Practical Advice for Privacy Program Management
By Axiom Law
The privacy landscape is ever-changing and regularly growing more complex. The General Data Protection Regulation (GDPR) is the most recognized and urgent example of constant privacy evolution. In order to remain compliant with GDPR, by December 27, 2022, all previously executed standard contractual clauses (SCCs) must be replaced with new SCCs regarding the transfer of personal data to third countries. But, regardless of where a company is headquartered, new and proliferating privacy regulations present increasingly critical operational challenges for in-house legal departments worldwide.
Just a few years ago, many large companies didn’t even have privacy departments. But since GDPR was adopted in 2018, and with over 120 countries and various states in the U.S. adopting their own data privacy regulations, the need for well-managed data privacy programs has never been greater.
The smartest and most innovative in-house legal teams now recognize that privacy program implementation is not enough; companies’ privacy programs must be well-managed and regularly updated in order to avoid hefty fines for their companies and, arguably more importantly, to keep the trust of their customers. Simply put, getting it wrong is expensive – fiscally and reputationally. While privacy program implementation and management can put a strain on already overburdened legal departments, crafting a strategic plan of action and implementing that plan using the right kind of privacy resources and legal talent can make it far less overwhelming.
Building a privacy program, introducing new compliance efforts
Start-ups or newer businesses working on getting their privacy programs off the ground and those introducing new compliance efforts to existing programs to align with the upcoming SCC deadline should start by examining the framework through which their company views privacy. Data privacy program implementation and management isn’t just about compliance – it’s about doing the right thing.
The first question data privacy leaders must ask is, “Why does this matter to our business?” In addition to fines, an ineffective data privacy program can lead to business disruptions, a loss of productivity across the company, and a significant reputational impact. Then, it’s important to effectively and regularly communicate that “why” to their teams.
Though it may seem daunting, taking a comprehensive approach, or looking at the bigger picture before the smaller details, is beneficial when it comes to data privacy, particularly for companies that operate on a global scale. This doesn’t mean you can’t customize certain aspects of the program, when appropriate, from one country to another. In fact, you often must. However, keeping data siloed to a particular location can create more work, especially for companies that operate globally.
Where should you start when building a privacy program or introducing new compliance efforts?
Whether your company is just now launching a privacy program or building onto an existing program, the first step after defining the “why” should be determining who will own the privacy program and identifying its key stakeholders. Strategic, effective privacy programs involve team members from almost every department, not just the in-house legal department. For example, stakeholders should be pulled from risk management, quality assurance, compliance, data, human resources, records management, and information technology, to name just a few.
Given the complexity of a cross-functional team, it’s important to understand how your organization operates before determining how the privacy program will fit into its existing structure. Part of understanding that structure is identifying which needs or skillsets will need to be met by an external partner. You might find you don’t have all the resources in-house to stand up a privacy program, or to fully support ongoing program management. You might also find that even if you could hire all the privacy experts needed for a given regulation, the permanence of those full-time hires is not warranted, as privacy needs ebb and flow over time, and acute specialty needs will vary depending on specific regulatory challenges.
A top-down approach to buy-in
Winning company buy-in requires a top-down approach. Meeting with leadership at the beginning and throughout the process can both keep them engaged and help to keep the privacy program management team accountable. Importantly, it allows them the opportunity to provide invaluable, strategic input.
When speaking with leadership, it’s better to overcommunicate the risks of non-compliance. Fines and penalties are just the tip of the iceberg when it comes to the pitfalls of failing to effectively implement new regulations. Reputational damage can be catastrophic. Identify exactly what this would mean for your organization so you can translate it clearly and reiterate it regularly.
Keeping senior management apprised of the plan and your progress is imperative, too. Even if you’re doing all the right things and have it all under control, if they aren’t kept updated, they’ll likely have concerns.
Hold a kickoff meeting to create team buy-in, identify stakeholders
An effective way to identify stakeholders and increase organizational awareness is by holding a kickoff meeting. In this meeting, you can go over the requirements and educate stakeholders in all departments about the program. The more they know and understand about your efforts, the more invested they will be in the success of the program. The kickoff meeting is also an effective way to identify those stakeholders who will be heavily involved in privacy program management.
During the meeting and in all communications about the program, avoid using legalese and summarize the program’s goals in language that will be easy to understand, regardless of each stakeholder’s background and area of expertise. You might also consider preemptively compiling a list of frequently asked questions and answers and tailoring your message and tone when speaking with stakeholders in different departments.
Thorough and effective training is imperative to create buy-in. Creating a video team members can go back and refer to that explains the purpose of the program can be helpful. Be sure to include real examples, what the program might end up looking like, and how it will work, and of course, reiterate the “why.”
Identify quick, easy wins to boost morale
Identifying and sharing quick, easy wins throughout the process of setting up a new privacy program or introducing a new compliance effort is an effective way to boost your team’s morale and make the project less daunting. Creating a brief, easy-to-digest newsletter that goes out to the internal team on a regular cadence can keep them apprised of the latest updates. This way, they’re kept in the loop about the progress that’s being made.
The toughest tasks associated with creating a privacy program and introducing new compliance efforts
Globalizing the program - With varying legislation across the world, globalizing your privacy program to ensure universal compliance can be challenging.
Translating foreign legislation to a domestic audience - Educating team members about foreign legislation and its impact on your business can be challenging, too. Stakeholders should understand that sometimes, depending on the specific legislation of a country, they might require an exception.
Implementing legislation with no enforcement history - Newer privacy legislation doesn’t have an enforcement history, making it ambiguous and often difficult for team members to understand.
Getting budgetary approval - Even with a supportive leadership team, you will likely still need to compete for the budget you need to stand up or implement new privacy compliance measures.
Even with an exceptional in-house team, most organizations will need additional support from outside resources when setting up a privacy program or implementing new compliance efforts due to the challenges outlined above. Many organizations need ongoing privacy program management support, too. Axiom’s Core-Bench-Firm (CBF) model offers organizations an agile layer of flexible talent who have experience in each of these areas while remaining more budget-friendly than the typical costs of relying on an outside law firm. These on-demand lawyers with deep privacy law expertise are always at the ready, and can be deployed when and as needed depending on the regulatory landscape in the moment.
When it comes to building a privacy program and privacy program management, the work is never really done, and privacy compliance is an ongoing effort. While the increased utilization of technology and artificial intelligence helps us do our jobs more effectively and efficiently, it also brings new risks and privacy challenges. Getting buy-in, identifying and engaging stakeholders, and acknowledging quick, easy wins are good starting points when building a privacy program or introducing new compliance efforts. But your team will likely run into issues that require additional external support, like translating foreign legislation to a domestic audience and implementing legislation that doesn’t have an enforcement history. Preemptively identifying a trusted external partner that can provide additional support as needed at the beginning of the process can help you avoid unanticipated obstacles and keep your privacy program running smoothly and efficiently.