If your brand doesn’t have a specific team or individual dedicated to data privacy, you’re not alone. Many companies start with no concrete plans for how data privacy work will get done. After all, data privacy is everyone’s responsibility, right? The challenge is, eventually this model becomes unsustainable. 

With new state privacy laws and modifications to existing state privacy laws passing every quarter, maintaining compliance takes dedicated time and attention. In addition, as your company gains more customers, you will also gain more personal identifiable information (PII), which means increased privacy responsibility, more data subject requests (DSRs) to keep up with, and greater risk of potential fines and negative publicity if you fall behind.

When is it time to invest in data privacy?

As a privacy company and advocate for better consumer privacy protections, we believe it’s never a bad time to start investing in data privacy. Still, we also recognize that privacy must be balanced with other business needs. 

Here are some common events that indicate it’s time to start building a data privacy function: 

• Your business can’t stay on top of new and upcoming privacy regulations
• You’re launching a new product or introducing new AI technology which will require you to collect more PII data or sensitive data from your customers
• You are under threat of fines or private legal action due to non-compliance
• You have an upcoming business event, such as a funding round or IPO, that will bring increased scrutiny

If any of these sound like your company, then it’s probably time to invest in a privacy team. Knowing where to start can be tough, so let’s walk through three common models:

1. Centralize Privacy under a privacy-specific team, either within its own department or reporting up to Legal, Security, or Product
2. Keep privacy decentralized across teams, but ensure each team has clear staff members identified to address privacy topics
3. Build a hybrid of both of these models with a dedicated centralized privacy team and privacy owners across teams

Let’s take a closer look at each option.

1. Centralize your privacy team

A centralized privacy team has several major advantages:

• Hire a highly specialized and informed team with existing knowledge and certifications, often including a blend of legal, security, compliance, and engineering backgrounds
• Built-in compliance with GDPR with a clearly assigned Data Protection Officer (DPO) who can handle privacy questions for all data subjects (customers, prospects, employees, applicants, etc)

The main disadvantage of this model is that it can be challenging for a privacy-specific team to stay informed on upcoming initiatives from other teams that could impact a privacy strategy. With less visibility into important projects across the organization, building buy-in on privacy goals cross-functionally can be more difficult. Additionally, mature privacy programs will need an engineering resource to succeed, and depending on where you place your privacy team within the organization, they could have less direct engineering support. 

If you choose to centralize your privacy team, you have a few options of where to place them:

Add a privacy team to Legal

Data privacy is a complex topic with rapidly evolving legislation, and lawyers will often be needed to help interpret laws and draft updates to the company privacy policy. If your company has an existing strong legal function, it can make the most sense to set up a privacy function reporting to a General Counsel. 

Add a privacy team to Security

A privacy team organized within Security, reporting into a Chief Information Security Officer, can offer the organization greater insight into total risk exposure and more effectively partner to evaluate procurement decisions and address the privacy implications of data breaches. If your security leader already has interest or expertise in privacy, this is an ideal organizational choice. 

Add a privacy team to Product

SaaS companies with a highly technical or product-led culture can benefit from organizing their privacy function to a specific product and/or engineering team. This team will be responsible for building privacy-by-design into the product as well as building greater technical efficiency in handling DSR volume and other internal tasks. Investing in customized automation can help a complex organization build buy-in cross-functionally and secure compliance without risk of human error.

Build a standalone privacy or compliance team

This type of team will report directly to a Chief Privacy Officer or Chief Compliance Officer, who in turn reports directly to the CEO. This is the best way to signal the importance of privacy as a value to your organization and ensure you have dedicated staff to prioritize privacy across the business. The more your customer trust could be deteriorated by a data privacy incident, the more seriously you should consider this option. For example:

• If your brand has experienced a data breach that leaked PII, or your competitors have experienced similar
• If your brand holds sensitive data such as medical/health data, financial data, or children’s data
• If your brand operates in security or any industry where privacy has been publicly scrutinized (e.g. social media)

2. Strengthen a decentralized privacy team

In this model, the business formalizes existing contributions to privacy work by ensuring privacy is reflected in job descriptions of key roles across the entire company. Privacy often won’t be anyone’s full-time job in this option.  

