
How to Set Your Small Privacy Team Up for Success

Privacy Assessments

Amidst the evolving patchwork of data protection and privacy legislation in the United States, privacy remains a top priority for organizations. But protecting privacy also requires resources, and while not all organizations have that much to spare, it is possible to make do with only a small, dedicated team.

As privacy experts committed to helping organizations of all sizes succeed in their privacy initiatives, we’re going to explain how. In this blog post, we’ll describe the common hurdles small privacy teams will face and how you can overcome them to set your organization up for long-term success.

Common Challenges for Small Privacy Teams


Whether your devoted privacy team is made up of just one person or a handful of dedicated individuals, or whether it is a subset of another team in your organization—like your legal department, security, or compliance team—managing and strengthening privacy protections can be challenging for a small team.

Aside from navigating competing priorities, there are two main challenges that small privacy teams often face:

  • Limited Expertise: Whether it’s a small team or a multi-disciplined one, personnel may lack specialized knowledge in privacy laws across different regions, data protection techniques, and cybersecurity measures, making it difficult to stay compliant with the evolving landscape of applicable privacy regulations and industry best practices.
    • This limitation trickles down in several ways, as a small team may similarly lack experience in:
      • Handling privacy incidents should they occur;
      • Providing adequate privacy oversight;
      • Administering training to other employees regarding organizational privacy policies, procedures, and best practices; or
      • Meeting compliance challenges.
  • Lack of Strategic Approach: Though privacy by design—or, its integration into development and business processes from the outset—is optimal, organizations often instead prioritize initiatives to drive rapid growth and meet sales milestones. But without a clear understanding of what information they collect, process, and store—a fundamental building block of any privacy program—your already strapped team will find themselves ill-equipped and overwhelmed against strict data protection requirements.

5 Strategies for Protecting Privacy with a Small Team


Despite these challenges, there are ways you can help your smaller privacy team navigate them while also setting them up for success in protecting your data privacy—here are five specific strategies to consider implementing and embracing.

1. Align Your “Stars.”


By that, we mean identify 3–5 high-impact, privacy-centric objectives that support your organization’s broader strategic goals so that in achieving them, you’ll not only serve the greater purpose but also put your small team in a better position going forward.

Consider the below example:

Example Organizational Goal: To drive international sales expansion

Potential Related Privacy Goal(s):

1) Identify applicable data protection laws and regulations with which your organization is required to comply.

Make sure you answer:

  • What countries does your organization do business in?
  • Does your team maintain a list of applicable privacy laws and regulations that are in the scope of your operations?
  • Do you have a process to track changes in those laws and regulations?

Why Is This Helpful? You might already have an idea of what data privacy laws and regulations apply, but performing this kind of assessment and documenting the outputs will be two key components to help determine the jurisdictions in which your organization operates—and wants to operate in—as well as its role concerning information processing (e.g., controller, processor, etc.).

2) Hone your data mapping.

As part of this process, identify onward transfers based on the subprocessors, affiliates, and other third parties that process data on your organization’s behalf.

Why Is This Helpful? Understanding what data and personally identifiable information (PII) your organization collects, processes, and stores, as well as where to find it, positions your other privacy initiatives—like enforcement of records retention policies and data deletion—well for success.

3) Ensure your organization is prepared to handle data subject requests (DSRs).

Though your obligations regarding the fulfillment of data subject rights will vary depending on applicable data privacy laws and whether you function as a data controller or processor, take the opportunity to review your organization’s customer agreements and any negotiated terms to confirm what commitments were made during the contracting process and implement a procedure on how to respond when a request is submitted.

Why Is This Helpful? Not only will this inform your privacy team of how to effectively maintain compliance when DSRs are received, but it will also help ensure a repeatable, consistent process with clearly defined steps to document, re-direct, and/or validate requests, which will help reduce dependencies when certain team members are unavailable.


2. Ensure Buy-in from Leadership.


A privacy-centric, organization-wide culture of compliance will be key in supporting a small privacy team, but such a culture cannot thrive in isolation—even more experienced privacy professionals may struggle to succeed if other departments are not receptive to privacy initiatives that often require their support.

So, make sure to designate a privacy champion at the executive leadership level who will promote privacy from the top down and initiate cross-functional collaboration with stakeholders across the organization, sparing your privacy team from spending valuable time chasing what they need.

