What is a Privacy Program and How Can You Build One?

Written by Matt Davis, CIPM (IAPP) | February 6, 2023

For what was once a niche profession, the privacy role is booming. According to research by the International Association of Privacy Professionals (IAPP): 

  • Privacy teams have grown by 12% on average in the last 12 months, representing thousands of new privacy professionals entering the profession. 
  • Businesses are investing over $1.8 million into their privacy program on average.  
  • The largest organizations, which face the greatest complexity and risk, invest nearly $9 million in their data privacy budgets!  

Source: IAPP-EY Annual Privacy Governance Report 2022 

All of this investment and growth makes sense—data privacy has never been more top of mind for businesses as new regulations are created and amended on a yearly basis. 

So, what are all these new privacy professionals doing with all this extra investment?  

They’re setting the foundations for privacy-consciousness at their organizations, identifying and implementing the right organizational and technical measures to protect privacy rights, reducing risk and measuring outcomes—in short, they’re building privacy programs. 

What is a privacy program? 

There’s a difference between, say, having a consent management system implemented on your website and having a full-blown data privacy program. 

A data privacy program serves as the framework through which you can find solutions to data privacy problems. It’s the collection of approaches, processes, and tools that you use to protect the privacy of your customers, employees, partners, and other stakeholders. Ultimately, it improves your organization’s ability to collect, process, and store personal information in a way that complies with the relevant data privacy laws. 

Data privacy programs will differ from organization to organization, as every organization works with personal information in different ways. But so long as you focus on building a framework first, there are best practices and standards you can follow that will lead to a data privacy program that works for your organization.  

Why do you need a privacy program? 

When asked why they need to have a privacy program, the first response that comes to mind is, “So we don’t get fined for breaking the law.” 

There’s nothing wrong with this being your motivation for implementing a data privacy program. To date, there have been over 1,200 GDPR fines totaling more than €2.3 billion. And although U.S. privacy regulations are just getting started, authorities like states’ Attorneys General and the California Privacy Protection Agency (CPPA) have shown that they intend to enforce the law. While enforcement is still in its early days, you can review our analysis of the Sephora case, which was the first enforcement action under the CCPA/CPRA. 

But even if these regulations didn’t exist, it would still be a good idea to implement a data privacy program at your organization. After all, the point of these regulations isn’t to collect fines; it’s to protect consumers and businesses. Here are some additional reasons why you need a data privacy program: 

  • Protecting personal data: Data privacy programs help organizations protect the personal data of their customers, employees, and other individuals, which is essential for maintaining trust and confidence in the organization. Not to mention it’s just the right thing to do for your customers. 
  • Preventing data breaches: Data privacy programs help organizations prevent data breaches, which can result in serious harm to individuals and damage to the organization's reputation and financial stability. Today, data breaches are more common and more damaging than ever. According to the Identity Theft Resource Center, 2021 saw an all-time high of 1,862 data breaches. 2022 had the second highest number of breaches on record at 1,802, which impacted 422.1 million victims. For businesses, data breaches can result in significant financial losses, damage to reputation, and legal consequences. According to Osano research, businesses with poor data privacy practices are significantly more likely to be hit by a data breach.  
  • Improving business operations: By understanding where consumer data lives and reducing the risk for data breaches, you also improve your overall information governance capabilities. As an ancillary benefit of your data privacy program, you’ll also have cleaner, more up-to-date customer data, a better understanding of the data that is at your disposal, and more. 
  • Reputation management: Organizations with robust data privacy programs are viewed as more trustworthy and responsible, which can enhance their reputation and increase customer loyalty. 

How do you build an effective privacy program? 

As we alluded to above, data privacy programs will look different at each organization, but there are some basic steps you can follow to establish a program that fits your organization. 

1. Understand privacy drivers

Before you do anything, it’s essential to learn all you can about the drivers behind your need for a data privacy program. Understand the applicable data privacy laws and regulations that apply to your operations, such as the GDPR or CCPA/CPRA. There might be other reasons why your organization needs a privacy program—such as reducing the risk of a data breach, building trust with your customers, and so on. Study these drivers as well and consider how they’ll shape your privacy program.

2. Establish a formal strategy

Once you understand the specific requirements your privacy drivers impose, you can review the guidance in this and other resources on building a data privacy program to establish a formal strategy. Don't stress about having all of the answers at this point; your plan might include steps whose purpose is simply to investigate and plan further. Even if there are still gaps like these, it’s important to show that you have a direction and a strategy to move ahead—this is especially important for the next step.

3. Secure organizational buy-in

You need commitment from the top levels of your organization in order to implement your privacy program. They’re going to want to know what the organization stands to gain, how this will impact operations, how it’ll impact the budget, and so on. Most non-privacy professionals underestimate the amount of effort it takes to become compliant. Laying out the steps will help clarify and secure the resources you need to be successful from the start.  

