During my years designing, building, and refining privacy programs across a variety of industries, I’m
constantly reminded that every business is unique. No matter how similar, companies interpret
regulations differently and implement operating models differently. Because there is no silver bullet or
one answer to how privacy should be done, you have many options for finding the right privacy operating
model for your company. You can navigate this challenge by understanding where you currently are in the
privacy journey, identifying available resources, and keeping an eye on the horizon for signals that
point to change.
You’ve likely noticed the trend that many consulting companies will help you find your data strategy.
They offer advice on restructuring your approach to data collection, processing, protection, and
retention with an eye toward use cases and business value. I’ve participated in many such engagements,
and they can be tremendously valuable in identifying a common north star and creating alignment among
stakeholders. What this lacks, though, is the flexibility required to zig and zag with ever-changing
privacy and security regulations. The result is a nice, eloquent data strategy and mission that comes up
short in execution and fails to address constant changes in the regulatory environment. For privacy,
this is a fatal flaw.
Whether US-based or globally-focused, the success of a privacy program depends on its ability to adjust
and evolve to meet the needs of a shifting policy landscape. Given this uncertainty, what can be done?
In my experience, it starts with structuring your privacy program as an operating model, which includes
how privacy functions and how required changes in data-related practices are communicated and
implemented across the broader business environment. For example, when Virginia’s Consumer Data
Privacy Act goes into effect next year, how will your security function become aware of new requirements
around recurring cybersecurity risk assessments, and how will those assessments be executed and organized?
Privacy operating models often fall into one of three common structures: decentralized, centralized, and
hybrid (or federated). Each has pros and cons and allows for varied degrees of embeddedness and
Decentralized Privacy Model
In a decentralized privacy operating model, individual functions within a business are responsible for
identifying their privacy risk and compliance obligations. While they may have supplemental, advisory
functions at their disposal, risk remediation and control are expected to be executed at the
function-level. That is, the Finance department is responsible for taking high-level guidance from
Legal, and then designing, implementing, and maintaining control activities fit to address those privacy
obligations on a day-to-day basis. Similarly, Security has its own accountable risks to address, as with
Human Resources, Marketing, etc. Put another way, the decentralized model is like being asked to fish on
your own, after some very basic training and guidance at the onset and lightly over time.
This model is incredibly useful when a company needs to move quickly and can “ask for forgiveness, not
permission”. It allows for faster decision-making, scalability, functional autonomy, and morale in
direct ownership of functional initiatives. The more openly entrepreneurial a company, the more likely
you are to see this model embraced long-term. It’s also common for newer companies to take on an area of
compliance with which they’re unfamiliar – you know you have to do something, but that “something” is in
question and you just have to figure it out as you go. These can be favorable conditions for
businesses that have a greater risk appetite and are insulated from brand damage that many others are
The model also has some downsides. For starters, standardization often goes out the window on day two. In
the compliance space, the ease of passing an audit is often related directly to how you can demonstrate
a consistent process across your business. A decentralized model, whether immediately or over time,
tends to create as many unique interpretations and implementations of privacy risk mitigation as you
have functions, which can be insanely complex to manage at scale. Communication can also become a
challenge, because different processes and controls often point to different vernacular and risk
decisions between functions. And then, once communication becomes strained, your ability to collaborate
across functions can follow suit, potentially leading to a dozen different versions of the same thing
(all of which end up costing you more over time).
What you’re often left with is a dozen functions whose approach individually checks the box, but together
lack the consistency and standardization needed to scale and gain efficiencies in growing privacy
compliance needs. Furthermore, it’s a rabbit hole that can be very expensive to climb out of, consisting
of overhauling your privacy strategy and a complete re-molding of your function-level practices to
realign with a north star that was left behind long ago. As such, decentralized models are seldom seen
in mature, privacy-aware companies. Which leads us to another option…
Centralized Privacy Model
A centralized model flips the prior example on its head, driving all functional activity through a
singular node responsible for assessing risk, determining remediation, and monitoring effectiveness of
controls over time. This is often a starting point for companies who have not necessarily invested
heavily in privacy in the past, but now see it as a core, board-level risk that requires greater focus
and attention. You also see companies that began as decentralized, but found the lack of standardization
challenging, making the move to a more centralized model in search of a singular, aligned message.
Regardless of the prior state, there are similarly pros and cons to this approach.
