The four pillars of a high performing privacy programme

By Mohamed Alkawash, Ali Sheikh

Global and local organisations work constantly to comply with rapidly evolving privacy and data security regulations. Appropriate data handling and privacy practices remain fundamental focus areas for organisations. However, document-based compliance only forms one aspect of an organisation’s privacy programme.

Embedding privacy within the organisation ensures a holistic approach, achieving and maintaining compliance with applicable regulations. Here, we identify the four key pillars of a well-functioning privacy programme.

1. Apply the ‘Three Lines of Defence’ privacy model

The Three Lines of Defence privacy model allows privacy teams to create a clear decision-making hierarchy and clarify role responsibilities, encompassing all levels of seniority in the organisation to create a privacy-first culture while establishing multiple safeguards against non-compliance and risk. The first line of defence comprises employees; your eyes on the ground who handle personal data. Employees then cascade any issues or queries to management – the second line of defence – who review risk assessments and escalate any issues to the third line. This final line is the Data Protection Officer or privacy function that provides responses, tracks ongoing or new risks, and identifies any additional areas of consideration.

2. Develop a targeted training programme for employees

Training should be proactive, responsive, and target employees’ privacy-specific responsibilities to bring the most relevance and value. Role-relevant training will reassure managers and leaders that employees are aware of key areas of focus. Tracking training completion – or non-completion – and the nature of queries received after training can help to realign and adapt the content of these sessions to address organisational needs. If the majority of queries relate to Data Protection Impact Assessment (DPIA) completion, for example, then additional time and guidance should be allocated to explaining the information that data owners must provide during DPIAs, and why.

This data-based approach allows privacy teams to understand the context and challenges of their organisation, and create targeted, impactful modules as opposed to generic information security training.

3. Utilise an impactful privacy metrics and reporting framework

There are many different ways to review the effectiveness of privacy measures across your organisation. One example is assessing the number of DPIAs that are correctly completed and reviewed by the Data Protection Officer or privacy function, alongside the volume of screening questionnaires that result in a DPIA, to illustrate that risks are flagged, logged, and mitigated.

Other metrics to measure performance and effectiveness include:

  • Internal audit actions: The number of actions arising from internal audit results that have been completed across the organisation – where internal audit actions remain pending or unresolved, a wider assessment of the challenges in implementing the required changes may be needed.
  • Privacy training engagement: The level of engagement during training sessions – a higher engagement level will mean a reduction in the volume of queries or incidents reported to the privacy function. All staff privacy training should be completed and refreshed where required, at least annually.
  • Data privacy queries: The number of data privacy queries received and successfully responded to across the whole organisation – this will demonstrate how privacy knowledge is shared and adhered to across the organisation.
  • Breach reporting and incidents: The volume of data breach and incident reports completed and reviewed by the organisation, and an assessment of any changes in their frequency.

4. Embed ‘privacy by design’ and ‘ethics by design’

A privacy by design approach considers data protection issues within the design and development of data collection activities. A simple example is completing a DPIA to identify and mitigate risks to the rights and freedoms of data subjects who may be affected by a data processing activity. This includes organisations sharing information with data subjects in a transparent manner, such as using plain language in a privacy policy.

An ethics by design approach includes an Ethical Impact Assessment to assess the importance of ethical impacts, risks of violations, and the severity of the subsequent impact of proposed data processing activity. By embedding this approach, organisations can strengthen customer relationships by demonstrating that data collection activities are designed with transparency and trust in mind, accounting for both data privacy and data ethics considerations.

High-performing privacy programmes in practice

Operational privacy programmes are composed of multiple components, working together to achieve and deliver a privacy-first culture that allows organisations to build and maintain customer trust while supporting smooth compliance journeys.

For example, we supported a leading pharmaceutical client to embed GDPR into business-as-usual, combining their deep knowledge of the business with our privacy expertise to deliver a privacy operating model that balanced risk and innovation. Our team pressure-tested and designed core privacy processes – such as inventory maintenance, individual rights, and DPIAs – in line with regulatory requirements. We developed a privacy procedure and quality management plan and defined the overarching governance arrangements. Through our support, the client’s new privacy stewards were equipped with the knowledge and tools required to operationalise privacy requirements.

Applying the above pillars in your approach to privacy and security will ensure compliance and consistency across all organisation functions. To find out how to embed your high-performing privacy programme, reach out to our experts.
