A privacy program plays a vital role in safeguarding individual and organizational data, ensuring compliance with privacy regulations, and maintaining trust among stakeholders. It serves as a proactive framework that outlines policies, practices, and procedures to protect personal information from unauthorized access, use, or disclosure. It can also come with big challenges. We sat down with Rachael Ormiston, Head of Privacy at Osano, to discuss how organizations can navigate the complexities of building a privacy program.
What are the key steps to building a privacy program from scratch?
Though no one-size-fits-all data privacy program exists, you can take several steps to guide your program’s development. First, identify your privacy program’s drivers, including business-related risks, and how those drivers will influence your program. Then, with those drivers in mind, develop a compliance strategy. You may not have all the answers yet, but outlining your plan provides direction. While you develop a strategy that
prioritizes higher-risk items, you will also want to consider any “quick wins.”
Getting “quick wins” in place will help drive momentum, and hopefully obtain
organizational buy-in, especially from leadership.
Once you’ve gotten your team on board with an agreed strategy, find all the
personal data that may have spread across different parts of your organization in
siloed systems or databases. Classify and record that data — either by creating a
data inventory or a record of processing activities (RoPA). You may not be able
to, or even want to, do all of this at once, so focus on bitesize pieces — perhaps
take it by department or function.
Once you’ve completed the inventory or RoPA, begin reviewing the processing
activities to understand whether there are any privacy risks, and assess those
risks so you can plan to mitigate or remediate any gaps. Use the insight into
your privacy drivers, risks and data processing to develop actionable goals and a
plan for implementing your program. Compliance is not one-and-done. Building
and maintaining a privacy program is an ongoing strategy and an investment in
resources. Prioritizing those gaps will be important as you build out your strategy
to target higher risks as requiring quicker resolution.
Finally, put your plan into action, measure its effectiveness and find ways to
improve. Don’t be afraid to pivot. Try things out and know that you can evolve as
needed. This could be trialing new ways of sharing information, such as via a
Slack or Teams channel to share privacy developments, or piloting new training
programs. Data privacy constantly evolves, so monitor and update your program
regularly to comply with new regulations and keep up with organizational
What are some common challenges faced when growing a privacy program, and
how can they be overcome?
Many organizations fail to sustain their privacy program once they’ve implemented it.
They view it as a set-it-and-forget-it project rather than an ongoing process that must be
continually nursed to ensure it remains up-to-date and compliant. Or, they may try and
attempt to build everything at once rather than taking things in bitesize pieces to achieve
success gradually instead of overnight. This may result in strategy fatigue and embolden
the “one and done” mindset instead of building a compliance culture. To prevent this
pitfall, empower those responsible for your privacy program by providing them with the
necessary tools — including sufficient staff and resources — to maintain it.
However, obtaining those resources and staff can present another obstacle. Despite the
importance of a data privacy program, leaders often view it as an unnecessary expense
— not a crucial business requirement. Present a convincing argument by clearly identifying your program’s goals and needs and include your organization’s privacy risks,
gaps and actionable plans to mitigate these problems.
One such plan might include investing in a data privacy platform like Osano to
streamline processes and automate tasks like consent management and vendor
assessments. An external platform reduces the burdens on your privacy team, moving
away from hard-to-maintain spreadsheets and evolving the program to one that can