  • Data Protection Impact Assessments and Privacy Impact Assessments

  • Privacy Communications and Executive Reporting

  • Implementation of Privacy Controls

  • Responding to Data Subject Requests

  • Privacy Investigations

As can be imagined, these responsibilities will require some dedication as Privacy becomes more embedded in the organization. A Responsibility Assignment Matrix/RACI Chart should be developed to clearly show who has a part in each responsibility, and training should be provided to all personnel on their role. When selecting personnel to staff this program, consideration should be given to identifying the skills necessary to meet the responsibilities listed above. At a minimum, persons should understand the relevant privacy obligations, have an appreciation for information security, and have the ability to identify and evaluate privacy risks.

Where do we start?

To start, organizations may consider forming a privacy committee comprised of existing personnel, with the focus on identifying privacy obligations and implementing a program to meet these obligations. This committee should include representation from across the organization and include both management and staff to gain insights at all levels. Consideration may also be given to employing the support of an experienced, external consultant to evaluate the current environment and establish this program. A combination of the two is also an option and would show the most commitment to data privacy and protection.