Data privacy governance: Staying the course

5-minute read

Originally published July 2018; updated November 2020

When data privacy regulations such as GDPR and CCPA went into effect, companies who spent months (or years) getting ready for them may have breathed a sigh of relief. But enforcement dates are not a finish line. Even if your company created and executed a comprehensive readiness plan in time for a deadline, the task of maintaining your compliance is just beginning—and it has no end date.

Ongoing responsibilities under data privacy laws

Your company may be well situated to fulfill your obligations under applicable data privacy laws today, but remember that technology doesn’t stand still, and neither does your business. Triggers such as mergers or acquisitions, new processes, new applications, new reports, and other events can significantly impact your compliance status, and you need to be ready for them.

In addition to watching for triggers, you also need to ensure that your team can execute the actions that privacy legislation mandates—such as honoring data subjects’ requests for erasure and reporting data breaches—within the required time frames whenever the need arises.

As you look at your ongoing data privacy compliance strategy, remember to consider the following factors:

Monitoring compliance: How will you monitor the “big picture” of your organization’s compliance on a day-to-day basis? Having policies and procedures in place is half the battle; you also need mechanisms in place for ensuring that your employees follow them.

Data processor audits: How will you vet potential business partners who will process personal data on your behalf?

New processes and technology: How will you evaluate new processes and new applications to determine which ones are covered by the data privacy laws that apply to you, and if they are, how will you ensure that they offer the necessary security features, privacy by design, etc?

Record of Processing Activities (RoPA): What is your process for updating your RoPA to keep up with changes in your business?

Data Protection Impact Assessments (DPIAs): How do you determine whether a new process requires a DPIA, and what is your process for ensuring that your team conducts them when needed?

Building a data privacy governance committee

As you can see, maintaining your data privacy compliance level is no simple task, and you may be thinking “Who is going to manage all this?”

While your data protection officer (DPO) is responsible for overseeing your company’s overall compliance, it’s impossible for one person to have the required level of expertise—or the bandwidth—to monitor all impacted areas. Ongoing compliance across the organization requires the concerted effort of a team of experts, and that’s where your governance committee comes in.

When building your data privacy governance committee, consider the areas within your organization that privacy laws affect, and make sure that each has high-level representation, such as

• Education (HR/Communications)
• Data Processing (CIO)
• Policies and Contracts (Legal)
• Security (CISO)

Remember that your governance committee must have authority over your data privacy–related processes and the ability to exercise that authority. This will help you avoid the mistake that many organizations made with the project management offices (PMOs) they built for project governance. Because these groups lacked real authority, stakeholders saw them as a hurdle that slowed down business processes, and as a result, lines of business found ways to circumvent them. This breakdown in authority may have no real impact on the success of a project, but in the case of data privacy readiness, the potential consequences—steep fines as well as loss of customer trust—can be substantial. 

It’s a milestone, not a finish line

Many organizations become so focused on enforcement dates that they given little thought to what comes afterwards. Once your preparatory work sets you on the road of compliance, your mission going forward is to stay on track, which can be an even greater challenge. By creating a data privacy governance committee with the necessary expertise and authority to manage compliance activities, you prepare your organization to adapt to future “triggers” and to fulfill your responsibilities on an ongoing basis.

General Manager of Data Privacy Jill Reber is a nationally recognized expert on data privacy—particularly GDPR, CCPA, and other data protection laws—and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, Information Management, the American Bar Association, and other national and international organizations.

Executive Team member Kevin Moos is recognized for his experience with knowledge management systems. He has lent his expertise to several prestigious industry panels on enterprise content management and other topics.