The Privacy Program Playbook Part I — How to design a winning privacy roadmap

Operationalising privacy is hard. Here’s how to design, plan and implement a successful privacy program (with your sanity intact).

Rachel Dulberg
8 min read · Mar 18, 2022
Image by storyset — www.freepik.com

In this three-part series, I’ll be sharing my top tips on how to build a world-class privacy program from scratch. Part I below focuses on the initial discovery and design phase that will help you create a winning privacy roadmap.

Why operationalising privacy is hard

Companies are generating immense and ever-increasing amounts of data; the global privacy regulatory landscape is becoming ever more complex, burdensome and expensive; and consumers today expect a whole new level of transparency, accountability and ethics from brands that collect their data.

Additionally, Big Tech is making its own privacy rules. Google, Apple and Facebook have recently declared that the future is private. Tech giants are reimagining a “privacy-first” web — a significant move that will impact the entire digital ecosystem — from third-party cookies to profiling, behavioural advertising, digital marketing and App Store listings.

It’s a perfect storm with regulatory origins but an impact that stretches well beyond legal and compliance teams. This new “age of privacy” is increasing complexity across a multitude of functions that utilise data to do their jobs - engineering, product management, data management, security, legal, sales, data science, marketing and branding all need to take heed of the fast shifting privacy landscape.

Organisations today — of all sizes and across all industries — need to achieve a trifecta of privacy operational excellence, legal compliance and trustworthiness in their customer relationships.

Having worked on early GDPR implementations back in 2016 (as lawyers across Europe and the UK were fretting about the new and not straightforward 90-page privacy legislation and preparing for its go-live date in May 2018), I can attest that designing and implementing an effective privacy program is no small feat. The traps and pitfalls are many and it’s definitely not a simple check-box compliance exercise.

While you’ll need to have a broad and deep understanding of global privacy regulations, it will also require a solid understanding of data and the technologies that drive it.

Privacy is often described as a legal problem or risk but it’s actually a broader challenge that involves engineering, data management, product design, UX, security and marketing considerations, cross-functional collaboration, operational and technical skills as well as a host of back-end internal processes, tools and systems.

Here are a few tips and pointers on how to set up a privacy program from scratch, which should point you in the right direction. There’s no single right way to roll out a privacy program and this is merely a suggested playbook which can of course be adapted to your specific needs.

Privacy Program Key Steps

Just like a product roadmap, a privacy roadmap should include the following two steps:

  1. Discovery - This step can take one to three months and involves: (a) assessing your current privacy state/maturity and key potential exposures based on an evaluation of your product, people, systems and processes; (b) reporting on identified privacy gaps, risks & recommendations; and (c) developing a privacy program, including initial privacy initiatives for the next 6-12 months. This will involve considering any relevant dependencies and required resources (such as staff, technology tools and support from other teams).
  2. Design & Implementation - This involves leading, designing, planning and rolling out the key initiatives, processes and projects outlined in your privacy plan, in a priority order that makes sense, depending on product or commercial priorities. Timelines will obviously vary but you will want to hit a few milestones in the first six to 12 months.

Remember — privacy programs are a team sport and will require cross-functional collaboration and leadership buy-in to succeed. Much will depend on the product roadmap, any data or technology initiatives on the cards, business plans such as international expansion or strategic partnerships etc.

Privacy Program Discovery

1. Assess current privacy state and evaluate risks

Meet with the leadership/team leads (Product, Engineering, Marketing, AI, Data Governance, Legal, Customer Support, Security) to understand the company’s privacy maturity level and potential risks. Best practice privacy maturity frameworks such as the GAPP privacy maturity model and the UK ICO’s Accountability Framework may come in handy.

In particular, consider:

  • Product - current and new features and potential privacy implications, product roadmap, who are the users and are they in a particularly vulnerable class (such as children or patients), the data collected at a high level and the use cases. You may want to join stand-ups and other key meetings to better understand high level product and technology issues, processes etc.
  • Business priorities - what are leadership’s key commercial and privacy priorities? Are there any existing privacy issues you’ll need to prioritise?
  • Leadership & oversight - understand existing privacy, legal, data and security roles and responsibilities across the company.
  • Policies & procedures - what are the existing privacy policies, processes & systems in place?
  • Transparency - get to know the existing Privacy Policy, website Ts&Cs, how the company provides users with information about data practices, what are the current user data rights and controls?
  • Training & awareness - what is the general level of privacy awareness and culture across the board?
  • Risk & PIAs - are there any past Privacy Impact Assessments? Was any legal analysis or advice received regarding privacy or data management? What are the company’s risk management processes when it comes to data?
  • User rights - what are the common user privacy requests? How are they received, handled and recorded?
  • Third party contracts - who are the key vendors/partners for both outsourcing and insourcing data (including any APIs, CRM, SaaS vendors, cloud providers, marketing tech, data management platform used etc)? Are there standard/typical contractual protections regarding data and privacy in the relevant contracts?
  • Breach response & monitoring - what are the existing security policies, systems and controls? Does the company have an incident response plan?
  • Data governance - what are the existing systems, processes and responsibilities for data management, data quality, data security/access, data retention and disposal?

