Staffing your Data Privacy and Protection Program
Welcome to part two of a four-part series for establishing and maintaining a Data Privacy and Protection Program. This article focuses on staffing your data privacy and protection program.
Data Privacy and Protection Team
The Data Privacy and Protection Program will need a team of people dedicated to managing, monitoring, and improving the program. While data privacy and protection are everyone’s responsibility, not every organization will be able to dedicate personnel solely to this program. However, there is still a need to clearly define roles and responsibilities and assign them to individuals. This team will be separate from your Data Protection/Privacy Officer(s) (DPO) as the DPO will need to maintain independence from privacy and protection operations.
There are benefits to assigning these responsibilities to existing personnel, as they will already understand the business needs and can quickly adopt privacy requirements. However, they may not have the capacity to take on additional responsibilities and therefore not make privacy a priority. Considerations may also have to be given to adjusting their compensation to reflect their new roles. Alternatively, hiring new personnel or re-assigning employees allows personnel to prioritize data privacy and protection responsibilities but may be a bit more costly and slower to adopt. Each option should be evaluated based on the level of risk associated with data privacy and protection to determine the level of commitment required to mitigate those risks.
Let’s first consider the structure of the team. There are three general options/models:
• Centralized – Decision-making and governance permeates from a single point in the organization.
• Decentralized/local – Decision-making and governance are handled locally from multiple key points.
• Hybrid – Combination of centralized and decentralized.
Each model has its advantages and disadvantages, which should be evaluated when choosing the right structure for you. The best fit will be determined by your organizational culture, your type of business, strategic objectives, and jurisdictions in which you operate. For example, if your organization operates in multiple jurisdictions and has strategic objectives customized to each jurisdiction, then a decentralized or hybrid team may be the right fit for you. Alternatively, if your organization operates in multiple jurisdictions and has a single strategy for all markets, then a centralized team may be more suitable. The IAPP-EY Annual Privacy Governance Report 2021 shows that 48% of firms (that responded to the annual survey) have a global privacy strategy. The remaining 52% were either unsure of their strategy or had some form of localized strategy based on their data subject’s jurisdiction.
Number of personnel and responsibilities
The number of personnel needed for your program will be driven by the level of data privacy and protection risk associated with your organization and company size. The IAPP-EY Annual Privacy Governance Report 2021 also shows that the average privacy staff complement is 18 (7 full-time and 11 part-time). This may sound like a lot of personnel for some Caribbean companies as the average budget for privacy spent in the same report was identified as US$873,000, with a major part of that being staff salaries. So, let’s look at some key responsibilities of Data Privacy and Protection personnel that will manage your program:
Privacy policies, procedures, and governance
Awareness and Training
Data Protection Impact Assessments and Privacy Impact Assessments
Privacy Communications and Executive Reporting
Implementation of Privacy Controls
Responding to Data Subject Requests
As can be imagined, these responsibilities will require some dedication as Privacy becomes more embedded in the organization. A Responsibility Assignment Matrix/RACI Chart should be developed to clearly show each person their responsibility and provide training to all personnel on their respective roles. When selecting personnel to staff this program, consideration should be given to identifying the skills necessary to meet the responsibilities listed above. At a minimum, persons should understand relevant privacy obligations, have an appreciation for information security, and have the ability to identify and evaluate privacy risks.