International: How to plan a global privacy program - five critical success factors to consider
'If you fail to plan, you plan to fail.' A global privacy program rollout is a considerable undertaking with multiple moving parts, and a realistic and effective plan will help you understand the scale and scope of the project and improve your ability to deliver the privacy program successfully across the globe. Toks Oyegunle, Director of Privacy and Cybersecurity at Security and Privacy Lyceum, provides insight into how to plan and implement a successful global privacy program, and which factors must be considered throughout this process.
When planning or implementing a privacy program, it is helpful to use a simple five-factor framework as a basis to discuss key areas that need to be considered, questions that must be asked, and factors that should be established to ensure success. These five factors are:
- the foundation (team, vision, mission, and strategy);
- the organisation (structure, culture, and geography);
- the law (regulations, compliance, and risks);
- the tools (productivity tools, systems, and privacy frameworks); and
- the deliverables (training, data mapping, gap analysis, and reports).
The foundation: team, vision, mission, and strategy
The foundation represents the starting point of the project, the fundamental issues that must be clarified before you start the rollout of your global privacy program. As we start, there are a few things we need to put in place: we need a team in place to do the work, a vision to guide us to the successful destination, a mission to keep us on track, and a strategy to detail what exactly we plan to do to realise the vision.
The team
The team is probably the best place to start, as here the goal is to establish who will be included in the team, what they will be doing, and why. Think of the team as the group of people tasked with the responsibility to deliver this project globally. Let us start with the team leadership. Some organisations are more mature than others, and may have more established privacy management and privacy processes; for example, they may already have a chief privacy officer, a data protection officer, or a similar role tasked with the leadership of this function. In this case, the task starts with this individual, and they will probably have a team in place. In most cases, privacy teams tend to be small, so this individual may only have a few other people in their team. What if you do not have an established privacy office, or there is currently no role tasked with the leadership of privacy in the organisation? This is quite common, given the relatively new status of privacy compared to other organisational functions. If this is the case with your organisation, do not panic, but realise you will need a team that is set up specifically to deliver the privacy program. In this case, there will probably be a project sponsor who initiates this, and ideally this will be a relatively senior resource. The role of the project sponsor is important, as is the executive approval they have for the project, because both have a direct impact on the project budget, which in turn determines your ability to staff the team with the right resources. The project sponsor may be a strategic team member, but not necessarily an operational one. While they may attend steering committee meetings and receive executive briefings, they will probably not be involved in the day-to-day running of this project. Nevertheless, this is the first resource required to start building the team.
You will also need someone to drive this project across the organisation globally; such a person would effectively be doing the job of a program/project manager, given that a global privacy program is a program consisting of multiple privacy projects spread across different locations. Therefore, regarding the team, you need someone at the executive level as a project sponsor, someone at the management or senior management level as the program manager, and then privacy managers and privacy analysts to deal with the day-to-day operational side of the project. The number of people required in the core team will typically reflect your organisational size and structure. If you are doing everything centrally and the organisation is large, you need a bigger team. On the other hand, if you have a decentralised structure with resources also deployed locally, then your central team can be smaller, as you can delegate tasks to the decentralised units.
Vision
With a team in place, there is a need for a clear vision. Ideally, this should be a privacy vision statement that documents a future state for the organisation regarding privacy. This is not a long document, but a brief statement of a paragraph or two that describes how the organisation sees itself regarding privacy in the future. Simply put, the vision statement describes where, as an organisation, you are going regarding privacy, including privacy governance and privacy operations.
Mission
Alongside the privacy vision statement, there is a need for a privacy mission statement. The privacy mission statement should capture what the organisational mission regarding privacy is. Many people confuse a vision statement with a mission statement, assuming that they are the same thing, but they are different. The vision is where you are going; ultimately, the vision is a destination, a future state to achieve. The mission, on the other hand, is what you do daily to get you to that desired destination. Put differently, the vision describes a tangible, quantifiable result, while the mission captures the intangible aspects, like attitude and beliefs, required to achieve the vision.
