1. First things first: start with a privacy governance framework
Start by formulating a privacy governance framework: which departments, roles and persons are responsible? What will the organisation-wide policies be? Only once that is in place is it possible to set up the processes that follow from it, such as getting a register of processing activities in place, carrying out data protection impact assessments and registering (and notifying) personal data breaches. For this second phase, it is necessary to know which processes, applications and systems are being used within the organisation (see our whitepaper on this inventory here). This may sound obvious, but you cannot get the processes in order without a clear organisation-wide goal and structure for privacy.
2. Tone at the top: effective privacy governance starts with backing from the board
Everything starts at the top of the organisation. Without the backing of at least one sponsor of the program in the organisation’s boardroom, a successful privacy compliance program is almost impossible. There is no recipe for finding that sponsor, but anything or anyone that puts you in touch with a potential sponsor will be useful. You may find a natural ally in the people responsible for HR, risk mitigation or compliance, but the sponsor should sit on the board rather than just below it. The board is ultimately accountable for these activities and therefore has an interest in making the organisation compliant.
3. Be multidisciplinary: acquire necessary knowledge and involve other people
Although the GDPR is a legal instrument, you’ll need at least some IT knowledge to be able to ask the necessary questions. What if ‘anonymisation’ is in fact ‘pseudonymisation’? The difference matters: pseudonymised data can still be attributed to a person with additional information and therefore remains personal data under the GDPR, whereas truly anonymised data falls outside its scope. You’d better find out early by asking the IT people you work with. A lack of ‘ownership’ threatens any GDPR privacy compliance program. Therefore, you need to involve other people with other responsibilities. Information security and privacy are basically two sides of the same coin: team up, and you will be stronger together.
4. Don’t mix responsibilities: you cannot combine executive and controlling roles
As a (chief) privacy officer (or data protection officer in GDPR speak), you need to be highly independent. You cannot combine that role with that of, for example, an HR director or an IT manager. Otherwise you would be assessing your own work, which is incompatible with the responsibilities that come with the role. The GDPR (Article 38) and the guidance endorsed by the European Data Protection Board (EDPB) list requirements for this independence, such as the absence of conflicts of interest, reporting directly to the highest management level, and access to the resources needed to do the job (budget, staff and other support).
5. Get your team together: you cannot do it alone
You’ve just been appointed as a privacy officer in a large organisation, and the board thinks that ‘that’s it’. Think again, board, we’re just getting started. To get the job done, a (chief) privacy officer needs a team to do the work, such as rolling out the privacy governance strategy and getting all procedures in place. What’s more, the procedures have to be followed, and that involves a lot of other people from the business, who have to be managed as well. A single person cannot do that on their own. So yes, you will need a budget for that, and the organisation needs to provide it.
Now that we have covered the preparation of a GDPR privacy compliance program, it is time to execute the plan. In the second blog post we will give you tips for the execution phase.
This blog post series is based on our whitepaper about creating a successful GDPR privacy compliance program, written in collaboration with Annemarie Vervoordeldonk, an experienced DPO who has worked for several multinationals and has started her own business providing consultancy and “DPO-as-a-Service”.
Want to know more about the whole process of creating a GDPR privacy compliance program? Download the full whitepaper here.