
The Keys to Build a Successful Privacy Program

Updated: May 22

A privacy program plays a vital role in safeguarding individual and organizational data, ensuring compliance with privacy regulations, and maintaining trust among stakeholders. It serves as a proactive framework that outlines policies, practices, and procedures to protect personal information from unauthorized access, use, or disclosure. It can also come with big challenges. We sat down with Rachael Ormiston, Head of Privacy at Osano, to discuss how organizations can navigate the complexities of building a privacy program.

Rachael Ormiston

What are the key steps to building a privacy program from scratch?

Though no one-size-fits-all data privacy program exists, you can take several steps to guide your program’s development. First, identify your privacy program’s drivers, including business-related risks, and how those drivers will influence your program. Then, with those drivers in mind, develop a compliance strategy. You may not have all the answers yet, but outlining your plan provides direction. While you develop a strategy that prioritizes higher-risk items, you will also want to consider any “quick wins.” Getting “quick wins” in place will help drive momentum, and hopefully obtain organizational buy-in, especially from leadership.

Once you’ve gotten your team on board with an agreed strategy, find all the personal data that may have spread across different parts of your organization in siloed systems or databases. Classify and record that data — either by creating a data inventory or a record of processing activities (RoPA). You may not be able to, or even want to, do all of this at once, so focus on bite-size pieces — perhaps take it by department or function.

Once you’ve completed the inventory or RoPA, begin reviewing the processing activities to understand whether there are any privacy risks, and assess those risks so you can plan to mitigate or remediate any gaps. Use the insight into your privacy drivers, risks and data processing to develop actionable goals and a plan for implementing your program. Compliance is not one-and-done. Building and maintaining a privacy program is an ongoing strategy and an investment in resources. Prioritizing those gaps will be important as you build out your strategy to target higher risks as requiring quicker resolution.

Finally, put your plan into action, measure its effectiveness and find ways to improve. Don’t be afraid to pivot. Try things out and know that you can evolve as needed. This could be trialing new ways of sharing information, such as via a Slack or Teams channel to share privacy developments, or piloting new training programs. Data privacy constantly evolves, so monitor and update your program regularly to comply with new regulations and keep up with organizational


What are some common challenges faced when growing a privacy program, and how can they be overcome?

Many organizations fail to sustain their privacy program once they’ve implemented it. They view it as a set-it-and-forget-it project rather than an ongoing process that must be continually nursed to ensure it remains up-to-date and compliant. Or, they may try to build everything at once rather than taking things in bite-size pieces to achieve success gradually instead of overnight. This may result in strategy fatigue and embolden the “one and done” mindset instead of building a compliance culture. To prevent this pitfall, empower those responsible for your privacy program by providing them with the necessary tools — including sufficient staff and resources — to maintain it.

However, obtaining those resources and staff can present another obstacle. Despite the importance of a data privacy program, leaders often view it as an unnecessary expense — not a crucial business requirement. Present a convincing argument by clearly identifying your program’s goals and needs, and include your organization’s privacy risks, gaps and actionable plans to mitigate these problems.

One such plan might include investing in a data privacy platform like Osano to streamline processes and automate tasks like consent management and vendor assessments. An external platform reduces the burdens on your privacy team, moving away from hard-to-maintain spreadsheets and evolving the program to one that can