Privacy Program Maturity Model

Resourcing

Written by Osano Staff | Sep 30, 2024 10:34:53 PM

Without adequate resources, there is little a privacy program or privacy professional can accomplish. It can be challenging to advocate for adequate budget, tooling, and staffing; privacy is so often seen as a cost center, and stakeholders who are unfamiliar with the demands of privacy may be inclined to reduce cost as much as possible. In a mature privacy program, privacy resources are distributed based on actual need and resourcing changes as those needs change.

Less Mature

When your privacy program has immature resourcing practices, there may not be a single individual whose primary role is privacy management. Instead, privacy may fall under the purview of individuals in other departments like operations, IT, or security. These individuals may address privacy concerns based on their capacity and do so in a highly reactive manner.

When there is a privacy professional, they may lack the resources required to procure the technology and tooling that they need to be effective. Not only will they have an excessive workload, but the extra work will also spill over to IT and development teams, who may take on additional work developing and maintaining in-house solutions to privacy challenges, or who may de-prioritize such solutions in favor of completing their primary responsibilities.

Due to the lack of adequate staffing and tooling, there may be significant errors in executing a given privacy task, such as subject rights responses, or there may simply be no solution in place for regulatory requirements, such as for website cookie consent.

More Mature

In an organization with mature resourcing practices, there will be adequate staffing to address all of the organization’s privacy needs. Those personnel will have access to compliance solutions that streamline the transactional, tedious, and time-consuming aspects of privacy management, such as consent management, subject rights requests, vendor onboarding and review, privacy assessments, legal documentation, and more. Moreover, the program will have cross-functional support from other stakeholders, who will themselves have adequate capacity to handle privacy responsibilities.

When fully optimized, resourcing is periodically adapted and updated such that the privacy program always has access to what it needs to be effective, but it doesn’t create an undue burden on the organization’s overall budget.

Recommended Next Steps

The following key steps can help you mature your organization’s privacy program resourcing:

  • Formally define your organization’s specific privacy needs and identify which are suitable for or require technological solutions, which are better suited to in-house efforts, and which should be done manually. This requires understanding the organization's size, the types of data it collects and processes, and its level of data risk.
  • Regularly review and update tooling as needed to ensure its continued effectiveness and alignment with the organization's needs.
  • Use this model to assess the current state of your privacy program and identify gaps. With this information, develop the business case to acquire the resources needed to close the gaps.
  • Align the privacy program's goals and objectives with the organization's strategic vision and mission, and communicate them clearly to senior management and stakeholders.
  • Establish a cross-functional privacy governance structure that involves representatives from different departments and functions, such as legal, IT, marketing, HR, and security. As more stakeholders across the organization become involved with data privacy and understand its needs, securing necessary resources will become easier.