Navigating the roadblocks to a successful privacy management program

by Sypher | Published in Resources


Just as a sports coach does not play the game, but teaches the players how to play it, your role as a DPO is not to protect personal data by yourself, but to create an environment in which everyone is aware of their responsibilities and plays an active role in protecting personal data.

However, it is not just your own skills and those of your team that determine success. The broader organisational environment and active participation from all stakeholders are equally important factors to consider.

Join us in this article as we delve into the most frequently encountered challenges faced by DPOs in implementing and sustaining a successful privacy management program.

First things first:

How do you define a successful privacy management program?

Everybody defines success in a slightly different way, but, in general, we’ve noticed that successful privacy management programs share 3 crucial qualities that ensure their continuity and effectiveness:

  1. Systematic and formalised 
    A successful privacy management program should be structured and systematic, so that the processes are repeatable, predictable, and can help eliminate gaps.
  2. Integrated in the bigger compliance process 
    The program should be aligned with the organisation's overall compliance strategy and be integrated into the day-to-day operations of the business. For example, a better integration with InfoSec operations helps to ensure effectiveness in protecting data privacy and minimise the risk of data breaches.
  3. A team effort 
    Compliance is a team game, so everyone should be aware of their data protection responsibilities. The aim is to create a culture of privacy and ensure that everyone understands and carries out their role in protecting sensitive information.

Your most likely challenges

To learn more about the most frequently encountered challenges faced by privacy professionals on a day-to-day basis, we’ve recently commissioned research from a specialised agency. 

Preliminary results indicate that privacy professionals face a unique set of challenges which can be divided into two categories: 

  • Collaboration challenges - communicating and cooperating with management and colleagues. 
  • Technical challenges - planning, prioritisation, and executing the daily work involved in building and maintaining an effective privacy management program. 

Out of these two categories, collaboration challenges, such as communicating and getting support from colleagues and stakeholders, seem to be the most difficult to overcome. 

Collaboration challenges: address & minimise internal friction

The most frequently encountered roadblocks in this category are:

  1. Engaging colleagues in privacy management activities
  2. Securing resources and management endorsement
  3. Communicating difficult truths and advising on privacy matters

Let’s take a closer look:

Engaging colleagues

When addressing the difficulties entailed by working with people from across multiple departments, it is important to understand why it is hard for colleagues to help with privacy-related duties in the first place.

To put it bluntly, providing information can be a rocky experience for all parties involved. For your colleagues it’s hard to repeatedly fill in lengthy questionnaires with information that they sometimes don’t even know. For you, as the DPO, it is difficult to constantly check and combine all this information.

So here are 3 quick tips to navigate and overcome these challenges:

  1. Ask the right person for the right information - Present information requests in manageable chunks and direct them to the appropriate individual, to minimise the time required to answer and to increase the likelihood of getting correct information. Simply put, it’s easier to describe what you know than to chase someone else for the information or, worse, guess at the answer.
  2. Reuse existing information by allowing people to reference existing data rather than requesting it anew. In addition to saving time, this approach also has the benefit of ensuring that changes can be easily made in one place rather than across multiple sources.
  3. Make it easy for your colleagues to provide the information you need by offering a structured list of options. This method leverages the concept of “recognition” over “recall” as it is easier to identify information when presented with a list, rather than relying on memory alone. Lists also offer the benefits of reducing ambiguity, enabling filtering and search functionality, and overall streamlining the information gathering process.

Using proper tools that were actually designed for privacy management can make a big difference. Traditional methods such as manual documentation or the use of spreadsheets are time-consuming, prone to errors, and truly difficult to manage.

Securing resources and management endorsement

Every organisation is different, so there is no definitive way to do it. Nonetheless, when attempting to secure leadership endorsement for privacy initiatives, consider the following strategic pointers:

  • Uncover the magnitude of the work involved and the benefits achieved/risks mitigated, by providing a comprehensive view of the situation. This will help management understand the full extent of the challenges and why access to information and proper tools is essential for effectiveness.
  • Emphasise that a successful program depends not only on individual efforts but also on the overall environment and support from colleagues and stakeholders.
  • Be transparent about the support and resources you need in practice in order to achieve compliance goals.

Communicating difficult truths and advising on privacy matters

Your role requires a balancing act between facilitating the data processing initiatives of the organisation and protecting the interests of the data subjects. Consequently:

  • When advising against a certain course of action, do your best to present alternatives and work together with all parties to find a mutually agreeable solution.
  • Acknowledge that, in the real world, there is no perfect compliance and work with stakeholders to establish clear priorities and expectations. 

Technical challenges: navigating a constantly changing system

Based on our research, the biggest technical challenges include:

  1. Conducting Data Protection Impact Assessments (DPIA) 
  2. Building a ROPA you can count on
  3. Enforcing deletion and data retention policies

Let’s address them:

Conducting DPIAs

When it comes to technical challenges, the DPIA tops the list, because you need to have almost everything else in place before you can conduct one - e.g. records of processing activities (ROPA), legitimate interest assessments (LIAs), data processing agreements (DPAs), a data assets register, risk assessments, policies and procedures, etc.

This one is truly hard to do manually, because of the sheer amount of constantly changing information and the scattered sources it often has to be pulled from.

In order to overcome this challenge, consider establishing a structured repository of information and use it as a single source of truth across the entire organisation. 

It will allow you to pull the information whenever you need it and avoid annoying your colleagues by asking for the same information multiple times. Likewise, whenever you update a piece of information, you no longer have to do it in multiple places.


Building a ROPA you can count on

Building and maintaining a proper ROPA is essential for any privacy management program, as the ROPA forms the foundation for any and all compliance efforts, offering a clear picture of how personal data is being collected, stored, accessed, and used throughout the organisation.

A properly maintained and monitored ROPA allows you to:

  • Update privacy notices when relevant changes are detected in any activity
  • Identify data-supporting assets and document technical and organisational security measures
  • Tag risk factors in any activity and identify high-risk activities that require a DPIA (Data Protection Impact Assessment)
  • Keep an inventory of all the organisations involved in personal-data processing, to make sure that relationships are properly assessed and documented
  • Manage data-subject requests by showing how personal data flows inside and outside your organisation
  • Conduct better security-incident and data-breach analyses.

For tips on how to build and maintain a solid ROPA, you might want to check out these related articles: 


Enforcing deletion and data retention policies

This is challenging for several reasons. Firstly, organisations often store vast amounts of data that may be spread across multiple systems and databases. This makes it difficult to identify and locate the specific data that needs to be deleted or retained.

Another major challenge is ensuring that, once personal data is inventoried, deletion and retention policies are applied. 

To overcome these challenges, consider data management software that applies retention schedules to the inventoried data and automates deletion once a period expires.

In addition, you should conduct regular training and awareness programs to ensure that colleagues understand and comply with the data deletion and retention policies. 

Finally, organisations should regularly review and update their data management programs to ensure that they are aligned with changing legal and regulatory requirements.
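As an added illustration (not code from Sypher or from any product the article mentions), the Python script below treats a ROPA-style register as the single source of truth described above and derives two things from it: which activities should be scheduled for a DPIA, using the Article 29 Working Party (WP248) rule of thumb that meeting two or more of its nine criteria usually triggers one, and which records scattered across several systems are due for deletion under each activity's retention period. The record layout, field names, systems, activities and dates are constructed for the example and are not real data.

```python
"""Added example for this article: a ROPA-backed DPIA trigger and retention check.

Not code from Sypher or any product; the data model, sample activities, systems
and dates below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The nine criteria from the Article 29 Working Party DPIA guidelines (WP248);
# meeting two or more of them is the usual trigger for a DPIA.
DPIA_CRITERIA = {
    "evaluation_or_scoring", "automated_decision", "systematic_monitoring",
    "sensitive_data", "large_scale", "data_matching", "vulnerable_subjects",
    "innovative_technology", "prevents_rights",
}


@dataclass
class Activity:
    """One ROPA entry. Fields beyond the name are assumptions for the example."""
    name: str
    owner: str                       # who can actually answer questions about it
    retention_days: Optional[int]    # None = retention period not yet documented
    risk_tags: set = field(default_factory=set)
    legal_hold: bool = False         # litigation/regulator hold blocks deletion


@dataclass
class Record:
    """A data item located in some system and mapped to a ROPA activity."""
    system: str
    record_id: str
    activity: str
    created: date


def needs_dpia(activity: Activity, min_criteria: int = 2) -> bool:
    """True when the activity carries at least min_criteria recognised risk factors."""
    return len(activity.risk_tags & DPIA_CRITERIA) >= min_criteria


def dpia_candidates(activities):
    """Names of activities that should be scheduled for a DPIA."""
    return [a.name for a in activities if needs_dpia(a)]


def retention_report(activities, records, today):
    """Sort records into delete / retain / hold / no_policy / unmapped buckets.

    Only records whose activity has a documented retention period and no legal
    hold can be scheduled for deletion; the other buckets are gaps to close in
    the ROPA, not deletion candidates.
    """
    by_name = {a.name: a for a in activities}
    report = defaultdict(list)
    for rec in records:
        act = by_name.get(rec.activity)
        if act is None:
            report["unmapped"].append(rec)    # data the ROPA does not know about
        elif act.retention_days is None:
            report["no_policy"].append(rec)   # cannot enforce a period nobody wrote down
        elif act.legal_hold:
            report["hold"].append(rec)
        elif rec.created + timedelta(days=act.retention_days) <= today:
            report["delete"].append(rec)
        else:
            report["retain"].append(rec)
    return dict(report)


# --- constructed sample data (not real activities, systems or people) ---
TODAY = date(2024, 6, 1)
SAMPLE_ACTIVITIES = [
    Activity("Recruitment", "HR lead", 180, {"sensitive_data"}),
    Activity("Marketing analytics", "Marketing lead", 730,
             {"evaluation_or_scoring", "systematic_monitoring", "large_scale"},
             legal_hold=True),
    Activity("Payroll", "Finance lead", None),
]
SAMPLE_RECORDS = [
    Record("HRIS", "cand-001", "Recruitment", date(2023, 9, 1)),
    Record("HRIS", "cand-002", "Recruitment", date(2024, 4, 15)),
    Record("shared-mailbox-export", "cand-003", "Recruitment", date(2023, 1, 10)),
    Record("CRM", "lead-77", "Marketing analytics", date(2021, 1, 1)),
    Record("payroll-db", "emp-9", "Payroll", date(2015, 1, 1)),
    Record("s3-exports", "obj-1", "Unknown export", date(2022, 6, 30)),
]


if __name__ == "__main__":
    print("DPIA needed:", dpia_candidates(SAMPLE_ACTIVITIES))
    for bucket, recs in retention_report(SAMPLE_ACTIVITIES, SAMPLE_RECORDS, TODAY).items():
        print(bucket, [f"{r.system}:{r.record_id}" for r in recs])
```

Run as a script, it lists "Marketing analytics" as the only DPIA candidate (three criteria) and puts the two expired recruitment records, one of them sitting in a mailbox export rather than the HR system, in the delete bucket. The "no_policy" and "unmapped" buckets are the point of keeping the register structured: a payroll record with no documented retention period and an export the ROPA never recorded are inventory gaps to fix with the activity owner, not items anyone can safely delete yet.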

Closing thoughts

Before wrapping up, we’d like to leave you with three takeaways:

  1. Privacy compliance is a team sport and you are the coach. Success depends on everyone being aware of their role and fulfilling their duties.
  2. Effective privacy management requires resources and management support. Be realistic and communicate openly about expectations and what you need to deliver results.
  3. Yes, you can do a lot of things manually, but at the cost of spending less time focusing on what matters. Investing in the right privacy management software can save you not only time but also trouble.

P.S. As mentioned, we’ve been doing research into the challenges faced by privacy pros. To follow along and find out when we have the final results, subscribe to our weekly newsletter. We do our best to select the most interesting and relevant content in our field and deliver it to you in a bite-sized format that only takes a minute to read.