Data & Privacy - Privacy Transformation

Privacy Governance

Designing the right governance structure by defining a clear division of roles, responsibilities, monitoring and reporting is key to developing an effective privacy programme.

Challenges

How can Legal, IT and business interests be combined to meet privacy requirements?

The success of ongoing compliance is heavily reliant on the governance framework that organisations have built to support their privacy activities. Unfortunately, as a result of a general lack of structure in governance and accountability, there is a high risk that many privacy efforts go to waste.

  • Living up to privacy regulations requires in-depth knowledge not only of the business processes, the organisation and the industry but also of technology and the law. Many companies do not take the time necessary to address their maturity in these areas or to assess their in-house competencies, which potentially leads to non-compliance.

  • A key aspect of ensuring governance is to address the duties and privacy activities for each stakeholder for all departments. If this is not done, there is a high risk that the wrong stakeholders make decisions in areas where they do not have the required competencies or mandate, or, even worse, that some decisions and risks are not addressed at all.

  • Compliance is not a one-time exercise; it must be ensured on an ongoing basis. In recent years, many companies have successfully implemented measures relating to privacy governance. However, they have not prioritised the continuous operation of the implemented programme or reviewed its subsequent efficiency through controls. Privacy efforts must be maintained and reviewed after a defined period of time, or when the circumstances change, and the results must be documented. Such traceability is essential in ensuring accountability and, subsequently, effectiveness.

  • When privacy is addressed in an ad hoc manner without this being documented, the effectiveness and consistency of the efforts decrease greatly. Also, the scale and likelihood of privacy governance mistakes occurring increase. A well-functioning governance framework is necessary to provide assurance that the compliance programme is implemented and achieves the desired results.

Our approach

Effective governance combines organisational and operational aspects to promote internal and external accountability.

Governance is about getting all the areas of the business to work together using the strengths and capabilities of each area in an effective way. Deloitte has a variety of legal, technology and management specialists who are able to assist you in getting the right governance set-up for your business' specific needs and risk profile.

  1. Privacy strategy

    Creating and implementing a privacy strategy is a key step in addressing privacy risks and meeting industry requirements. A privacy strategy allows your organisation to demonstrate your expected target compliance level, taking into account the company's present maturity.

  2. Governance model

    Considering your organisational set-up, Deloitte will assist your business in setting up lines of defence taking a RACI approach. This will ensure that all stakeholders are involved in the process and are aware of their respective responsibilities.

  3. Assurance

    Deloitte has extensive experience of designing, implementing and testing privacy controls, as well as setting up assurance programmes. Deloitte can also provide continuous monitoring services and management reporting that give assurance that the privacy programme is implemented and working as expected.

  4. Privacy implementation projects

    Depending on the privacy maturity level, Deloitte is able to tailor a Privacy Implementation project to suit your challenges and ambitions. Our services are broad and include data flow mapping, risk and privacy impact assessments, management of processors, and implementation of technical and organisational security measures as mandated by Art. 32 of the GDPR. Our extensive experience ensures thorough and effective implementation.


Why Deloitte?

Awarded market leaders

We strive to continuously lead the market in the area of cyber risk and security services. We are awarded and acknowledged by some of the most renowned institutions within the area of cyber, e.g. Gartner, ALM Intelligence and Forrester. In 2020, we were named global leader in Security Consulting Services for the 9th year in a row by Gartner.

Leading-edge technologies

We are committed to investing in innovation and emerging technologies to ensure that we are equipped with the latest tools to solve current and future challenges for our clients. Alliances with market-leading cyber vendors and groundbreaking startups around the world offer our clients access to a wide range of cyber-risk technologies and leading-edge technology innovation.

Global intelligence delivered locally

We have the largest professional services network in the world. Diversity across our cyber teams helps us work across the globe with a local and personal lens. We have over 8,600 dedicated cyber-risk service practitioners of which 1,300 are dedicated to Europe and the Middle East alone, ready to help our clients everywhere with any challenge.

End-to-end cyber-risk services

We cover every aspect of cyber risk — from advisory and implementation of strategic transformations to managed security services, product solutions and incident management. This enables us to deliver more resilient and silo-breaking solutions, taking the whole business chain into account. This helps our clients to leverage their potential and growth even more.

Reach out

Is your organisation in need of a new governance framework or advice on whether your existing set-up is efficient?

Reach out to us, and we will be happy to share our expertise with you.

Tommaso Di Carlo

Senior Manager