
Step One Designate a Privacy Lead

The common principle of Accountability recommends that a suitably empowered individual or group should be responsible for implementing and maintaining a privacy program. This forms the backbone of the PMP’s governance and operating model.

There are a number of possible operating models, ranging from a top-down pyramid helmed by a Chief Privacy Officer to a flatter network (matrix) of privacy champions embedded throughout the business.

Common governance models include:

  • Privacy office: In this model, there’s a centralized department headed by a Chief Privacy Officer responsible for the organization’s privacy compliance program. The CPO may report to the CEO or directly to the Board of Directors and is responsible for developing and implementing the compliance program. This model allows for centralized decision-making but can lead to a lack of accountability and buy-in from other departments.
  • Privacy matrix: In this model, privacy compliance functions are spread across different departments, with each department having a designated privacy lead (champion) responsible for their respective area. This allows for a more democratized approach to privacy management but can lead to silos and a lack of communication across departments.
  • Privacy risk steering committee: This model involves a committee of representatives from different departments who work together to identify and manage privacy and related risks. The committee is responsible for developing and maintaining the privacy program cross-functionally and reporting its findings to the CEO and/or the Board. This model allows for a more holistic approach but may lead to increased complexity in decision-making.
  • CPO-aaS: Small organizations, particularly early-stage startups, may not have the resources to hire a full-time privacy leader. They would instead hire a specialized law firm or consultant to provide fractional support.

Some Europe-facing organizations may be legally required to appoint a Data Protection Officer. A DPO is a specialized independent oversight and ombudsman role under the GDPR. It has certain unique constraints and liberties under European law that make it distinct from CPOs and other such leadership roles. Notably,

  • DPOs may not have any conflicting interests or be influenced by other parties in carrying out their GDPR compliance duties.
  • In its guidance, the European Data Protection Board (EDPB) states that a DPO should not be a member of the management board, nor should they be involved in the day-to-day management of the organization.
  • DPOs should not be dismissed or penalized for performing their tasks and should have the necessary resources to carry out their role.
  • DPOs are also required to report and have direct access to the highest level of management, to ensure they can carry out their tasks freely and independently. This is irrespective of full-time or fractional status.

In contrast, a CPO is a senior-level executive responsible for the overall privacy program of an organization. This can include legal and regulatory compliance, risk management, and stakeholder engagement. Unlike the DPO, the CPO role is rarely mandated, and organizations can choose whether to appoint one. Depending on the organization, the CPO may also have responsibilities, reporting lines, and decision-making power that differ from the DPO's, since the CPO may sit on the management board.


Bottom Line:

Regardless of your size or operating model, your privacy lead (or leads) will be the architect, designer, and engineer of your privacy management program.

How to Get Started


Anyone on your team can use DataGrail: From dedicated and distributed to fractional employees. Help them find the right role with ease to maximize the impact of your privacy team.

In DataGrail, choose Settings from the top-right corner to set up your users and their roles. Designate specialized approvers for handling data subject requests.


It starts with the platform but doesn’t end there. Request a demo to learn more about partnering with us to manage aspects of your privacy program.

We can also refer your team to trusted law firms and fractional CPO/DPOaaS providers.


Connect with other pros (free) to discuss which privacy management models work for them. Join the Privacy Basecamp Community.