Why and How to Build a Cross-functional Privacy Team

Ekaterina Lyapustina
Published in Slalom Business
Jul 31, 2020


Photo credit: Matteo Vistocco (@mrsunflower94)

By Ekaterina Lyapustina and Jared Maslin

“It’s almost unimaginable that he was able to keep this group together. But the success in keeping it together meant they also represented very different spectrums of political opinion from very conservative to moderate, to radical. And as long as he could keep that coalition together by keeping these people inside the tent, he was actually keeping those strands in the country together as well.”

Doris Kearns Goodwin, the author of “Team of Rivals: The Political Genius of Abraham Lincoln” noted this about Lincoln’s relationship with his cabinet. It provides a glimpse into his remarkable political skills and can serve as inspiration for privacy leaders building their teams today.

Succeeding Because of Differences, not Despite Them: The Key to a Successful Privacy Program is a Diverse Team

The privacy environment is evolving rapidly as organizations face a wave of new legislation, both within the US and internationally. Given this turbulent environment, leading brands are redefining their privacy strategy, policy, and governance.

Building a successful team requires participation from individuals across various departments within your organization (such as IT, legal, marketing, sales, and finance). A diversity of opinion allows a team to broadly visualize risk potential and to effectively design mitigation techniques that consider a vast array of subject matter and risk vectors. Teams with a single, focused discipline (or even an individual acting on behalf of multiple functions) can run the risk of developing short-sighted solutions that struggle to scale as your operations evolve with shifts in the market.

Getting the Buy-in from Key Stakeholders

The first step in building a platform for your team to operate effectively is to identify stakeholders from all impacted functions, obtain buy-in from those individuals, and clearly define their roles and responsibilities. Stakeholders are those individuals and departments who might be impacted by the efforts of your cross-functional team.

Without established stakeholder support, your team can find itself without a voice or without the political strength necessary to drive effective and efficient change at scale across your organization. To reduce this risk, it is critical to ensure that each and every stakeholder has a voice and representation within the team, which ultimately increases the likelihood of maintaining stakeholder buy-in over time.

When identifying all stakeholders for your cross-functional privacy team, determine the level and type of representation each will need on the team. For example, some groups, such as compliance and IT departments, will need permanent members. Others might only need to participate in specific areas or aspects of the project.

It is also important to communicate with all stakeholders as well as anyone else in your company who will be affected by the team’s work. For example, your customer service department or team will likely receive some Data Subject Access and Deletion Requests, or DSARs. Similarly, your sales and marketing teams will be involved, particularly if your organization sells personal information or where direct consumer interaction is necessary. Don’t spring surprises on stakeholders, as this could make teams resistant to the hard work that your privacy team is striving to achieve. You should decide on the communication plans upfront and plan them as carefully as any other aspect of the project.

In response to the evolving and complex regulatory environment, assigning a “privacy champion” has become a best practice. This role embeds data minimization and privacy best practices in every aspect of how the business performs its work. This individual (often more than one) ensures that teams handle the personal data they interact with responsibly and safely by default, instead of through corrective action down the road. Privacy champions act as culture bearers and influencers throughout the enterprise, injecting privacy considerations into daily operations and ingraining core principles of practice.

Many practitioners craft their privacy teams with individuals possessing primarily information security-based skill sets. Undoubtedly, these individuals serve as a great foundation for any privacy team. However, a privacy team’s perspective must be broader and more diverse to ensure that the data value chain from initial strategy through to the customer experience is governed. In fact, your ability to not only achieve sustainable compliance, but to nurture it as consumer privacy regulations like CCPA evolve depends on it.

For example, consider a privacy team devoid of user experience expertise but strong in matters of security and internal controls. While the compliance work and the implementation of security-based controls may be as rigorous as can be, the team may miss critical elements of the customer experience and fail to present the privacy platform to consumers in an efficient and effective manner.

Why Your Privacy Team Should be Diverse

A team usually works most effectively not when all its members are identical, but when they are compatible and able to cooperate freely.

Diverse teams are more likely to operate from facts and hard data rather than from stereotypes or groupthink, and it becomes easier to identify when team members are operating from bias instead of data. The members of cross-functional teams will bring a variety of solutions to the table, which leads to a more informed decision-making process and more insightful, better-reasoned outcomes.

At Slalom, our experience partnering with clients of all shapes and sizes has yielded many lessons from working with organizations at both ends of the spectrum — some making decisions based on rational data, others operating on status quo standards or industry-based intuition. Moreover, we’ve seen many businesses whose teams operate on both logical planes at once, creating a counter-productive environment at the enterprise level. This dichotomy is precisely where having teams from multiple business units, offering many perspectives, can lead to a single approach that is consistent across the organization. While this is crucial to the success of the privacy function in an organization, it is also essential to how organizations approach the modern culture of data.

For example, consider an enterprise team that possesses expertise and perspective from several core organizations including IT, Product Development, Data Analytics, Marketing, Information Security and Compliance, and Legal.

1. Your IT expertise aids in assessing your hardware and software architecture risk in ways that others cannot.

2. Product Development can speak to specific elements of the project plan, product lifecycle, and agile development planning needed to prioritize privacy risk mitigation.

