• Privacy

Guide to Data Privacy Program Management


Rick Buck Chief Privacy Officer

Data privacy program management incorporates policies, procedures, and programs that protect companies and their customers’ information. Strong data privacy and protection can influence whether or not customers will do business with particular companies. Weak management can make companies easy targets for costly breaches that can devastate fortunes.

A well-managed program helps make data privacy an integral piece of business that gives the company a competitive advantage. By meeting or exceeding requirements in laws and industry standards, companies can:

  • Improve their brand’s reputation
  • Meet and exceed consumer expectations
  • Uphold consumer rights
  • Guard data from threats and attacks
  • Keep the trust of business partners and clients
  • Sustain regulatory compliance


Privacy program managers guide the company’s use of client and prospect data for marketing purposes.  Their teams must use data privacy’s best practices to keep their companies compliant with current laws and consumer demands. They must create and continuously enforce policies. Although their responsibilities may not change, their preparation and approach are vital so their companies can keep up with the evolving landscape of privacy.


Understanding Data Privacy Program Management

Knowing the basic pillars of privacy protection can launch and guide programs through any legislative changes. The pillars ask:

  • What data is being collected?
  • Was notice and consent presented or collected where required?
  • What is it being used for?
  • Where is the data being stored?
  • Where is the data being processed?
  • Who has access to the data and for what reason?


Having a deep understanding of the answers to these questions allows companies to build privacy programs that increase compliance and decrease risk. Addressing each of the pillars can facilitate planning and the evaluation of a company’s strengths and weaknesses regarding privacy.

However, having a firm foundation is only one facet of the overall scheme. Even creating a plan, although instrumental, is not the end-all. Continuous implementation is required otherwise the best plans will go to waste and businesses can suffer.


Data Privacy Program Management’s Best Practices

The processes and procedures to keep data secure entail several tasks. They range from inventory creation to incident reporting. Staying up-to-date with each task can mitigate breaches even though it will take expertise and time.

Asset inventory and data discovery

Companies can better manage their privacy risk when they know where they store personal data. They can do this by creating an inventory of data assets. This inventory can also reveal what kind of information is stored. Clear visibility can better identify risk levels according to where it is stored, who has access to it, and how it was obtained.

Privacy assessments

Since data privacy management is an ongoing process, occasional assessments offer time-sensitive reports that can identify privacy risks. Companies can prioritize actions and make required regulatory documentation based on the results of assessments.

For companies that partner with third parties, vendor assessments can ensure third parties responsibly handle personal data. Every entity in a data supply chain must be accountable for securely dealing with data. One weak link can expose customers’ private information and damage the reputations of everyone in the chain.

Privacy assessments are not just an important part of your program, they are required by laws such as GDPR, and many of the emerging U.S state privacy laws.

Privacy incidents

How fast a company is made aware of a transgression can determine how soon it can respond. Empowering employees to easily report on privacy incidents is a sound plan. Triggering a response is important but so is assessing what went wrong. Taking the results of a data breach assessment can help prevent it from occurring in the future.

Some regulations require companies to report privacy incidents. Having a system in place can keep data safe and maintain compliance.

Privacy rights requests

Privacy rights are required by GDPR and all of the new U.S state privacy laws.  Sometimes an individual wants to obtain their own information that is being stored. Companies have to ensure requesters are who they say they are before sharing data.

Data Subject Access Request (DSAR) management concerns granting access to customers, verifying identities, and delivering information – seamlessly so as not to inconvenience the customer.

Global cookie consent

More and more privacy laws state that websites must allow visitors to control their cookie preferences. Complying with regulations satisfies government entities. It also can build consumer trust. Giving customers what they expect when it comes to cookie consent might seem insignificant but it can keep them happy and coming back for more.

Privacy policies and notices

Almost as important as cookie consent are a website’s privacy policies and notices. Publishing them educates visitors about how effectively the website owner handles data. In many jurisdictions, notices must be presented prior to the collection of personal information.  This can instill consumer trust and increase compliance.


Data Privacy Program Management Challenges

Privacy programs appear to be a lot of work because they are. Running one effectively is a full-time job. In addition to all of the program’s privacy operations, challenges can arise that affect a program’s effectiveness.

Evolving regulations increase complexity and uncertainty

As more countries and states enact data regulations, data privacy managers and their teams can find themselves lost amid all the different rules. Compliance is not easy when regulations often change. It takes dedication to stay current with every law.

Small budgets make prioritization difficult

Some companies can’t afford strict data privacy measures. People, hardware, and software cost money. Financially-beleaguered companies sometimes place their customers’ data security behind profit margins simply out of survival. It is only a matter of time before these organizations receive large fines or penalties for non-compliance.

Hiring privacy people takes time, energy, and patience

Implementing a data privacy program does not usually happen overnight. If a company does not employ privacy professionals, then they will have to hire them. The hiring process can be a chore that companies do not have time for, especially in today’s hectic business climate. Plus, one more employee is another expense that might not fit into a tight budget.

Companies typically want results immediately. However, if they can not spare time to recruit the right person or people who can operate their privacy program, then they will gain nothing.


Data Privacy Program Management Solutions

Some companies struggle with data privacy management for a variety of reasons:

  • Lack of subject matter expertise
  • Limited resources (time, money, knowledgeable personnel)
  • The complexity of privacy program management
  • Complicated regulations

Privacy compliance software and managed services packages can align with companies’ needs, technologies, and timelines to overcome the challenges and struggles centered around data handling. A fully-integrated platform can:

  • Create a central hub for data asset inventory to see what kind of information is stored, how it is used, and where it is transferred.
  • Automate privacy assessments that automatically collect data and trigger actions such as approvals and alerts.
  • Allow employees to quickly report data breach incidents and automate privacy incident follow-up.
  • Automate data requests that adhere to regulations.
  • Easily modify and publish website privacy policies and notices.

Additionally, some privacy compliance platforms augment existing systems and processes and provide scalable compliance. A company that finds itself dealing with a high volume of requests can use a framework or automated solution built on a privacy platform to ease the load.

Every company’s privacy needs are impacted by several factors. For example, a company’s industry and regulatory requirements can dictate privacy program demands. Regardless of the reasons, taking an assertive approach to compliance and risk can reduce and even prevent serious issues in the present and future. Companies that follow data privacy best practices are better positioned to maintain their market share through consumer and public trust, and possibly overtake competitors that are slower to adopt.

Rick Buck is the WireWheel Chief Privacy Officer and acts as a Privacy Advisor to WireWheel clients, helping them with the implementation and optimization of their privacy programs. Over the past 20 years, Rick has…