May 03

Centralised vs. Distributed vs. Hybrid privacy teams

Implementing a sustainable privacy program that meets regulatory requirements has long been a consideration for many organisations. To drive this program across the company and keep it manageable and trackable, businesses increasingly establish dedicated privacy teams. These teams come in different types: centralised, decentralised (or distributed), and hybrid. In this blog post, we will discuss each of these privacy team models and their advantages and disadvantages.

Centralised privacy team

A centralised privacy team is a team (or a single person, such as a Chief Privacy Officer, as the case may be) responsible for managing all privacy-related matters across the organisation. In other words, a centralised privacy team naturally works on the basis of a ‘bottleneck’ principle, meaning that all privacy-related decisions are taken by that team (or, at least, with its direct participation).

Advantages and disadvantages of centralised privacy team

The advantages of having a centralised privacy team include:

  1. Consistency – a centralised privacy team ensures that privacy policies and procedures are consistently implemented across the organisation. Other individuals or groups, before making a decision, should first get approval from the centralised privacy team. Such an approach naturally means that privacy practices implemented across the organisation are aligned with each other.
  2. Efficiency – a centralised privacy team can streamline privacy-related tasks, such as various assessments, handling of data subject requests and data breaches.

There are, of course, some disadvantages arising out of the centralised privacy team model. The disadvantages of a centralised privacy team include:

  1. Lack of knowledge – a centralised privacy team may not have a comprehensive understanding of all the privacy-related issues across the organisation and, thus, may need help from other stakeholders in this regard.
  2. Delayed response time and lack of flexibility – a centralised privacy team may be overwhelmed with privacy requests, leading to delayed response times. In addition, because the centralised privacy team model aims at making processes in the organisation as uniform as possible, there might be a visible lack of flexibility, and taking ‘individual’ needs into account may be difficult and time-consuming.

Decentralised privacy team

A decentralised privacy team is a team responsible for privacy-related matters within specific business units or departments. This type of privacy team is typically found in organisations that have multiple business units or departments that process personal data locally. The decentralised privacy team model naturally means that all privacy-related decisions are taken locally with no involvement of the central authority, thus avoiding the ‘bottleneck’ effect typical for centralised privacy teams.

Advantages and disadvantages of decentralised privacy team

The advantages of a decentralised privacy team include:

  1. In-depth knowledge – a decentralised privacy team is more likely to have in-depth knowledge of privacy issues within specific business units or departments.
  2. Flexibility – a decentralised privacy team can respond to privacy concerns more quickly and in a more flexible manner.
  3. Collaboration and customisation – a decentralised privacy team can collaborate more closely and be better integrated with locally sitting business units or departments to identify and/or address privacy-related issues relevant specifically for those units and departments.

The disadvantages of a decentralised privacy team are, however, as follows:

  1. Inconsistency – having a decentralised privacy team may lead to inconsistent implementation of privacy policies and procedures across the organisation.
  2. Limited expertise – being more focused on local matters, a decentralised privacy team might lack ‘global vision’ and may not have the same level of expertise and understanding as a centralised privacy team.
  3. Duplication of effort – multiple decentralised privacy teams may result in duplication of effort and resources to address the issues that are similar (or even identical) across all functions.

Hybrid privacy team

An attempt to combine the features of the centralised and decentralised privacy team models will lead to what is usually called ‘hybrid’ privacy teams. In this model, a centralised team provides oversight and overall guidance for privacy-related matters across the organisation, while decentralised teams manage privacy risks and implement privacy practices specific to their department or business unit. Hybrid teams can often be found in global organisations operating across different countries and comprising multiple functions and business units.

The advantages of having a hybrid privacy team include:

  1. Hybrid teams can ensure consistency in privacy policies and procedures across the organisation while allowing for tailored privacy practices at the business unit level.
  2. This model can increase ownership and accountability for privacy among business units while ensuring a centralised approach to privacy management.
  3. Hybrid teams can leverage the expertise of a central team to address complex privacy concerns while maintaining a more localised approach to privacy management.

However, it does not mean that implementation of the hybrid approach would be a good idea in all cases. The hybrid model can be complex to implement and manage, requiring careful coordination and communication between the central team and business units. Besides, it may require more resources to manage, as it requires both a centralised team and local privacy resources at the business unit level.

For example, it makes little sense to maintain hybrid privacy teams in small organisations with a flat structure. Instead, in this case, a centralised team will most likely be able to do the job more effectively and save resources. In other words, each privacy team model has its own benefits and drawbacks, and the right model for an organisation will depend on its specific needs and resources.
