Jared Maslin
April 25, 2022
Finding the right privacy operating model for you

During my years designing, building, and refining privacy programs across a variety of industries, I’m constantly reminded that every business is unique. No matter how similar, companies interpret regulations differently and implement operating models differently. Because there is no silver bullet or one answer to how privacy should be done, you have many options for finding the right privacy operating model for your company. You can navigate this challenge by understanding where you currently are in the privacy journey, identifying available resources, and keeping an eye on the horizon for signals that point to change.

You’ve likely noticed the trend that many consulting companies will help you find your data strategy. They offer advice on restructuring your approach to data collection, processing, protection, and retention with an eye toward use cases and business value. I’ve participated in many such engagements, and they can be tremendously valuable in identifying a common north star and creating alignment among stakeholders. What this lacks, though, is the flexibility required to zig and zag with ever-changing privacy and security regulations. The result is a nice, eloquent data strategy and mission statement that comes up short in execution and fails to address constant changes in the regulatory environment. For privacy, this is a fatal flaw.

Whether a privacy program is US-based or globally focused, its success depends on its ability to adjust and evolve to meet the needs of a shifting policy landscape. Given this uncertainty, what can be done? In my experience, it starts with structuring your privacy program as an operating model, which includes how privacy functions and how required changes in data-related practices are communicated and implemented across the broader business environment. For example, when Virginia’s Consumer Data Privacy Act goes into effect next year, how will your security function become aware of new requirements around recurring cybersecurity risk assessments, and how will those assessments be executed and organized?

Privacy operating models often fall into one of three common structures: decentralized, centralized, and hybrid (or federated). Each has pros and cons and allows for varied degrees of embeddedness and collaboration.

Decentralized Privacy Model

In a decentralized privacy operating model, individual functions within a business are responsible for identifying their privacy risk and compliance obligations. While they may have supplemental, advisory functions at their disposal, risk remediation and control are expected to be executed at the function level. That is, the Finance department is responsible for taking high-level guidance from Legal, and then designing, implementing, and maintaining control activities fit to address those privacy obligations on a day-to-day basis. Similarly, Security has its own accountable risks to address, as do Human Resources, Marketing, etc. Put another way, the decentralized model is like being asked to fish on your own, after some very basic training and guidance at the outset and light guidance over time.

This model is incredibly useful when a company needs to move quickly and can “ask for forgiveness, not permission”. It allows for faster decision-making, scalability, and functional autonomy, and it boosts morale through direct ownership of functional initiatives. The more openly entrepreneurial a company, the more likely you are to see this model embraced long-term. It’s also common for newer companies taking on an area of compliance with which they’re unfamiliar – you know you have to do something, but that “something” is in question and you just have to figure it out as you go. These can be incredibly favorable conditions for businesses that have a greater risk appetite and are insulated from brand damage in ways that many others are not.

The model also has some downsides. For starters, standardization often goes out the window on day two. In the compliance space, the ease of passing an audit is often related directly to how you can demonstrate a consistent process across your business. A decentralized model, whether immediately or over time, tends to create as many unique interpretations and implementations of privacy risk mitigation as you have functions, which can be insanely complex to manage at scale. Communication can also become a challenge, because different processes and controls often point to different vernacular and risk decisions between functions. And then, once communication becomes strained, your ability to collaborate across functions can follow suit, potentially leading to a dozen different versions of the same thing (all of which end up costing you more over time).

What you’re often left with is a dozen functions whose approach individually checks the box, but together lack the consistency and standardization needed to scale and gain efficiencies in growing privacy compliance needs. Furthermore, it’s a rabbit hole that can be very expensive to climb out of, consisting of overhauling your privacy strategy and a complete re-molding of your function-level practices to realign with a north star that was left behind long ago. As such, decentralized models are seldom seen in mature, privacy-aware companies. Which leads us to another option…

Centralized Privacy Model

A centralized model flips the prior example on its head, driving all functional activity through a single node responsible for assessing risk, determining remediation, and monitoring the effectiveness of controls over time. This is often a starting point for companies that have not necessarily invested heavily in privacy in the past, but now see it as a core, board-level risk that requires greater focus and attention. You also see companies that began as decentralized, but found the lack of standardization challenging, making the move to a more centralized model in search of a single, aligned message. Regardless of the prior state, there are similarly pros and cons to this approach.