Strategy
The privacy strategy is quite important, as it is the document that takes the desired vision, coupled with the chosen mission, and uses them as the basis for a realistic plan that can realise the vision. The strategy will detail the sequence of activities, tasks, and deliverables required to get us from the current state today to the desired state in the future. When this is done properly, your global privacy program becomes much clearer, and the project deliverables, project timelines, and resources required become much easier to identify.
The organisation: structure, culture, and geography
The goal of a global privacy program is to implement a 'new normal' regarding privacy across your organisation globally. In line with this, you need a firm understanding of your organisation from the outset. This section discusses a few aspects of the organisation that are critical to success.
Structure
How is your organisation currently structured globally? This is a question that you need to ask and understand, as you need an approach that works with the current structure. Some organisations have a very strong centre; they adopt a head office model where everything tends to be managed centrally, and if this is the case, it is very likely that the privacy program will need to be managed centrally too. Alternatively, there are organisations that adopt a more distributed structure, where the units are more autonomous or report to regional head offices. If this is the case, you may need to adapt your program accordingly. It will be helpful to understand where your organisation sits between the two extremes of a strong centre and a weak centre, and to think about how this will affect your privacy program.
Culture
The organisational culture is another factor that needs to be understood and managed effectively. Is it a well-entrenched bureaucratic culture, typical of large mature organisations with an established order? Or do you have an organisation that is less structured and more open to innovation? Is the culture resistant to change, as opposed to an organisation where change is embraced? Rolling out a new privacy program globally is a change management project, so a firm understanding of how the organisation reacts and adapts to change is required for success. Without understanding and aligning with the existing culture, you may find that you come across some resistance or that the project is not received very well, simply because it has not been packaged or presented the way that your stakeholders are used to and expect. Ensure you understand the culture, and make sure that as you roll your privacy program out, you are aligning it to the culture of the organisation as it already exists across different locations.
Geography
Geography is used here to refer to the geographical spread of the organisation. Ideally you would start with a verified list of all the entities in the organisation, their addresses, and details of their leadership. Some organisations have 20 subsidiaries across five countries, some may have 100 subsidiaries across 30 or 50 countries. Irrespective of what it is, it is a metric you must identify and document because it feeds directly into the next factor we will discuss, which is the law.
The law: regulations, compliance, and risks
The law is a major driver of the privacy industry; indeed, the recent growth of interest in privacy globally coincides with the implementation of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This section will discuss the law within the context of your global privacy program.
Regulations
Privacy laws are typically established by countries or regions to protect the personal data and rights of their citizens and residents, for example the GDPR in the European Union, and the California Consumer Privacy Act of 2018 ('CCPA') in California. Major organisations, on the other hand, tend to have global operations conducted by different entities established in different countries. It is necessary to know all the relevant privacy laws applicable to your organisation, which can be deduced partly from a list of countries you are physically operational in, in addition to an overview of the markets you serve, whether you have a physical presence there or not. Since the introduction of the GDPR in 2018, there has been a flurry of activity in the privacy law space with many countries and regions coming up with their own similar regulations, such as Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') in Brazil. Additionally, many countries in Africa and across the Asia-Pacific region have new privacy laws, and there are many states in the United States with new privacy laws at different stages of development. The landscape for privacy laws globally is increasingly dynamic, and there is a need for privacy professionals to be on top of this by understanding what laws are relevant to their organisations and why, as this is what will drive your global privacy compliance efforts.
