Privacy Program: Fully Integrated into All Functional Areas of the Organization
The proliferation of privacy and data protection regulations around the world, data security risks, and consumers’ emerging awareness of their rights, together with their growing expectation that companies take steps to protect their privacy and personal information, require organizations to take a structured approach toward their privacy and data management practices. Developing a proactive privacy and data management program is essential not only for compliance and data risk management but also to maintain consumers’ trust and confidence, and to sustain and grow the organization’s position in a competitive marketplace.
Many organizations falsely assume that as long as their IT department is tasked with protecting organizational information, nothing more is required in terms of the organizational privacy and data management efforts.
While an IT department plays a key role in ensuring confidentiality, integrity, and availability of personal information, a successful privacy and data management program will require that its fundamental principles be integrated into all functional areas of the organization. It also involves awareness, coordination, and participation from all departments.
For example, marketing and business development teams must be aware of and accountable for the activities in which personal information is collected, processed, used and transmitted for marketing purposes. Their responsibilities within a privacy program may include managing digital advertising and providing notifications to website visitors about the processing of their data.
A financial department, in coordination with the legal, HR, and IT teams, will need to account for personally identifiable financial information of customers and employees and comply with corresponding regulations and standards, such as the Payment Card Industry Data Security Standard.
Employees’ personal information, which is increasingly regulated, will also need to be incorporated into the organization’s privacy and data protection program. A Human Resources Department will be responsible for the lifecycle of employee personal information and will need to ensure that it is processed in accordance with the organization’s policies and procedures.
An organization should also consider designating or retaining a privacy/data protection officer who would be responsible for overseeing the privacy and data protection strategy throughout the entire organization and ensuring compliance with any applicable regulatory requirements. GDPR, for example, already mandates the appointment of an independent Data Protection Officer where the organization’s activities require large-scale regular and systematic monitoring of data subjects or processing of sensitive data.