Understanding the delivery of a data privacy manager
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; Twitter: @moshoke
March 28, 2022
As we enter an era where data privacy is a significant part of business processes, companies are wondering what they should look out for when hiring a data privacy manager. In this piece, I explain in detail the various skills companies should look for.
As any privacy professional knows, the foundation of any data privacy project is a data mapping exercise. As such, the data privacy manager must understand how to execute a data mapping exercise to locate where the company is vulnerable to threats and exposed to breaches with regard to data protection regulation. Using a risk-based approach, the data privacy manager must prioritise the project products, mainly focusing on those that present high risks.
Another required skill is knowing how to execute a data privacy impact assessment. In this regard, she works with various product owners and project managers to ensure that projects heavily involved in processing personal data are assessed for privacy risks, and she must have the analytical skills to help mitigate those risks.
Vendor management and third-party negotiations are another key area to which a thorough data privacy manager must pay critical attention. Working with other parts of the business, including the legal, procurement and IT teams, she must carry out due diligence on a service, test it against some of the existing processes and ensure the product does not expose the company to privacy risks. With management approval and extensive consultation, she can then implement the service accordingly.
Amongst other requirements, the data privacy manager must understand policy lifecycle management. She must know how to craft policies that meet the demands and expectations of the business. She works with various stakeholders (business analysts, development engineers, testing managers, data managers, marketing managers) to ensure that wording carrying actionable points is embedded in the policies.
In addition, she must have the knowledge to create training and awareness programmes that ensure continuity of privacy progress within the business. Usually, this can be done in partnership with the learning and development team to meet the overall privacy mission of the organisation. It must be added that generic data privacy training, which is the stock-in-trade these days, is not enough; training must be bespoke so that it serves the day-to-day activities of the stakeholders attending these training programmes.
She must act as the first point of contact and subject matter expert within the business, providing day-to-day specialist advice, technical guidance and interpretation of various data protection laws and requirements for the business operations. Coupled with this, she must carry out various admin tasks, monitor the project products, write timely reports and communicate with stakeholders as and when necessary.
It might be quite demanding to find the right fit for this role, but it is essential that the company gets the definition and expectations of the role right. If this part of the whole data privacy framework is not done right, it might affect the trajectory of the entire project and thereby lead to an ineffective data protection mechanism.