Furthermore, getting organizational buy-in will help you be more effective once your privacy program is live. If the whole organization understands that privacy is something they need to factor into their day-to-day responsibilities—such as team leads understanding the need to collaborate on DSARs or R&D understanding privacy-by-design principles—you’ll be more efficient and better situated to scale. 

4. Discover your data and conduct a RoPA

Most businesses haven’t had a reason to identify and track the personal data they collect until recently; as a result, many organizations have consumer data spread across multiple systems and databases. Discovering all of this data, classifying it, recording where it’s going and where it came from, and more is crucial for all downstream compliance activities. If you don’t know about it, you can’t do anything about it. 

The GDPR calls the output of this classification and recording process a record of processing activities (RoPA). Even if you aren’t subject to the GDPR, following its RoPA guidelines is a good approach to this process. 

5. Conduct a privacy risk assessment

Given the privacy drivers at play in your organization and the current state of your data processing activities, where are you currently exposed to significant risk? You might discover that your security measures are not applied evenly across the organization, or that you aren’t able to quickly process requests to opt out of data collection. Flag these risk areas so you can prioritize controls to mitigate them. 

6. Establish goals and develop an implementation plan

With a full sense of the scope of your privacy drivers, data processing activities, and privacy risks, you can now identify the specific steps you need to take. That might involve identifying a DSAR solution, revamping how your website secures consent, formalizing a vendor assessment process, and more. Almost certainly, you’ll have multiple goals—it's important to prioritize based on the relevant regulations and your organization’s biggest gaps. 

As part of this, you’ll want to develop or update your privacy policy. Note that you may need a privacy policy for both customers and employees. Establishing your policies at this stage makes sense, since you won’t have the full picture of your data processing activities before this step, and drafting a policy now forces you to consider what the day-to-day realities of your data processing activities will be going forward. As a result, you’ll have to account for the specifics of how your organization processes data. 

7. Execute your implementation plan

Once you have your plan, it’s time to put it into practice. 

You’ll need to implement technical and organizational measures to protect personal data, including encryption, access controls, consent management, vendor onboarding processes, incident response plans, and more. Make sure you include education and training in this step—privacy is not possible without collaboration and buy-in from across the organization, so you’ll need to ensure your coworkers are equipped with the resources they need to comply with policies and procedures. 

8. Measure success 

After implementing the various technical and organizational measures contained in your data privacy program plan, you’ll want to see whether they work.  

Can you respond to a DSAR within the 30 days required by law? Does vendor onboarding take too long? Do your colleagues feel burdened and confused by the new data privacy considerations they have to take into account? Measure and monitor these and other data privacy metrics to identify whether you’ve been successful and how you can improve. 

9. Sustain and iterate

Data privacy laws and regulations are constantly evolving. Organizations need to stay up to date with the latest developments and changes in the legal landscape to ensure their data privacy program is compliant. 

Not only will the laws and regulations change, but your internal processes will change too. You’ll collect and process data in new ways that may require data privacy impact assessments (DPIAs) or other evaluations.  

And most significantly, your business will hopefully grow! As you grow larger, your data privacy program will need to grow and evolve commensurately. 

Common data privacy program frameworks 

Following the above steps is a good start, but you might be looking for a greater level of detail. In that case, you may want to study one of the existing privacy program frameworks.  

Here are some frameworks you might consider adopting at your organization: 

  • The NIST Privacy Framework, which is broadly considered the gold standard of privacy frameworks. It provides a set of guidelines for privacy risk management and control and helps organizations to identify, assess, and manage privacy risks. 
  • ISO/IEC 29100: This framework provides a set of guidelines for protecting personal data in the development and deployment of information and communication technologies (ICT). 
  • ISACA’s COBIT framework, which is mainly focused on IT governance but does provide overlapping benefits for compliance and privacy programs. 
  • AICPA’s Generally Accepted Privacy Principles (GAPP) and Privacy Management Framework (PMF), which were developed to help management develop and measure the success of privacy programs. 

The key to successful data privacy programs 

The activities we recommend in this article are significant, but they’re just the tip of the iceberg. Educating and training your colleagues on privacy responsibilities is an entire initiative in and of itself, but it's just one component of a comprehensive data privacy program. 

That’s why it’s essential to make use of the data privacy tools that are available to you. Non-privacy professionals might think that it's feasible to build the necessary infrastructure for data privacy compliance in-house, but often, this assumption doesn’t take into account the many complexities that data privacy compliance poses. In-house development also commits you to maintenance and updates every time the law changes—which it does often.  

Without external support, you won’t have the time or resources it takes to develop a data privacy program that truly fits your organization. Osano can be the partner that automates the most tedious compliance activities like consent management, vendor assessments, DSAR workflow, and more, leaving you with time to tend to the unique needs of your organization.