Choose your own Privacy Organization | Privacy | Deloitte Netherlands


Choose your own Privacy Organization

Do less, hire more, or do things differently: three paths towards achieving an optimized privacy organization

Now that the GDPR has been in force for over a year, many organizations are shifting away from dealing with the GDPR obligations reactively, and shifting towards an optimized privacy organization by becoming more efficient over time. Such a shift is necessary, however three main choices need to be addressed to successfully realize this next phase.

By Anastasiya Milshina | June 3, 2019

In a variation on the book series where your decisions branch off to different storylines, the movie “Black Mirror: Bandersnatch” allows you to choose your own path, and design your own storyline. Every seemingly minor decision leads to varying, sometimes unexpected, outcomes.

On that same note, creating an effective privacy organization requires many decisions to be taken. Just like in the Bandersnatch movie, some of these decisions can lead to unfavorable results. For example fines, reputational damage or increased operational costs. On the other hand, the decisions taken can also support your privacy organization and enable you to reach your privacy goals.

The need for an efficient privacy organization

As mentioned in our previous blog, organizations usually go through three stages of data protection maturity. Many organizations are at the start of the second phase: the GDPR is being dealt with reactively, but they are struggling with putting paper into practice in an efficient manner. Implementing the policies, procedures and statements designed during GDPR Programs turns out to be a huge challenge. In addition, your privacy professionals have a high workload, which results in building an increasing backlog of tasks and less time to deal with each task effectively. In extreme cases, your organization may not even be able to address its highest priority actions to achieve GDPR compliance. Does this sound familiar?

Choosing your path towards privacy efficiency

Luckily, you can solve these kinds of problems. But they require decisions to be made. And just like in the Bandersnatch movie, every decision leads to a different set of outcomes.

To get to an efficient and effective privacy organization there are three main paths you can go down, which can (and in most cases should) be combined:

  • Do less: The GDPR encourages organizations to implement measures corresponding to the level of risk of the data processing activities. This leaves room for organizations to apply a risk based approach. You can choose to accept the increased risk for the more complicated, low result actions and allocate your resources towards the quick and big wins. Doing less can easily lead to doing too little, which result in non-compliance and possibly reputational damage. And since the GDPR is silent on how organizations should assess and quantify risk, risk assessment are sometimes complicated balancing acts. Is your risk acceptance based on a rationalized decision? Any risks you choose to accept should be justified by clear priorities.
  • Hire more staff: Our recent privacy benchmark report shows that most organizations have increased their team size to manage privacy compliance, but still see challenges in headcount and reaching appropriate capacity. But data protection professionals are scarce at the moment and hiring extra employees raises operational costs. And while most organizations feel that hiring more privacy staff will solve their privacy organization inefficiencies, it is important to note that inefficiency will not go away unless the right roles and responsibilities are allocated to the right tasks. Are all privacy roles and responsibilities defined and are the hours per activity well-substantiated and realistic?
  • Work more efficiently: But perhaps you do not need those three extra FTEs after all and the root of the problem is the inefficient deployment of resources. An efficient way of working can be reached by optimizing the organizational structure (the roles and responsibilities), but also by using technological measures such as tooling or automation. This requires an upfront investment in time and efforts. If your organization is struggling with the scarcity of employees and other resources, this might be an unattractive investment on a short term. However, for every organization processing personal data this investment is (to a greater or lesser extent) an absolute must: high upfront investment will lead to less effort being used per activity over time. Have you invested in privacy efficiency yet? 

The importance of privacy governance

As in the interactive movie, no single solution leads to the perfect outcome. You need to mix your solutions and tailor them to your organization’ privacy strategy in order to become more effective and efficient.

So how can you assess which combination of choices truly fits the needs of your organization?
This is where our privacy governance methodology comes in: investing in privacy governance will enable you to assess the needs of your organization and design a fit-for-purpose privacy organization that helps your organization get the work done, in a rationalized manner.

Do less, hire more, or do things more efficiently: three paths for you to choose and combine to create an optimized privacy organization.

Sign-up for the Privacy E-mail Alert

Our Privacy E-mail Alert will keep you up to date on a wide range of privacy-related topics. The Privacy E-mail Alert will be sent to you once every six weeks and will include the last news on privacy, links to our latest blogs and notifications about privacy-related events we organize.

Privacy email alert

Receive the latest Privacy insights.


More information

Do you want to know more on Privacy Governance? Please contact Annika or Bart via their contact details below.

Did you find this useful?