Structure your privacy organization | Privacy | Deloitte Netherlands


Structure your privacy organization

Because privacy work keeps accumulating, you never really get to what matters to your organization. Many companies are currently struggling with the same problem: they are trying to put out fires instead of working on structuring their privacy organization.

Written by Alex Tolsma

Privacy firefighting

A long list of DPIAs that need to be completed, a record of processing activities that’s not completely up to date and data processing agreements that need reviewing or even concluding. On top of that, personal data breaches seem to occur at the most unfavorable moments, your work is piling up and there’s a lack of C-level support, which means you definitely need to bring about changes within your organization. Management is tough and your team is dropping out due to a high workload. Any of this sound familiar? You’ve gone from implementing a pre-defined privacy strategy to firefighting.

Time is precious

There are only 24 hours in a day. As fun and interesting as privacy is, you don’t want to spend all 24 hours on work and your budget may be limited too. Time is precious and you need to make choices. Only then will you be able to accelerate and reach your goals.

Prioritizing tasks both for yourself and for your team members is equally important. The decisions made in this regard will differ per organization. This may be due to differing privacy strategies, demands from the sector or the current organizational structure for privacy. Although drawing inspiration from other organizations is useful, it’s important to look at the needs of your specific organization when making such decisions. It’s your time and budget, neither of which is unlimited.

Building a transparent privacy organization

In order to build a transparent privacy organization, you will need to determine which privacy capabilities are necessary and make a distinction between absolutely necessary ones and ones that are nice to have. If resources are scarce, consider focusing on a select group of fundamental activities only. The rest can come later.

People generally like knowing what’s expected of them in their work. You can reflect roles and responsibilities in a RASCI matrix to keep track of them and provide structure to the organization. Keep in mind that there are different roles within RASCI matrices. A responsible person completes the work, whereas the accountable person can be held to account for completion of the work. There can only be one person accountable, whereas several people can be responsible for completing the work.

Create an overview to spend your time where it matters

Prioritizing tasks doesn’t need to be a gut-feeling exercise. These decisions can be based on actual data. How many data breaches have you dealt with in the past year? How many DPIAs have been completed or still need to be completed? You can also make an estimate of the time needed per task, and by doing so you will be able to make the most out of your budget and the time of others in the privacy organization.

In control

Once you’ve clearly structured your privacy organization, you can use your valuable time productively and activities will shift from putting out fires to being in control of your privacy organization. Planning strategically helps you get a grip on privacy activities again, instead of the activities slowing you down.

More information

For more information about structuring your privacy organization, please contact Annika Sponselee or Bart Witteman via the contact details below.
