Privacy Champions – Building a Culture of Privacy
Could your organization benefit from a Privacy Champions Program?
The increased emphasis on data protection, compliance regulations, and changes in privacy laws means that even if your organization already has a well-designed privacy program, you can benefit from wider support and awareness. Plus, the fact that privacy issues are evolving means that they require ongoing attention and advocacy. Privacy champions are individuals within your organization who will work to do just that.
Generally speaking, privacy champions can assist with tactical aspects of privacy program operations, build a culture of privacy, and enhance accountability.
Some of their responsibilities might include:
· Ensure personal data collection, use, access, and retention adhere to policy
· Educate teams on the relevant security and privacy control requirements
· Communicate any updates or announcements from the legal and operational privacy teams
· Regularly review internal compliance dashboards and communicate the status of application security and privacy controls and compliance activities
· Respond to security-issued reports and drive remediation within product teams
· Investigate and help remediate any incidents escalated by threat and response teams
· Influence security-related priorities within a backlog, architecture, or roadmaps
· Bring up questions and challenges
· Integrate privacy training into the process for onboarding new employees
· Ensure that privacy issues are addressed in early-stage new product and new service development
· Assist in completion of Privacy Impact Assessments
In sum, privacy champions can educate, increase impact, troubleshoot, and communicate your organization’s privacy vision and goals. Think of them as ambassadors or evangelists located in various departments. They can build bridges within the organization – and as such also surface and resolve questions and concerns.
What To Consider When Building a Privacy Champions Program
Some organizations select individuals to serve as privacy champions, while others provide opportunities for people to apply. Depending on the extent of the work performed, you may want to consider whether it’s appropriate to tie promotions, partial work releases, or even company acknowledgement to the assistance that privacy champions provide.
· What are the qualifications for champions? They should be able to effectively communicate and influence behavior. Although they need not have deep subject matter expertise, they should be familiar with – or be willing to be trained in – basic privacy concepts, your privacy policies and standards.
· Who will manage the program? In addition to the Privacy Office, options include a Legal Division or Security Department. Some organizations also have an executive sponsor for Champions programs.
· What role does your champion program play with respect to your overall privacy program? For example, will your champions focus exclusively on training and awareness? Does the program play a role in privacy program governance? Is it involved in risk identification and mitigation? (You may want it to do all three.)
Because it’s likely that you will need to give your champions at least minimal training, one option is to build a privacy champion network throughout your organization by “training the trainer.” In other words, once a privacy champion has become proficient, they may be able to train others on their team to take over their role and responsibilities.
Consider allocating dedicated budget for a champions program and communicating clear expectations to those who participate. Champions should be told how much time they are expected to commit per month, and whether it will vary, with some months more time-intensive than others. Depending on the extent of their responsibilities, you may want to track their contributions as objectives and key results or as part of a performance review. This way you can make it attractive for champions to dedicate their time, energy and attention to the privacy program.
Ultimately, a privacy champion program can help ensure that privacy policies and practices are understood, with individual champions contributing by building privacy requirements into their department’s day-to-day operations. An effective privacy champion program will help build and sustain a culture of privacy, where members of your organization are aware of and actively working towards shared data protection goals and visions.