Privacy Program Management: Buy-In, Governance, and Hierarchy | TrustArc

This page contains a cleaned, text-based version of publicly available content from TrustArc.com. It is provided to support knowledge retrieval and AI system understanding while preserving canonical attribution to the original source page on TrustArc.com.

Source URL: https://trustarc.com/resource/privacy-program-management-buy-in-governance-hierarchy/

Content Type: resource


Privacy PowerUp Series #9

Storytelling is a key skill in building and managing a privacy program. Stories allow us to take the reader on a journey, tugging on our emotions while conveying a specific message in the end. Like any story, you need to “hook” the reader early, keep them engaged, and deliver a memorable end. Before you start rattling off about changing data privacy laws, the growth in regulations, increasing fines, and customer expectations, STOP and take time to build your story around data privacy within your organization. Remember, we are also consumers in the global economy. Below are the steps to getting senior management buy-in for a data privacy program and the ongoing need to manage it effectively within the community.

Know your audience

Senior management today is rewarded based on revenue growth. Mere compliance as the primary focus does not work for most organizations.

- Know the organization’s current strategic goals. Are there opportunities for privacy to drive, participate in, or support these goals?
- Remove ambiguities and unknowns. Refrain from using data privacy jargon, especially acronyms.
- Benchmark against competitors. You’ll be asked what your competitors are doing or not doing. Use benchmark data to show privacy investment by verticals.
- Focus on engagement, not overwhelm. Instead of bombarding them with privacy facts, news, and details, aim to hook them with your story. Focus on the next immediate step and the support needed to test or prove the demand to formalize a privacy program.

Identify key evangelists

Typically, the most likely evangelists in your organization will be the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Human Resources (HR) lead, and General Counsel. Additionally, there may be influential voices who command respect when they speak, even without C-Suite titles.

- Determine their script. Decide whether they all evangelize from a common script or have specific aspects of the story they’ll need to convey. Meet with these key people, tell them the story (keep it very simple), and be clear on the ask.
- Incorporate feedback. Listen to their feedback and incorporate it into your story. Collaboration strengthens the narrative.
- Get their support. Your primary objective at this time is to have them say, “Yes, I can help tell your story.”

Define your approach

Be prepared to address strategy, structure, process, and people.

- Collaborate for strategic goals. Highlight areas where privacy can help achieve organizational strategic goals. For example, privacy teams can help InfoSec focus resources where personal data exists, saving time and unnecessary security expense.
- Use a risk-based model. Build your program based on actual risks categorized as high, medium, or low. Data should define your future.

Identify personal data processing activities and collection requirements

Think of this step as a “proof of concept.” Identify areas where personal data processing likely occurs and conduct a data discovery.

- Select activities. Look across the enterprise in areas like talent recruitment, digital marketing, customer service, sales teams, and others.
- Conduct data discovery. Gather at least the minimum requirements to comply with data privacy regulations. Empathetically address pushback and set clear expectations. Your objective is to obtain a statistical data sample.
- Analyze the data. Whether as a story or as spreadsheets, categorize processing activities as high, medium, or low risks to the organization.
- Add details to the storyline. What does the data reveal? What are the initial inherent risks? Are there glaring compliance issues? Are we aligning with best practices and data privacy principles?
- Show data-defined stories. Use the data inventory exercise to define and illustrate the story.

PowerUp evangelist network

Refine your initial storyline as needed.

- Share findings with evangelists. Again, ensure they have a simple script to follow.
- Leverage meetings. Plot specific functions processing personal data and get on established team meeting agendas to tell the story.

Gain senior management buy-in

Work with your evangelists, especially those in the C-Suite, to get time with senior leadership. Ensure you have enough information (about four PowerPoint slides) to accomplish your objective.

- Present the story. When ready, present the story to senior management.

Implement governance structure

Now that you have some level of senior management buy-in, put in place a broader governance structure.

- Build a cross-functional coalition. Privacy is a team sport; you cannot (and you shouldn’t) do this alone.
- Choose the right governance model. There are typically three structures in data privacy:
  - Central-out model: A global privacy office is accountable for strategy, operations, insights, and training.
  - Decentralized model: Local privacy functions handle strategy, operations, and training for specific jurisdictions.
  - Hybrid model: A central function provides the global strategy and training, while local teams manage operations.

Focusing on the hybrid model, there are typically two tiers:

- Working Committee: Data stewards who provide practical advice and experience.
- Executive Committee: Executives who oversee the functions and provide strategic advice and budget authority.

Crafting a strategic privacy program: Align, engage, and govern for lasting success

By following these steps, you’ll be well on your way to creating a robust privacy program that aligns with your organization’s strategic goals. At the end of the day, building a privacy program is about crafting a compelling story that resonates with your audience, gaining buy-in from key stakeholders, and implementing a governance structure that supports ongoing management and compliance.

With PrivacyCentral, you can easily build out and manage your privacy and compliance governance program. Easily identify gaps, manage tasks, and streamline evidence tracking and reporting to save you time and help ensure compliance. PrivacyCentral’s library includes over 130 global privacy and security laws and standards, continuously updated by a team of privacy and legal experts.

Read the last article in this series: #10 Managing Privacy Across the Organization