3. Protect Your Team’s Time.


Other than being bogged down by dependencies on other stakeholders, your privacy team may also be disproportionately inundated with administrative tasks—e.g., DSRs, responding to customer compliance questionnaires, evaluating third-party vendors, etc.—and that may limit them in progressing through their initiatives.

That’s why it’s important to evaluate where your privacy team is spending their time so that you can optimize it wherever possible by:

  • Working with your executive sponsor and others to identify what other departments may share interests or have existing processes in place for the privacy team to leverage; and
  • Identifying opportunities (where feasible) to delegate certain tasks to stakeholders on other teams to lighten your privacy team’s workload, enabling them to focus on other priority tasks.

4. Consider Automation.


If your privacy team has identified blockers that cannot be easily delegated or shared with other business areas, you may also want to investigate enterprise privacy and compliance software tools to help them. While these can potentially be expensive, if there’s a clear opportunity to automate or streamline the efficiency of processes by leveraging artificial intelligence (AI) or privacy technologies, these solutions may be worth the cost.

To determine if that’s the case, ask and answer the following preliminary questions:

  • How might the adoption of privacy technologies assist your organization in meeting its objectives?
  • Will the proposed tooling require time and additional resources to learn, implement, and maintain, or can it be used from day one?
  • What are the costs of the tooling vs. the costs of delays in meeting the objectives (or possibly not meeting the objectives at all)?

Considerations When Selecting Automated Privacy Tools

If your organization indeed moves forward with tools to support your privacy team, compile a focus group of stakeholders across your organization to ensure the chosen solution is the right fit. Specific factors to consider include the following:

  • The internal and external resources that will be required to implement the tool and how long it will take
  • Projected costs associated with ongoing maintenance, storage, and data processing
  • The extent of customer support offered by the service provider
  • Cost of licenses and number of users who would require access to the tool
  • How well the tool will integrate with your existing infrastructure, systems, and processes

While you should focus on each solution’s prospective value additions by answering how it’ll save your team time and how it’ll enable them to work smarter and focus on your defined privacy objectives, also consider the root cause of the challenge your organization is trying to overcome. If the root cause of your team’s challenges stems from the aforementioned lack of communication or responsiveness from different teams, that indicates a broader cultural issue and not something that will be easily remedied by the addition of a new software tool.

5. Keep One Eye on the Horizon.


The world of privacy is constantly changing, and with that evolution comes new opportunities to learn about ways to better safeguard the data your organization collects, processes, and stores. So, while there’s likely no shortage of tasks to keep your privacy team busy, remember to hold space for personnel to explore prospective new ways to protect privacy and enhance your security.

Because while there may not be a current use case for your organization to adopt certain privacy-enhancing technologies—such as differential privacy or anonymization—that doesn’t mean the opportunity won’t arise in the future. By investing in the expansion of your team’s expertise and encouraging them to pursue certifications or learning opportunities, you will support both their individual professional development goals and the organization’s privacy objectives.

Next Steps for Safeguarding Customer Privacy


Despite the importance of privacy in today’s digital economy, some organizations only have the bandwidth to allot limited resources for its protection. While not ideal, it is still possible to ably protect privacy with only a small team, and now you understand a few avenues you can take to put yours in the best position to succeed.

Taking a thoughtful and resourceful approach using the above strategies will help, but as a final note, also keep in mind the following two things:

  • Stay receptive to feedback from your privacy team—ask them what they need, and what would make their defined objectives more feasible to achieve; and
  • There may come a time when you’ve exhausted all of your options and it becomes time to simply grow your team.

To learn more about privacy initiatives and regulations, check out our other articles that can further inform your efforts:

About Kathryn Young

Kathryn Young is a senior associate with Schellman based in Providence, Rhode Island. She currently performs privacy assessments and certifications related to ISO 27701, GDPR, SOC 2, and Microsoft DPR, among others. Before joining Schellman, Kathryn worked in a variety of privacy compliance and cybersecurity-focused roles in the information technology and healthcare sectors. She has her master's degree in cybersecurity and international cyber law from Norwich University and is an active member of the International Association of Privacy Professionals (IAPP) and Women in Cybersecurity (WiCyS) Privacy, Law, and Policy Affiliate.