2. Understand and map your data

Understanding the company’s data flows is crucial.

  • Understand how data flows through various apps and systems.
  • Create an inventory covering which data categories are collected and by which team, the data’s sources, who has access to the data, how and with whom it is shared, retention and deletion policies, data location, whether data is transferred cross-border etc.
  • Obtain an up-to-date data map, or create one if none exists.

3. Determine what laws, standards and frameworks apply

To achieve global privacy best practices you will need to consider:

  • All the jurisdictions in which the company operates.
  • Where and from whom the company collects data — this could be the same as the countries in which the company operates or broader. Data could be personal, sensitive (e.g. medical, related to children or under 18s), location based etc. In many countries, privacy laws also include specific and separate regulation of medical, financial and children’s data.
  • What key laws and regulations the company should comply with, such as the EU’s General Data Protection Regulation (GDPR) - currently the global data protection gold standard, the California Consumer Privacy Act (CCPA), soon to be amended by the California Privacy Rights Act (CPRA), China’s PIPL, Australia’s Privacy Act (soon to be amended) or any other applicable regulation.
  • Industry-standard privacy risk management and operational frameworks such as IAPP and NIST (both of which are GDPR- and CCPA-compatible).

Remember that most privacy laws are extraterritorial, meaning they tend to apply to any company that collects citizens’ or consumers’ data even if the company isn’t based in, and has no formal operations in, the relevant country. Apps or software products that are available globally or in a variety of countries would likely be impacted by global privacy legislation, regardless of where the company’s offices or staff are currently located.

Also, if the company is planning an international expansion or acquisition, you will need to consider and comply with any applicable privacy regulations before entering or launching products in any new markets as non-compliance could lead to hefty financial penalties. And privacy regulations may also impact product design and features, privacy disclosures on your website, App Store disclosures etc.

4. Document current baseline and key gaps/risks

You may want to prepare a brief report on the Discovery findings, including any emerging gaps/risks you have identified and your recommendations for any high-risk items and easily implementable items that should be prioritised. This would serve as a handy guide for initiative creation and prioritisation as well as something you could present to leadership for buy-in and communication.

5. Develop a Privacy Program

  • Create a privacy vision, mission & high-level goals - this can help your team focus on the roadmap and communicate your mission to the rest of the company (see Apple, Microsoft, Google, Meta by way of example). Make sure you get leadership input, approval and sponsorship for the vision and mission and share these more widely once approved.
  • Establish a privacy governance model - this could be ‘centralised’ (i.e. one person or team responsible for privacy compliance) or ‘hybrid’ (i.e. privacy is managed by a central team/person plus privacy champions distributed across various business units/teams).
  • Define Privacy Program scope - clearly establish what is in scope: What jurisdictions, laws and regulations you’ll need to comply with, e.g. GDPR, CCPA, PIPL? What data is covered by your program - e.g. users’ PII, employees’ PII? What are the company’s key data flows - main data sources, categories, uses/purposes, sharing, location etc. Ensure that you obtain input from Legal, Product, Engineering, Data, Marketing, Security and other relevant teams on all of the above.
  • Structure the privacy team & budget - determine your resourcing requirements (roles, responsibilities, reporting lines). You may need a Data Protection Officer, Privacy Analysts, Privacy Program Managers, Privacy Engineers etc.
  • Choose a privacy framework - this will ensure you adhere to global best practices - e.g. NIST, IAPP.
  • Define the key objectives, initiatives, projects and processes on the privacy roadmap for the next 6-12 months, prioritising based on your earlier Discovery risk analysis. This should amount to a strategic (rather than tactical) roadmap, focusing on high level privacy milestones and goals. Get Leadership approval and sponsorship for the privacy roadmap as well as input from the Execs, and Engineering, Product, Data, Marketing and Legal teams. Remember that privacy initiatives should align with business strategy, goals and priorities and will often need to be woven into the product roadmap and individual sprints or marketing campaigns. You’ll want to share your plan with all relevant stakeholders and ensure everyone is on board.
  • Communicate - once your privacy program is agreed, create internal and external awareness of your program’s vision, mission and high level goals. You may want to: issue a company-wide email announcement to share the new privacy vision with all employees; run privacy workshops to educate and answer any questions or concerns; issue a press release and/or blog post on the company’s website to announce the company’s privacy vision to customers, users, partners etc.

This should all set up your privacy program for success. In part II, we’ll discuss how to build a privacy-first culture and gain the elusive executive buy-in. Stay tuned!

Rachel Dulberg

Privacy, data + product nerd. Former tech lawyer + founder. I write about issues at the convergence of innovation, technology, product & privacy.