Compliance
One of the key deliverables from your global privacy program will be compliance with applicable privacy laws. Your ability to be compliant will be influenced by your ability to understand the relevant laws you must comply with, and what compliance with each law requires. The key questions to ask here are: which laws need to be complied with, and what is needed to demonstrate compliance with these laws? The answer is typically a matrix that clarifies the areas of focus for the project. Consider what compliance means to your organisation and what your understanding is of being compliant with a specific regulation. Different business models require different approaches to compliance in order to meet their needs. There is a need to review and agree on what being compliant looks like for your organisation, and how you intend to demonstrate compliance once it is achieved. Defining privacy compliance globally can indeed be challenging, especially with the proliferation of multiple privacy laws across different jurisdictions. An approach many organisations have taken is to use their GDPR-compliance project as the privacy compliance reference point, and to tweak this in line with the different requirements of the other privacy laws they need to comply with globally. Indeed, there is a school of thought that believes that, because the GDPR is a robust regulation with an increased focus on accountability, adopting GDPR compliance as a preliminary global privacy compliance standard is a good risk management strategy.
Risks
It is impossible to discuss a global privacy program without exploring risks, when the very nature of the project is broadly to comply with privacy regulation in order to mitigate regulatory and financial risk. Most of the newer privacy regulations provide for regulatory sanctions and significant financial penalties in the event of data breaches, amongst other events. As you progress with the privacy program rollout globally, you will no doubt highlight various risks across the organisation. It may be helpful to create a risk register of all risks, and to categorise them using a standard risk-scoring methodology, which will enable appropriate risk assessment and prioritisation. Consider the mitigation actions required for each identified risk, and establish who the risk owners are and how the risk mitigation process will be managed. Organisations must realise that customers are increasingly aware of privacy issues, of the rights they have regarding their personal data, and of the constant breaches announced in the news. The resulting fines have sensitised the public to how organisations are using their personal data.
The tools: productivity tools, systems, and privacy frameworks
As part of the global privacy program rollout, you will need various tools to get the job done, some of which will help you work more effectively, while others will make you work more efficiently. This section explores some tools you should consider to increase your chances of success.
Productivity tools
Let us explore the productivity tools that will be helpful as you embark on the global privacy program rollout. A global privacy program rollout is a program consisting of multiple projects, so there is a need for a good project management tool. Using a tool to manage resources, milestones, deliverables, and deadlines will help you retain overall oversight and control of what is happening globally at any point in time. Note that things can get complex very quickly as you try to manage different projects, people, and deadlines across different countries and time zones, and your project management system will help to keep this manageable. A few other tools that will come in handy and will help you to systematise the global rollout include templates, checklists, scripts, and question and answer documents. You need email and communication templates that are sent to stakeholders at different stages of each project; you need checklists to clarify what needs to be done at each stage and in what order; you need scripts that will be used to deliver webinars and workshops; and you will need question and answer documents to help people get their questions answered before they need to ask. Do not underestimate the importance of these tools to the success of your project; they are simple tools with a significant impact.
Systems
The growth of the privacy industry has seen an explosion in privacy technology, and we now have many vendors offering systems to help with every aspect of privacy operations and management. From data discovery through to data mapping, from data subject access request ('SAR') management to consent management, from cookie management to incident response, and from privacy policy/notice management to vendor management and risk management, there are software solutions that can help you. If you want increased insight into what tools are out there, there is a Gartner report that collates and categorises privacy management tools, which would be a good place to start. A decision you need to consider early on is whether you will run your global privacy program manually or invest in a software solution. An appropriate system has multiple benefits; for example, it offers automation, which helps you to get more done in less time, a huge plus when you are taking a program global. Many tools also offer systems integration, which means they can interact with your existing technology landscape and automatically help you with data discovery, data mapping, and even dealing with SARs from the public.
Privacy frameworks
Adopting the right privacy framework is quite important as this is a tool that will help to provide structure and direction to your privacy program. Think of a framework as an approach, a set of principles or guidelines that help to direct the correct implementation of your privacy program. There are various frameworks available, and you will need to select one that is a good fit for your organisation. Many would argue that the GDPR itself provides a framework that you can use for your privacy program, but then, so does the CCPA. There are other privacy or data protection management frameworks that you may use. The important thing is to use your knowledge of your organisation, its geography, and culture, to guide the appropriate choice of framework.
