One of the most challenging aspects of establishing a privacy program can be summed up in one word, “Alignment.” We often think of this as alignment with organizational goals, but it is broader than that. Privacy programs have multiple stakeholders, both internal and external. To be successful a privacy program must achieve alignment with the goals and expectations of all these constituencies.
Who are the stakeholders?
Generally, your privacy program stakeholders include anyone who has an interest in the operation of your privacy program. Stakeholders may be internal to your organization or external parties.
Internally, there are three types of stakeholders. Strategic stakeholders are those roles providing direction for the organization. The senior leadership team and the board of directors are examples of Strategic stakeholders. These roles will be key to getting the organization to participate in your program. A Strategic stakeholder may endorse the need for all members of the organization to follow your privacy program.
Tactical stakeholders represent the operational aspects of your business. Information Technology, Security (both IT and Physical), Marketing, Human Resources, Sales, Legal, Purchasing, Compliance, Internal Audit, and Risk Management are all examples of Tactical stakeholders. These roles may need to alter their practices to meet the requirements of your privacy program. For example, Legal may need to add new contractual clauses to all agreements or Human Resources may need to adjust how interviews are conducted and feedback on those interactions is provided.
Tactical stakeholders may also be providing resources to implement various aspects of your privacy program. For example, Marketing may help you create posters to enhance privacy awareness or Compliance may be used to verify that the organization is meeting your program’s requirements.
A final internal group, often overlooked, is Internal Data Subjects. These may be employees, contractors, or vendors working on your behalf whose personal information might be processed to fulfill various obligations. Organizations often know more about their Internal Data Subjects than they do about their customers.
Externally, there are a plethora of roles that can be represented by four stakeholder groups. External Data Subjects consist of customers, patients, prospects, or others you have done or may be doing business with. When I make a purchase at a restaurant, join a frequent flyer program, or sign up for a mailing list, these are all examples of my becoming part of an organization’s External Data Subjects group.
Regulators may be governmental or industry representatives that set requirements for your privacy program enforceable by law or contract. Any of the Supervisory Authorities or Data Protection Authorities around the world, the Federal Trade Commission in the US, State Attorneys General, the Payment Card Industry Security Standards Council, and the Digital Advertising Alliance are all examples of regulators.
There are also Advocates who promote privacy or data protection. They may identify specific practices in specific organizations to target for change. noyb, the Electronic Frontier Foundation, Privacy
International, and the Electronic Privacy Center are examples of Advocates. Often, the media can be considered Advocates.
There are also organizations that provide advice about privacy, but do not directly advocate for privacy. These Advisors will be important to the development of your privacy program, but I would not consider them a stakeholder in the program. The International Association of Privacy Professionals (“IAPP”) is an example of an Advisor group.
Finally, there is the General Public. These individuals are not currently interacting with your organization but may do so in the future. Their interest in your privacy program may range from potentially doing business with your organization through just curiosity.
A roadmap for alignment
For each stakeholder class there are different tactics that may be used to achieve alignment. In each case your goal is to get buy-in for your privacy program by understanding the stakeholders’ requirements and addressing them. This should be an on-going process as stakeholders’ goals and requirements will change over time with changing business conditions.
The Strategic stakeholders, the thought leaders of an organization, are often transparent about their requirements and goals. Through documents like an organization’s mission statement, code of conduct, newsletters, and presentations, organizational leaders express where an organization is meant to be going and the behaviors the leaders expect to be exhibited by the staff.
Using the knowledge gleaned from reviewing the publicly available information as a basis, it is beneficial to hold a discussion with these stakeholders to dive more deeply into their expectations.
You will be asking the Tactical stakeholders to provide resources, either directly or indirectly, to your privacy program. For example, if you are going to modify a process used by a business unit to enhance personal information protection, the Tactical stakeholders will potentially be asking their staff to spend more time on the process.
Meeting with departmental leaders in this group will help you understand their personal and departmental goals. You can then adjust your privacy program to support these objectives, both organizational and personal, making the program a benefit to these leaders.
Regulators, Advocates, and Advisors
For these stakeholders it is vital to understand their perspectives. You can derive the priorities of these groups through reviewing published papers, website contents, news articles, conference presentations, and pending/new legislation. Also, spend time to understand new interpretations of existing legislation, and try to interact directly with these stakeholders whenever possible. Do not shy away from meeting with regulators when you are both attending a conference.
Data Subjects and the General Public
For any privacy professional it is fundamental to take the time to keep up with the privacy perspectives of your customers, employees, and other Data Subjects. Monitoring queries/complaints received will
assist in understanding these perspectives. Also, work with your sales team to get feedback on what they are hearing from customers and prospects about privacy requirements. Holding focus groups provides another avenue to see how your program is aligning with these groups’ needs.