Centralized models produce the opportunity for a single, aligned approach and messaging around how to
implement and manage a privacy program globally. For example, when standardization supersedes the need
for haste in operations, companies can see significant short-term gains in their risk posture. In
addition, you create enhanced visibility and transparency when each function plays by the same set of
rules, and maintaining connection and control across the enterprise can become simpler. Where one
message and one approach drives all functions, you can eventually see reduced compliance expenses and an
improved ability to communicate using common language and shared objectives.
That said, a centralized model isn’t all roses. Various functions may find their ability to innovate
freely, especially in the data collection and processing space, heavily constrained. While compliance
should be a common goal, it can often conflict directly with one’s ability to meet performance and
financial incentives, which place the two missions in direct competition. In my experience, very few
companies have the stomach to say that compliance should override revenue and opportunity gains. As a
consumer, I’d love to say otherwise, but this just isn’t the reality for a vast majority.
Furthermore, decision-making becomes a slog and your centralized function that was formed to manage risk
can find itself policing your internal teams, rather than partnering. This results in an environment
where everyone feels powerless – functions can’t make their own decisions, central functions lose
visibility to function-level behavior and become burnt out trying to manage functions that simply don’t
want their involvement, and executive leadership is forced to either choose a favorite or shift their
focus to something else. If you ever get to this point, the results are bad – bad for your compliance,
bad for your culture, bad for your workforce, and bad for your business.
And before any of you think, “that would never happen to us”, believe me – it can. I’ve seen some of the
most value-driven companies on the planet fall victim to this very challenge, and it can be a very
deep hole out of which to climb. It’s important to ensure alignment between your centralized function
and executive leadership. Without this continued, invested connection, functions can lose their way more
quickly than you can react, and your central team could lack the influence to course correct in time.
So, if this one isn’t perfect either, what else can we try?
Hybrid (or Federated) Privacy Model
The goal of a hybrid model is to leverage the pros of both decentralized and centralized approaches,
while minimizing the negative effects that we explored above. I should start by saying that jumping
straight from nothing to a hybrid model is incredibly rare (and often not practical). A hybrid model
requires an understanding of both prior operating models, and furthermore, an understanding of what can
go wrong when mishandled. It also calls for a sizable resource pool, given there needs to be both
function-level privacy support as well as a central privacy governance node that maintains constant
connection and collaboration with function-level resources. For these reasons, hybrid privacy models are
most commonly seen in companies who have been invested in their privacy journey, but found the other
unidirectional models to be lacking.
Hybrid models allow for function-level autonomy, guided by an embedded privacy resource who is
well-versed in the central privacy program’s obligations, but also well-versed in your team, their
operations, and their specific subject matter. While you can try to staff the most incredible central
privacy team with the most diverse skill set imaginable, it’s unwieldy to expect to keep up with the
rate of technological and procedural advancement across all aspects of your business. A hybrid model
provides you with the best of both worlds, permitting your central privacy team to focus on broader,
global impacts, while your functional resources can more intimately understand and address privacy risks
in a way that suits their operating rhythm and culture.
Similarly, the pure compliance-based activities that are driven by audits and external certifications can
be more effectively distributed across functional subject matter experts, instead of asking engineers
and analysts to morph into audit and compliance SMEs a few times a year. Offsetting this constant
onslaught of audit and evidence requests can have significant effects on your teams’ morale and culture.
That said, again, a hybrid model can be very expensive to implement and requires significant
understanding of its motivation and role in the broader organizational journey. Expecting to simply wake
up one day with an effective hybrid approach in place just isn’t reasonable. It also isn’t
the perfect answer for everyone. In fact, some companies may find that privacy is such a small part of
their risk environment that it just doesn’t warrant such a large investment. While my heart is a biased
heart, which sees privacy as central to all we do as employees and consumers alike, the fact is that
many executive leaders just don’t find the same degree of value. In those cases, a hybrid model might do
more harm than good.
Where to go next?
If there’s no silver bullet and no “correct answer,” what now? The first step is to gain a common
understanding of your global privacy risk posture and to define your risk appetite amongst executive
leadership. This can be a lofty challenge, seeking alignment between your Legal Counsel and C-suite,
which often have very different end goals in mind. However, it’s absolutely critical to ensure that,
regardless of which model you find to be best for your today and tomorrow, you have this alignment as a
common denominator. Without it, your privacy journey, like many security journeys seen before it, can be
a painful and costly one.
You’re in luck, though! This very strategy development and objective alignment is precisely what we do
at Good Research. If you’re struggling to further your privacy objectives, or if you’re looking for
opportunities to refine your approach, reach out to us. Good Research can be your partner in that
journey, both now and long into the future!
Thanks to Maritza Johnson and Jessica Traynor.