The deliverables: training, data mapping, gap analysis, and reports
There is a need for tangible deliverables from your privacy program, namely, how will you showcase the results of your hard work and what will you deliver to your stakeholders at the end of each project. With the increased emphasis on accountability required by the GDPR, organisations must now demonstrate compliance, and this is achieved with increased actions and documentation which will form most of the deliverables from your privacy program.
Training
Most privacy programs will include a requirement for privacy and data protection training across the organisation. There is also a need for a comprehensive privacy awareness campaign, which serves to increase the general awareness of staff regarding privacy matters and any imminent changes in privacy law. Privacy training is ideally delivered via a two-fold approach. Initially, some general privacy training should be arranged for all employees irrespective of their role, as this provides the general basics of privacy within the context of an organisation. It helps employees understand the new privacy expectations and culture that are being propagated. In addition to this is the need for role-specific privacy training, where detailed privacy education is provided within the context of the role the employee has within the organisation. Awareness campaigns may be delivered via flyers, screensavers, posters, newsletter articles, and webinars, among other available options.
Data mapping
As part of privacy management, there is a time-bound, regulation-enforced requirement to respond to personal information requests from data subjects and consumers, and there is a similar requirement to respond to data breaches. These requirements can only be fulfilled effectively on the basis of a comprehensive understanding of where, how, and why your organisation uses personal data. This leads to data mapping - a central focus for most privacy programs - and you will no doubt need to conduct a data discovery exercise to identify everywhere that your organisation collects and processes personal information. Then you will need to map the movement of all identified personal data through its lifecycle. Doing this properly in one location is challenging enough, especially when you consider how much personal information is used across functions such as human resources, marketing, operations, and others. Scaling this globally can therefore become complex quickly. Many organisations choose to use Excel for this; however, you are well advised to use a proven tool to systematise and automate this process for your global privacy program. Bear in mind that in addition to using this internally for SARs and breach management, you will also have a legal requirement to demonstrate it, for example under Article 30 of the GDPR, which requires you to document all processing activities that store and/or collect personal information.
Gap analysis
The gap analysis phase of your privacy project will no doubt uncover some privacy gaps and risks that need to be addressed. They will vary and may range from outdated privacy policies that need rewriting, to websites that need new consent clauses, or specific systems that require a comprehensive security review. These will need to be documented as some will trigger new remediation projects. The documentation of these gaps is critical as it demonstrates the results of your privacy program. This is proof that your organisation is not only aware of the privacy issues identified, but it already has a plan in place to remediate them. The ability to demonstrate this goes a long way to show regulators and auditors that you are clearly on top of your privacy responsibilities.
Reports
Your project sponsor, the executive team, and senior management will require various reports from your privacy program. These will vary and will be driven by their specific requirements. Reports regarding risks identified and risks mitigated are standard, and there will be other reports needed to help them understand how privacy is faring across the organisation in general. This is another area where investing in the right privacy management tool is important, as some come with extensive reporting capabilities which should make this part of the project relatively easy.
This article was first published in Data Protection Leader in March 2020.
--
4 years: Brilliant article, Toks. Privacy programs are sorely needed in these challenging times.
Legal Compliance|| Data Privacy & Protection
5 years: Interesting read Toks, truly there has been an explosion in privacy technology following the GDPR. Most important is for privacy officers to understand their organizational needs before signing up for a technology.
Data Protection Officer @ TU/e | Privacy & Legal |CIPPe, CIPPus, CIPM, CIPT, FIP
5 years: Great tips & advice!
Polyglot Cyber Security Consultant/ Investor
5 years: Great work.
Data Protection & Governance dude | Founding member of Data Protection City | unCommon Sense "creative" | Proud dad of 2 daughters
5 years: Great work. However, this is not a one-time reading. Most of these aspects are applicable to any global initiatives, not only privacy. I would write complementary materials with common mistakes in these initiatives. I know each has its own specifics, but there are areas which are more prone to fail.