Imagine having a sales team that is tasked to “Make everyone become and remain our customers”. Imagine having a product team whose assignment is to “build a product that everyone loves, forever.” No direction or focus, no prioritisation, no milestones.
And now add this: Imagine having these teams work only reactively. Sales spending all their time on who comes to them. Product building only features that your loudest customers ask for.
Is that how you build a successful business? How you get the best out of people, how you best leverage available resources and skills, and realise the company vision?
It is not.
So how come this is still how some privacy teams work? Their goal is “ensure compliance”, and all time is spent on putting out fires, and dealing with requests from the rest of the organisation.
Is it because privacy professionals don’t have the ability to identify and prioritise between risks and opportunities, and to work in a structured way according to a plan? Or is it because management’s expectations are off, and management fails to fully appreciate how progress in privacy management is key to the overall long-term success of the business?
I’m leaning towards the latter.
It is not wrong for a business to strive towards compliance, but in order to build a privacy program that delivers maximum long-term value, you have to think about it differently.
I’ve had the luxury of sitting down with and learning from hundreds of privacy teams over the last few years, and I see clearly what the most value-adding and motivated privacy teams have in common.
They have a privacy program that is centered around desired outcomes. It’s a program that takes into account strategic context, available resources, and current challenges and opportunities. And very importantly, their programs include a clear plan of action that spans a fixed time period and recognises that everything will soon have to change.
A lifecycle approach
Let’s start with the time period a privacy program spans: the lifecycle approach. To ensure that plans are relevant here and now and based on the most pressing challenges and opportunities, well-executing privacy teams typically set a plan for a year. At the start of each year, they will consider questions like:
- Where are we now and what do we know about the coming 12 months?
- What should we do given our objectives, resources, challenges and opportunities?
They will set a plan for the year and then execute on it. They will make sure they also have time to deal with the unforeseen must-solve challenges that will surely come, and they set aside time to evaluate their work and results. This evaluation then goes into the planning for next year’s privacy program, along with a fresh view on the above questions.
So what actually goes into the annual plan? That is and should be different for each business and privacy program. No team can do everything at the same time. And if we simply say that everything is equally important, we risk ending up doing far less meaningful work than what is possible (ask your sales and product teams if they believe direction and focus are a good thing).
Therefore, deciding on desired outcomes per year or quarter is crucial. Is it most important this year to focus on improving how we manage data subject requests or incidents, privacy by design, or transparency and communication?
What areas are most important and why? Here we need to take into account where our greatest challenges and gaps are, but also where we see opportunities as a company – what is the strategic context? Are we expanding into new segments or markets, launching new products or considering acquisitions?
Obviously, this is not something figured out only by the privacy team – we need cross-team collaboration and management input to set a relevant plan that those stakeholders, including management, can in turn buy into.
Small steps for big results
Wherever you want your privacy program to take you, small steps are more likely to get you there.
By prioritising desired outcomes for the next year or quarter, taking into account the strategic context, available resources, current challenges and opportunities, a more value-adding plan can be set. And a well-crafted plan that management and other stakeholders buy into and respect is a necessity for enabling the privacy team to actually execute on it and achieve progress.
It’s ok to have a vision on a department level, like “100% compliance”, “make everyone our customers”, or “build a product that everyone loves”, but you have to realise that these are not the same as actionable and meaningful plans.
Finally, let’s not forget that privacy professionals, like most people, like to achieve goals and to see those wins being recognised and celebrated. So also from an employee motivation, personal growth and retention perspective, a relevant, achievable and value-adding privacy program is a great idea.