Privacy Governance Guide

Interactive Guide to Privacy Program Management

An exploration of the core components required to build and maintain a successful privacy program.

Foundations

This section covers the strategic starting point for any privacy program. A strong foundation begins with defining what privacy means to your organization and articulating that vision through clear mission statements. This aligns the entire organization and sets the stage for all subsequent governance activities.

Introduction to Privacy Governance

Building a strong privacy program begins with establishing appropriate governance. Privacy governance refers to the components that guide a privacy function toward compliance with privacy laws and regulations. This structure is essential for supporting an organization's broader business objectives and goals. Key components include creating an organizational privacy vision, defining the program's scope, selecting a suitable framework, developing a strategy, and structuring the privacy team.

Vision and Mission Statements

A privacy vision and/or mission statement is a critical first step, as it lays the groundwork for the entire privacy program. This statement should align with the organization's broader purpose and business objectives. A well-crafted privacy mission statement describes the program's purpose and core ideas in just a few sentences, ideally taking less than 30 seconds to read.

Microsoft:

"Empower every person and organization on the planet to achieve more, maintaining the timeless value of privacy and preserving the ability for you to control your data."

Apple:

"Privacy is a fundamental human right and a core value; Apple products protect user privacy and give control over information."

Strategy & Scope

Once the foundational vision is set, the next critical phase involves defining the program's strategy and scope. This means understanding exactly what personal data your organization handles, which laws apply to that data, and how to build a strategic approach that gains executive buy-in and fosters internal partnerships for successful implementation.

Defining Program Scope

A typical approach involves two key steps:

Step 1: Identify Personal Information

Know what data your organization collects, uses, stores, and processes through data inventories, mapping, and interviews.

Step 2: Identify Applicable Laws

Determine the privacy obligations that attach to that data. Where several laws apply, a common practice is to adopt the most restrictive requirements so that a single set of policies satisfies all of them.

Global Approaches to Privacy Protection

Approaches to privacy protection vary significantly across the globe. Understanding these models is key to defining a global strategy.

Sectoral Model

This model, used in the United States, regulates privacy by industry sector, with specific laws for healthcare (HIPAA), finance (GLBA), and other areas. It can create a complex patchwork of regulations.

Comprehensive Model

This approach establishes a single, overarching data protection law (like the GDPR) that governs the processing of personal data across most sectors, providing a unified set of rules.

Co-Regulatory and Self-Regulatory Models

Co-regulatory models (e.g., Australia) involve collaboration between government and industry bodies. Self-regulatory models (e.g., Japan, Singapore) rely on industries to create their own standards, often with government oversight.

Implementation

With a clear strategy, the focus shifts to implementation. This involves selecting an operational framework, embedding principles like Privacy by Design into your processes, and leveraging technology to manage compliance. This is where the theoretical becomes practical, turning policy into protective measures.

Privacy Frameworks

Frameworks provide the structure to operationalize controls and achieve compliance. The term covers the processes, templates, tools, laws, and standards that guide the privacy professional. Frameworks differ according to business needs, industry grouping, legal and regulatory requirements, and government affiliation. Here are some key principles and standards to consider:

  • Fair Information Practices (FIPs): Basic privacy principles central to several modern frameworks, laws, and regulations.
  • Generally Accepted Privacy Principles (GAPP): Guide organizations in developing and managing privacy programs.
  • NIST Privacy Framework: A voluntary tool adaptable to various organizations, sectors, and jurisdictions for managing privacy risks.
  • Other Standards: Include the Canadian Standards Association (CSA) Privacy Code, the APEC Privacy Framework, and ETSI standards.

Privacy by Design (PbD)

A core concept in modern privacy is embedding privacy considerations into the design of systems and processes from the very beginning, rather than adding them after the fact. PbD rests on seven foundational principles:

  • Proactive not reactive; preventative not remedial.
  • Privacy as the default setting.
  • Privacy embedded into design.
  • Full functionality: positive-sum, not zero-sum.
  • End-to-end security: full lifecycle protection.
  • Visibility and transparency.
  • Respect for user privacy: keep it user-centric.

People & Structure

A privacy program is only as effective as the people who run it and the structure that supports them. This final section explores how to organize your privacy team, comparing different governance models and defining the key roles and responsibilities, such as the crucial Data Protection Officer (DPO).

Governance Models

Choosing the right governance model is key to formalizing your organization's approach to privacy. Three primary models are compared below; the best fit depends on how your organization is structured and where decisions are made.

Centralized Model

Decision-making is handled by a single corporate group, typically led by a Chief Privacy Officer (CPO). Fits well in organizations with single-channel functions.

  • Offers streamlined processes and efficiency.
  • May reduce employee ownership and local adaptability.