This model has some clear drawbacks in terms of resourcing efficiencies as well as in assigning a comprehensive DPO for GDPR. However, teams can still be very successful in this model with sufficient support. If your company does not collect a large amount of PII or sensitive data, this model can enable you to improve your privacy practice without necessarily investing in a new headcount. 

If you choose to keep your privacy team decentralized, focus resourcing on these teams in addition to those listed above (Legal, Security, Product):

Marketing

Many privacy laws specifically address tactics owned by marketing, such as the use of third-parties to share data and track consumer interests. Plus, at many organizations, marketing owns customer and prospective databases hosting the largest portion of PII data.

An effective privacy champion within a marketing team can also help tie privacy into major brand initiatives across the company and build buy-in within other teams. Take for example the Marketing Operations Director at Ping Identity, Molly Reed, whose colleagues applauded her, “she has championed the development of an effective privacy strategy combined with its efficient execution while understanding and not inhibiting the goals of the business or the many functions she works across.”

Marketing will need support from Legal and Engineering to achieve their privacy goals. 

Customer Experience

At some companies, DSRs are managed as tickets through the Customer Support team, giving the broader Customer Experience organization greater insight into trends within the DSR process and any pain points. 

Erika Alonzo, a Customer Experience Project Manager at Crunchbase, was able to optimize her company’s usage of Zendesk and DataGrail to handle a large DSR volume while still closing requests in 5 days or less. “With firsthand experience,” she noted, “I knew which integrations to prioritize first and what kind of reporting we’d need to be able to improve.” 

Customer Experience will need support from Legal and Engineering to achieve their privacy goals. 

Engineering

As your company grows and expands its customer base and tech stack, engineering will be critical to help scale the organization. Your Engineering team will likely be tapped by other teams to help expedite DSR processing and integrate risk assessment tools. Without support, engineering teams can end up over-utilized, manually deploying cumbersome custom scripts and maintaining complicated homegrown systems. Ensure that a member of your legal or security team can help project manage this team and spot inefficiencies before they become an issue. For smaller companies, you may choose to work with an external developer for privacy-related projects. 

Human Resources (HR)

Past employees and job applicants can submit DSRs too, and applicant tracking systems can store a large range of potentially sensitive data. Ensure your HR or people operations team is reflected in privacy efforts and included on data maps and DSR management. 

3. Creating a hybrid approach

The best path forward may be to embrace the strengths of both centralized and decentralized approaches by supporting both. In this context, you’ll build a privacy team within Legal, Security, Product, or its own arm of the business, but you’ll also spread privacy responsibilities across other departments as well. 

Consider creating a privacy risk council or similar to encourage proactive collaboration across teams. Your council should include privacy representatives from:

• Legal
• Security
• Product
• Marketing
• Customer Experience
• Engineering
• Human Resources 

As for your privacy team itself, you’ll need the following minimum responsibilities managed. Consider which ones are the responsibility of the privacy team itself, or a member of your broader council:

• Someone who manages the DSR process, ensuring the correct individuals are tapped to process access, modification, and deletion requests on a timely basis, and project managing the creation of integrations to eliminate manual work where possible
• Someone who proactively evaluates privacy risk, completing risk assessments (including data protection impact assessments and records of processing activity, required by some governing bodies)
• Someone who can set internal policies and meet with teams to mitigate risk and educate on privacy compliance
• Someone who can draft updates to the privacy policy and communicate changes to your user base 
• Someone who can monitor and evaluate new privacy laws to understand any necessary upcoming changes to your business process for continued compliance
• Someone with an engineering or technical operations background who can help the entire privacy process scale and mirror your brand identity

Your privacy team might consist of only a few individuals holding several of these responsibilities each, while partnering with other teams to meet the remaining goals.

For example, at Aura, the Chief Privacy Officer (CPO) sets overarching strategy and resourcing for privacy and maintains responsibility for overall risk insight. The DSR process is not handled by the CPO’s team at all, however, and is instead managed by James Smith, the Sr. Supervisor of Member Services and Tech Support. This hybrid model allows Aura to integrate the privacy experience into the overall customer experience, where Smith has the most insight into the team’s needs. Smith takes strategy and direction from the CPO, but is ultimately the most informed to direct execution. 

As long as each listed responsibility is owned by someone in the organization, a hybrid model can be a truly effective way to integrate privacy into company culture and brand identity.