3. Data Analytics staff understand the most complex aspects of your data and the business purposes for which it’s being leveraged each day.

4. Your Marketing team holds distinct knowledge and expertise in how consumers and employees are engaged to provide information (whether via website, direct to consumer marketing, etc.), and how privacy rights requests come into the pipeline.

5. Information Security and Compliance possesses unique knowledge of internal procedures and control structures, tracking adherence over time and directing enhancements across functions.

6. And finally, Legal keeps a finger on the pulse of regulatory change, advising business stakeholders and technologists of upcoming changes to existing processes.

If you’re missing even a single element of that framework, you run the risk of an incomplete approach to privacy risk mitigation and can potentially put your employees and consumers at risk in the process.

More to the point, in our experience, one of the most efficient and effective methods for becoming compliant is through cross-functional collaboration and leveraging technology solutions that automate manual processes while simultaneously satisfying policy compliance, data security, and reporting requirements.

Encouraging different departments in your organization to work together can be a challenge, because everyone has conflicting priorities (especially when it comes to privacy and product development). However, there are many ways to further facilitate collaboration:

1. Build open collaboration into your documented process flows
· Institutionalizing collaboration supports cultural change and diversity at scale

2. Secure top-down support, starting with key privacy champions
· The long-term sustainability of privacy programs is founded on the support of influential leaders who amplify the voice of privacy teams

3. Incentivize security and privacy — not haste
· Tight deadlines can lead to siloed execution and lack of collaboration

4. Assign clear roles and responsibilities, injecting areas of functional crossover to encourage collaboration and partnering
· Opportunities to collaborate must be made clear and efficient for teams, otherwise old habits will become reinforced to the detriment of privacy.

Structuring the Team

Now that you have a solid cast of diverse opinions, you need to build a structure for your team to flourish and prosper, which starts with defining your risk profile and choosing the most effective operational model for your needs. Understanding your privacy risk profile and footprint across various regulatory fronts can be critical to designing an effective structure that prioritizes key risks effectively and ensures that your controls rise to meet them.

Within your organization, you should also position the privacy team so that it can draw on the authority it receives under the specific governance model it follows. There are several privacy governance models, including centralized, local, and hybrid versions. Whichever model you choose, a few key steps should be taken into account in order to maximize the success of your privacy program. These include:

· Involvement of senior leadership and key stakeholders
· Developing internal functional partnerships
· Leveraging collaboration
· Providing flexibility and agility to all aspects of your privacy program
· Using effective communication and consistent messaging
· Identifying concrete ways of embedding privacy risk assessment into business-as-usual

Hybrid Governance Model is Recommended

When developing your privacy compliance program, it is also vital to consider how your company will structure its privacy function. There are many factors that help determine the right privacy structure for a particular company. Some of them are:

· Your company culture
· Size and corporate structure
· The number of geographic locations
· External and internal resources
· Data risks you are facing
· Business and operational needs

Many organizations opt for a “hybrid” governance model as a way to create a custom approach, combining centralized and local governance models into a holistic initiative. You might see this when a large organization assigns one key individual (or function) responsibility for all privacy-related affairs, while this person or department is also responsible for issuing policies and directives to others in the organization. The local entities are responsible for fulfilling and supporting the directives and policies from the central governing body. This model utilizes a set of oversight committees, structured around governance instead of defining management responsibilities from scratch.

The hybrid approach is effective because it makes the most of a decentralized decision-making process while offering the benefit of the resources of a larger, centralized organization. In most cases, the hybrid model dictates core values and allows employees to decide which practices to use in order to achieve those goals. That said, it is critical to identify, communicate, and actively foster those core values as they are shared with the various edges of the business; any loss of traction in this space can be detrimental to the success of the program.

Key Oversight Personnel

Although you will come across a great variety of possible titles for people responsible for privacy in an organization, a privacy team or office typically involves one or more of these members:

· Chief data officer (CDO) or data protection officer (DPO)
· Privacy program manager
· Privacy director
· Privacy analyst (including experience in technology, product development, and data analytics)
· Privacy attorneys
· Regional data protection officers or leads in each jurisdiction where the organization collects data

An efficient privacy oversight committee (diagram below) should be made up of stakeholders from Legal/Compliance, IT, Product Development, and Marketing/User Experience. It is also important to have an extended privacy team that will advise steering committee members on new and emerging issues impacting customer privacy. This team will likely include staff from third-party partners/programs, operations, customer care, billing, and sales.

Ultimately, it will take every single employee to create and successfully follow new data privacy laws, but there are many things that can be done to amplify the voice and value of your privacy staff. Just follow our core principles:

· Value and prioritize diversity in your privacy team
· Align your privacy oversight committee with the same commitment to diversity
· Gain stakeholder support and maintain that support through consistent communication
· Build practical solutions that can scale with privacy at the forefront

By sticking to the core tenets above, you will have built a firm foundation for a scalable privacy function that can evolve with the next generation of privacy laws and consumer demand.

To discuss how you and your organization can apply this guidance, or to discuss specific privacy team challenges, please reach out to Ekaterina Lyapustina or Jared Maslin at Slalom.
