Building a privacy program. Where to start and why your company needs it.

What is a privacy program?

A privacy program is a set of actions, enacted internal and external documents and other measures taken to manage and protect personal data. The main purpose of the privacy program is to meet obligations under applicable privacy legislation.

This includes adapting legal requirements into appropriate policies and procedures, together with prescribing monitoring mechanisms and controls to ensure that those policies and procedures are effectively implemented. 

A company with a sound privacy program shall be able to demonstrate the capacity to comply with applicable privacy laws. Thus, to implement necessary procedures and draft documents.

Yet, a standard privacy policy is not enough. Companies need to be thoughtful about the data they collect and how they use it.

The key moment about the privacy program is that it is not a template document that suits each and every situation. The company should tailor its personal data protection policies and processes to its organizational needs.

What is more, building a solid privacy program requires constant support. That means that it is not enough to draft a few documents that will demonstrate compliance only on paper. Baseline fundamentals that the company needs to have are always evolving to keep pace with changes both within and outside the company.

We have outlined the following key areas of consideration for the privacy program:

That is comprehensive privacy program is not only about drafting respectful policies but also about personal training together with data flow mapping and implementation of security safeguards.

The benefits of the development of the privacy program

After understanding the fundamentals of the privacy program, we can dive deeper into the benefits of its development.

Every company that is subject to privacy laws is obliged to comply with them. Whether we are talking about GDPR, CCPA, PIPEDA or LGPD, the conclusion is the same – it is necessary to achieve and maintain data compliance. A privacy program appears to be a helpful instrument to do so. 

A comprehensive privacy program provides an effective way for companies to meet the requirements of the applicable privacy laws and make sure they are compliant. What is more, it is crucial to monitor and follow updates in the field of data protection to avoid fines from supervisory authorities. But it is much more than that. 

Privacy program helps foster a culture of privacy throughout an organization. Privacy is about a lot more than mere legal compliance. The privacy-as-a-culture approach includes awareness of data protection issues among all staff. That is why it enhances a shared understanding of how personal data can and should be used to support broader strategic objectives. In turn, it drives the achievement of privacy goals.

Another reason is that respect for privacy is nurturing customers’ trust. When a company takes the position that privacy is vital to its operations and develops a solid privacy management program, enhanced trust that is essential for clients to engage with that organization follows. 

Thus, a culture of privacy is an environment where privacy is recognized as a priority.

Step-by-step approach

What should a company do to ensure that it is handling personal information appropriately? We outlined three basic steps on the way to building a privacy program.

  1. Organizational Commitment

Accountability has several significant requirements. One of such requirements is to designate someone responsible for the development, implementation, and maintenance of the company’s privacy protection program. Thus, the development of an internal governance structure is the first building block for those struggling to build a privacy program.

The company may appoint and empower Data Protection Officer (DPO), privacy manager (or Officer), or both. Those positions may be performed by company employees or external contractors. Thus, the organization may appoint an external DPO, for example. 

A DPO is a position or a contractor that helps the company introduce and maintain compliance with the data protection laws across the European Union and European Economic Area. Here you can learn more about DPO as a service from the Legal IT Group.

The role of DPO and privacy manager covers a range of duties. The scope of its obligations includes moderating and implementing privacy as a culture in the organization.

Senior management shall keep in touch with such appointed persons to promptly react to situations that may occur concerning privacy. 

  1. Program Controls

The company shall take all reasonable measures to ensure that personal information is protected. There are several actions to be undertaken by the company in the process of building a robust privacy program. 

  • Start with mapping all data items and data flows in a table or diagram. 

It is vital to understand which personal data is collected and processed. Also, mapping data flows will help to determine applicable privacy laws.

  • Ensure that suitable legal bases are chosen. 

There is a necessity to check the relevance of legal grounds for data collection and processing. 

  • Delete unnecessary or excessive data.

The company should delete data that is no more needed. This falls within such principles of GDPR as data minimization and storage limitation.

  • Review the technical and organizational measures put in place. 

Manage risk assessment tools. Organizations are expected to ensure that all necessary breach and incident management response protocols are implemented.

  • Document all the assessments, policies, and procedures adopted. 

Companies are required to develop internal policies and enact procedures that give effect to the principles established in applicable privacy legislation. They should be documented and should show how they connect to the applicable privacy legislation.

  • Check yourself against the criteria of Articles 27 (Representative),
    35 (DPIA) and 37 (DPO). 

Those are articles from the GDPR as an example of vital criteria to be checked. 

  • Invest the time in preparing the personnel to tackle the data breach incidents and data subject requests. 

The reality is that the biggest threat a company faces to its privacy program is an employee who either does not know about the company’s approach to privacy or simply does not care about it. Another point is to react appropriately to data subject requests. To do so staff training is needed. Therefore, staff should constantly stay alert to risks and take proactive steps in response. Moving forward and educating your employees is the most dynamic and effective way toward compliance. Nevertheless, there is an option to delegate an obligation to answer data subject requests to a competent outsourcing privacy manager.  

  1. Ongoing Assessment and Revision

Drafting documents and implementing policies is not enough. The organization should plan the review of the privacy program. 

The privacy program provides constant support, including updating documents, as well as implementing best practices. Keeping data protection policies and practices relevant is one of the major objectives of maintenance as a part of a privacy program. 

To ensure that data protection policies and practices remain up to date, companies must monitor the external and internal environment and privacy tendencies.

The data flow map together with the risk register helps companies to identify where sensitive data is stored in the systems. Risk assessment and monitoring shall be taken on a regular basis. It is better to treat privacy impact assessments and security threat and risk assessments as evergreen documents. Also, the privacy manager should be directly involved in every development of initiatives, services, or programs with high risk.

Data subjects should have the right of access to personal data collected concerning them to be aware of, and verify, the lawfulness of the processing. That is companies are expected to have systems in place to respond to data subjects’ requests. Prompt and effective responses to requests from individuals are part of accountability. 


A robust privacy program is not a template solution that suits each and every organization. The company shall tailor such a program, taking into account its data flows and collecting processes. 

To do so the company may appoint an internal officer or hire the external one. A team of professional lawyers with appropriate qualifications can help with it on a constant basis. So, a company may outsource a privacy manager.

An organization should be able to demonstrate compliance. Thus, it is necessary to monitor both internal and external developments and to keep all the documents and processes up-to-date.

Privacy is essential to establish and maintain trust within the company. Considering privacy as a priority is a key step in the development of a culture of privacy that is even beyond compliance. 

    Your question to IT lawyers