The time has come for all organisations to recognise the importance of the privacy role and to see it as a standalone function within the operating model.
Cyrus Ndyamba, Bizmod’s privacy consultant, says that although the data privacy and information security disciplines complement one another, they are distinctly different. “However, it is the relationship between the two that has resulted in many organisations being unable to distinguish them.”
He likens the two disciplines to a home – privacy is why we have curtains on our windows and security is why we have locks on our doors. “In the past, information security has been the primary focus with some aspects of the privacy function being incorporated into the information security function.”
With the rise of data privacy regulations, and the recently commenced effective date of the Protection of Personal Information Act (PoPIA), a clear distinction has started to form between the two functions, with the privacy function becoming a distinct, standalone one.
The risk for organisations that have not done this is that the privacy requirements are often diluted and, in some cases, entirely neglected in favour of the more familiar and prioritised information security function; with this comes the potential failure to comply with data privacy/data protection regulatory requirements.
Ndyamba says: “With a standalone privacy office, the privacy function can be formed within the triage of governed data and information disciplines, comprising data privacy, data governance and information security.”
He says that it is important to understand the needs of the different disciplines – privacy, information security and data governance – and what the overlaps are. These functions, their associated activities and combined assurance strategies enable the mitigation and management of data and information risks.
Data governance, with its focus on structured data management, data ownership, data quality, regulatory compliance and data risk management, makes this discipline a key partner and collaborator in achieving compliance with data protection regulations such as PoPIA and GDPR.
Ndyamba highlights the core functions of the privacy office role as:
* To create a culture of privacy within the organisation and a structure for the management of all personal data.
* Embedding the principles of privacy by design across end-to-end business processes and key personal data touch points, ensuring that the necessary controls are applied at the process, system and user level.
* Collaborating with the other disciplines and functions, such as data governance, information security and information risk and compliance.
* Reviewing the technology and systems that support business processes.
* Enabling the organisation to enhance its privacy posture by implementing privacy impact assessments, user access reports and data subject requests.
* Managing deletion (the right to be forgotten) and access requests from the public, and determining the entitlement of requestors to access information under PAIA.
* Managing breach notifications and incident management in relation to privacy.
* Defining the governance of how personal information is being collected and processed.