
It’s 2023 – Your Privacy team is no longer a compliance function

Dominga Leone • June 20, 2023

In a recent online post, I shared my opinion that the privacy team is not a compliance function, and it sparked an interesting debate, which I think is worth expanding on.


I passionately believe that in this era of exponential change in technology and regulation, the privacy team is not a compliance function, but an instrumental and cross-functional team, essential to every business processing data. The work we do is misunderstood though. Good privacy professionals don’t just “quote the law” or “say no” to processing data that creates complex privacy issues - instead they will partner with you to explore ways to make things happen. They will help make data a competitive advantage and reduce the risks to your company and individuals.


In this article I want to dive into the activities we undertake and the value we add for each department. I hope to dispel the myth that we are just compliance!


How we engage with functional areas


Let's start with supporting product, solutions, operations and data analytics teams. Privacy teams play a pivotal role in ensuring that 'data protection by design' is integrated into any product, service or process that involves the use of data.


Embedding data protection by design requires privacy professionals with strong expertise in data protection impact assessments, data subject rights, data minimisation, storage limitation, consent management and other technical and organisational measures, including privacy-enhancing technologies to protect the data. If data analytics, AI or machine learning are involved, your privacy team will advise you on the additional controls required to meet evolving regulation in this sphere. They will conduct a deep-dive analysis, identify risks and propose mitigations, and they will also help define user stories, functional requirements, features, solutions and controls. Privacy teams will use their expertise to help you deliver faster and with less rework.


Marketing teams cannot function without taking privacy and data protection into account. In a time of digital and regulatory change, where the use of cookies and pixels can be considered selling data, the rules are incredibly broad and complex: they depend on the country, the State, the type of marketing, the type of customer and even the time of day you communicate with customers. No good comes of throwing regulation at the Marketing department, so privacy teams must be a proactive business partner offering hands-on support. This helps avoid penalties in an area that is one of the most likely to be pursued by regulators.


When it comes to vendor and third-party management, the privacy team must be involved from day one. The privacy team's role is not just due diligence: third-party relationships can often be multi-party and involve several processing actors and purposes, requiring a great deal of work to ensure that the right artefacts are produced and that controls are put in place to manage data sharing. If this isn't done properly, it causes operational issues and expense later down the line.


Many legal teams have a good understanding of privacy, but they may not have the necessary privacy experience to assess the downstream operational impact of privacy wording in contracts, data processing agreements, and standard contractual clauses - this is where I have found privacy teams can provide invaluable support to the legal department. In some cases, privacy experts can even push back on onerous contractual privacy terms received from third parties, identify excessive demands and negotiate more reasonable terms that benefit both the business and data subjects. It is critical to have a pragmatic and experienced privacy professional available to challenge and offer alternatives.


The privacy team also plays a critical role in conducting a transfer impact assessment and advising on the safeguards and supplementary measures if restricted transfers of data are involved.


Involving the privacy team in B2B sales meetings with potential customers who are concerned about privacy and data protection can lend credibility, foster trust and ensure accurate information is provided. I have seen situations in which, in the absence of privacy expertise, salespeople provided incorrect details about data protection, and this undermined trust. The privacy team's involvement can relieve pressure on sales teams, who may not have the necessary expertise to answer privacy-related questions.


Overall, the privacy team can play a crucial role in supporting sales and business development efforts and building strong partnerships with customers. Turning to regulatory affairs, risk and strategy: I have witnessed entire business models crushed by changes to regulation. Privacy teams don't only assess privacy risks within your business and work to define likelihood and impact; they horizon-scan the regulatory landscape, assessing operational impact, identifying opportunities and threats and providing recommendations. Good privacy teams will help organisations strategically prepare to gain competitive advantage from the introduction of new laws.


What about people teams? Privacy teams help build processes and practices that safeguard the privacy of employees and candidates. HR teams often do not realise the data protection impact of certain initiatives, such as collecting biometric data or using screening tools to automatically sift through candidates. The privacy team is well equipped to guide and support HR through the entire data processing lifecycle and to help them navigate the complexities of handling data across multiple countries. Employees will often make subject access requests, and any contentious processing is likely to come back to bite, so privacy teams are essential to ensuring HR have their house in order, saving a lot of money in the long run.


We finish where we started: compliance and governance are, of course, the cornerstone of the Privacy Programme, which takes into account the laws and regulations of all territories where an organisation operates. The privacy team will build a comprehensive framework that covers policies, procedures, processes, training, monitoring and auditing. Operationally, they will deliver internal privacy policies, external privacy notices, cookie notices, records of processing, incident and breach management, definition of legal bases for processing, management and monitoring of data subject rights, and assurance that security is embedded. The privacy team is also responsible for defining key performance indicators and reporting to the Executive team.


Conclusion

In conclusion, evolving regulations require continuous vigilance and adaptation. Managing compliance for the privacy programme is a huge job on its own, but we now understand that it is just a fraction of what the privacy team will do for your business.


In 2023, privacy and data protection are vital to any business processing data. The scope and breadth of the work done by privacy teams is extensive and provides the foundation and value for almost all business functions and initiatives. They won't just give you a legally defensible position; they will translate complex laws into product features, technical controls and operational processes.


Despite being seen as a cost, privacy spend offers a strong return: a recent Cisco report puts it at 1.8 times the investment. I bet that for tech companies or heavy processors of data, the return on investment is much higher.


Treating Privacy as a compliance function will limit the value the team can deliver and the returns to the business. With the right Executive backing and resources, your privacy team will be instrumental to your strategy and deliver outstanding value by helping you build products, processes, systems, business and customer relationships.


Are you a privacy professional? Do you see yourself as a compliance function or something else? How does my experience of running a team compare to your own?


Let me know in the comments.