Centralized models produce the opportunity for a single, aligned approach and messaging around how to implement and manage a privacy program globally. For example, when standardization supersedes the need for haste in operations, companies can see significant short-term gains in their risk posture. In addition, you create enhanced visibility and transparency when each function plays by the same set of rules, and maintaining connection and control across the enterprise can become simpler. Where one message and one approach drives all functions, you can eventually see reduced compliance expenses and an improved ability to communicate using common language and shared objectives.

That said, a centralized model isn’t all roses. Various functions may find their ability to innovate freely, especially in the data collection and processing space, heavily constrained. While compliance should be a common goal, it can often conflict directly with one’s ability to meet performance and financial incentives, placing the two missions in direct competition. In my experience, very few companies have the stomach to say that compliance should override revenue and opportunity gains. As a consumer, I’d love to say otherwise, but this just isn’t the reality for the vast majority.

Furthermore, decision-making becomes a slog, and the centralized function that was formed to manage risk can find itself policing your internal teams rather than partnering with them. This results in an environment where everyone feels powerless – functions can’t make their own decisions, the central function loses visibility into function-level behavior and becomes burnt out trying to manage functions that simply don’t want its involvement, and executive leadership is forced to either choose a favorite or shift their focus to something else. If you ever get to this point, the results are bad – bad for your compliance, bad for your culture, bad for your workforce, and bad for your business.

And before any of you think, “that would never happen to us”, believe me – it can. I’ve seen some of the most value-driven companies on the planet fall victim to this very challenge, and it can be a severely deep hole out of which to climb. It’s important to ensure alignment between your centralized function and executive leadership. Without this continued, invested connection, functions can lose their way more quickly than you can react, and your central team could lack the influence to course correct in time. So, if this one isn’t perfect either, what else can we try?

Hybrid (or Federated) Privacy Model

The goal of a hybrid model is to leverage the pros of both decentralized and centralized approaches, while minimizing the negative effects that we explored above. I should start by saying that jumping straight from nothing to a hybrid model is incredibly rare (and often not practical). A hybrid model requires an understanding of both prior operating models, and furthermore, an understanding of what can go wrong when they are mishandled. It also calls for a sizable resource pool, given that there needs to be both function-level privacy support and a central privacy governance node that maintains constant connection and collaboration with function-level resources. For these reasons, hybrid privacy models are most commonly seen in companies that have been invested in their privacy journey, but found the other unidirectional models to be lacking.

Hybrid models allow for function-level autonomy, guided by an embedded privacy resource who is well-versed in the central privacy program’s obligations, but also well-versed in your team, their operations, and their specific subject matter. While you can try to staff the most incredible central privacy team with the most diverse skill set imaginable, it’s unwieldy to expect to keep up with the rate of technological and procedural advancement across all aspects of your business. A hybrid model provides you with the best of both worlds, permitting your central privacy team to focus on broader, global impacts, while your functional resources can more intimately understand and address privacy risks in a way that suits their operating rhythm and culture.

Similarly, the pure compliance-based activities that are driven by audits and external certifications can be more effectively distributed across functional subject matter experts, instead of asking engineers and analysts to morph into audit and compliance SMEs a few times a year. Offsetting this constant onslaught of audit and evidence requests can have significant effects on your teams’ morale and culture.

That said, again, a hybrid model can be very expensive to implement and requires a significant understanding of its motivation and role in the broader organizational journey. Expecting to simply wake up one day and develop an effective hybrid approach just isn’t a reasonable expectation. It also isn’t the perfect answer for everyone. In fact, some companies may find that privacy is such a small part of their risk environment that it just doesn’t warrant such a large investment. While my heart is a biased heart, which sees privacy as central to all we do as employees and consumers alike, the fact is that many executive leaders just don’t find the same degree of value. In those cases, a hybrid model might do more harm than good.

Where to go next?

If there’s no silver bullet and no “correct answer,” what now? The first step is to gain a common understanding of your global privacy risk posture and to define your risk appetite amongst executive leadership. This can be a lofty challenge, seeking alignment between your Legal Counsel and C-suite, who often have very different end goals in mind. However, it’s absolutely critical to ensure that, regardless of which model you find to be best for your today and tomorrow, you have this alignment as a common denominator. Without it, your privacy journey, like many security journeys seen before it, can be a painful and costly one.

You’re in luck, though! This very strategy development and objective alignment is precisely what we do at Good Research. If you’re struggling to further your privacy objectives, or if you’re looking for opportunities to refine your approach, reach out to us. Good Research can be your partner in that journey, both now and long into the future!

Thanks to Maritza Johnson and Jessica Traynor.