Increasing the Impact of the Privacy Office with “Privacy Champions”

With growing changes in data privacy laws and the increased emphasis on data protection, many organizations have been challenged to form a privacy-aware culture that resonates across all functions of the organization. Even organizations with well-designed and robust privacy programs are concerned with how to embed privacy awareness into the organization and how to find the most effective way to build a bridge between the Privacy Office and the rest of the organization.

It is often the responsibility of the Privacy Office to drive privacy-related awareness and communicate the organization’s privacy vision and goals. Privacy Offices have an extensive list of compliance responsibilities, and as such, it can be difficult for them to keep a pulse across the organization to ensure data handling practices are being followed. While many organizations have added more funding to privacy and compliance, many continue to struggle to get sufficient funding for a privacy team that can manage emerging risk to appropriate levels. Privacy Offices often face the challenge of ensuring that existing privacy policies are effectively implemented, finding the right way to communicate initiatives without being overwhelming, and keeping “eyes and ears on the ground” to have the proper understanding of business trends or incidents within the organization and the impacts they have on privacy. Managing all these responsibilities is no easy task for the Privacy Office and requires a strategic approach.

A privacy champions program can be an effective way for organizations to accomplish these tasks and ensure that functions across the organization are accountable for the safeguarding and protection of personal information. Privacy champions can support the Privacy Office in numerous ways. Our team explores three areas in which a privacy champions group can help the Privacy Office create a profound impact on the organization’s privacy goals and program: (1) training, (2) reporting incidents and issues to the Privacy Office, and (3) monitoring and policy enforcement.

What is a Privacy Champion Network?

Privacy champions are individuals within the organization who act as advocates for the organization’s privacy program and serve as a direct liaison between their departments and the Privacy Office. A network of privacy champions across an organization helps to promote the privacy program and support engagement from a broad range of teams and stakeholders that would be otherwise challenging for the Privacy Office to reach and influence independently. Privacy champions may include representatives from key functions such as IT, Information Security, HR, Marketing, Operations, Product Development, Finance, and Customer Service – particularly those functions interacting with personal data.

Privacy champions can be made responsible for any initiative that the Privacy Office wants to permeate through the organization. This typically involves privacy champions engaging with their colleagues, supporting the implementation of privacy initiatives or process changes, communicating ongoing training and awareness campaigns from the Privacy Office to their individual departments, and ensuring that policies and procedures are understood.

The various roles of a privacy champion network may also include reporting back to the organization’s Chief Privacy Officer (CPO) or other appointed privacy leader on the success of privacy initiatives, on any issues or incidents in their department of which privacy leadership should be notified, and on any process or technology changes within the department that the Privacy Office may otherwise not be made aware of.

In addition to supporting privacy compliance programs, privacy champions may also assist with any heavy lifting required for the implementation of new regulatory requirements, such as those found in the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). They may be instrumental in identifying relevant activities within their departments for implementing practices to respond to Data Subject Access Requests (DSARs), such as identifying systems or files where the “right to access” may apply, or in helping coordinate updates to the organization’s record of personal data processing activities. This collaborative partnership will help improve the Privacy Office’s understanding of how and where personal data is used across the organization and of the value that personal data represents to different business functions.

What Makes an Effective Privacy Champion?

An effective privacy champion is typically a trusted and influential individual in their department and someone who can serve as an effective channel of communication for the Privacy Office. A privacy champion may have a certain pre-existing level of privacy training and knowledge; where they do not, the Privacy Office can train them in a “train the trainer” approach so that they can apply privacy concepts to the knowledge they have of their department’s processes. Although privacy champions are typically found at managerial levels and above, the job title of a privacy champion is less significant than their ability to understand privacy concepts and communicate them downstream as a respected figure in their department.

Benefits of Privacy Champion Program

A privacy champion program offers many benefits. We explore three activities that can help organizations leverage a privacy champion network to increase awareness of privacy across all functions.

1. Training and Awareness

The privacy champion network can be used in a “train the trainer” approach: champions learn key privacy and data protection initiatives, policies, or best practices from the Privacy Office first-hand, before going on to train their own teams. Privacy champions can help:

  • Streamline the organization’s training and awareness program by ensuring a broader range of teams and a higher number of individuals receive training in an efficient time period;
  • Translate privacy policy requirements into their day-to-day operations and processes – contextualizing them into more tangible examples for organizational teams;
  • Identify vulnerable employees within their function where targeted training may be required by the Privacy Office (e.g., those who, due to the nature of their job role, may be vulnerable to phishing attacks or at risk of accidental disclosure of sensitive personal data);
  • Communicate any departmental changes and initiatives (e.g., technology implementations, process enhancements) back to the Privacy Office to ensure proper evaluation and performance of privacy impact assessments; and
  • Facilitate training on new privacy regulation requirements. For example, the CCPA requires organizations to ensure that individuals responsible for handling consumer privacy inquiries are informed of the organization’s privacy practices and are knowledgeable about how to direct consumers to exercise their rights.

2. Reporting and Responding to Privacy Incidents

Effective incident response requires a systematic approach, and the role of a privacy champion can be key to ensuring that an incident or potential breach is identified and reported in a timely manner. Privacy champions may be involved in:

  • Detecting and recognizing when their departments may have been subject to a personal data-related incident (for example, a common incident identified and escalated by a Customer Service privacy champion may be their team’s accidental disclosure of a file via a misdirected email);
  • Documenting and reporting the incident to the organization’s Privacy Office or other risk-related functions;
  • Working with affected teams and third parties on behalf of the Privacy Office to implement any required response, such as containing the incident and minimizing its impact or the chance of its recurrence in other departments or by other individuals;
  • Gathering any information needed during the investigation process;
  • Identifying individuals who need additional training as a result of the incident; and
  • Identifying critical gaps in the organization’s incident response plan as it pertains to their department.

Their involvement will ultimately result in a more robust and multidisciplinary plan that enables companies to respond effectively to an incident or breach while protecting the brand and minimizing disruption to day-to-day operations.

3. Monitoring and Policy Enforcement

Monitoring is essential and can take many forms. Without a formal monitoring process, an organization cannot be reasonably assured that personal information is being handled appropriately and consistently. The privacy champion can support the Privacy Office by:

  • Providing oversight to ensure employees within their department are conforming with privacy policies, procedures, and best practices;
  • Identifying any subsets of vulnerable employees who may need further awareness or training – policy violations or repeated questions from individuals often indicate such a need;
  • Supporting enforcement actions within their department and ensuring corrective actions are being followed; and
  • Ensuring that established privacy controls are operating effectively both internally and at third parties, where applicable.

Conclusion

As privacy laws and regulations continue to evolve and the responsibilities of Privacy Offices increase, it is important to seek alternative solutions that help ensure the privacy program’s goals are achieved. In response to the increased emphasis on privacy, organizations can benefit significantly from a dedicated team of privacy champions who serve as advocates for the privacy program, as well as its “eyes and ears” on the front line of the organization’s operations. Privacy champions can help the Privacy Office ensure privacy policies and practices are understood, assist with building privacy requirements into their department’s day-to-day operations, respond effectively to incidents, and monitor their function’s compliance with privacy requirements. Ultimately, an effective privacy champion network will help ensure that everyone in the organization is aware of and actively working towards the shared goals and vision of the Privacy Office, and that the Privacy Office can permeate these goals and vision more efficiently and effectively throughout the organization.